It’s always hard to tell exactly why or how a site gets hacked. One of the WordPress sites I created for a client kept getting hacked. I took increasingly extreme security measures: changing the database table prefix, adding an .htaccess file to wp-admin that filtered by IP address, adding a plugin to encrypt logins, adding a firewall, moving wp-config to another directory, and other measures. I thought the problem was with WordPress.
Then last weekend, I checked the site, and it was totally gone. Completely? Yeah, completely. I logged into cPanel and the entire database had been deleted. Previous hacks had just deleted all posts, pages, and users tables in the database. Now the hacker turned it up a level and deleted the entire database.
I looked at the log files and noticed that an IP address from Calgary rifled through the client’s cPanel and finally deleted the database. After about 30 minutes with Bluehost tech support, the support person mentioned that someone had requested the password to be sent to the email address on file. It’s common to have a retrieval method in case you forget your password. Almost every website with a login offers this. Somehow the hacker retrieved the password this way — either by retrieving it from the client’s email or through another method (intercepting it?).
I pressed the support rep about the security and encryption for the password retrieval tool, and he did say that you can request the password for any domain by plugging in https://www.bluehost.com/cgi/forgot?domain= or http://www.bluehost.com/cgi/forgot?domain= and adding your domain after the = sign.
He then said, “I think our issue might be from our password request tool. I am reporting it now.” But he also suspected that the client’s email account had been compromised. He said changing the password may solve the problem entirely.
I don’t know if the password retrieval method is a common way to hack a site. But it’s a sneaky way to gain access. You may have a 25-character random password for your web host account, but probably not for your email. And do you really use different passwords for email, Facebook, Twitter, and the 75 other websites you log into? Guess one password and you probably have access to nearly all of them. Whatever mailbox receives the password-reset mail is effectively the master key for every account that resets through it. With access to email, all you have to do is retrieve the password from the web host, and within minutes you have access to the MySQL database, where all posts and pages are stored.
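The retrieval tool described above mails the stored password itself to the contact address for any domain you name. To make the difference concrete, here is that design next to a conventional reset-token design. This is an added example, not Bluehost’s or cPanel’s code: the account store, the domain, the contact address and the reset URL are all constructed for the demonstration.

```python
"""Two 'forgot password' designs side by side (added example, not host code).

WeakRecovery mirrors the behaviour the post describes: anyone who knows a
domain can ask for that account's password, and the stored password itself
is mailed to the contact address on file.

TokenReset is a conventional hardened design: the service never stores a
recoverable password, mails a single-use, short-lived random token instead,
and answers identically whether or not the domain exists.
"""
import hashlib
import secrets
import time

# Constructed sample account store. The weak design needs the plaintext
# password on file; the hardened design keeps only a salted hash of it.
ACCOUNTS = {
    "example.com": {"email": "owner@example.com", "password": "hunter2"},
}


def _hash_password(password: str, salt: bytes) -> str:
    # PBKDF2 keeps the demo dependency-free; argon2/bcrypt are the usual choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


class WeakRecovery:
    """Mails the stored password to the contact address for any domain asked."""

    def __init__(self, accounts, send):
        self.accounts = accounts
        self.send = send  # callable(to_address, message_text)

    def forgot(self, domain: str) -> bool:
        acct = self.accounts.get(domain)
        if acct is None:
            return False  # also reveals whether the domain is hosted here
        self.send(acct["email"], f"Your cPanel password is: {acct['password']}")
        return True


class TokenReset:
    """Single-use, expiring reset tokens; the stored secret is never revealed."""

    def __init__(self, accounts, send, ttl_seconds=900, clock=time.time):
        self.send = send
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested
        self._pending = {}  # sha256(token) -> (domain, expires_at)
        self._creds = {}    # domain -> (salt, pbkdf2 hash, contact email)
        for domain, acct in accounts.items():
            salt = secrets.token_bytes(16)
            self._creds[domain] = (salt, _hash_password(acct["password"], salt), acct["email"])

    def request(self, domain: str) -> None:
        # Same (empty) response whether or not the domain exists.
        cred = self._creds.get(domain)
        if cred is None:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self._pending[digest] = (domain, self.clock() + self.ttl)
        self.send(cred[2], f"Reset link (valid {self.ttl // 60} min): https://host.example/reset?t={token}")
        return None

    def redeem(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token works exactly once
        if entry is None:
            return False
        domain, expires_at = entry
        if self.clock() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        self._creds[domain] = (salt, _hash_password(new_password, salt), self._creds[domain][2])
        return True

    def verify(self, domain: str, password: str) -> bool:
        cred = self._creds.get(domain)
        if cred is None:
            return False
        return secrets.compare_digest(cred[1], _hash_password(password, cred[0]))
```

The token design takes the plaintext password out of the mail and off the server, bounds the exposure to fifteen minutes and one use, and gives the same answer for unknown domains. It does not remove the dependency on the mailbox: whoever reads the reset mail can still reset the password, which is exactly why the email account’s password matters as much as the hosting account’s.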
What I’ve learned from the experience is to immediately look at the log files. As hard as log files are to read, log files allow you to trace the path of the last visitor to the site. You can look at the origin of the IP address through who.is. The log files tell you what part of your site the hacker visited. If the entry point is cPanel rather than your site, you might ask support if someone retrieved the password on your account. (The information about the password retrieval is something only tech support knows — it’s not in the log files.)
So after hours of looking at WordPress for the security vulnerability, going through theme code, plugins, and everything else, it turns out the vulnerability was with Bluehost’s password retrieval and the client’s email account. The hacker was getting in through cPanel, not WordPress.
It’s not such an alarming problem, though. Even if your entire site gets hacked and deleted, the web host usually backs up the site once a week or so. The worst case is that you’ll lose the last couple of posts (which you can retrieve via email if you’re subscribed to email delivery of your posts). One caveat, raised in the comments below: a host restore may copy the backup over the existing files rather than wiping the account first, so files the attacker uploaded can survive the restore, and a backup taken after the intrusion already contains them. After a restore, check the site for files that aren’t part of your install.
The real issue is getting hacked repeatedly and not knowing where the security vulnerability is. My advice is to look at the log files, who the last visitor was, and where they entered the site. Did they hack into WordPress or cPanel? Find out if someone retrieved the password. Is your email password easy to guess? Is it the same password that you use everywhere?
3/2/2010 update: A user in the comments informs me that the password retrieval tool is not part of cPanel but rather Bluehost’s own tool. I had assumed otherwise. Sorry, cPanel.
Comments
Tom, what do I look for in the log files and which log files are you referring to? I have 3 blogs on the same host service with Bluehost and they’ve all been destroyed this week by some damn b@st@*d! I would say another lesson learned here but there still doesn’t seem to be a way to make WordPress hackproof. Any advice would be appreciated. Thanks, Jules
Interesting. I’m wondering how many other people this has happened to. First, change the email address on your account. You can do this through the contact information section in your cPanel. Second, as Mike said, change your other passwords. Third, contact Bluehost support and ask if anyone requested to retrieve the password lately. This information is in their account notes, not the log files. Fourth, access your cPanel log file. There’s a log section in cPanel, but I’m not sure if it has cPanel logs. Ask the Bluehost support person for the cPanel logs. (By the way, you can ask Bluehost to restore your account to the previous backup point. Probably easier to do this than to rebuild everything.)
The log file is tough to read. But first identify your IP address. You can do this by going to whatismyipaddress.com. Then look for other IP addresses that aren’t yours. (I assume you only access your cPanel from one location. If multiple, find the other IP addresses for your multiple locations.) If you identify the other IP addresses in the cPanel log file, look to see what the person has been accessing. The log file is cryptic, but it’s apparent when someone else accesses your cPanel because you’ll see things like ftp, mysql, and other cPanel features.
To solve the problem with my client site, I ended up transferring to a host that doesn’t have cPanel (Enginehosting).
By the way, let me know what you find through your investigation. When I talk to Bluehost, they always put the guilt on me, saying WordPress is insecure, your plugins or theme or database aren’t up to date, or your password to your email was hacked, etc. I’m curious to know if the hack I experienced is a pattern with Bluehost and their password retrieval too.
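The procedure described in this reply (and in the post itself: identify your own addresses, then look at what every other address touched and when) is mechanical enough to script. The following is an added example, not code from the post or from Bluehost. It assumes Apache combined-format lines, which the per-domain raw access logs use; adapt the regular expression if your host’s cPanel session log is laid out differently. The log lines, IP addresses and request paths are constructed for the demonstration, and the cPanel feature paths are illustrative.

```python
"""Find unfamiliar IPs in an Apache-style access log and list what they touched.

Added example (not from the post). SAMPLE_LOG is constructed; the request
paths are illustrative, and the feature table is a keyword map you can extend.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path fragments mapped to the cPanel / WordPress feature they most likely belong to.
FEATURES = [
    ("phpmyadmin", "phpMyAdmin"),
    ("/sql/", "MySQL databases"),
    ("/ftp/", "FTP accounts"),
    ("/filemanager/", "File manager"),
    ("/backup", "Backups"),
    ("/contact/", "Contact info (password-reset address)"),
    ("wp-login.php", "WordPress login"),
    ("wp-admin", "WordPress admin"),
]

# Your own address(es), e.g. as reported by whatismyipaddress.com. Constructed here.
OWN_IPS = {"203.0.113.7"}

# Constructed sample log: the owner editing posts, a stranger walking through
# cPanel's FTP and MySQL pages late at night, and a script probing wp-login.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2010:09:12:01 -0700] "GET /wp-admin/edit.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2010:09:13:10 -0700] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Feb/2010:23:41:05 -0700] "GET /frontend/x3/index.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Feb/2010:23:41:40 -0700] "GET /frontend/x3/ftp/accounts.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Feb/2010:23:42:12 -0700] "GET /frontend/x3/sql/index.html HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Feb/2010:23:42:50 -0700] "POST /frontend/x3/sql/deldb.html HTTP/1.1" 200 410 "-" "Mozilla/5.0"
192.0.2.55 - - [28/Feb/2010:04:00:00 -0700] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.0"
this line is not a log entry and is skipped
"""


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(path):
    """Map a request path to a feature label using the first matching fragment."""
    for needle, label in FEATURES:
        if needle in path:
            return label
    return "other"


def foreign_activity(lines, own_ips):
    """Summarise every IP not in own_ips: first/last seen, features touched, requests made."""
    report = {}
    for rec in parse(lines):
        ip = rec["ip"]
        if ip in own_ips:
            continue
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report.setdefault(ip, {"first": ts, "last": ts, "features": set(), "paths": []})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["features"].add(classify(rec["path"]))
        entry["paths"].append(f'{rec["method"]} {rec["path"]} -> {rec["status"]}')
    return report


if __name__ == "__main__":
    for ip, info in foreign_activity(SAMPLE_LOG.splitlines(), OWN_IPS).items():
        print(f"{ip}: {info['first']:%Y-%m-%d %H:%M} .. {info['last']:%H:%M}  "
              f"features={sorted(info['features'])}")
        for p in info["paths"]:
            print("   ", p)
```

Feed it the real file with `foreign_activity(open("access-log").readlines(), OWN_IPS)`, then look up each reported address with whois. The time window matters as much as the paths: a stranger who goes straight from the FTP accounts page to the database page in under two minutes is reading from a script or a checklist, not browsing.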
Assume all of the client’s relevant passwords have been compromised… FTP, cPanel, WordPress *and* email account. All of them should be changed immediately. I’m guessing the primary password that was compromised would have been the email account password.
Bluehost have now restored everything from a backup made 10 days ago, so that’s all fixed for now.
There were no password retrievals made. They’ve told me they don’t have a cPanel log file, so that one’s out. I’ll now do all the things you’ve recommended on this site. Thanks so much Tom, it’s great that guys like you can share your knowledge and help guys like me out. I was pretty much lost until I found your site. I’m moving to a new host soon but for now Bluehost shared hosting will have to do. It’s a steep learning curve for me. Thanks again, Jules
Despite the experience I had with the client site getting hacked on Bluehost, I still use Bluehost for other sites (mainly because transferring all my content will be a pain). I think you can secure the password retrieval from happening again by putting in a gibberish email for your contact email, and then making your Gmail password tough to guess (and different from your other passwords).
Re the cPanel log file, it’s interesting that they don’t provide this, because I have a log file showing cPanel access. Maybe the support guy didn’t know about it.
Tom, this post is full of useful information. Thank you!
You stated:
“I pressed the support rep about the security and encryption for the password retrieval tool, and he did say that you can request the password for any domain by plugging in https://www.bluehost.com/cgi/forgot?domain= or http://www.bluehost.com/cgi/forgot?domain= and adding your domain after the = sign.”
Then later claimed that this problem was a cPanel issue. That password recovery tool is not in any form or fashion a cPanel product or service, it is a product of Bluehost.
The BlueHost rep even states, and you quote them:
“He then said, ‘I think our issue might be from our password request tool. I am reporting it now.’ But he also suspected that the client’s email account had been compromised. He said changing the password may solve the problem entirely.”
BlueHost is not a representative of cPanel.
Sorry about that. I thought the password retrieval tool was through cPanel since it retrieves the password I have stored in cPanel. I’ll try to update this post later to reflect that separation.
Thank you very much, and sorry to hear about your troubles, hope you get everything worked out.
I updated the post with a little note, a couple of other tweaks, and changed the title.
Speaking of Bluehost, when I wrote an investigative report about green hosting services, I found that Bluehost relied mainly on fossil fuels to power their data centers. Nowadays green hosting is just as cheap as dirty hosting. There’s no excuse to use coal-powered hosting centers anymore. (See also: Part 2 of the article).
I didn’t even know there was such a thing as green hosting services. Thanks for the link.
I find it interesting that Bluehost just changed all their customers’ passwords today and requires stronger passwords. Either a lot of sites were getting hacked or they’re adding new features to cPanel. Or both.
This has nothing to do with Bluehost. It’s Googlemail. Their security flaw continues. I have been using Gmail from the beginning and trusted them. Until today. What we have in common, Tom, is Gmail used as e-mail for contact with Bluehost.
Tom, you haven’t changed generated passwords for all those hacked WordPress blogs, have you?
I am not going to discuss the rest in public. Just write me, please if you interested.
Cheers,
Al
Actually, my site that was hacked was a client site using a mail client other than Gmail.
I am locked out of my account as I type. Now waiting for my account to be reset. Not at all happy with Bluehost. Way too much downtime due to DDoS lately.
I’m hosted on Bluehost and my WordPress blog has been hacked in recent days as well. It keeps redirecting me to other sites. I don’t really have time to deal with it right now, so I suppose I’ll just take my blog down.
Last week, I received a message from Bluehost to enter a new password, much more complex than the previous one.
Symbols, caps, and 8 characters.
Maybe this situation was because of those hacks Bluehost users had!
Regards!
Well, the hackers had a field day with my sites. It seemed as soon as I’d corrected the problem, they were back at me.
At one point they did indeed delete my entire site and BlueHost had to restore me.
Then as I started to read and learn where they might be coming in and how they would disguise files as .php’s and even use the favicon to run scripts, I started to close those doors.
When I read on this blog that it seemed they may be getting in through FTP, I disabled my anonymous FTP login and deleted ALL of the FTP accounts that I could, since my fiancée and I are the only ones allowed to add files to the server.
We are now just using the unlimited FTP option through BlueHost which is all we really need.
We decided to use the password generator option for all of our sites and email addresses and keep them in a Word document which resides on a flash drive that hangs around my neck and on a flash drive that she keeps out of her workstation until she needs it.
What’s nice about this method is that I can just copy the password out of the password document file and paste it in, so I don’t have to remember all of those strange characters.
Hopefully this is all I need to do so we shall see!
If it does fix my problem then to the hackers I am saying Nya, Nya!
I think in this post I said the hackers entered through cPanel, not necessarily FTP. But one could lead to the other. They could grab your FTP information from cPanel and then enter via FTP. Some people also claim that hackers find out your FTP information through some kind of attack on your FTP client, and then they use that information to access your site. In that case, they don’t even attack through cPanel at all. I haven’t experienced that form of attack, though.
Thanks Tom,
I did see a cpanel.php file which I promptly deleted among other foreign files.
This is the longest I have been unaffected since my previous post and I have just checked (05-14-10 1:02am est)
It was my Joomla sites and my fiancée’s WordPress sites that were hacked.
We both are newbies to the CMS world and come from HTML/CSS designing and do not know PHP.
It would be nice if there was a way to get a set of the files and folders on both CMS; that way we could easily identify the interlopers.
I know that would not be a cure-all because a hacker could append to an existing file (perhaps), but it would slow the attacks and would indeed stop a lot of them.
Just my four cents (inflation)
I switched to a different host and haven’t had an attack since then. I know that sounds like an attack against Bluehost. It’s not entirely. I still hold my own personal web host account there. It’s never been hacked. But for some reason, the client site I described in this post just kept getting hacked (it was on a different server). I transferred that account to Template Enginehosting, which is really geared for ExpressionEngine. But it worked. It’s been about 4 months now — no hack.
Now that’s interesting, because my fiancée and I just discussed the possibility of transferring to a different host.
However, we are reluctant because we have many sites (fewer than 10), but enough to be concerned about a smooth transition or even how to go about doing it.
It would be rather simple if our sites were just plain old static pages, but they are interactive (CMSes) with users.
Did you have any problem with your transfer?
Thanks for taking the time, your kindness will visit you multiple times.
Best regards,
Site transfers are a huge pain. That’s why I did it with the client site but left my own [unhacked] site alone. The exporting of the mysql database is the easy part. It’s transferring a domain that is held by the web host that is tough.
You should definitely check this link…
http://25yearsofprogramming.com/blog/2008/20080311.htm
With this you will come to know how they attack and why they keep attacking again-n-again.
Well, in my case it was an RFI (remote file inclusion) attack. Using an insecure WordPress plugin can cause a vulnerability.
Most WordPress sites get hacked through insecure plugins. I am sorry your site got hacked through the cPanel. I deal with hacked sites on a daily basis. Bluehost does have logs; they are located under the “Raw Access Logs” link in the cPanel. They only cover that day, though. Most hackers will install a backdoor as well. A restore through Bluehost is like a copy/replace. It does not wipe out the public_html and install the backed-up files. Any files the hacker uploads will still be there. Lately hackers are gaining access to sites and installing backdoors weeks before they initiate their attack. That way the backups are infected as well with their backdoors. You can stay on top of hacked plugins by watching http://wordpressexploit.com. The red files have no current fix for them.
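Two remarks in this thread point at the same tool: the earlier wish for a known-good list of the CMS’s files and folders so interlopers stand out, and Scott’s point that a restore copies over rather than wipes, so uploaded backdoors survive it. The check below is an added example, not a Bluehost or cPanel feature: it hashes a clean tree into a manifest and diffs a live tree against it, reporting files that were added, modified or removed. The file trees are constructed in a temporary directory, and the file names (including the cpanel.php mentioned above) and contents are illustrative placeholders.

```python
"""Baseline-manifest check for a web root: spot files an attacker added or changed.

Added example, not a hosting-provider feature. demo() builds a 'clean' and a
'live' tree in a temporary directory so the whole thing runs offline.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifest(baseline, live_root):
    """Compare a live tree against a baseline manifest taken from a clean install."""
    live = build_manifest(live_root)
    return {
        "added": sorted(set(live) - set(baseline)),          # not in the clean install
        "modified": sorted(p for p in baseline if p in live and live[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(live)),        # deleted or never restored
    }


def _write(root, rel, content):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo():
    """Snapshot a clean install, simulate the post-restore state, and diff the two."""
    work = Path(tempfile.mkdtemp(prefix="manifest-demo-"))
    try:
        # Constructed 'clean' tree standing in for a fresh CMS download plus your theme.
        clean = work / "clean"
        _write(clean, "index.php", "<?php /* placeholder */\n")
        _write(clean, "wp-config.php", "<?php /* placeholder config */\n")
        _write(clean, "wp-content/themes/t/header.php", "<html>\n")
        _write(clean, "favicon.ico", "icon-bytes\n")
        baseline = build_manifest(clean)   # store this off the server

        # A copy/replace restore leaves whatever the attacker already put there.
        live = work / "live"
        shutil.copytree(clean, live)
        _write(live, "cpanel.php", "<?php /* placeholder for a dropped backdoor */\n")
        _write(live, "favicon.ico", "icon-bytes\n<?php /* script hidden in the icon */\n")
        _write(live, "wp-content/uploads/.x.php", "<?php /* placeholder for a second backdoor */\n")
        (live / "wp-content/themes/t/header.php").unlink()   # something the attacker removed
        return diff_manifest(baseline, live)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print("   ", p)
```

The baseline must come from a clean source (a fresh download of the same WordPress or Joomla version plus your own theme and plugins), never from the host’s backup: as Scott says, a backup taken after the intrusion already contains the backdoor, so a manifest built from it would bless the attacker’s files. Run `build_manifest` once against that clean tree, keep the result off the server, and run `diff_manifest` against the live account after every restore and on a schedule.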
Scott, thanks for the note about hackers installing back doors weeks before the attack. I didn’t know that, but it makes sense.
Scott,
You are exactly right on the restores from Bluehost being compromised, as I found that out as well with one of my sites that I will have to rebuild from scratch. But since that appears to be the only one affected so severely, I don’t mind, as all of my other sites have been unaffected since that terrible initial attack.
I have spoken with the admins at Bluehost and they are currently working on a customer intrusion detection system that should be able to stop malicious files from being either uploaded or executed. They are also working on a way to scan the backups as well for malicious code that slips through. They were not able to give me a time for rollout, but they did say it should be implemented by year’s end. I also asked them about the password retrieval, and they did mention that their system was less secure months ago, but Matt Heaton has made it a personal quest to secure their systems from attack. I guess the L1 techs now have no access to view customer passwords, so even if a hacker did gain remote access to a tech’s workstation, they would have limited ability to do anything. Their shell access has also been stripped of a lot of the commands that were available as well.
Bluehost, since it was brute-force attacked a few months ago, has been awful. In 4 years I never had a client’s or my own websites attacked. In the last 45 days I’ve had 4 sites hacked and taken down, and two of them have hard porn on them.
I feel your pain!
Most of my sites that were hacked on BlueHost were not paying accounts but I had one that was just about to generate income through paid ADS and then it got hacked bad!!!!
Although, I did recover the sites, I wasn’t able to regain the credibility with my prospective customer.
But I was later happy it happened before I went commerce.
They probably have a lot of backdoor files on your site(s), but I really hope you will be able to detect the bad files and recover without much drama.