WordPress Website Hacked - Now Redirecting

[WendyMay]

Earlier this week, I visited one of my WordPress blogs and to my surprise, I found that it was redirecting to a website with the URL of DoNotifyFriends[dot]info. I freaked out a bit and was just about to place a support ticket with my hosting provider (LiquidWeb) when I realized I could restore the website to an earlier version through my backup provider (CodeGuard). I was lucky that I hadn’t written any new posts or changed the site any in the past week, so I went ahead and restored the site to two days previous. That worked perfectly and I was a happy camper.

Just as luck would have it, I woke up two days later and the blog was hacked again. This time, the domain was forwarding to BeMyLittleTeddy[dot]info and Gearbest[dot]com. By this point, I was pretty angry and I wanted to find out what was going on. I sent in a ticket to the site host after restoring the website again to a few days previous. This was their reply:

Typically these happen from outed or insecure plugins. A few plugins recently have been getting hit hard. With a couple, even if uninstalled, they leave items behind in the database that still allow a back door to be opened. With the site not redirecting, there is little we can go on now as we would need to see the site hacked and redirecting to start to track anything down.

Totally understandable. I was hoping they could look in the log files and get an idea of what happened. That’s not likely to help much since I’m sure hackers use all sorts of IP addresses.

After this, I decided to install a security and firewall plugin on the website. After reading all sorts of reviews, I installed the WordFence plugin and am hoping this helps.

I’m wondering if anyone else has had their WordPress website or blog hacked so it redirects to some spammy sites. This is getting on my nerves.

UPDATE

I’ve been checking out some tech forums and have found the culprit! Lot’s of people are getting hit by this hack and it appears to be coming from an abandoned plugin. Sites with this old plugin installed are pointing to these spam domains. Everyone is looking for a solution.

The post I read that helped the most stated that the author disabled all of their plugins while the website was still redirecting. After they did this, the site was fine and it didn’t appear to be hacked anymore. Then, they began activating each plugin, one by one, in an effort to see which one was causing the redirect.

In their case, the malicious redirect was caused by the yuzo-related-post plugin, which, as I just discovered, I have installed on my site. I also discovered that this Yuzo Related Post plugin has been discontinued since March 30, 2019. I not only turned the plugin off, but I also uninstalled it. I hope this helps and I don’t get hacked again. I’m just concerned that, as my host stated, this plugin didn’t leave anything behind in the database that is keeping a back door open.

 

[15Katey]

Some months back I faced this issue and didn’t get a good response from my hosting provider (Shared hosting), just for the security reasons I have moved to WordPress hosting with Cloudways managed the platform, They offer security and 24/7 daily backup, Nothing went wrong yet so far.

 

[WendyMay]

Some months back I faced this issue and didn’t get a good response from my hosting provider (Shared hosting), just for the security reasons I have moved to WordPress hosting with Cloudways managed the platform, They offer security and 24/7 daily backup, Nothing went wrong yet so far.

I guess you’re going to get bottom shelf support when you go with shared hosting, although it really does depend on what options you have, even if you’re using a dedicated server. I use CodeGuard for backups and restored my website from an earlier version of it and I’m lucky I had that version. I suppose I could have waited to learn which file was targeted and simply removed that one. The news came out with that information in just a few days. In the meantime though, my site would have been redirecting to some strange places.

What’s the moral of the story? Stay away from shady WordPress plugins that are no longer being developed and always have backups of your websites.

 

[15Katey]

I had the same issue a year back when I was hosted on a shared server, It happens due to sharing the same server with multiple websites, then I found a developer who got the data back and restore my website. Then, I moved to managed hosting for WordPress by Cloudways and their platform is fully secured by firewall, they keep daily backup and run security check for websites.

 

[WendyMay]

I had the same issue a year back when I was hosted on a shared server, It happens due to sharing the same server with multiple websites, then I found a developer who got the data back and restore my website. Then, I moved to managed hosting for WordPress by Cloudways and their platform is fully secured by firewall, they keep daily backup and run security check for websites.

Even though you’re obviously a shill for Cloudways, I’ll bite and add my two cents. I think many WordPress hosting environments offer a firewall to cover their network from things like this. I operate on a dedicated server environment though, so I’m not sure that would apply. Also, my current server also offers a firewall that’s running all the time. This particular hack circumvented that firewall and the perpetrator snuck right through. The definitions for the firewall weren’t there to block this particular attack.

I have recently installed WordFence as a plugin for my WordPress installs and it seems to be doing a good job. This plugin actually protects the entire domain, not just the directory in which WordPress is installed. It’s also free, which is nice. They do offer a paid “pro” plan though.

 

[WendyMay]

Website Hacked Because of Yuzo Related Posts Plugin​

I wrote an earlier post above describing a specific situation fairly clearly, but I thought I'd summarize what happened here. This is important information and I don’t want anyone to miss it. To get caught up with what’s going on with the Yuzo Related Posts plugin hack, please read through this post and then return here.

Okay, I’ve been doing a bit more research on this topic. As you know, one of my blogs was hacked on April 19, 2019 and because of this hack, it began redirecting to some spammy websites. Most notably DoNotifyFriends[dot]info, BeMyLittleTeddy[dot]info and Gearbest[dot]com. After reading a very well written description of what went down on the WordFence blog, I now have a clear picture of what occurred.

Apparently, the Yuzo plugin was removed from the WordPress plugin directory in late March 2019 because of a vulnerability in their coding (stored cross-site scripting (XSS) that went unattended to. When there’s a vulnerability in a plugin’s code, this is what WordPress does. They remove it from the directory. Unfortunately, even though the plugin was removed, no one who had it installed had any way of knowing there was an issue. Anyway, there was some sloppy coding, WordPress got rid of the plugin and for some strange reason, someone out there decided to announce to the world, and the hacker, what the exact vulnerability was. When the hacker heard this, they went ahead and created some malicious code and then crawled the web to locate the over 60,000 users of this plugin. Once they did that, they injected malicious JavaScript into one of the files of the plugin, causing the redirect. As you know, finding the actual problem file is the toughest thing to deal with when attempting to repair a hacked website. It’s been suggested that anyone who has this plugin installed on their website remove it immediately. Don’t just disable it, remove it entirely.

To read more on this topic, please take a look at this post and reply down below if you have any questions or to let me know about what happened to your own website or blog.

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild