April 10, 2013 at 5:31 pm #34650
I have WordFence installed and last night I received an email that said the following:
“This alert was generated by WordFence on "" at Tuesday 9th of April 2013 at 09:55:23 PM
A user with username "wp-system" who has administrator access signed in to your WordPress site.
User IP: 220.127.116.11
User hostname: p3nlhg693.shr.prod.phx3.secureserver.net”
There is no and never has been an administrator account named wp-system. I neutered the “admin” account immediately upon installing the site months ago. My username is unique and my password is very long and hard to guess. After getting the warning email from WordFence, I went to my site and noticed that the custom image for the header was gone. I tried to navigate to various pages on the site and they all generated 404 errors.
I logged in my administrator account and noticed an extra file in Corporate Child Theme called entry-meta.php
I don’t know PHP but some of the code looked pretty ugly: http://pastebin.com/rxCAwevr
There was also an extra PHP page in the listing for the Genesis PHP pages called Entry-nav.php. It had equally bad looking code in it. I am not including it here but I can send in separate if you want me to.
I have many sites with Studiopress. This is the second time that the Corporate Child theme has been hacked. Can anyone shed any light as to how a hacker created an admin user called wp-system and hacked in so easily? Also, can you help me identify how the hacker got in? Thanks so much! The site is http://www.southparkpost.comApril 10, 2013 at 6:27 pm #34654
Here are some thoughts...
First, your WP installation is likely insecure by design. If you can install a plugin from the WP dashboard, your WP install is inherently insecure, because the wp-content directory is writable by the web user that is accessing the site.
Second, the computers you access your site may be compromised. If you are using FTP to access your site, that's inherently insecure. At a minimum, you need to be using SFTP and better yet SSH.
Third, the server could have been breached, and the walls between you and others on the server might be weak or nonexistent.
Lastly, you mention you have WordFence. WordFence is a decent plugin, and Mark has put a lot of effort into it. But if the rest of your configuration is insecure, WordFence can't keep the bad guys away forever. You could have been the victim of a brute force attack before WordFence was installed. What you report regarding a non-existent user is interesting. I'd report this in the WordFence forums and hope Mark responds. If you're a premium user, I'd email him directly.
You mention that it is the second time the Corporate theme has been hacked in your use. I'm not pointing fingers, but that's more a reflection of your approach to security or where you host; it has nothing to do with Genesis or the child theme. I've been working with Genesis for years, including the Corporate theme, and despite hundreds of attempted hacking attempts per day in some cases, I've never been hacked.
WP security can be a full time job, so I am sympathetic to the fact that it can be neglected, and that can lead to bad outcomes, since the hordes of bad guys out there don't go away. As I said in my first point, most WP installs on shared hosts are insecure by design, and it takes a lot of work to make them more secure. If you want to move your site to a more secure environment, I can help you with that. Otherwise, you should clean up the malware, change all of your passwords, check any device you use to access the site for infection, and consider hiring someone to secure your install. If you don't complete all those steps and successfully close all of the open doors, you'll likely go through it again.
April 10, 2013 at 7:26 pm #34663
Great advice from Bill, as usual.
In addition, that secureserver.net URL indicates you're on GoDaddy, yes? If so, that's not the most secure host in the world. See posts such as this one: http://wordpress.org/support/topic/entire-site-suddenly-in-italics-1?replies=38April 10, 2013 at 8:51 pm #34681
@essaysnark - Thanks for the kind words. That's a good catch on GoDaddy.
@avtsteve - You should follow essaysnark's advice and chase down some of the WP.org threads on GoDaddy. Some have called it the worst host out there for WP.
April 11, 2013 at 7:23 am #34723
Bill and essaysnark - Thanks for the input. Great advice! Lots to go through, I'll be working on it.
About the GoDaddy situation, I'm trying to move a couple sites to hosts away from Godaddy as soon as I can get the decision makers to. This incident should help make that decision easier. My local box is firewalled and virus free; FTP to the server should have been shored up better with SSH; Wordfence was installed on day 1 with WordPress; "admin" account deleted immediately; strong passwords; never logged in from wireless; Studiopress themes, plugins and WP always kept up to date. I'll be adding additional security measures per Bill's recommendations and further reading from this point forward. Thanks again for your input.
You must be logged in to reply to this topic.