Something I learned About WP Security, Fake Admins & Hackers

It happened to me in 2020, after I had a difficult time with lockdown, and losing my elders. It was such a difficult period. On top of which I ended up losing around 20 websites. The unlimited hosting I had moved to was slightly cheaper than renewing my usual unlimited hosting account, which had gone up considerably in price. And this is something to look out for guys… Beware of cheap hosting offers. The new host I later found out were not a hosting company at all, but merely a company who had extra hosting/disk space/packages.

They told me that I had a bad script in one of my headers, but they could not tell me the domain or WP application. They deleted it all.

It took me a couple of years desperately trying to get back on my feet. But of course Googles algorithms had began to change by then.

Random Admins New Users

Recently one of my sites I logged in and found many users (admins). I then manually logged them out/deleted them. This was such a big mistake, as they ended up deleting me. I should have used a plugin to deal with the threat.

This has now happened again within my reseller hosting account. And while I can’t simply blame the host, I do feel they should have firewall & malware scans activated. Or at least allow you to activate security apps yourself from direct admin, or c panel. I did try to, but it said I did not have permission to use these apps. I managed to save only 1 site out of a dozen. And in part, it is my own fault.

How To Fix A Hacked Site

I have been doing some reading today. As I wanted to learn more about these fake admins, and bad header scripts, and what could be done about it. First of all I discovered that you don’t have to delete the website. But you do need to back up even a broken copy of your site. You can either pay to have your website fixed/cleansed, or you can install plugins that will let you know about recent file changes. These need to be deleted.

Awestats Shows Anonymous Users!

Go to your cPanel and click on AweStats. There on the left hand side you’ll see a list of options. Go to WHO/HOSTS and view anonymous authenticated users. After you have used your rescue plugins below, return tomorrow, and check again. Daily should read as 0 (zero) I hope. You can also read the IP addresses of repeat users, and the page count, maybe the region/country (locale). Maybe you can lock them out.

Two Useful Plugins To Use Are:

WP Security/AIOS & Headers Security Advanced & ASTS WordPress By Andrea. He is an official WP core expert. And you can trust the plugin will work as it should. Apparently it is a must now for all WP sites to show search engines that their headers are secured, and that they can be preloaded. Well, you learn something new every day!

Other Steps You Can Take:

Move to Namecheap. They have security options, Sitefix costs £134, but it could be worth it if you run a serious business, or have many clients. Another option is WordFence plugin have premium care, and that costs around the same. Be willing to pay and keep your hard work.

If you install the plugins and set them up in time, you may be able to override the new users, and find the files, and block the bots & bad IPs. If you can’t do this, do transfer to NameCheap, get their hosting, and then if you want you can add packages for security, marketing, and more. You can’t go wrong, as they seem to be leading in this area. And they always stay cheap. I will be comparing these services soon. But in the meantime, install those if you can. Set up every setting including Users, Firewall, Scan, Bot Blocking, and everything else.

Move To A New Web Host That Disinfects Your Damaged Website

I believe that Verpex will clean your site when you migrate over to them. I don’t know if there’s an additional charge for this. For a basic site, I don’t think there’s a charge at all. Or they may refer you to a site fix specialist otherwise.

How Are They Hacking Your WordPress Site?

I had a good look through my files tree, and I found some very strange files (the new JS & CSS files) And a couple of new plugins. Also I found some PHP header that says anyone can log in from anywhere. I made a screenshot of those. Apparently WordPress 5.6 and above have a vulnerability when it comes to logins. I read this in an app, which gives you the option to turn the vulnerability off (already mentioned). And I also read it’s called something header forgery. There are two names for it, and it’s more common than you think.

I wanted to know exactly how thy are doing this. I am going to upload some screenshots, so that people understand how they do it. Maybe they just put a call in your website, and hook it in with their other websites. I’ve also seen an attempt at multisite, and WP network. I often wonder who has the time to cause these attacks? This particular redirects attack from my menu, and all my websites hosted in Europe were all redirecting to Russia. But I get many hackers from all over the globe to be fair. Particularly China, Russia, India, and USA. Clickjacking is the new one, it is also done via HTTP security redirection. There are many different types of hacking & leaches is off the charts. VPN is now essential, as is website security.

What To Do Immediately

Follow the steps I have advised. Regular users install the apps, and notify your host. Advanced users, use advanced plugin settings, and delete all the new files & logins (via plugins). Beginners/novices, switch over to Namecheap, or migrate to Verpex, or order website fix.

  1. Download older backup/s (labeled)
  2. Download todays backup (labeled)
  3. Install Headers Advanced Security Plugin
  4. Install WP Security/AIOS OR Wordfence
  5. Set up users security & firewall options
  6. Scan for recent file changes (note them)
  7. Be notified of file changes by email
  8. Notify your host & change your passwords
  9. Move hosting companies if you wish
  10. Have them scanned/fix when you move

I am now planning to do the same. Move some sites back to Verpex and see if they can be recovered. And for my main sites, I will be using Namecheap, so I can make use of security, marketing, and additional apps that I need. Other websites provide these, but Namecheap seem to offer many on a month to month basis, so you can try by subscription, no contract.

I think it’s really important to determine which sites are important to you – businesses, test sites, sites in progress, or just for fun. Everyone should secure their business websites. Why risk all the hard work you’ve done for the sake of a few $?

Verpex hosting is built in with immunity & firewall systems. They can sort your website in a couple of clicks when you migrate to them. Also, you shouldn’t expect any of this to happen when you use their hosting. I already have a platinum account there for 100 websites. And nothing has happened. I feel pretty confident that all attempts have been blocked. But the fact I had a cheaper hosting account elsewhere I was going to go, instead of renewing my annual contract, this is how it happens. Stick with the top hosting companies, and reliable ones. The ones who provide support, free backups, and free security. Likewise, Namecheap are tough on security, and offer free SSL and free CDN. A great option for security apps.

Advanced SSL is also an option. Whichever type of hosting or website you have, make sure you have correctly set up your SSL. And if you run a business, use a product that gives you the shield of approval. It’s best so that you can protect your customers.

I hope you enjoyed this post. While I’m certainly no expert, I know a thing or two about hosting companies, and hosting in WordPress. Wishing you the best of luck. 🙂


Life Coach, Blogger, Web Developer