Hacking and security
-
Hi, we have had some of our sites hacked and i would like your advice on the situation.
We pay a fair but of money for a dedicated server as we thought that by having a dedicated server it would make the sites secure.
The language we use for our sites are joomla and wordpress but yesterday a few of them on the dedicated server were hacked.
the hosting company have sent us the following info
'There is one extra security improvement on the system we may offer you and it is cloudlinux with cageFS. This improves the overall security on the server but will not stop unsecured code exploiting if such coding is present in your website scripts.'
The hosting company is asking for an extra £20 a month to add this on.
we asked the hosting company what they meant by unsecured code and they said:
'Unsecure coding is code in your scripts which will allow injections of files from external source. Unfortunately better explanation is not available and for any detailed information you may check with experience local web developer.'
We thought that the sites would be secured. The hosting company have said that because one of the sites was not updated from joomla 1.5 to joomla 3.0 which we were planning to do this week, this is the reason why it has happened. However, this does not make any sense, as this is a dedicated server so why has the wordpress sites which are up to date been hacked when they are on the same dedicated server.
any advice in understand more on this issue would be great, as i need to find out why this has happened and if i should be taking my sites to another hosting company
-
The wordpress hacking was almost surely due to having outdated version of WP, or having a vulnerable plugin installed. There are a few helpful plugins you can use to secure your WP site, plugins like (http://wordpress.org/plugins/better-wp-security/).
also a couple things to note, you should also take basic measures to project the site by changing the default table prefixes of your DB from _wp, create a new admin user and delete the default "admin" accoun & limit access to your wp-admin section in your .htaccess file.... these security plugins will give you a whole checklist of items to "secure".
-
I have only used dreamhosts shared hosting, don't know about dedicated.
"would you expect the hosting company to let you know that your site has been hacked or is it down to yourself to know"
Generally no, that you be your responsibility (or if your have a maintenance contact with the web developer).
Again dreamhost has some cool auto safe guards eg one of my clients had malware/virus on his pc and was sending out spam, they auto reset the password when it was picked up. I also think they have other auto features to inform you about hacking, but its guaranteed service, its just a bonus they do.
I'm not saying you should go with dreamhost, I'm just telling you what they can/have done, (i have only use a few host companies) but I'm sure there are alot of hosts that do that too (maybe even more).
-
will have to look at dreamhost and see how much they charge for dedicated server. do they offer managed dedicated server. also the hosting company is not taking any responsibility.
would you expect the hosting company to let you know that your site has been hacked or is it down to yourself to know
-
What your saying is true, but I have never heard of anyone getting hacked (bar brute forcing password or poor passwords), if they keep upto date with the security fixes.
Some hosts eg dreamhost will auto update installs for you , so you don't have to worry about updating.
-
I don't think its the server, wordpress and other cms are continually hacked. The server can not stop much at all. your code needs stop most hacks, and since wordpress is used by so many, all some one needs to do is hack their own and then they can go out and hack all wordpress sites of the same version.
-
Yeah standard, "its not our problem" response.
As I said before, if the joomla site shared something like mysql database access then it was most likely not the hosts fault.
I have seen hosts blame opensource cms when actually they were just trying to hide their issues. Its going to be impossible to know until someone looks properly into it (which hosts will not do, which is fair enough).
-
just got this from my hosting company
Hello,
1. The server was not hacked. The application on these account has been compromised. In order to have the exact reason and coding vulnerability which allowed this to happen you may contact certified developer as we do not offer development services at this point.
2. Review the above. What we do is secure the service on the server by applying all the patches available for the same. The coding and the updates on your website functions and coding is your responsibility. The review and patching of any script you use for your website is development related task.
3. Again you will have to request this from expert web developer as s/he may review the coding of your website and provide the reason why and how it has been compromised.
4. Contact certified developer with proven feedback to review and patch your websites coding.
5. The answer to this question you may check here:
Should you have any further questions or comments please do not hesitate to contact us.
Best regards,
-
i am waiting for the hosting company to get back to me, they have been working on this now for over 24 hours, i have sent them some questions but they have said they cannot answer them yet. it seems strange that the wordpress sites were hacked and they were all hacked even though they all had seperate logins
-
I'm not an expert (but have some experience) , but if they are truly separated, and the word press sites were up to date but were hacked too, then there is something very wrong.
-
ok thanks. The sites all have their own access but are all on the dedicated server. they can all be gained through a whm where we can change cpanel passwords and usernames but besides that they have no connection.
-
If each site was on a different domain and were completely separate (separate ftp access, separate mysql database access, no master/common username and passwords etc) then that might point to a problem with the hosting side, but to be honest it really hard to know, with our proper investigation.
Since your not technically minded you would be better getting someone with more technical knowledge to review you current setup to see if it was the hosts failing or it was the way you have your sites set up, there is just too many unknowns to get conclusive help from a forum.
Hope that helps
-
hi, it is a managed dedicated server where they look after everything.
there is a joomla site on there that was not hacked but all the other sites were hacked including wordpress.
all the wordpress sites were upto date but there were three joomla sites that were in joomla 1.5 instead of joomla 3.
we were told when we moved up to a bigger and newer dedicated server it was secure from hacking but we have now been hacked.
i am trying to find out, how this has happened, this happened over 24 hours ago and still they are sorting out putting the back up of the sites live but it seems to be taking a long time.
we have another site on there which is not ours who we let use the space and they have a it expert on board who claims this should not have happened even if there was a older joomla site on there.
they claim that the hosting company should have made everything secure and has suggested we move to a better server that is secure.
i am not technically minded so not sure what we should do, if it was the hosting company fault or not.
-
When you say dedicated do you mean a "managed" dedicated server? or are you in charge of server maintenance?
As for joomla I think there are security updates for 1.5 (best check if its still supported, just make sure you have them upto date. to late now unless you have a backup before the hack then, update straight away and change passwords (there is a how to recover from a hack guide for this on the joomla site)
If the hacker got into you joomla site and was able to get you database passwords and if that was a master user account that also had access to the wordpress database then I could see how they could have gotten into both. Of if the word press site is on the same domain as the hacked joomla site, then again they could get into the wordpress site. Or if you used common usernames or passwords for the different sites.
But the most important with any opensource software is to make sure that your uptodate with security fixes, because as soon as there is a exploit found script kiddies search the web for vulnerable site and have there fun. I'm know what "cloudlinux with cageFS" is but as your host says it would not have stopped this hack.
Browse Questions
Explore more categories
-
Moz Tools
Chat with the community about the Moz tools.
-
SEO Tactics
Discuss the SEO process with fellow marketers
-
Community
Discuss industry events, jobs, and news!
-
Digital Marketing
Chat about tactics outside of SEO
-
Research & Trends
Dive into research and trends in the search industry.
-
Support
Connect on product support and feature requests.
Related Questions
-
Site Hack In Meta Description
Hey MOZ Community, I am looking for some help in identifying where the following meta description is coming from on this home page - https://www.apins.com. I have scrubbed through the page source without being able to locate where the content is being pulled from. The website is built on WordPress and metas were updated using Yoast, but I am wondering if an installed plugin could be the culprit. On top of this, I have had a developer take a look for the "hack" and they have assured that the issue has been removed. I have submitted the URL in GSC a couple of times to be re-indexed but have not had much luck. Any thoughts would be much appreciated, the displayed description is below. The health screening plays http://buyviagraonlineccm.com/ a significant and key role in detecting potentially life-threatening illnesses such as cancer, heart ...
Technical SEO | | jordankremer0 -
Manual action due to hack
We have had some issues with one of our websites getting hacked. The first time it happened, we noticed it the next morning and cleaned it up before Google even realised. However, the same thing happened again over the weekend, and I came into the office to an email from Google: Google has detected that your site has been hacked by a third party who created malicious content on some of your pages. This critical issue utilizes your site’s reputation to show potential visitors unexpected or harmful content on your site or in search results. It also lowers the quality of results for Google Search users. Therefore, we have applied a manual action to your site that will warn users of hacked content when your site appears in search results. To remove this warning, clean up the hacked content, and file a reconsideration request. After we determine that your site no longer has hacked content, we will remove this manual action. _Following are one or more example URLs where we found pages that have been compromised. Review them to gain a better sense of where this hacked content appears. The list is not exhaustive. _ We have again cleaned up the website, however, my problem is that even though we have received this email, I cannot find any evidence of the manual action having actually been applied. I.e. it doesn't show in the Search Console and I am also not getting a warning in the search results when searching for our own website or clicking on the result for our website. That means I cannot submit a reconsideration request - however I am not sure at all there was actually a manual action applied at all based on my test searches. Has anyone here experienced the same issue? What do you suggest doing in this case? Thank you very much in advance for any ideas.
Technical SEO | | ViviCa10 -
Our homepage url has been 301'd to the new https version - as our MD wanted us to have the secure protocol
Hello Mozers I'm just checking whether it is good practice to 301 the main homepage url to its https version. Will this have any detrimental effect on ranking and DA?
Technical SEO | | Catherine_Selectaglaze0 -
Spammers created bad links to old hacked domain, now redirected to our new domain. Advice?
My client had an old site hacked (let's call it "myolddomain.com") and the hackers created many links in other hacked sites with links such as http://myolddomain.com/styless.asp?jordan-12-taxi-kids-cheap-T8927.html The old myolddomain.com site was redirected to a different new site since then, but we still see over a thousand spam links showing up in the new site's Search Console 404 crawl errors report. Also, using the links: operator in google search, we see many results of spam links. Should we be worried about these bad links pointing to our old site and redirecting to 404s on the new site? What is the best recommendation to clean them up? Ignore? 410s? Other? I'm seeing conflicting advice out there. The old site is hosted by the client's previous web developer who doesn't want to clean anything up on their end without an ongoing hosting contract. So beyond turning redirects on or off, the client doesn't want to pay for any additional hosting. So we don't have much control over anything related to "myolddomain.com". 😞 Thanks in advance for any assistance!
Technical SEO | | usDragons0 -
Spam pages / content created due to hack. 404 cleanup.
A hosting company's server was hacked and one of our customer's sites was injected with 7,000+ pages of fake, bogus, promotional content. Server was patched and spammy content removed from the server. Reviewing Google Webmaster's Tools we have all the hacked pages showing up as 404's and have a severe drop in impressions, rank and traffic. GWT also has 'Some manual actions apply to specific pages, sections, or links'... What do you recommend for: Cleaning up 404's to spammy pages? (I am not sure redirect to home page is a right thing to do - is it?) Cleaning up links that were created off site to the spam pages Getting rank bank // what would you do in addition to the above?
Technical SEO | | GreenStone0 -
Domain hacked and redirected to another domain
2 weeks ago my home page plus some others had a 301 redirect to another cloned domain for about 1 week (due to a hack).The original pages were then de-indexed and the new bad domain was indexed and in effect stole my rankings.Then the 301 was removed/cleaned from my domain and the bad domain was fully de-indexed via a request I made in WMT (this was 1 week ago).Then my pages came back into the index but without any ranking power (as if it's just in the supplemental index).It's been like this for a week now and the algorithms have not been able to correct it. So how do I get this damage undone or corrected? Can someone at Google reverse/cancel the 301 ranking transfer since the algorithms don't seem to be able to?I have the option to do a "Change of Address" in WMT from bad domain to my domain. But I don't think this would work properly because it says I also need to place a 301 on the bad domain back to mine. Would a change of address still work without the 301?Please advise/help what to do in order to get my rankings back to where they were.
Technical SEO | | Dantek0 -
Site Got Hacked! Need Help!
Hi Guys. One of my friend's site got hacked 2 weeks ago, because of bad php script hole and Google indexed the pages which got hacked and all the Title Tags and Descriptions are indexed in the Google which is very embarssing situation. All adult content texts. Right now we have solved the problem and closed the hole submitted the new sitemap, but Google is no longer coming back and refreshining the SERP. We have been waiting for 3 weeks for now? What should we do? Methods we tried so far: 1.Cleaned all meta tags generate new sitemap and submitted that to Google 2.Built some backlinks 3.Built some social bookmarks Thanks!
Technical SEO | | DigitalJungle0 -
Websites being hacked & duplicated, what should we do?
Hi, please help! Our website was hacked and being totally duplicated. They even injected codes to intercept our orders. Although the codes issue had been solved, still there're two mirror sites out there. When search for some of our key words, they even have good ranks. What exactly can we do to let Google ban those two sites. Thanks in advance!
Technical SEO | | Squall3150