I have a wordpress site which is acting strange lately. It seems like the database is spontaneously rolling back a few hours from time to time. I have noticed it happen at least four times.
- When I updated to wordpress 3.5, after a short time, maybe 30-60 minutes I noticed the nag to upgrade was back. I ran the upgrade a second time, even though I was certain that I had already upgraded.
- I added a new category and changed a widget on one of my sidebars, only to find that my changes were gone the next day and I had to redo them.
- I added a post yesterday, linked to it in various places and then returned several hours later to find the post missing. I rewrote the post from memory and put it back on the site.
- This morning when I went to the site, the original post was back and the one that I had recreated from memory was gone. The post’s id number was the same as the previous day. I think there was also a draft post that disappeared and reappeared as well.
One last clue which may or may not be related is that when I go to a page on the blog that should generate a 404 message I get a single piece of text which says: “defaced by t3ll0” I noticed this recently, within the last few weeks. I’m not sure how long it has been like that.
I ran Sucuri Scanner, and it found no evidence of malware. Any suggestions of how to troubleshoot this? Could this be a problem with my database rather than wordpress?
UPDATE: It appears that the primary problem I was noticing was because of two versions of the site being up simultaneously. The DNS settings had not been updated to the new site. I’m still investigating if the site was hacked.
You got hacked. “defaced by t3ll0” is the clue. Someone has control of your site and your hosting account.
Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.
Change all passwords. Scan your own PC for spyware that may have grabbed your login and password.
http://sitecheck.sucuri.net/ is a good resource, but it scans for malware and not accounts that were hacked and are not being used to distribute malware or have spam links.
Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting
You have not applied security may be at number of places.
1. File permissions, folder permissions.
2. Upload folder permissions.
3. Execute permissions.
Now, if you are not a developer how would you check for these vulnerabilities?
I am suggesting you to take a backup of your DB(Export it). Get rid of the existing WP core and reinstall it from fresh.
Delete all plugins and install them all from fresh sources.
If you have used a custom theme then get the backed up version of it and delete the current one as there is a deface to it.
And you can check for a lot of vulnerabilities with plugins like this: http://wordpress.org/extend/plugins/better-wp-security/
Rename your administrator account. Harden your password. Remove write permission from .htaccess and wp-config.php file.