
Website Been Hacked

These issues are known to us but not to the customer. You should not feel bad about it, you are not responsible for what happened.

I will answer your question

My intention in posting this thread is to ask if any of you here are facing this problem, and to let everyone know that this attack is happening in every part of the world.

No, I do not face such problems, or this specific one.

I do not know how many years of experience you have, but this job requires patience and strong nerves.
 

Well, I'm still a newbie: 7 years in this job, hoping to gain more knowledge and experience. Thank God I found Babiato! Kudos to all, you guys are really helpful and generous. I never faced such problems in the past 7 years, hihi. This is my first time though.
 
I've developed tons of WordPress websites, and thankfully none of them was hacked (AFAIK), but I take some measures to make sure my WordPress install is secure enough.

Let me tell you what I do in my WordPress installs:

  • Install Wordfence (with the "optimize firewall" option)
  • Hide wp-admin behind something complicated (I use the "WPS Hide Login" plugin)
  • Add reCAPTCHA to the login page and comment section (I also add it to WooCommerce forms and Contact Form 7 forms)
  • Add Akismet Anti-Spam to protect from spam (both comments and Contact Form 7 forms)
I've seen websites that had 10k+ brute-force attempts every month; if you apply everything I told you above, you can reduce it to 20 brute-force attempts every month.

Also, never use "admin" or "[insert site/brand name here]" as a username; those will be the targets for brute-forcers.

You can use the tool "WPSec" to check if you have any known vulnerability from a plugin that your WordPress install has.

Hope this helps, and to all Babiato users, feel free to tell me other ways to protect a WordPress website :)
 
Thanks
 
Do not install any firewall; better to route DNS through Cloudflare. Then see how many hack attempts are happening to your website.

  • Avoid nulled plugins and themes
  • Use a captcha or limit login attempts
  • Hide WP meta through WP Hide-type plugins
  • Aggregate feeds through FeedBurner or disable them
  • Use SSL for admin
    /* SSL in wp-config.php */
    define( 'FORCE_SSL_LOGIN', true ); // deprecated since WP 4.0: FORCE_SSL_ADMIN already covers the login page
    define( 'FORCE_SSL_ADMIN', true );
  • This one is very important

    /* Updates */
    define( 'WP_AUTO_UPDATE_CORE', true );
    define( 'DISALLOW_FILE_MODS', true ); // blocks plugin/theme installs and updates from the admin UI; note that it also disables the automatic updater, so WP_AUTO_UPDATE_CORE has no effect while this is set
    define( 'DISALLOW_FILE_EDIT', true ); // removes the theme/plugin file editor from the dashboard
This much can protect you from hacking. Note: do not use any security plugins.
 
Yeah, I agree with you. For the first website I didn't do much, because I didn't provide the client with hosting; he picked the hosting provider himself, so he asked them to fix everything. Once it was back to a normal state, it happened again. Now the hosting provider has given up and asked my client to redo the whole website again, which is a pain in the a*s for me. I saw the database: they copied the database and it's haywire.

For the second one I already followed suggestions from our fellows here on Babiato. My hosting provider restored it and did some fixes, but asked me to re-install a fresh theme and plugins. I also installed WP Hide. So far it turns out OK, but I'm still observing the website.

I would love it if you could scan the website. Is there anything I should provide for you to scan the website?

Thanks

Yes, I can do a fast local scan, so just zip me all the files. Otherwise I can't do much. At least I'll point you to all the known traps inside this project. Keep in mind the whole server can be affected, and even after cleaning everything there's still a risk involved.
 
Do not use Wordfence; it adds a lot of load time to the server and website. It slows down the site. Use Cloudflare instead.

Use the Sucuri WordPress plugin to seal the security using their anti-hack mechanisms. Sucuri is the most important plugin for every WordPress install.
Review: https://gizmolord.com/sucuri-web-security-malware-cleanup-service/

Use the WP-Sweep plugin for deleting old leftover files from removed plugins and other old data from the database. This plugin is better than the WP-Optimize plugin, as stated by well-known websites and authors.


 
This is a very common issue and can be resolved in a few easy steps. It hardly takes 1-2 hrs.

Suggestions:
- Always avoid nulled themes/plugins;
- Keep WordPress/themes/plugins updated;
- Keep changing your admin password;
- It's better if you activate 2FA on the admin account.
 

100% agree with this. If you're going to be working with WordPress, you have to understand that it's so popular people will always target sites using it. That being said, after setting up a client's site with everything they need, you'll have to make sure to properly secure it.

1. Wordfence [ helps detect and remove malicious scripts/code ]

2. WP Hide [ helps change the login URL / admin URL / other obvious WordPress signs and exploits people try to use ]

3. Google reCAPTCHA

4. Lastly, but definitely important: monthly full backups. Even if you do everything right, something can go wrong, so set up a system for monthly backups.

5. Don't use nulled themes/plugins from random sources. After using them on different websites and having plenty of headaches, I came to find out how most of these free theme websites are scams to rob you of your website or simply to use your website as a spam link farm. Now Babiato is the only website source I use to test themes/plugins using a nulled version, but even with Babiato I thoroughly scan before I use the resources, and I scan with Wordfence after I've installed the resources just to be sure.

As for getting rid of the malicious code you have on clients' websites at the moment, it'd be easy if you had a full backup: then just restore it. If you still have access to the website, add the Wordfence plugin and do a full, thorough scan; it should be able to find most of the foreign code/scripts that don't belong and help you remove them. In most cases they aren't hard to find manually if you really look.
 
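What the "fast local scan" offered a few posts up and the "not hard to find manually" hunt above look like when written down. This is an added example, not code from the thread or from Wordfence: a PHP CLI script you run over an unpacked copy of the site. The paths and file contents in build_sample_site() are constructed so it runs offline, and the pattern list is a starting point for triage, not a complete signature set; every hit still needs a human to read the file.

```php
<?php
// Added example, not code from the thread: an offline triage scanner you can run
// over an unpacked zip of a compromised WordPress site. It flags the constructs
// that injected code relies on and PHP files sitting under wp-content/uploads.
// Manual review of each hit is still required; this only shortens the hunt.

const SUSPICIOUS_PATTERNS = [
    // eval() of a decoded/inflated blob: the classic one-line backdoor
    'eval_of_decoded' => '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    // request input fed straight into code or shell execution
    'request_to_exec' => '/\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b/i',
    // preg_replace with the /e modifier (removed in PHP 7) = code execution on old hosts
    'preg_replace_e'  => '/preg_replace\s*\(\s*["\'][^"\']*\/[a-z]*e[a-z]*["\']\s*,/i',
    // function names assembled from \xNN escapes to dodge a plain grep
    'hex_escaped'     => '/\\\\x[0-9a-f]{2}(?:\\\\x[0-9a-f]{2}){5,}/i',
];

function relative_path(string $path, string $root): string {
    return str_replace('\\', '/', ltrim(substr($path, strlen($root)), '/\\'));
}

function scan_file(string $path, string $root): array {
    $findings = [];
    $rel = relative_path($path, $root);
    // A stock site never has executable PHP in the uploads tree.
    if (preg_match('#^wp-content/uploads/.*\.php$#i', $rel)) {
        $findings[] = 'php_in_uploads';
    }
    $src = file_get_contents($path);
    if ($src === false) {
        return $findings;
    }
    foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $src) === 1) {
            $findings[] = $name;
        }
    }
    return $findings;
}

function scan_tree(string $root): array {
    $report = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || !preg_match('/\.(?:php|phtml|inc)$/i', $file->getFilename())) {
            continue;
        }
        $hits = scan_file($file->getPathname(), $root);
        if ($hits !== []) {
            $report[relative_path($file->getPathname(), $root)] = $hits;
        }
    }
    ksort($report);
    return $report;
}

// Constructed sample tree (hypothetical paths and contents) so the script runs offline.
function build_sample_site(): string {
    $root  = sys_get_temp_dir() . '/wp-triage-' . bin2hex(random_bytes(4));
    $files = [
        'wp-content/themes/shop/functions.php' => '<?php add_action("init", function () { register_post_type("deal"); });',
        'wp-content/themes/shop/footer.php'    => '<?php wp_footer(); if (isset($_POST["p"])) { eval($_POST["p"]); } ?></body></html>',
        'wp-content/uploads/2020/11/cache.php' => '<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>',
        'wp-includes/version.php'              => '<?php $wp_version = "5.5.3";',
    ];
    foreach ($files as $rel => $content) {
        $full = $root . '/' . $rel;
        if (!is_dir(dirname($full))) {
            mkdir(dirname($full), 0700, true);
        }
        file_put_contents($full, $content);
    }
    return $root;
}

$root = build_sample_site();
foreach (scan_tree($root) as $file => $hits) {
    printf("%-40s %s\n", $file, implode(', ', $hits));
}
```

Against the constructed tree this reports the theme footer (request input passed to eval) and the PHP file under uploads (both for its location and for the eval of a base64 blob), and stays quiet on the clean functions.php and version.php. On a real site, point scan_tree() at the unpacked zip and pair the hits with a diff of wp-includes and wp-admin against a fresh download of the same WordPress version; injected code in core files is the part a pattern list will miss.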
Hello,
I can help you with virus cleaning on a single site for $80.

Staff edit: you didn't read the rules carefully, you posted in a language other than English, and you offered to sell your services.
3 strikes at once, resulting in an immediate ban.
 
Hi there, you wrote in Turkish! I wanted to answer in Turkish too. English is a rule of course! Why is your price so expensive?
Don't bother asking anymore, as the user has been banned.
 
In my experience, websites getting infected with JS injections, or completely taken over, is usually the result of the following:

1) The admin's computer is infected, and the password saved in the browser gets used by the attacker.

2) Poorly nulled plugins. Sometimes genuine plugins get exploited too, because of rushed / unpolished updates that leave a lot of holes for attackers to target.

3) Websites using outdated themes (the WordPress defaults). Usually we don't bother updating them, but I would suggest completely removing them if they're not being used.

4) A website that offers a form of any kind should look into using a CDN with a firewall, or Wordfence, as some forms have an upload field which can be used by attackers too.

5) If the attacker gets hold of the admin login, even without cPanel credentials, they can access the website's MySQL (with the help of plugins & the wp-config file) and ruin the website completely.

Suggestions: run a monthly backup from cPanel and from the WordPress site. DELETE unused/unwanted plugins & themes. Clear all the clutter so that you and your visitors can have a fast and smooth WordPress experience.

Cheers
 
Hello Brothers,

I have one issue with the admin's login email ID: whatever ID is used, it somehow sends a few emails to site users, thereby revealing the admin's ID at times, especially for e-commerce sites where regular order updates are sent through email. What would be a way to hide the admin's email ID for ever?

For the rest, in my quest to harden the security lines at the gateway to my or my clients' websites, I follow the steps below:

- Changed the login URL
- Set redirects of the known URL combinations to ---> a 404 page ---> which finally takes them back to the home page
- Installed a plugin to accept a hardware security key as 2FA, over and above a 20-character password
- Set brute-force protection to around 3-5 wrong password attempts and then lock out for a few hours, before placing a permanent ban on the IP if a similar adventure takes place from the same IP (which rarely happens, especially when VPNs are used on the perp's end)
- Login verification with OTP
- HTTPS

Did I miss doing something more, or was it already overkill? :p
 
What would be a way to hide the admin's email ID for ever?
For my clients' sites I am using custom SMTP plugins and a private SMTP server that override all WP mail settings and send update and notice emails from no-reply@domain.
This way your main admin address is hidden and you're only receiving critical emails from the website.

Did I miss doing something more, or was it already overkill?

Make sure your XML-RPC is not accepting, or is blocking, queries related to [login], or is disabled completely if you don't use it.
 
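The measures from the last two posts (send site mail from a no-reply address instead of the admin's login address, block XML-RPC login and pingback traffic, lock an IP out after a handful of failed passwords) can live in one must-use plugin without any of the plugins named in this thread. The code below is an added example, not from the thread or from any of those plugins; EXAMPLE_MAX_FAILURES, EXAMPLE_LOCKOUT_SECS, the no-reply address format and the assumption that REMOTE_ADDR holds the real client IP are choices made for the example.

```php
<?php
/**
 * Plugin Name: Example Hardening (added example, not code from the thread)
 * Description: Drop this file into wp-content/mu-plugins/. Sends mail from a
 * no-reply address, blocks XML-RPC authentication and pingbacks, and locks an
 * IP out after repeated failed logins. Threshold, lockout window and address
 * format are assumed values; adjust to taste.
 */

if (!defined('ABSPATH')) {
    exit;
}

// 1. Never send site mail from the admin's login address.
add_filter('wp_mail_from', function ($from) {
    $host = wp_parse_url(home_url(), PHP_URL_HOST) ?: 'localhost';
    return 'no-reply@' . preg_replace('/^www\./', '', $host);
});
add_filter('wp_mail_from_name', function ($name) {
    return get_bloginfo('name');
});

// 2. XML-RPC. xmlrpc_enabled=false only refuses calls that need a login;
//    pingback.ping needs none and is used for floods, so strip it separately.
define('EXAMPLE_XMLRPC_NEEDED', false);   // true only if Jetpack / the mobile app must use it
if (!EXAMPLE_XMLRPC_NEEDED) {
    add_filter('xmlrpc_enabled', '__return_false');
}
add_filter('xmlrpc_methods', function (array $methods) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall'],   // lets one request carry hundreds of login guesses
        $methods['wp.getUsersBlogs']    // the usual credential-check method in brute-force kits
    );
    return $methods;
});

// 3. Failed-login lockout keyed on client IP, stored in transients.
const EXAMPLE_MAX_FAILURES = 5;                   // failures before lockout (assumed)
const EXAMPLE_LOCKOUT_SECS = 3 * HOUR_IN_SECONDS; // lockout window (assumed)

function example_client_ip() {
    // REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless your
    // proxy/CDN overwrites it and the real address is restored before this runs.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function example_lockout_key($ip) {
    return 'example_login_fail_' . md5($ip);
}

function example_is_locked_out($ip) {
    $state = get_transient(example_lockout_key($ip));
    return is_array($state) && $state['count'] >= EXAMPLE_MAX_FAILURES;
}

add_action('wp_login_failed', function ($username) {
    $key   = example_lockout_key(example_client_ip());
    $state = get_transient($key) ?: ['count' => 0];
    $state['count']++;
    // The window restarts on every failure, so a slow trickle still adds up.
    set_transient($key, $state, EXAMPLE_LOCKOUT_SECS);
});

// Priority 30 runs after the core username/password handlers at 20, so the
// WP_Error returned here is what wp_authenticate() sees, correct password or not.
add_filter('authenticate', function ($user, $username, $password) {
    if (example_is_locked_out(example_client_ip())) {
        return new WP_Error('locked_out', __('Too many failed login attempts. Try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_lockout_key(example_client_ip()));
}, 10, 2);
```

One caveat matters for anyone following the "route through Cloudflare" advice earlier in the thread: behind a CDN, REMOTE_ADDR is the CDN edge's address, so a lockout keyed on it would block every visitor arriving through that edge. Restore the real visitor IP at the web server or PHP layer (the CDN's documented real-IP mechanism) before enabling the lockout part.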
Screenshots: I randomly took them from @danielpk's website, as mentioned by him on his forum profile. My query is as under:


Wondering how people get rid of these mentions of WordPress / WooCommerce in their source code, despite using "Hide My WP"-type plugins? When surfing websites I randomly check the source code, and have found that many websites have covered their WP tracks but fail to hide these few popcorns in many places in their source code.

Hey bud, currently I'm not running any plugin to mask my original file paths. But I have mentioned this before in other topics, and I'll mention it here too: there is absolutely no way to hide the fact that your site is on WordPress. You can rename the folders to whatever you wish. At the end of the day, it will still be somewhere in the source code. UNLESS you're not on a CMS platform.

The source code still needs these "popcorns" xD ... people with the time and knowledge to find out if the site is on WordPress will eventually find it.

And to be frank with you, I really don't care about it. I'm sitting behind a CDN with a firewall, and I have my backups made every now and then and saved locally to my HDD.
 
Maybe a thought worth a cent on why, like many, I too feel the urge to hide trace elements of WordPress and its popcorns:

EITHER too ashamed of using WordPress - No

OR we need to hide traces of the popcorns (plugins) because we never know who may harness their weaknesses and f*k up our project websites - in all probability YES

Without that we may lay a red carpet for perps to plan their move once they learn what all the ingredients used to develop the website are. Why risk a project unnecessarily, when the idea is to use a little caution to help slow down or thwart any f*kups.
 
Definitely the 2nd. Though personally, I take it as a challenge upon myself to fix an issue if and when it arises :D

Another reason could be the following:

1) You're a web development agency, and your client is a cheapskate. They want the cheapest possible, with disregard for the safety of the site or its performance. So you charge them extra for the maintenance and leave the popcorns to sit.

2) You have OCD and can't be bothered to change the file paths / login URLs, and would much rather deal with the issue if and when it happens (me).

The pre-safety measures I personally take I find are sufficient. If we're talking about other valuable things such as a vehicle or a house, I'd rather do the necessary pre-safety measures 2-3 months ahead of the deadline.

If I'm working on a client's website and things are going smoothly, I will ALWAYS suggest such steps to take, and will always educate them on where to watch where they step (if I'm handing the website over to their developer).

But, that's just me.
 
I know there are expert webmasters here who are more experienced than me, but I would like to share something I personally use: a plugin which is tried and tested. I use this plugin called WP Hide and Security Enhancer to change my login URL and dashboard URL, and it has been working for me. Here's a link to the mentioned plugin

............................................

Thank you, I will give it a try.
 