#32114 – Redirection on WordPress Site

Posted in ‘Akeeba Admin Tools for WordPress’
This is a public ticket. Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Wednesday, 11 December 2019 06:30 CST
tayowaves
Good day, please, I have a WordPress site that powers a microfinance bank (www.addosser.com) and there is a steady security breach on the site that usually redirects the site to any spam link of its choice. When you check the site URL from the database, it would have changed to the spam website. Due to this issue, I decided to integrate Admin Tools for WordPress on the site. However, the issue persists. I kindly seek your help in resolving this. Thank you.

Temitayo O.
Wednesday, 11 December 2019 08:01 CST
nicholas
This implies that the attacker has established presence on your site before installing Admin Tools.

First, check all users that you have on your site. Is there any Administrator you do not recognize? If so, delete them.

Change all your passwords: WordPress administrator, FTP / hosting account, database.

Are you on a shared host? Ask your hosting company if they use account isolation i.e. if there are active measures to prevent another site on the same server from accessing yours.

If you are hosting your site on a reseller account you may want to consider moving it into its own virtual private server or, at the very least, its own hosting account (the latter provided that your host does have account isolation).

Are you using FileZilla on Windows? Please don't. Not only does it store by default the passwords to your site in an unencrypted plain-text file in a well-known location, it's been caught installing adware / spyware as well. Use another FTP / SFTP application such as CyberDuck or WinSCP. While on the subject, never use FTP. Use SFTP. They are entirely different protocols. FTP is unencrypted and can be used by a malicious actor to steal your connection details. SFTP is encrypted, making subversion of your login information a far more difficult and largely impractical task.

If you're on Windows, run a good antivirus, ideally from a bootable disk / flash drive and scan your computer. Avoid using free antivirus applications, they are not even worth your time. If you have Windows 10 please use Microsoft Defender. It is a really good antivirus and it comes free with Windows itself.

Back to your site. Have you updated WordPress itself as well as all of its installed plugins and themes on your site? If not, do so now. There are several older plugins and themes with well-known security issues. Depending on your Admin Tools settings and the nature of these issues they might not be addressed on your site, allowing an attacker to get through.

Speaking of configuration, are you using our .htaccess Maker? If not, you should – especially its site protection feature. This feature prevents arbitrary .php scripts from running on your site. This will most likely cause things to break so please make sure you've read and understood the documentation about determining and applying exceptions.

On a similar note, did you use the Optimize WAF feature in Admin Tools? Some plugins and themes use arbitrary .php files to provide functionality, even though it's not advisable. Since these scripts run outside of WordPress they are not normally protected by Admin Tools since Admin Tools is a plugin running inside WordPress itself. The Optimize WAF feature instructs your server to load a special version of the basic protections afforded by our Web Application Firewall before executing any non-WordPress .php file. This means that a lot of known vulnerabilities in arbitrary .php files found in older plugins will be neutered.

If this still doesn't help it's likely that your site has been thoroughly compromised before Admin Tools was installed. An attacker could very easily have modified your WordPress files or added .php files in places where legitimate code normally resides to add a backdoor to your site. Since the backdoor would execute before Admin Tools has the chance to do something about it, and because access to it would look like a legitimate request to your site, it would be impossible to protect against it. In this case your only hope is a thorough security scan of your site conducted from an external source and possibly hiring someone to clean your site. I can personally recommend mySites.guru's fix services (full disclosure: I personally know Phil Taylor, the owner of this third party service, but I do not receive any kind of commission or compensation for recommending his service).

After having a clean site it's a good idea to have Admin Tools' PHP File Change Scanner run periodically, e.g. once a day. This will notify you if a file gets added or modified without your knowledge, which will alert you to something nefarious going on. If this does happen you may want to consider the third party plugins and themes you are using because they might have a subtle but serious security hole which cannot be detected or protected against by automated tools such as Admin Tools, WordFence etc. All security plugins can address a wide range of security vulnerabilities but not absolutely everything under the sun. Some vulnerabilities are really subtle, e.g. a third party registration form which unfortunately allows a guest user to select which role they are subscribing as, effectively allowing anybody to become an Administrator on your site (this is a real example from a few years ago but I can't and won't name names on a public ticket). The only solution to these subtle issues is that they are addressed by the developers of the plugins OR, if no update exists, replacing the affected plugins with alternatives that are better maintained.

As a side note to the latter issue, there has been a recurring problem with some popular plugins in the WordPress Plugins Directory with a single, overworked developer that get bought out by nefarious entities. The new owner publishes a new version fixing some easy bugs and introducing a backdoor. Since this software comes from a trusted source (the Directory) it bypasses all security plugins, third party firewalls and even hosts' defenses. Due to the way these backdoors are implemented it's impossible to detect or stop them. The Directory typically moves slowly, taking weeks to unpublish the affected plugins. So please do check the Directory for any plugins you have installed in case any of them are unpublished due to nefarious practices. If they are you definitely need to uninstall them and hire someone to clean up your site because your site is already compromised six ways to Sunday.

I hope this information helps!


Nicholas K. Dionysopoulos
Lead Developer and Director

🇬🇷Greek: native
🇬🇧English: excellent
🇫🇷French: basic

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

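The baseline-and-diff idea behind the periodic file change scan recommended above, and the "no PHP under uploads" rule that the .htaccess Maker's site protection enforces at the web server level, as an added stand-alone example. This is not Akeeba's code and does not use Admin Tools; it assumes a POSIX shell with `find`, `awk`, `sort` and either `sha256sum` or `shasum`, and it ignores paths containing whitespace. The fake WordPress tree it scans is constructed inside the script.

```shell
#!/bin/sh
# Added example: a minimal file-change scanner in the spirit of the PHP File
# Change Scanner discussed above. NOT Akeeba's code; it only shows the
# baseline-and-diff idea plus a check for PHP files under wp-content/uploads.
# Assumptions: POSIX sh, find/awk/sort, sha256sum (Linux) or shasum (macOS).
# Paths containing whitespace are not handled (kept simple on purpose).
set -u

# Pick a SHA-256 tool: sha256sum (coreutils) or shasum (macOS / Perl).
if command -v sha256sum >/dev/null 2>&1; then HASH_CMD="sha256sum"; else HASH_CMD="shasum -a 256"; fi

# Record "<sha256>  ./relative/path" for every PHP file under $1 into file $2.
make_baseline() {
  local root="$1" out="$2"
  # HASH_CMD is deliberately unquoted so "shasum -a 256" word-splits.
  ( cd "$root" && find . -type f -name '*.php' -exec $HASH_CMD {} + | sort -k2 ) > "$out"
}

# Compare the tree under $1 against baseline file $2. Prints one line per
# change: "ADDED <path>", "MODIFIED <path>" or "REMOVED <path>", sorted.
compare_baseline() {
  local root="$1" base="$2" now
  now=$(mktemp)
  make_baseline "$root" "$now"
  # First file (the baseline) fills old[path]=hash; second file is compared
  # against it. FILENAME == ARGV[1] is used instead of NR==FNR so an empty
  # baseline does not make awk treat the current listing as the baseline.
  awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
       {
         if (!($2 in old))        print "ADDED " $2
         else if (old[$2] != $1)  print "MODIFIED " $2
         seen[$2] = 1
       }
       END { for (p in old) if (!(p in seen)) print "REMOVED " p }' \
      "$base" "$now" | sort
  rm -f "$now"
}

# wp-content/uploads should hold media only; any PHP-like file there is
# suspect regardless of whether it changed since the baseline.
php_in_uploads() {
  ( cd "$1" && find ./wp-content/uploads -type f \
      \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null \
      | sort | sed 's/^/UPLOADS_PHP /' )
}

# Self-contained demo on a constructed fake WordPress tree: take a baseline,
# simulate tampering, print the combined report, clean up.
demo() {
  local site base
  site=$(mktemp -d)
  base=$(mktemp)
  mkdir -p "$site/wp-content/plugins/foo" "$site/wp-content/themes/bar" \
           "$site/wp-content/uploads/2019/12"
  printf '<?php // constructed: core file\n'       > "$site/index.php"
  printf '<?php // constructed: plugin file\n'     > "$site/wp-content/plugins/foo/foo.php"
  printf '<?php // constructed: theme functions\n' > "$site/wp-content/themes/bar/functions.php"
  make_baseline "$site" "$base"

  # Constructed tampering after the baseline was taken.
  printf '// constructed: line appended to core\n'    >> "$site/index.php"
  printf '<?php // constructed: new file in plugin\n'  > "$site/wp-content/plugins/foo/helper.php"
  rm -f "$site/wp-content/themes/bar/functions.php"
  printf '<?php // constructed: PHP where only media belongs\n' \
      > "$site/wp-content/uploads/2019/12/image.php"

  compare_baseline "$site" "$base"
  php_in_uploads "$site"
  rm -rf "$site" "$base"
}

# Running the script directly prints the demo report.
demo
```

On a real site you would run `make_baseline /path/to/wordpress baseline.txt` right after the site has been cleaned and updated, keep `baseline.txt` outside the web root, and have cron run `compare_baseline` plus `php_in_uploads` daily and mail you anything they print. Expect `MODIFIED` lines after every legitimate core, plugin or theme update; re-take the baseline once you have confirmed the update was yours.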
Friday, 10 January 2020 17:17 CST
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
This ticket is closed, therefore read-only. You can no longer reply to it. If you need to provide more information, please open a new ticket and mention this ticket's number.