Comments
Was it a zero-day? Or didn't you do the updates? And was it really WP, or a theme/plugin that you installed?
Also, do you really need an online CMS in the first place? An informational website looks like a good case for a static site via SSG.
j0n4s: Yes fuck WordPress... probably some plugin and not doing updates?
May I ask what exactly got hacked or what the damage was?
@Fast-Nop It's been live for four or five years or so, and yes we've been slacking with the updates. Tbh it's probably not WordPress fault at all, just that I'm incredibly irritated and angry :| SSG would be great and we use it for some other sites, but this is basically a blog with a handful of authors, so won't do. So yeah, our fault in the end, but fucking annoying :p
@jonas-w Yeah. Not entirely sure what happened, but I assume they've gained access to the code. We deployed this site a few years ago and it wasn't meant to run like it did for all those years. But we never got around to deploying it properly, so it just runs on bare bones and, being the hobby project that it is, we're not too good at actually updating things. The DB is intact, so I'm assuming they've gained access to the code. Or perhaps they've just completely fucked up some WP settings. Can also mention that we saw the admin usernames pop up in the logs a few too many times, so it doesn't seem to be brute force.
@catgirldev yes
@iiii not necessarily WordPress, but a CMS, yes
laceytech: I offer WordPress hack repair services to help customers sort out the issue, find out how they hacked you and then put in additional security to help prevent further attacks. Do you want help with this?
ben@lacey-tech.com
15 years experience in website development and certified ethical hacker
@laceytech Yeah no but thank you. We'll be moving to a different platform while we have that chance
I use Pantheon.io specifically because they lock down live as a read-only file system. Updates happen on dev and you push that to test (also read-only) and then to live. Like we used to do before everything got lazy within CMSes. Only a few hacks in 8 years and exactly zero hacks were due to defacement through the file system or even the database. The ones that did occur were due to external factors like poorly configured Cloudflare (not even necessary) and people with bad login security hygiene.
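The read-only live file system described above is a preventive control. As an added example that is not from this thread or from Pantheon, here is a minimal POSIX shell file-integrity check that records a web root's file hashes right after a deploy and later reports files that were added, edited or removed, which is the same drift a read-only live tier rules out. The sample tree and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: baseline a web root's file hashes after a deploy,
# then report anything that drifted, the change a read-only live file system prevents.
set -eu
# snapshot DIR: one "sha256  ./relative/path" line per regular file, sorted for comm(1)
snapshot() {
    (cd "$1" && find . -type f -print0 | xargs -0 sha256sum) | LC_ALL=C sort
}
# baseline DIR MANIFEST: record the known-good state of DIR into MANIFEST
baseline() { snapshot "$1" > "$2"; }
# verify DIR MANIFEST: print NEW / MODIFIED / MISSING lines; return 1 on any drift
verify() {
    dir=$1; manifest=$2; drift=0
    cur=$(mktemp); diffs=$(mktemp)
    snapshot "$dir" > "$cur"
    old_paths=$(cut -c67- "$manifest")   # 64 hex chars + two spaces, then the path
    cur_paths=$(cut -c67- "$cur")
    # only in the current snapshot: the hash changed, or the file was not there before
    LC_ALL=C comm -13 "$manifest" "$cur" | cut -c67- > "$diffs"
    while read -r path; do
        if printf '%s\n' "$old_paths" | grep -qxF -- "$path"; then
            echo "MODIFIED $path"
        else
            echo "NEW $path"
        fi
        drift=1
    done < "$diffs"
    # only in the baseline, and the path is gone entirely (a changed hash was reported above)
    LC_ALL=C comm -23 "$manifest" "$cur" | cut -c67- > "$diffs"
    while read -r path; do
        if ! printf '%s\n' "$cur_paths" | grep -qxF -- "$path"; then
            echo "MISSING $path"; drift=1
        fi
    done < "$diffs"
    rm -f "$cur" "$diffs"
    return $drift
}
# Constructed demo: a tiny fake web root, a baseline, then an edit and a dropped-in file
demo() {
    root=$(mktemp -d); man=$(mktemp)
    echo '<?php // placeholder index' > "$root/index.php"
    baseline "$root" "$man"
    echo '<?php // unexpected edit' >> "$root/index.php"
    echo '<?php // unexpected new file' > "$root/dropped.php"
    verify "$root" "$man" || echo "drift detected"
    rm -rf "$root" "$man"
}
demo
```

Run the baseline step from the deploy pipeline and the verify step from cron or the monitoring host, so the manifest itself lives outside the web root the site can write to.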
I run an informational website for medical students. We just got hacked. Fuck you and fuck you WordPress.
rant