Website hacked?!

Hi!

3 few days ago my website looked hacked and after installing all available updates it was ok again.
Now I cannot access my website at all! Not via the WordPress admin login and not by just going to the URL.
I am a little stressed now and hope you can help me.

Thanks!
Aida

Hello Aida,

Thanks for writing in!

Looks like the website is still having issues, as the login page is showing eval(String.fromCharCode. Please take a look at the following resource for a solution:

https://wordpress.org/support/topic/malware-86/

At the same time, I suggest you have a chat with your hosting company, as they are better placed to assist you.

Thanks.
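
The `eval(String.fromCharCode` string reported on the login page can be located in a downloaded copy of the site's files and decoded to see what the injected script contains. This is an added example, not part of the original thread; the file names and the harmless payload in the sample tree are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Matches eval(String.fromCharCode(104, 116, ...)) and captures the number list.
PATTERN = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def decode_charcodes(number_list):
    """Turn '72, 105' into the text the browser would have evaluated."""
    codes = [int(n) for n in number_list.split(",") if n.strip()]
    return "".join(chr(c) for c in codes if c < 0x110000)

def scan_tree(root):
    """Return (relative path, line number, decoded payload) for every hit under root."""
    hits, root = [], Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in PATTERN.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            rel = path.relative_to(root).as_posix()
            hits.append((rel, line_no, decode_charcodes(m.group(1))))
    return hits

def build_sample_tree(root):
    """Constructed sample: one clean file and one file with an injected loader."""
    root = Path(root)
    payload = "console.log('constructed sample payload')"  # harmless stand-in
    codes = ",".join(str(ord(ch)) for ch in payload)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "clean.php").write_text("<?php echo 'hello';\n")
    (root / "wp-login.php").write_text(
        "<?php // login page\n?>\n<script>eval(String.fromCharCode(" + codes + "));</script>\n")
    return payload

if __name__ == "__main__":
    if len(sys.argv) > 1:   # scan a real document root given on the command line
        found = scan_tree(sys.argv[1])
    else:                   # otherwise run against the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            found = scan_tree(tmp)
    for rel, line_no, decoded in found:
        print(f"{rel}:{line_no}: {decoded[:120]!r}")
```

Run it against an offline copy of the files; the decoded text is only printed, never executed.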

Hi!
Thank you for your response.
From the links you sent and what I read on the forum, it looks like it might be connected to the Convert Plus plugin security issues. Since this is a plugin I trusted because it was linked to Pro, is there a way you can help me? I see Sucuri and Wordfence are asking for money to help me, but I hope you can help me.
I will contact my hosting company as well, but I am not sure what they will be able to do.
Thanks!
Aida

Hello Aida,

Your site URL redirects to a different URL. I would recommend that you give us your FTP details in a secure note as well so that we can investigate further.

Meanwhile, you can also check out this link:

Thanks.

Please see above for the FTP login details.
Thank you!!

Hi Aida,

For Convert Plus, we suggest updating it to the latest version, 3.4.4. It has a security patch for the vulnerability. See this guide on how to update the plugin. I am able to log in to FTP, but at the moment I cannot find where the root folder of your installation is. The hosting company might be better able to help you clean it up. We’re sorry for the inconvenience. Thank you.

Hi!
I really need your help, please :slight_smile:
I cannot access WordPress since it's being redirected. I cannot download and upgrade the Convert Plus plugin as I need a license and I don’t have one except via Pro. So I cannot do the upgrade myself or clean my website up. There is even a more recent upgrade, 3.4.5, but unfortunately I don’t see how I can download it.
I have checked via FTP and I have the 3.4.4 version installed and still got hacked.
I will write in a secure message how you can access all files via FTP.
I hope you can help me.
Thanks!
Aida

Hi!
Update: my hosting company was able to remove the redirect from the webpage, but the page is obviously still in the hands of hackers as all of the design is removed, and Pro is not in use… I still cannot access WordPress…
I hope you can help me :slight_smile:
regards,
Aida

Hello Aida,

Thanks for updating the thread.

On my end the login page is getting redirected to (please see secure note for the URL). Looks like you haven’t entered the URL protocol (HTTP or HTTPS) in Settings > General.

So, for now you need to hard-code the URL in the wp-config.php file. Here’s a resource that you can refer to for more information.

Thanks.

Thanks so much for your help!! :slight_smile:
I was able to make the suggested changes and was able to log in to WordPress. After removing the Convert Plus plugin the website was up and running again. However, if I activate the plugin the website is changed again, so I guess there is malware in the plugin.
Since I have the latest version available via WordPress for Convert Plus, what do you suggest I should do in order to be able to use the plugin again?
Thanks!
Aida

Hello Aida,

Please wait for the latest version, 3.4.5, which will be available in automatic updates after we have done some conflict and compatibility testing. Meanwhile, please install Wordfence or Sucuri and check all other files on your site for malware to be sure that it is not just the plugin that is causing it.

Perhaps these links may help you:

Hope this helps.

While mine may be different, I was also just hacked, probably due to the same plugin. Luckily, though, I could log in. The initial ‘hack’ action was auto-creating a new admin user and a new bugged theme. The same plugin infected all of my 15 independent websites. One website did lock me out, but my web host got me back in.
My solution, which could be different from yours, was to:

  1. Delete any strange user, template, post, page and portfolio
  2. Remove all non-essential plugins - including Connects MailChimp (Convert Plus addon. This plugin could never seem to be updated due to some error)
  3. Install Wordfence plugin - free version is all that you need
  4. Run Wordfence plugin scan and remove/fix any potentially dangerous files
  5. Update all remaining plugins
  6. Install new Connect MailChimp plugin via file upload - use the file upload, not through X Pro/Convert Plus install
  7. Go back to Wordfence and change notification settings - if you have several websites with multiple admins the default settings for this plugin email you about everything…

Hi @Innovatek,

Thank you for sharing the detailed steps and helping out your fellow users.

Much appreciated!
