Some Advice if your Server Get Hacked

Banderas
WordPress site has all of a sudden starting receiving direct traffic to URLs that don’t exist?
Does anybody have any idea what this could be?
Hacking attempt maybe?

might my server get hacked
🔗🏹
💬🗨

Ramon
have you tried hitting those urls using a user agent switcher? It may be that regular people can't see those urls, but googlebot can – which would mean your site is hacked
👍3
Banderas ✍️
No not tried an agent switcher. If you try and visit one of the URLs it just redirects to the homepage.
Lakshay
These maybe the bad backlinks generated to your website.
👍🤭2

Banderas ✍️ » Lakshay
they’ve only just appeared today.

Banderas ✍️
Seems very coincidental as I’m just in the process of switching development companies 🤔
Roger
Those are hackbots probing for vulnerabilities. It's like a car thief, walking down the street checking car door handles for ones that are unlocked.
👍5

Banderas ✍️
Ah ok thanks Roger, so hopefully they haven't got in yet
Roger
If you get too many then it can slow down your site, like a DDOS. You can install Wordfence and that helps a lot. You can also use Wordfence to create special rules that immediately block specific User Agents. Using Wordfence you can see what IP addys, UA (User Agents), and webhosts they're coming from. So if the majority are coming from Bluehost or AWS, then you can simply block that webhost and no matter what IP they use, as long as it's a Bluehost IP, it's automatically blocked.
I wrote an article about it recently and will try to publish another article with more specific/advanced advice later this month.
https://www.searchenginejournal.com/how-to-protect-wordpress-from-hackers/386512/
How to Protect a WordPress Site from Hackers – Search Engine Journal
👍4
Roger
Also, make sure your site is not already hacked, probably not. I see this kind of thing all the time.
👍3
Banderas ✍️
Great thanks. I'll have a look at Wordfence 👍
Roger » Banderas
There are many security plugins, but imo, Wordfence and Sucuri are the top plugins. The premium version of Wordfence protects you from vulnerabilities as soon as they're discovered and I think gives you the ability to block by country.
Some of that functionality is also present in Cloudflare, which also has DDOS and bot mitigation features.
Sucuri has site scanning features, site hardening against hacks and the premium version has a firewall that can block bots.
👍3
Banderas ✍️
I’m just looking at Cloudflare, there seems to be lots of attacks it’s blocking but some must be getting through. I think I might be able to block the IP from CF.
👍1
Roger » Banderas
Don't be surprised if they switch IP addresses. Once you block one IP they cycle to a new one.
That's why it's better to block by webhost IF that's an option, though it's not always. For example, hackbots originating from Bluehost I've found can be blocked by webhost. Hackbots originating from Digital Ocean I can't, not with Wordfence.
I use Fail2Ban at the server level (on a dedicated server) and that does an okay job, but I can still see hackbots coming in.
👍1
Banderas ✍️ » Roger
ok thanks. It seems to have reduced after I put it in attack mode in Cloudflare. I’m just going through Wordfence now. Not sure how to block from server level but will have a look at fail2ban 👍

👈📰
Tome
Add the site on Cloudflare on: under attack mode, and add Wordfence security plugin and scan the site but don't delete the files but try to manually clean it.
👍1

Banderas ✍️ » Tome
ok done that and adding Wordfence now 👍

Matt
Happened to a client recently. You've been hacked. It's already too late. Do a malware scan with something like Wordfence Security and remove malicious scripts/files.
👍1

Banderas ✍️ » Matt
oh god really?
Matt
It sounds scarier than it is. But yes. There's a PHP script on your site that randomly redirects traffic to cheap ads, spam, etc. So it's hard for you to see it yourself. But a tool like Wordfence identifies and explains all the extra files they've added and sometimes automates removal.

Marcin
You are hacked…probably some kind of plugin has a whole.
👍2

Banderas ✍️ » Marcin
thanks. Is this a common issue with WordPress? As this isn’t the first time this has happened.
Roger
That does NOT mean he's hacked. Those are hacker bots probing for vulnerabilities. It only means he's hacked IF the URLs exist.
This is a very common thing that happens to sites that are not hacked.
👍1

Kirill
Hi David. On a first – restore backup of your site and database a month ago or later. You need to understand when it’s happened, next – check your SSH (Secure Shell) with a tool like Ibolit or delegate this step to your hosting provider Or support company – its to detect and close a weak spots in your site. Next – use Tool for bulk temporary rejection bad links from google index.

Banderas ✍️ » Kirill
ok thanks for the input Kirill 👍

Jigs
You may not be hacked but what you can do is find where the direct traffic is comming from and block the pattern or ip from Wordfence, Cloudflare or .htaccess
But your site has been added to hackable list of world's hackers so be ready to be attacked every now and then.
👍1
Srikant
I too received such traffic. It is not hacking. Two years back, it used to impact ranking. But this year is different. Such backlinks from non existing sites has no impact in ranking. I used to disavow these links at search console.
👍2

Lakshay » Srikant
Yes absolutely right brother… hacking is different thing it will first impact on your website content or database, and these are the landing pages with different source of non existing reference backlinks which is easy to detox them by SEMrush or disavow. David you should still upload Wordfence or blog vault plugin to make your website secure for future from vulnerabilities.
👍1

SiOates
I started received the exact same type of traffic today, naturally I've stepped up security somewhat. Wordfence premium scan still showed no evidence of an actual hack though.
👍1
Banderas ✍️
Response from server guys;
Hi Dave,
Looking through your access logs I see that you are currently getting hit with 6 different bots. Usually you will only get hit with one or two crawlers at a time, and some of these are bots I have not seen in a while. It is possible to block the bots or to limit them if they are valid bots you want crawling your server. In order to block the bots your App will need to be in NGINX-only and you will need to decide whether to block them by App or by server. The following article has further information:
How to Block Crawlers and Other User Agents
I see that you already have a robots.txt but it does not have any of the bots I am currently seeing. The following is a list of the bots I am seeing:
www.semrush.com/bot.html
www.bing.com/bingbot.htm
www.google.com/bot.html
www.opensiteexplorer.org/dotbot
ahrefs.com/robot
ZoominfoBot
Please update your robots.txt to handle these bots, or let us know if you want us to add a block. Keep in mind if the site goes to NGINX only it will no longer be able to use the .htaccess file. If you do want this please let us know if you want it set per app or for the server
Banderas ✍️
Spoke with some other devs and they said nothing to major to worry about. Happens all the time with high traffic sites.
Just need to keep on top of security. No penetration as yet but lots of attempts so just stepping up security.
Thanks for everyone’s input, very much appreciated 👍👍👍
Basu
WordPress and security are like oil and water. They do not mix. 👍
👍1

👈📰
RELATED POSTs

Leave a Reply

Your email address will not be published.