Massive WordPress Security Alert - My WordPress Website Was HACKED! Must Watch Video!!
Вставка
- Опубліковано 5 жов 2024
- I thought it could never happen to me. I was wrong, my website was hacked. Find out what happened and why it was not that big of a deal for me.
Make a backup now. Here is a vintage WPCrafter video that will show you exactly how I backup offsite using a free tool • How To Backup A WordPr...
Get better hosting www.wpcrafter....
EXCLUSIVE WORDPRESS DEALS 2023
🟡 SureCart -- www.wpcrafter.... (SAVE 50% Auto Applied)
🟡 SureMembers -- www.wpcrafter.... (SAVE 50% Auto Applied)
🟡 Presto Player -- www.wpcrafter.... (SAVE 33% Auto Applied)
🟡 Astra Theme -- www.wpcrafter.... (SAVE 10% Coupon WPCRAFTER)
🟡 CartFlows -- www.wpcrafter.... (SAVE 40% Auto Applied)
🟡 Cloudways -- www.wpcrafter.... (SAVE 20% Coupon WPCRAFTER)
🟡 BuddyBoss -- www.wpcrafter.... (SAVE 10%)
Want to offer a discount to WPCrafter subscribers, contact me on my website
BEST WORDPRESS PAGE BUILDERS
🟡 Spectra -- www.wpcrafter....
🟡 Elementor -- www.wpcrafter....
🟡 Beaver Builder -- www.wpcrafter....
🟡 Divi -- www.wpcrafter.... (SAVE 20%)
BEST WORDPRESS HOSTING
🟡 Full List -- www.wpcrafter....
🟡 Cloudways -- www.wpcrafter.... (SAVE 20% Coupon WPCRAFTER)
🟡 Hostinger -- www.wpcrafter.... (SAVE 75%)
🟡 NameHero -- www.wpcrafter.... (SAVE 70%)
🟡 SiteGround -- www.wpcrafter.... (SAVE 70%)
CONTACT WPCRAFTER
☑ Website -- www.wpcrafter.com
☑ Facebook Group -- / wpcrafter
☑ Twitter -- / wpcrafter
☑ Twitter -- / adampreiser
All of the opinions expressed in this video are my own, I was not paid to make this video. Whenever there is a link in any of my videos, if there is a referral program available, please assume that you are clicking on a referral link.
Hey Adam, we have been making backups every 4 hours for our clients since 2015 (soon to go to 3 hours). But there is one thing you need to keep in mind. Make sure you have monthly backups that are kept for at least 6 months. A trend among hackers is to use a vulnerable to create a "back door" and then they will go dormant for a long while. Then when you least expect it they attack and when you load up your backup, the back door is in those backups as well. The reason I know this several of our clients last summer were hacked, they had backups dating back 4 months, all their backups had the back door in their backups.
I like your thinking... No such thing as too many backups! Thanks for sharing Adam.
Yea I have a crazy automated setup. It goes like this > backup every 4 hours and is sent to Dropbox > Dropbox pushes to my computer > My computer has backups to a NAS here. I end up with backups going back 12 months or more. And one time I did indeed need it.
Most virus scanners would detect those backdoors.
Great point thank you so much.
@@WPCrafter wow it really crazy automated setup for backup
Thanks for sharing your experience. Your recommendation of having an off site backup is 100% correct and the best advice. As a developer, I know that no advance piece of software/app/plugin with hundreds of thousands or millions of lines of code can ever be 100% secure. Mistakes happen to even the best coders out there, hence why having a backup is a must have solution. I'm going to analyze what's changed from the previous version of the plugin to the patched version for my own edification. Again, thanks for spreading the word.
Cutting edge content as usual! Thanks for keeping us on our toes. Very Best Regards, Nate
Great video! Lot of hacking going on right now. I did a video on this just the other day!
Thank you very much. Could you please share the link to the list you found on Facebook?
Yes, please.
Today, my website was hijacked and my host wanted $300 to help recover it. Thankfully I had watched your video a year ago and installed updraft! My recovery was easy-peezy and all by myself...Thanks Man!
Sorry to hear and happy you had a backup. Did you have Yellow Pencil installed on your website?
@@WPCrafter YES... and it had the most recent change date. I suspected it. I just noticed that I am reinfected so I guess that I have to ditch Yellow Pencil and maybe load a much earlier backup.
@@furtrapper11 You would have needed to disable YP. But they have an update out that fixes the vulnerability.
I hate when themes recommend installing like 10s of new plugins. :(
yes, I installed a couple of these recommended by Divi and now I am like.. what d fq
Thanks for not only looking after us Adam, but giving us timely solutions. G'day from Australia mate. 🇦🇺😎
Good to hear that you fixed this! Keep the videos coming!
Thanks, Adam for keeping us updated!
Just a brief clarification. In my formal life in the banking industry I was an Enterprise Risk Analyst and a control tester for JPMC and a very large corporate credit union. Your suggestion, which is over all great by the way, is technically a “loss mitigation” control - rather a way to “prevent” the risk from occurring; which is how you described it. (Not trying to be nit-picky, but to just add value to your suggestions and explication). Backups won’t *prevent* a hack from occurring; they will just help with what’s called “business continuity” I.e, processes and procedures that assist with a businesses ability to get back up and running after an incident causes down-time. Firewalls and dedicated IPs and things of the like help with preventing hacks. Thanks for the update Adam!
Best Protection: regular backups
Second-best Protection: paying attention to Adam Preiser
Thanks for this post Adam.
Paid plugins with frequent updates, and not too many plugins...and also daily backups. That's my plan.
I would recommend to backup every week not every 4 hours otherwise the virus might be traveling with your backup. I respect this man and it's only my advice but not trying to disagree with him his right aswell.
For me, it is important because my database is constantly changing with comments, student registrations, course progress, etc.
@@WPCrafter
Absolutely that's true what u said,
We need to back up every 4 hours for established sites.
For newcomers learning to create new sites and editing continuously must not keep the backup on auto and need to back it up less frequently otherwise the database may get corrupted if files are being edited while the backup is also being copied.
In that case we need to back it up manually or weekly after an edit for new sites under construction sites.
I love your video's keep us updated with all your research. Thanks
Thank god i don’t use this plugin. I was sweating for a min. My thoughts go to those who were hacked. Such a pain in the butt.
thank you Adam!! thank you!! ❤️😁❤️
Thanks for watching.
Make a video on this topic, best security plugin free and paid in 2020.
hi there, can you make an video on how to protect digital downloads on wordpress???
I have a backup but how do I know when the hacked happened to restore the correct one?
develop everything off site and use off site backups. The only sure way to know is constantly updating from off site original, replacing online exposed ones. If the files were exposed, they can't be trusted. You can go one step further - have one account for offline development and another for hosting to prevent cross contamination. Use Linux or Mac
Important vid. Sending warning and link to it to a couple of people right now.
Hey Adam....thanks AGAIN for helping us keep informed. Just wondering that if we backup every fours hours as you suggest, then how many backups should we be keeping in storage before we overwrite or delete the older ones?
I need to clarify that. I do 4 hours because my website is constantly changing with activity. Less active sites don't need to be backed up as often. I send them to Dropbox, and then they are sent to my local computer. I keep 7 days worth, but my local PC has its own backup that lasts much longer.
Thanks Adam...that’s very clear now.
Old video, but I hope to get answer to my question. In your opinion what is the best security plugin available at the moment?
Hello Adam, there is another hack via the register to site e-commerce, someone will register as a customer to buy or download for example, but somehow the user made himself administrator. I deleted them since administrators can delete content or edit links i suppose. I deactivate register option for now.
Good, that is the first option to do if you're developing a website.. You must choose to be customers or subscribers.. If you're using E-commerce is wise to turn it on
Update your website with security headers, particularily a content security policy. Blocks all non whitelisted resources :)
How about a link to those 300 plugins that MIGHT also be vulnerable
Please share the list of 300 plugins which might be vulnerable
Thanks for the heads up!
Is my yesterday backup ( or last week backup ) is safe ? I mean they maybe can install the hack one day and "activate it" a week later ?
Yes that happens. That's why it is good to have to rolling 30 days of backups.
Wtf is going just when I’m starting to learn about Wordpress security and all of a sudden youtubers that I’ve watched have gotten hacked, I’ve just watched your ithemes video two days ago
Say Adam,
Just sayinn??
If your backup offsite utility is a free a tool?
Doesn't that go against the grain of your message
about paid vs. unpaid dangers of hacking vulnerabilities?
Thanks for the heads-up on this new crap-hack though!
The community appreciates it...
Ha, great call out. I have the paid version of the plugin, that does the offsite backups. But it doesn't go against it, because there is a massive business model around the free version of the plugin. Of course, the paid version is not needed to backup offsite. But you go look at all the free backup plugins with less than 50k installs and no business behind it, those I won't use.
Thank you so much for the information. Social Warfare tweeted that they have an update and it should be fixed - how soon can we 'trust' this again (I have the paid version)?
Good video.. I want to ask about a change I made... I used the advance settings and enabled admin URL.. didn't break my site.. can there be future problems with that feature ?
Thanks Adam!
In regards to these plugin vulnerabilities, should this be something we should be concerned with on local wordpress installations? Also, once the plugins are deleted, do any of these leave remnants in the database? Such as extra tables?
You have nothing to worry about on local installations because there is no way for one of these scanners to access your site since it's not publicly accessible.
@@WPCrafter sounds good, thank you for your time Adam. Best regards.
Nothing will protect you against a zero-day vulnerability. There is always a window for exploitation. Some integrity tools could alert you of unauthorized changes to any of your files in real time and even restore the correct version for you. Not an easy game to play for non-technical people. A backup allow you to restore the version with the vulnerability, it is important to find the root cause and fix it or else you will be hacked repetitively.
Thanks, Adam.
Security is the reason I am leaving wordpress..
Thats happening to me right now, I don't have any backup and i need a fix
Try Sucuri. it is usually able to rescue your site even after being hacked.
Adam you are great dude))
Tomorrow i am working on my website and my itheme security detects some suspicious activity to my website who doing something wrong to my website... I am sharing that ip addresses 1. 66.249.79.102, 2. 203.133.169.113. They are lockedout by the security pligins... Can you tell me that is that good or bad?
Hey I'm going to do a Facebook Live and mention your website on my live,
Do you know what attack it was, xss,php injection, login brute force, sql injection.
hello, thanks for notifying. I am using itheme on my site which has been signaling time to time (for about 5 days already) that a user trying to connect as admin has been blocked. Do that mean am hacked? how do we really identify we are hacked? Thanks
Hi Adam.. i have 2 problems like this... whats plugins protec you recomend to use.? Thanks
Hi Aadam, thanks for the alert. I just noticed Forum section from your website is missing! any reason?
I am gonna take it down, just not sure how. It's still there, just the link is gone.
@@WPCrafter So, you are going to remove the forum section permanently, why like that? please let us know.
I've tried contacting you several times. Wish we could connect!
Hi Adam, I was creating a backup with updraft and uploading it to google drive, but I noticed that it cut my "uploads" folder into more pieces, did you ever experience that? Not sure how I would then import it, if it has many parts...
how to audit website? any tools?
What group was that on FB you said you seen the post. in yr vid here about 5:20
Oh I stated it there for sure. Its the MarTechWise group. It's a great group.
@@WPCrafter Cheers ole matey
Thanks a lot,.
so will you change your hosting cloudways to managed wordpress hosting?
No I'm happy with my hosting.
What firewall plugin are you running Adam?
I was using WebARX which advertises that they protect against 0-day attacks :-(
So what is the conclusion on Webarx?
They make a lot of marketing claims and it's not clear if what they claim is even possible. Their website claims they protect against 0-day attacks and that they check if your site has been changed.
When you see a plug-in that says it's 'open source software' isn't that an automatic red flag?
Most WordPress plugins are open source that’s the point of WordPress
@@TheDesignCreative So 'pro' versions of plug-ins are still open source?
Most of the Internet is powered on open source software. I'm not talking about WordPress, I'm talking about the server infrastructure.
@@WPCrafter Aha, thanks. TBH I didn't realise that.
Doesn’t ithemes help protect plugin hacks ?
Not if there's a zero day exploit.
Now it's ok.....end for this alert....
Haha, I think there will be more, would you agree?
What is the point of a backup if you dont know when the hack happened or what the hack was like most people.
Because if you watch my backup tutorial you would have 30 days of backups and potentially 6 months. If you are not engaged enough with your website to notice a hack within 30 days, you should hire someone to manage it for you.
@@WPCrafter That still did not answer the question i mentioned. Never said the hack didnt get noticed. I said how is the average person supposed to know WHAT or HOW it got hacked. A backup does not say hey buddy, this plugin is a problem. You can go back 30 days, doesnt mean the hole is still there, so what is the point. I got hacked a week ago, did your restore and it happened again.
Your website is almost always hacked when there is a vulnerability in a plugin. That happens either when you are not on top of keeping things updated, or in this case when there was a 0day attack. In both situations, a backup saves your ass. Simply restore the backup then update. Problem solved!
WPCrafter.com WordPress For Non-Techies as your video stated what if you have a website that does not have an updated good plugins, your site got hacked right. Sites still get hacked even when you do, maybe you did a check on all your plugins to find your social was the issue but not everyone is going to go through and spend hours to see if there is an issue with plugin x. Maybe you have a small plugin, chance of finding data is zero. Basically shit happens and there is no point of putting a bandaid on something that needs stitches. Backups dont solve the hole that is there, backdoor, bad files or anyone coming in again if you dont find the issue, bad plugin is still there. All your doing is removing the hack by using a backup not preventing. This video is very one sided. Anyways thanks, was just looking for a solution since you seemed like an expert, wasn’t looking to make this in to a big deal.
I just don't understand your argument here. Is it that having a good backup is not a good idea? That somehow it's not something that should be a site owners priority? And that because I am saying it is a good idea that the video is one-sided somehow? I would wholeheartedly disagree with that. Having a quality backup solution is place is ALLWAYS the ONE THING you have control over and is 100% the highest priority unless you want to spend $200 to Securi or some other service to fix your website. Priority one is always to get your website back online and buys you the time to sort everything else out.
google drive?
I have been facing a problem when i install themes. all themes looks like the screenshot: prnt.sc/n2s46h . where the theme is not rellay like this. theme sample: prnt.sc/n2s5y2 .... How can i solve this problem. if you can Help with this issue it will be great.. waiting for response.
Plz post Facebook link ...
You are wrong my friend. Someone got your domain's secret key. The end.
Which hosts do you use?
I think he uses InMotionHosting.
Sounds like a code injection exploit...
Is Google Drive backups an off-site backup?
Yes, those backups are stored in 3rd party cloud storage, which is outside of your hosting server
Zero views but 4 likes
That happens to all UA-cam videos when they are first published. Thumb's up show immediately, views don't.
I couldnt get past your intro
Sorry about that Mr. President.
Eighty bucks a month - oh man - CHEAP!!
you use too many plugins. my sites have just a few and only by larger, reputable developers. LESS IS MORE !!! so funny that youre admitting youre own faults ! you know whats RIGHT to do but dont do it....