Live a Reply

Social engineering content detected- Site phishing

Few days ago I received email from Google Search Console Team with title “Social engineering content detected”. On one of the sites that I was working some small fixes, was detected site phishing. Someone used site’s domain and added link to phishing page with plenty download’s links. URL looked like this:


As security was never my part of the job I was thinking that installing free version of Wordfance plugin would be good enough. Though I received notice that some files are being changed I ignored because site owner was working with some plugin developers so I though that must be it and beside that site was working fine.

Clean up infected site

So I consult experienced developer Ryan Paul and here is what we did to clean up site:

  • Change the salt keys in the wp-config.php (you can use iThemes Security plugin)
  • Change database user (cPanel)
  • Change database prefix (you can do it trough phpMyAdmin or you can use iThemes Security plugin which is much faster)
  • Erase all users except the main administrator and then change the admin username and password through phpMyAdmin
  • Delete everything except wp-content folder and wp-config.php file and then reupload WordPress files from scratch
  • Deactivate all plugins and replace it with fresh installations (you can upload in folder “newPlugins” into wp-content folder and then just to delete plugins folder and to rename current one or you can use Force Plugin Updates)
  • Lastly Ryan HIGHLY recommend¬† Bulletproof Pro plugin (it checks your site very often but still doesn’t slow it down)

Issue creating user trough phpMyAdmin after changing db prefix

While I was working on this I had problem creating new user trough phpMyAdmin after changing database prefix. I was going to copy existing user, to do some changes and to delete original one. But when I tried to login into WordPress dashboard it didn’t work. Me panic! Then I did some search and find perfect solution. Just be careful to replace all “wp” prefixes in the code with your new prefix.

INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`)
VALUES ('newadmin', MD5('pass123'), 'firstname lastname', '', '0');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (Select max(id) FROM wp_users), 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (Select max(id) FROM wp_users), 'wp_user_level', '10');

Security plugin important notices

Ryan did plugin setup so I don’t have to worry about anything until I get notification. The only thing that I need to take care for is to turn off ARQ Cron when I change site files. So when you open BPS Pro/AutoRestore you should make everything looks like on this image and once you finish editing delete the wp-content backup files, back them up again and turn ARQ Cron back on.

BulletProof Security Pro plugin

Then I reported problematic URL to Google. As site was blacklisted on Google and all other important places, after all this done I checked site again. Google Safe Status Check reported that site is clean and on some other places where I checked everything was ok but Securi site checker still detected that site is on one blacklist. It was Norton black list which detected SWBPL threat. I couldn’t find what SWBPL threat is but solution for this Norton issue is to submit site for review on Norton’s security central.

So what we WordPress security beginners  learned?

  • Your site can work just fine and still to be infected!
  • Backup. Always backup. And do some more backup.
  • Use Pro version of security plugin.
  • Update. Update WordPress, plugins and theme. Always keep files update.
  • React fast and keep your passwords safe.

If you have some good advice, please share and if you want to know more about email phishing check Pixelprivacy and BroadbandSearch.