Hacked by Chinafans

HI,
Yesterday I discovered that my Wordpress site had been hacked. Two posts were replaced with posts titled Hacked by China fans - I wasn’t the only one http://www.bbc.co.uk/news/technology-38930428 :slight_smile: I think the problem might have been that I was behind in updating Wordpress. I have now updated and have changed my local and Wordpress.com paswords. I am now consulting How to Clean a Hacked WordPress Site but would be grateful for any other tips on how to clean my install.

Hey Frances,

That article you link to is absolutely right. I’ve seen at least two other customers get hit with it. I believe the only thing you have to do delete the posts that were injected into the site and change your WordPress password. In our experience the hack didn’t add any additional code or files to sites but simply added new posts.

That’s a huge relief - please let me know if you find out that I need to do more.
Thanks !!

There has been a REST API exploit going on. Updating to the latest WP is the best defense. Also try the Wordfence and iThemes Bulletproof security plugins. They lock down logins and tweak the htaccess file to prevent exploits. WordFence will also scan you install for malware.
Two other things that can be done that is a manual preventative is to change the name of your blog directory to something other than /wordpress. Also, you can move the wp-config file out of the main wordpress directory. That makes it more difficult to get into the directory.
The upside to your problem is that they could have locked you out of your site entirely rather than play around with some posts.

Cheers!

Todd O’Neill
Assistant Professor, New Media Communication
Electronic Media Communication Department
College of Media and Entertainment
Middle Tennessee State University
todd.oneill@mtsu.edu
LinkedIn: toddoneill | FaceBook: OneillTodd | Twitter: mtsunewmedia

Just another dumb question. With 300+ posts, how exactly would I know that I have been hacked? Should I be checking my posts regularly, daily?

Companies like Sucuri and the paid version of Wordfence will scan public content for anything like that. Beyond that I don’t know of any automated way to be aware of that kind of stuff. With this particular hack in my experience the posts being defaced were more recent like the last post on the account but nothing preventing someone from choosing a different one. I don’t think beyond the paid services there’s a free way to monitor all content other than just being aware of it. Google can alert you to stuff like that too via their Search Console if they notice issues if you register your site there.

About to say the same thing, most hacks on the 4.7 exploit were recent posts, usually the latest one.

Thanks Todd. Just spotted that I hadn’t actually sent this so sorry for
delay

Frances Bell
You can also find me @francesbell on Twitter and at http://francesbell.com

Hi Aaron.
As said below, it was 2 most recent posts that were hacked. After I had
update WP and changed passwords, I just reverted to previous versions of
posts.