14

I run an informational website for medical students. We just got hacked. Fuck you and fuck you WordPress.

Comments
  • 9
    Was it a zero-day? Or didn't you do the updates? And was it really WP, or a theme/plugin that you installed?

    Also, do you really need an online CMS in the first place? An informational website looks like a good case for a static site via SSG.
  • 4
    Yes fuck WordPress... probably some plugin and not doing updates?
    May I ask what exactly got hacked or what the damage was?
  • 3
    Was WordPress really required for the task? 🤔
  • 3
    @Fast-Nop It's been live for four or five years or so, and yes, we've been slacking with the updates. Tbh it's probably not WordPress's fault at all, just that I'm incredibly irritated and angry :| SSG would be great and we use it for some other sites, but this is basically a blog with a handful of authors, so that won't do. So yeah, our fault in the end, but fucking annoying :p

    @jonas-w Yeah. Not entirely sure what happened, but I assume they've gained access to the code. We deployed this site a few years ago and it wasn't meant to run like it did for all those years. But we never got around to deploying it properly, so it just runs on bare bones, and being the hobby project that it is, we're not too good at actually updating things. The DB is intact, so I'm assuming they've gained access to the code. Or perhaps they've just completely fucked up some WP settings. Can also mention that we saw the admin usernames pop up in the logs a few too many times, so it doesn't seem to be brute force.

    @catgirldev yes

    @iiii not necessarily WordPress, but a CMS, yes
  • 2
    I offer WordPress hack repair services to help customers sort out the issue, find out how they hacked you and then put in additional security to help prevent further attacks. Do you want help with this?

    ben@lacey-tech.com
    15 years experience in website development and certified ethical hacker
  • 1
    @laceytech Yeah no but thank you. We'll be moving to a different platform while we have that chance
  • 1
    put WordFence
  • 1
    I use Pantheon.io specifically because they lock down live as a read-only file system. Updates happen on dev and you push that to test (also read-only) and then to live. Like we used to do before everything got lazy within CMSes. Only a few hacks in 8 years and exactly zero hacks were due to defacement through the file system or even the database. The ones that did occur were due to external factors like poorly configured Cloudflare (not even necessary) and people with bad login security hygiene.
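    The comment above relies on the live file system being read-only, so nothing on the live host can be edited or dropped into place. Where that is not available, the same property can at least be detected after the fact with a file-integrity baseline. The script below is an added example, not code from any commenter or from Pantheon: it hashes a tree once after a clean deploy and later reports files that were modified, added or removed. The directory layout and file contents it creates are constructed for the demo; the manifest format is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-verify integrity check for a
# WordPress tree. Run build_manifest right after a clean deploy, then run
# verify_manifest on a schedule; any finding is a change that happened on the
# live host outside the dev -> test -> live promotion path.
# Paths and file contents below are constructed for the demo.
set -eu

# build_manifest DIR OUT: write "path sha256" for every regular file under DIR,
# sorted by path so two manifests can be compared line by line.
# (Paths containing spaces would break the awk field split; WordPress core and
# plugin paths do not contain spaces, uploads may.)
build_manifest() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f" | awk '{ print $2, $1 }'
      done ) > "$out"
}

# verify_manifest DIR BASELINE: rebuild the manifest for DIR and compare it with
# BASELINE. Prints one line per finding; returns 0 if clean, 1 if anything changed.
verify_manifest() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    build_manifest "$dir" "$current"
    findings=$(awk '
        FILENAME == ARGV[1] { base[$1] = $2; next }   # first file: the baseline
        {
            seen[$1] = 1
            if (!($1 in base))       print "added:    " $1
            else if (base[$1] != $2) print "modified: " $1
        }
        END { for (p in base) if (!(p in seen)) print "removed:  " p }
    ' "$baseline" "$current")
    rm -f "$current"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on a constructed mini WordPress tree.
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/example-plugin" "$site/wp-content/uploads"
    printf '<?php // constructed plugin file\n' > "$site/wp-content/plugins/example-plugin/plugin.php"
    printf '<?php // constructed wp-config\n' > "$site/wp-config.php"

    build_manifest "$site" "$site.manifest"     # baseline taken right after deploy
    verify_manifest "$site" "$site.manifest"    # clean tree: prints nothing, returns 0

    # Simulate tampering on the live host: one file edited, one dropped into uploads.
    printf '<?php // something appended\n' >> "$site/wp-content/plugins/example-plugin/plugin.php"
    printf '<?php // unexpected file\n' > "$site/wp-content/uploads/x.php"

    if verify_manifest "$site" "$site.manifest"; then
        echo "unexpected: no changes detected"
    else
        echo "changes detected on live tree (listed above)"
    fi
    rm -rf "$site" "$site.manifest"
}

demo
```

    Keep the baseline manifest somewhere the web server cannot write (or regenerate it from the deploy artifact), otherwise anyone who can change files can also change the manifest. A read-only live file system, as in the comment above, removes the window entirely; the check is a fallback that turns silent file edits into something that shows up in monitoring.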