    Website hacked and all links redirect to bit.Ly destinations

    I have now been hacked several times. Someone injected files and/or manipulated key WordPress files to redirect to other pages. This is what I see when clicking on any link on my website https://axurewidgets.com/

     

    [Screenshot: Screen Shot 2020-09-11 at 12.11.49 PM.png]

     

    Did anyone experience the same issues?

    3 ACCEPTED SOLUTIONS
    Super User IV

    @hellomarcoliver 

     

    I have not personally had this issue, but I've helped others with it. A couple things to do

    1) Check the wp-config and index files in the root of the site - these are writable and can be affected

    2) I would recommend deleting and re-installing all the plugins and theme(s) - make sure you have the latest versions

    3) Install / Activate the Sucuri Security plugin and enable the diff detection - this will at least check the core WordPress files.

    I am a GoDaddy End User - Just Like You
    Check out my site! | I currently manage over 300 WordPress Websites
    * Please note that I offer free advice on this forum. Thank You Info If you would like personalized help, please contact me. Otherwise, please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *

    Once your issue is resolved,
    please be sure to come back and click accept for the solution

    Get Better Support on the Community Boards!
    Etiquette When Asking for Help from the Community


    @PL281 Thanks for your response. So I managed to recover the site and found several places where a hacker injected code pieces below (disabled these bit/ly links).

     

    1. created a folder named "blog" with several files
    2. added .htaccess in wp-content/uploads/mk_assets
    3. in the plugins folder

     

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^.+\.txt$ https:// bit.ly/2ZsMHxE  [L]
    RewriteRule ^.+\.htm$ https:// bit.ly/2ZsMHxE  [L]
    RewriteRule ^.+\.html$ https:// bit.ly/2ZsMHxE  [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . https:// bit.ly/2ZsMHxE  [L]
    </IfModule>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]
    </IfModule>

     

     


    Is there a way to stop this from happening permanently?

    I'm having this happen to my site over and over again since moving my site to Godaddy and they seem clueless to help me other than trying to upsell me a $100+ file monitoring product.

    I've changed passwords and locked down every access to my website with security plugins 2fa etc but it still happens. PLEASE HELP


    8 REPLIES

    @Taino 

     

    So there are a couple of things

    1) You need to make sure you keep your theme and plugins up to date

    2) Remove any unused themes / plugins as even if they aren't active they can still be exploited

    3) Check the last time your theme was updated - If you are using an older theme - there may not be an update for it and there could be a vulnerability in it.

    4) If this is in a cPanel account, double check the other sites in the account - as one of them could be compromised giving access to all the sites in the account

    I am a GoDaddy End User - Just Like You
    Check out my site! | I currently manage over 300 WordPress Websites

    Done 1 and 2 and many other tips over months of troubleshooting. 3. Very recent theme - went through a whole redesign of the blog and removed all unused themes. Not a cPanel account.

    @Taino 

     

    That seems odd then - Are you on Managed WordPress - since that would lock down the core WordPress files and prevent those from being compromised 

     

    You mentioned you did a redesign - did you build it from the ground up - I found that on one site I had to delete and manually reinstall (fresh download) of each of the plugins I had installed as there was a compromised file in one of them and just updating the plugin wasn't solving the issue.

     

    Also if there are any premium plugins make sure those are up to date as well - sometimes the premium plugins don't prompt for updates

     

    Lastly  - I suggest running the Sucuri Plugin which can scan for file changes

    I am a GoDaddy End User - Just Like You
    Check out my site! | I currently manage over 300 WordPress Websites

    Same here – I am also starting to believe that 'someone' acts in the interest of GoDaddy to 'motivate' customers to buy into their security package.

     

    My site just got hacked again – in 7 years – never happened. Just in the last 10 months 5 times. 

     

    I fixed it by deleting the injected .htaccess files – thousands of them ...

    [Screenshot: Screen Shot 2020-09-30 at 9.57.16 AM.png]

    I now noticed that some hacker injected .htaccess files in any folder inside the UPLOAD folder on wp-content. Please be aware of this hack. Seems GoDaddy's security does not work well.
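
An added example, not part of any post in this thread: a read-only scanner that walks a WordPress tree and reports every .htaccess whose RewriteRule sends visitors to a foreign host, the pattern in the injected block quoted earlier and in the upload folders described in the last post. The function names, the sample tree and the placeholder host shortener.example are assumptions made for the illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# RewriteRule <pattern> <substitution> [flags]; only the first two arguments matter here.
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)

def external_rewrites(text, own_hosts):
    """Return (line_no, pattern, host) for each RewriteRule that targets a foreign http(s) host."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        target = urlparse(m.group(2))
        host = (target.hostname or "").lower()
        if target.scheme in ("http", "https") and host and host not in own_hosts:
            hits.append((line_no, m.group(1), host))
    return hits

def scan_tree(root, own_hosts):
    """Map each .htaccess under root (path relative to root) to its external rewrites."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = external_rewrites(fh.read(), own_hosts)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed samples: INJECTED mimics the injected block (placeholder host); STOCK is local-only.
INJECTED = ("RewriteEngine On\n"
            "RewriteRule ^.+\\.html$ https://shortener.example/abc [L]\n"
            "RewriteRule . https://shortener.example/abc [L]\n")
STOCK = "RewriteEngine On\nRewriteRule ^index.php$ - [L]\nRewriteRule . index.php [L]\n"

def demo():
    # Build a throwaway tree: one injected file under uploads, one stock file at the root.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("uploads/2020/09", INJECTED), (".", STOCK)):
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
                fh.write(body)
        return scan_tree(root, own_hosts={"axurewidgets.com"})
if __name__ == "__main__":
    print(demo())
```

To use it on a site, call scan_tree on the wp-content directory with the site's own lowercase hostnames in own_hosts; it only reads files and changes nothing.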