GoDaddy and WordPress Hacked

If you have a WordPress site installed on GoDaddy (and others) that has suddenly started running very slow or displaying “odd” behavior you need to check and make sure your site hasn’t been hacked.

The quickest way is to view source on your site. Scroll to the bottom and see if you have a reference to www.kdjkfjskdfjlskdjf(dot)com

If you see that, then you have been hacked and there is a lot of cleanup to be done on your site.

The malicious script will have been written to every .php file on your site. This includes your wp-config.php as well as all the .php files in your plugin directory (and that could be a lot of .php files)

If you are running WP 2.9 or earlier, you are playing with a loaded gun. Especially if it is 2.9. There was a well documented security issue when it came out. WP released 2.9.1 almost the next day and pleaded with people to update.

What if I’m not hacked but my site is SO SLOW!

Probably caused by someone on your server being hacked. For the most part this should have already been resolved. GoDaddy has been working overtime to get this resolved and off their servers.

This is actually the second major attach. The first was on Sat. April 24th I believe and the second on May 1.

The attacks have not been limited to GoDaddy, others have been hit as well. But GoDaddy hosts a lot of WP blogs. And they are a big target.

If you are on GoDaddy you probably got a email from them this past week. READ IT if you still have it. I’m afraid some will simply have deleted it without reading. The short version. If you aren’t on the latest release of WP, then please, upgrade now.

I spent several days this past week cleaning up and updating sites. Some my own, some for others. One had been hit with the attack, the other was obviously on a server that had been hit.

Do You have any Old Abandoned WP installs?

I decided it was time to get rid of all those legacy “play” and old listing sites I had out there.   It seems once your hosting is hacked it can roam the directories to every other WP install.   This is why any backdoor is access to all.

I’ve also added a little piece of code to the .htaccess file on all the sites to keep the wp-config file from being changes.

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>

If you decide to add this code do it in notepad and FTP it back to your site.   Just an extra lock on the door.

Yesterday I know a lot of people were waiting to see if they would be hit again.   As far as I can tell from the lack of chatter on the issue it was a quiet weekend on this front.

If you have any questions or suspicions you might have been hit.   I’ll be glad to check for you.

Have a Great Mother’s Day all.

Comments

  1. Crap! I’m afraid to go look. I’ve got a bunch of single listing WordPress blogs and I’m hoping things are ok.

    Thanks for the heads up Dave. 😉
    .-= Joe´s last blog ..Happy Mothers Day, ~ The Lane Real Estate Team 🙂 =-.

  2. does this only affect godaddy hosting?

    I do not understand how anyone could enjoy doing this to someone….
    .-= Pierre Batbatian remax agent montreal´s last blog ..testing 2 =-.

  3. Pierre,

    “If you have a WordPress site installed on GoDaddy (and others)”
    “The attacks have not been limited to GoDaddy, others have been hit as well. But GoDaddy hosts a lot of WP blogs. And they are a big target.”

    They enjoy it because once this script is run on your system it will try and install malware on any of your visitors computers. Which is even worse than you having the virus. Once the malware is installed it will begin harvesting information for those computers. Infecting your system is only the means to an end.

    Dave

  4. Joe,

    I looked : ) Your sites all seem to be fine.

    Say hi to Colleen for me.

    Dave

  5. Surely have to check , which site share has been attacked.

  6. Is it only for the Wp blogs or others also. I have check mine realestate blog

  7. It there have been more than just WP sites hit. Any site with .php files has been a target. For some Access was by FTP for others it was the 2.9 security leak.

    Dave

  8. I was hacked twice on Godaddy and then decided to move all my WordPress sites to Hostgator.
    .-= John Soares´s last blog ..Why I Left Godaddy Hosting =-.

  9. @John,

    Not sure leaving GoDaddy solves anything. You might have jumped from the frying pan into the fire. Simply search for \”hostgator hacked\” and you\’ll see what I mean.
    .-= Joe´s last blog ..Homes for Sale in Cottonwood Springs Kennewick Washington =-.

  10. Thanks for your report on this. My main site is on GD, and I’m researching how to add a WP blog to that domain and the related activities required to be mindful of both safety and SEO. Makes sense that GD would get the notice in the press with the high volume of hosting they do.

  11. I’m glad you posted this. I wasn’t aware of it until my friend told me that she had received an email stating that the email address had been changed to the hacker’s email address and in the process had transferred two domain names under their account. They immediately reported the whole situation but then GD acted quite indifferently about it and acted as if they didn’t care. Strict laws should be implemented for committing serious offenses such as hacking!!!!