14-08-2017, 17:38 (#681)
learned 2 ape the motions
Join Date: Jul 2000
Posts: 6,403
Thanks: 99
Thanked 136 Times in 111 Posts
Quote: Originally Posted by Psycho
Thanks!
I'll probably leave things as they are for now but will have a read up on it.
Psycho
I have been unlucky enough to end up sorting out other people's attempts to convert from HTTP to HTTPS. Before you start anything, email your hosting company and ask if they have a script to do it for you; it could save you a lot of hassle.
14-08-2017, 17:43 (#682)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
Quote: Originally Posted by ljp
I have been unlucky enough to end up sorting out other people's attempts to convert from HTTP to HTTPS. Before you start anything, email your hosting company and ask if they have a script to do it for you; it could save you a lot of hassle.
Thanks!
I was thinking that if I were to do it then I'd contact my hosting company first.
Psycho
15-08-2017, 12:19 (#683)
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,941
Thanks: 2,728
Thanked 2,856 Times in 1,252 Posts
I implemented https on one of my sites a while ago - it was only a new/small site, but it did go smoothly.
I used Let's Encrypt (free) and WP plugin Really Simple SSL.
25-08-2017, 10:08 (#684)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
I've seen GDPR (General Data Protection Regulations) mentioned quite a bit recently, which will be enforced from May 2018.
I don't really know much about it but I was wondering if it might affect small WordPress websites and what could be done to make sure you comply with the new laws?
Would this be covered by having an https and SSL certificate or should more be done?
I'm assuming this would be more of a concern with an ecommerce WordPress website?
Would WooCommerce have to make sure their plugins complied with the new laws or would a new plugin be needed?
Thanks,
Psycho
Last edited by Psycho; 25-08-2017 at 10:17.
25-08-2017, 10:42 (#685)
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
More advertising 'noise' than anything, but this could be useful?
https://www.splunk.com/pdfs/white-pa...compliance.pdf
(Ironic that I had to sign up for that, giving my phone number and email address...)
"The GDPR does not simply apply to EU domestic business, but to companies worldwide that target their goods and services to European citizens."
If anything, there are a plethora of 'What does the GDPR mean to you? Get your website checked with us!!!!' type companies springing up, jumping on the bandwagon. This is a big money spinner for companies!
25-08-2017, 11:09 (#686)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
I'd noticed an increase in companies offering (paid) advice and help, which always makes me question how important it actually is, or how hard it will be to comply without the advice or help.
A bit like all the companies that sprung up to "help" you with your PPI claim, even though it's not that hard to claim, from what I've heard.
I'm always suspicious when people want to "help" and charge.
Psycho
25-08-2017, 11:19 (#687)
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
I get loads of calls each day from companies wanting us to give 'em money for their GDPR advice. Some are horribly pushy. "I can arrange a meeting for next Tuesday? Is 10am OK? Yes? Can you confirm it'll be just you in the meeting?" "No, I don't need a meeting, thanks." "No, but you need to be compliant - it's not just optional. It's these things we need to discuss..." etc. *click*.
25-08-2017, 15:54 (#688)
Suedehead.
Join Date: Feb 2001
Location: Exiled in England
Posts: 11,173
Thanks: 149
Thanked 936 Times in 560 Posts
The authorities are hardly breaking down the doors of the local plumbers because their website cookie policy is a bit shonky. Why would this be any different?
25-08-2017, 17:05 (#689)
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,480
Thanks: 612
Thanked 1,810 Times in 629 Posts
Data breaches are more common and cause more 'damage' than someone moaning that they've got an extra cookie they weren't expecting. If Sid the Plumber has a 'contact us for a quote' form on their website which (most email, so this is a silly scenario) is in a database which gets compromised, it would be a nice list of names with email addresses. The authorities won't test/check every website, but if the Plumber does get hacked and someone complains, *that's* when the authorities get involved, and the brown stuff hits the whirly thing.
I've used partsGateway in the past (intermediate site which contacts garages and breakage yards for car parts). You had to submit a wodge of personal details - name, address, car details, etc. They got hacked, so those details are now 'out there', and I now get targeted spam emails with my details on. OK, the GDPR isn't going to magically stop that, but if it happens again, I've someone to moan to who can actually do something about it. Maybe. Hopefully. *scratches head*
16-09-2017, 12:58 (#690)
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,941
Thanks: 2,728
Thanked 2,856 Times in 1,252 Posts
Quote:
If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately.
The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.
30-10-2017, 14:34 (#691)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
I'm not sure how easy this would be to resolve but I thought I'd ask here...
A friend of mine has a WordPress website that I built for them last year but they didn't maintain it, and the end result was that it was suspended by the hosting company due to hosting phishing attacks and malware detections.
I've now been left with the task of resolving this and I'm trying to think of the best way to do so without losing any data.
I can't log in to the WordPress dashboard, so everything has to be done manually.
My first thought was to roll the website back to before the problem and to update WordPress, plugins and the theme, but it is well past the 30-day roll-back period.
I've tried updating all the plugins with up-to-date versions via FTP and I've updated WordPress to the latest version via Softaculous.
The hosting company has listed the files that they believe to be the problem and have asked me to delete them, but for some reason I can't see them when using FTP with "show hidden files" selected.
Luckily I still have the test version of the website live on my hosting account (with the same hosting company) and I have everything up-to-date. It is just missing all of the data collected after it went live (customer orders, etc).
Rather than deleting the website, just transferring the test website over and losing any data, I thought it might be possible to transfer the test website over and then relink it with the database they were using.
Would that work and pull in all of the data that was collected after it originally went live?
Or can anyone think of another solution?
Once sorted I might just offer to maintain the website myself, rather than be lumbered with sorting out the problems!
Thanks,
Psycho
Last edited by Psycho; 30-10-2017 at 14:46.
30-10-2017, 15:56 (#692)
learned 2 ape the motions
Join Date: Jul 2000
Posts: 6,403
Thanks: 99
Thanked 136 Times in 111 Posts
Psycho, it sounds like you have been caught on a Vidahost server there. I've done the same thing several times and now do virtually the same thing. Before you do anything, are you using a theme that you purchased? Have you checked that the theme itself has been updated in the last month or so? If it is old and not maintained I would be tempted to find another. Has the hack altered the core files of WordPress by any chance, including altering the .htaccess file?
You should be able to get into MySQL to grab a copy of the latest database for the site and then put that into MySQL on a local machine to check for anything dodgy.
I would then suggest you wiped the site, started another SQL database (import the clean / checked data into it) and changed all the previous passwords associated with it. Then I'd install a new WP install and link it to the SQL database to see what happens.
It sounds far too dodgy to me to just try and update something that could be broken.
30-10-2017, 16:41 (#693)
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,941
Thanks: 2,728
Thanked 2,856 Times in 1,252 Posts
It would take so long to unpick everything, so just start again, especially as you have a clean backup copy of the old site. They can put the lost data down to experience. (Won't there be emails anyway?)
30-10-2017, 17:09 (#694)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
Thanks for the replies!
It's a total nightmare and I could have done without it being dropped on me, as they also need it fixed urgently.
The theme that was used has been updated and looks to be well maintained. I downloaded the new version and tried it on my clean test website. It seemed okay.
I'm not sure how to check what the hack has actually done and whether it has altered the core files... without comparing every single file!
Vidahost have flagged up a few files but I can't see them ("show hidden files" is turned on) when looking in the correct place via FTP, so I can't delete them.
I've already downloaded the database but I'm not sure how you'd go about checking that for anything dodgy?
As suggested, it might just be easier to delete everything and then reinstall the clean version via Duplicator, which is how I transferred it over last year.
They will lose some data but there's not much that can be done.
Psycho
30-10-2017, 18:52 (#695)
learned 2 ape the motions
Join Date: Jul 2000
Posts: 6,403
Thanks: 99
Thanked 136 Times in 111 Posts
I do wonder if Vidahosts have had a problem at some stage; I know at least 10 different people with different accounts that have all had problems with their WP sites on Vidahosts.
The trouble with just downloading the old SQL database and putting it online again is that it could have stuff in it that you don't know about, like hacked pages, links etc. You could download a free version of SQL or Microsoft SQL (Express version), import the data, look in the tables and see if there is any rogue stuff in there. It would be a shame to go to all the hassle of putting WP back and importing the SQL into a new database only to find that pages have content they shouldn't, or indeed you have new pages advertising everything from drugs to essay writing (seems to be a common one for the installs I have corrected).
I'd honestly reinstall WordPress, check all the files and folders are CHModded correctly and then check things like the access file wasn't altered before I installed a theme, let alone any content.
You should be able to ask Vidahosts to firewall the site to stop ANY outgoing traffic and then give you access to the wp-admin screen to log in. If they do that you can export the data from the site, which may be easier for you to read, as SQL can be a bit confusing if you haven't used it much. Then ask them to change all the passwords for the account (if you have access to the control panel you can do it yourself).
Sounds like you may have a busy day tomorrow - I hope they are paying you!
31-10-2017, 08:06 (#696)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
I've been having a look at the databases in phpMyAdmin and I can't see anything unusual with the data. No unusual email addresses, and the list of WordPress users seems correct... even though I can't log in*
But I noticed that the full database name ended "_newVIDA" and the individual tables start "wpdy_".
Usually the databases that I've seen would end "_wpXXX" (X = numbers) and the individual tables start "wp_".
Maybe this is something new?
*I was going to look at manually adding a new user via the database but the tutorial I saw mentioned "wp_users" rather than "wpdy_users", which made me question this.
Psycho
31-10-2017, 08:37 (#697)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
New Update!
I remembered this morning that I set up iTheme Security after the website went live in November 2016 and I've got the database backup for January and March 2017, which should be well before the site got hacked... my friend had an email from Vidahost warning him in July that something was up.
If I do a clean install with the backup version I created in November 2016, can I then install the iTheme Security database backup?
I've never done that before and just want to see if that might be possible.
Psycho
31-10-2017, 13:03 (#698)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
I think I'm back up and running with all the data recovered!
I've updated everything and made another Duplicator backup.
Fingers crossed that is everything!
Thanks for the help!
Psycho
06-11-2017, 15:34 (#699)
Trusted User
Join Date: Jul 2002
Location: Croydon, London
Posts: 10,241
Thanks: 866
Thanked 173 Times in 104 Posts
I spoke too soon. I got hacked again on Friday and again today.
I'm not sure how they are doing it, but I can no longer log in, and when I look at the "wpdy_users" table all the "user_login" (username) data has been changed to "XCA" and all the hashed "user_pass" (password) data has been changed so that it looks the same for each user.
Every part of the website was updated and the database was restored from Feb 2017. Maybe the problem is with the Feb 2017 database and I'll have to just re-build the website from scratch and lose all the database data, as was already suggested?
Psycho
Last edited by Psycho; 06-11-2017 at 15:35.
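As an added example that is not part of this thread, here are the checks suggested in #695 (look through the tables for rogue content), #696 (the site uses the non-default table prefix wpdy_) and #699 (every user_login rewritten to XCA and every user_pass hash identical) written up as a small offline audit of a database copy. It assumes a wp-config.php fragment, an SQLite stand-in for the MySQL database and constructed table contents; the expected_logins list, SPAM_TERMS and the sample hash are made up for the example.

```python
import re
import sqlite3

# Constructed wp-config.php fragment; the prefix is not the default "wp_" (as in the thread).
WP_CONFIG = """<?php
define('DB_NAME', 'example_newVIDA');
$table_prefix = 'wpdy_';
"""
# Phrases typical of injected spam pages (the thread mentions drugs and essay writing).
SPAM_TERMS = ("essay writing", "pharmacy", "casino")

def table_prefix(config_text):
    """Read $table_prefix from wp-config.php so the audit queries the right tables."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([A-Za-z0-9_]+)['\"]\s*;", config_text)
    return m.group(1) if m else "wp_"

def build_sample_db(prefix):
    """Constructed users/posts tables of a compromised site, in SQLite for portability."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {prefix}users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute(f"CREATE TABLE {prefix}posts (ID INTEGER, post_title TEXT, post_content TEXT)")
    same_hash = "$P$BconstructedSameHashForEveryUser0000000"  # placeholder, not a real hash
    db.executemany(f"INSERT INTO {prefix}users VALUES (?,?,?)",
                   [(1, "XCA", same_hash), (2, "XCA", same_hash), (3, "XCA", same_hash)])
    db.executemany(f"INSERT INTO {prefix}posts VALUES (?,?,?)", [
        (10, "About us", "A small shop in Croydon."),
        (11, "Cheap essay writing", '<a href="http://spam.example/">buy essays</a>')])
    return db

def audit(db, prefix, expected_logins):
    """Return findings matching the symptoms described in the thread."""
    findings = []
    users = db.execute(f"SELECT user_login, user_pass FROM {prefix}users").fetchall()
    logins = {login for login, _ in users}
    if len(users) > 1 and len({pw for _, pw in users}) == 1:
        findings.append("all user_pass hashes identical")  # every account overwritten at once
    for login in sorted(logins - set(expected_logins)):
        findings.append(f"unexpected user_login: {login}")
    for login in sorted(set(expected_logins) - logins):
        findings.append(f"expected user missing/renamed: {login}")
    for pid, title, body in db.execute(f"SELECT ID, post_title, post_content FROM {prefix}posts"):
        if any(t in (title + " " + body).lower() for t in SPAM_TERMS):
            findings.append(f"spam content in post {pid}: {title}")
    return findings

if __name__ == "__main__":
    prefix = table_prefix(WP_CONFIG)
    for finding in audit(build_sample_db(prefix), prefix, ["owner", "editor", "shop"]):
        print(finding)
```

Against a real site you would point the same queries at a local import of the downloaded MySQL dump and supply the list of accounts that should exist.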
06-11-2017, 15:41 (#700)
PSN: zharrt1
Join Date: Mar 2011
Posts: 899
Thanks: 4
Thanked 54 Times in 21 Posts
Really surprised you still got hacked with iThemes, I am really impressed with the logs it shows me on the attack attempts.