My new website has been hacked twice!

Rainy_State

Hello,

I am after advice from people who know about website development.

I came up with an idea for a website after reading the Millionaires Fastlane. It took me about a year to bite the bullet, save up money and hire a team of developers to create a website. I researched the web design companies thoroughly and went with the one that had headquarters in the USA and India and had a big portfolio of serious projects.

Eight months later my website went live. It took three times longer to complete than estimated as it had complicated algorithms and other things designed. It's not a two-page website to display products, there is a lot built into it.

Three days after the website went live, my developer in India I liaised with, got in touch to ask why I changed my website. I went online to check it and boom!... my website was gone, replaced with a basic one page template. I couldn't access the admin site... My initial reaction was something went wrong with the hosting server... But no, it was hacked. The developer blamed me for disclosing the passwords to someone else. But the only people who knew about the website were the developers' team and myself. I have not told anyone while I was deciding on my next steps. The website was not being used to process any money or services and I have not advertised it anywhere. The developer fixed it there and then; within 10 minutes I had my website back. "That was very strange" I thought to myself but was happy it was resolved so quickly. I changed everything I could think of - all emails, passwords. I backed up the website on the server.

Today (one month later) I go on my website ...and it's gone. Replaced by a one page template saying "Hacked by Mr. Green". Again, I cannot access the website admin site. Same style as before...

The question that bugs me is who would go to such lengths hacking a literally unknown, small-scale website that is not affiliated with any big company and not a lot of money can be made off? I still have not told anyone about the website since its completion as I was busy with other things. How did they bypass the new passwords?

Is it possible that the developers left a backdoor access and are messing with me trying to squeeze some money out of me? I know nothing of website development which they know and they are the only ones that know about it other than me. Obviously, it was live but so are the millions of other unknown sites that no one bothers to hack.

What is my best course of action? How easy is it to find if there is a backdoor access left somewhere and how costly would it be? Has anyone had it happen to them?

Thanks in advance!
Rainy State
 
RazorCut

It’s probably an automated hack (not aimed at you specifically but all sites that have a certain vulnerability). What platform is it built on?
 

Tubs

My first thought is the developer, like you said they're probably trying to squeeze more money out of you.

On the other hand it could be an independent person who figured out a backdoor into your account. Might be best to hire someone reputable from Upwork to check through your site's code to make sure it's secure.
 

MitchM

Do you know what is being used to host the site and how it was coded? You should be able to download the files for the site wherever it is being hosted and use it elsewhere.

Because you aren't too technically savvy, I would just pay someone trusted on UpWork $50 and get them to take care of everything, either by transferring it or figuring out what the issue is.

Whether or not it was the developers... I have no clue but it doesn't seem like they'd have any incentive to do this unless they want you to contact them and pay them again to fix it.
 
Dan_Cardone

As someone who was a dipshit hacker back in his teens...

Probably some bored teenager who randomly hacks any site that has an easy and known vulnerability.

Get an expert on upwork to take care of it for you.
 

FastLaneSage

This is a big issue of trust... I have been making sites for years and the devs should have all the security in check for sites...Seems fishy that it has happened like that BUT it can happen....So many possible things you can do...I would suggest using a cloud based service like wix or squarespace/shopify for online selling etc....But if you are too deep in $$$$ you may want to change your dev team and then take over control of the entire thing and move on...

Hacking is everywhere but if you have more control you should not encounter these issues...

Sage
 

Rawiri

Considering you had developers working on it I'm presuming it is hosted on a private server and not a shared server?

It could be developers but I wouldn't jump to that conclusion...as for why, like Dan Cardone said...there are lots of people out there who do that "for the lulz" and just cause they can. Not to actually get money or data.
 
Process

I see 3 possibilities:

1. The devs may be incompetent/crooked.

2. The hosting service has a lax security standard.

3. The site is using out of date security standards.
 
Sadik

I have freelanced in web development for many years. It is probably not your developer. It looks like you hired an agency and unless they are planning to close shop the risk of a client calling them out as a hacker would collapse their reputation and future business. But it's possible, I am not denying that. But low in probability.

If you are using something like wordpress, it's possible that they used a plugin which has a known security issue and someone targets all websites which have that plugin. Another possibility is your web host. One thing I would check is if other websites on the same host (through shared IP, if you are on shared) are also hacked.

In either case, your developers most certainly shouldn't have blamed you. If a developer builds a site, he is responsible for its security. There are some basic security things needed to be taken care of which reduce the chance of your site getting hacked to minimal. If you are on a shared host, move to a VPS. Use a server firewall, implement access logs for all users etc.
 

Roli

Oh man, I feel for you. Why do people do this? I've had this done to me as well and it just sucks, recently somebody in China stole my domain name which I'd forgotten to re-register. It is my personal name and I use it for email and now I can't because a random Chinese person who won't talk to me wants my name :-(

I guess spend a bit more money on some different developers and get all the latest security plugins.
 

RazorCut


This. It's not targeted. Just an automated hack. That's why I asked what platform it was built on. It's preying on a Wordpress or WP plugin vulnerability.

Change the default WP install directory and make sure WP and all your plugins are fully up to date.
 
Mark Trade

Oh man, I feel for you. Why do people do this? I've had this done to me as well and it just sucks, recently somebody in China stole my domain name which I'd forgotten to re-register. It is my personal name and I use it for email and now I can't because a random Chinese person who won't talk to me wants my name :-(

I guess spend a bit more money on some different developers and get all the latest security plugins.

There are 244 ways to register your domain name via different extensions, using your personal name.
 

Napoolion

Is it running on WordPress? If yes, it means that they are targeting a plugin / theme. They have automated scripts running that search for that stuff, they don't really care whose site it is. If it is hackable, they will hack it. Message me if you want me to help tighten the security.
 

Rainy_State

It’s probably an automated hack (not aimed at you specifically but all sites that have a certain vulnerability). What platform is it built on?
Hi, it is a possibility. It used HTML5/CSS3/ Bootstrap for the front end, PHP CodeIgniter for the backend and MySQL as database. Thanks!
 
Rainy_State

Would I be close, by saying you are using wordpress as a blog feature on your website.??
No WordPress at all on the website. The hosting company Krystal.co.uk got back today saying I must have left some outdated WordPress files that were vulnerable but as far as I know, the developers did not use WordPress at all.
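
One way to check the host's explanation on a downloaded copy of the site files, as an added example (not code from this thread, the developers or the hosting company): WordPress core records its release in `wp-includes/version.php`, so a walk of the web root finds any forgotten copy even when the site itself is CodeIgniter, and a second pass lists server-side scripts changed after the last known-good deploy. The sample directory layout, the file names in it, the version string and the deploy time are constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# WordPress core stores its release as: $wp_version = 'x.y.z';
WP_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def find_wordpress_installs(docroot):
    """Return {install_dir: version} for every WordPress core copy under docroot."""
    found = {}
    for dirpath, _dirs, filenames in os.walk(docroot):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            text = Path(dirpath, "version.php").read_text(errors="replace")
            match = WP_VERSION_RE.search(text)
            found[os.path.dirname(dirpath)] = match.group(1) if match else "unknown"
    return found


def scripts_modified_since(docroot, cutoff_epoch):
    """List server-side scripts with an mtime newer than the last known-good deploy.

    mtime can be reset by whoever wrote the file, so this is a triage hint only;
    comparing against a clean copy from the developers is the stronger check.
    """
    hits = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if Path(name).suffix.lower() in SCRIPT_EXTS and os.path.getmtime(path) > cutoff_epoch:
                hits.append(path)
    return sorted(hits)


def build_sample_docroot(root, deploy_epoch):
    """Constructed sample: a CodeIgniter-style app, a forgotten WordPress copy, one late file."""
    files = {
        "index.php": "<?php // front controller",
        "application/controllers/Home.php": "<?php class Home {}",
        "old/blog/wp-includes/version.php": "<?php\n$wp_version = '4.7.1';\n",
        "old/blog/wp-login.php": "<?php // leftover file",
        "assets/img/cache.php": "<?php // appeared after the deploy",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        late = rel == "assets/img/cache.php"
        stamp = deploy_epoch + 86400 if late else deploy_epoch - 86400
        os.utime(path, (stamp, stamp))


if __name__ == "__main__":
    deploy = time.time() - 30 * 86400  # assumed: site went live 30 days ago
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root, deploy)
        for install, version in find_wordpress_installs(root).items():
            print(f"WordPress {version} found at {install}")
        for path in scripts_modified_since(root, deploy):
            print(f"script changed after deploy: {path}")
```
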
 

Mark Trade

No WordPress at all on the website. The hosting company Krystal.co.uk got back today saying I must have left some outdated WordPress files that were vulnerable but as far as I know, the developers did not use WordPress at all.

Those old WordPress files would be the instigators then. WordPress has more vulnerabilities and security holes than a block of Swiss cheese. Fingers crossed you have it sorted.
 
Sadik

Those old WordPress files would be the instigators then. WordPress has more vulnerabilities and security holes than a block of Swiss cheese. Fingers crossed you have it sorted.
That is incorrect. Latest versions of WordPress are always free of any known security vulnerabilities. It is usually plugins and themes which may have open security issues.
 

100ToOne

There are many possibilities.

Maybe it's one of the dodgy developers on the team, maybe you've got a Trojan on your computer, maybe the host etc. etc.

Answering your question on why someone would hack an unknown website like yours, as mentioned by the posts here, there is a vulnerability searching program that just keeps sweeping the internet looking for websites that have vulnerabilities like SQL injections and so on. So it could be that.
 
Einfamilienhaus

There is something I don't understand. You have a team of devs and they needed 8 months for one website? Even this sounds really suspicious to me. Either they didn't know what to do or they just want to make a lot of money with you.

There are pages like fiverr, freelancer.com and upwork where you can get a fully responsive website for less than 50$.

As long as you don't have a great product you shouldn't invest too much time and money into a website.

Look, you could invest 50$ into a new website. You would get one in less than 3 days and the last more than 7 months you would have invested your time into a great product. Where would you be now in your process?

I know the last part has nothing to do with your question, but you should think about why your dev team need 8 months! for one website.

My advice, learn how Wordpress works and do it by your own. The more security you have about your website the better it is. You will save money and you don't have to give vulnerable data about your website. Always keep in mind, you can't catch people who are sitting 1000 miles away from you.
 

lowtek

She already said it's not wordpress, and not some 2 page site that can be tossed together for pennies. There are some moving parts that required custom dev work, which can indeed take time.
 

Brewmacker

There are many ways to hack your website. It is why it is taking me so long to build my own. Via multiple routes a hacker can grasp sensitive information. For example forgetting to hash an API password, SQL injection techniques, methods of injecting and running JavaScript programs which are sneaked in and executed every time a page is loaded and/or button is pressed, thus giving a hacker views of passwords.

The fact that your server is being breached is raising some concerns though. This means someone is hacking you specifically as an admin and not exploiting other people's accounts, or maybe they are able to gain access to admin routes via exploiting the INSIDERS PHP code.

I am FAR from an expert but as I am trying to avoid the same thing desperately I am studying my butt off over this topic. Even if I outsource the work eventually I need to have the ability to test the code and website security.

I will definitely outsource this testing to the professional ethical hackers before launching.

If you like you can PM me a link to your website and I can try to exploit it from my side. As I mentioned I am no expert, but I would love to help each other out on this one and by me helping you I will be helping myself in the long term. Up to you!

Thanks for sharing, good luck and keep us posted on your progress.
 
Tourmaline

Sounds like target practice to me.

She already said it's not wordpress, and not some 2 page site that can be tossed together for pennies. There are some moving parts that required custom dev work, which can indeed take time.

and leave holes!
 

ravenspear

Sounds like it’s time for an external security assessment from another dev/security team.
 

Rainy_State

Hi guys,

Really appreciate all your suggestions and recommendations. I am partially relieved to think that this was likely part of an automated hacking rather than a specific targeting... or at least I hope so.

I spent the last two days researching security specialists and just hired someone to get my website back on track. This is a lesson learnt in a big way. I was too lax and took the security for granted. I cannot fathom the embarrassment if I was hacked in the midst of an investor pitch or while having it used by early testers. Would have been a huge blow to my reputation.

Moving onward and upward...
Many thanks,
RS
 
Einfamilienhaus

She already said it's not wordpress, and not some 2 page site that can be tossed together for pennies. There are some moving parts that required custom dev work, which can indeed take time.

Still I can't imagine that it takes so long for backend development. For a website with the opportunity to buy directly a service/product you don't need complex backend knowledge.

But maybe I'm completely wrong.

@Rainy_what kind of product or service are you offering? Maybe you can show us your page✌
 

Dereklacrone

I always like to believe the best in others and that a developer would never do that because they would hope for referrals and a positive experience. With my company (website development for brand building and scaling ecommerce is a healthy portion of our services), we sometimes use off-site people and teams but they never actually get access to our files or clients info, we use systems that allow them to upload to "fake" sites the work that they have done so that we can go and extract the code and apply it like a puzzle piece to what we are already doing, and our in house team reviews it. If you would like to talk more about this please feel free to message me and we can schedule a call or see how I can help. Best wishes.
 
