Ever been hacked?

What happened? What were you using for your web? How did you solve it?

explorador

4:14 am on Nov 22, 2025 (gmt 0)

Hi webmasters, any stories or interesting pieces of data to tell?

Used to work at a company that managed multiple big websites. I was in charge of 5 of them, and as you would expect from classic devs, I created the CMS for those websites (from scratch, using Perl). The websites were NEVER hacked over the course of 10-11 or more years in a row, that's quite a clean record.

Another department had one website, fully created using just html (every page made by hand), never hacked.

Other departments used WordPress, and they were constantly hacked, yeah, time after time. If it wasn't a hacking problem, then pretty sure they would be offline due to overloads, even having WAY less traffic than the sites I managed, and they were constantly moving to larger and faster servers (while my sites were all on the same server using very low resources).

One department used a custom JSP solution and Oracle, and somehow experienced rollbacks, that's a diff story, not hacked, just configuration issues.

Before leaving (about 2 years prior) we discussed a transition (for the websites I managed), because they were using my code, and this could create conflicts when new people arrived, so... I proposed DRUPAL, the websites worked fine over those 2 years, no speed or overload issues.

Then I left and the main site got hacked. Naturally, they hired a super-master webmaster who fixed it... nope, he just restored a backup and the site got hacked again, and then he was removed from the company. Eventually the company faced a crisis and killed all the websites except 1, but that's a diff story.

What about you?

thecoalman

3:59 pm on Nov 22, 2025 (gmt 0)

I also had a Drupal site hacked. They released a patch addressing a major security vulnerability allowing remote file upload and sent out emails. I might have read the email 12+ hours later and it was already hacked. What the hackers did was very interesting.

They uploaded a Google Search Console .html verification file and then added a sitemap in the console pointing to a .php page creating dynamic links. The links went to a bitcoin mining script that was also uploaded to my site. Basically they were using Google as a cron job to execute the mining script on my server. I have to admit I was impressed with the ingenuity.

mack

9:02 pm on Nov 22, 2025 (gmt 0)

With WordPress, you really need to stay on top of security updates. Enable auto updates for everything and remove any themes or plugins you are not using. A Web Application Firewall is also a smart move.

Mack.

thecoalman

11:45 pm on Nov 22, 2025 (gmt 0)

Is WordPress as bad as it used to be? The reason I ask is twofold.

I still occasionally hear people stating phpBB being bad but not nearly as much as I used to. It was phpBB2 that had a lot of issues and the last release for that was around 2007. phpBB3 is the opposite with a security track record from 2007 onward that is envious. Once you get that badge it can be hard to get rid of.

The other reason is I was considering switching my Drupal install to WP. I just don't need the flexibility Drupal has. The comment I read here on WebmasterWorld from someone familiar with both and to paraphrase "WordPress makes easy things easy and Drupal makes hard things easy". I need to make easy things easy. I've only played around with WordPress a few times but I liked what I saw relative to Drupal. I'm not dissing Drupal but it seems it's getting more complicated as the years go by and I'm not getting younger.

tangor

5:23 am on Nov 23, 2025 (gmt 0)

Site hacked? No. A weak password associated email server? Yes. Solution was to address the original error!

Have been HTML with occasional Perl since the beginning. Never used other until requested by clients (and whichever the way the wind blows and one needs to earn a living), in which I did my dang level best! Over 25ish years only one other site was hacked---and that was due to the STUPIDITY of management giving ADMIN permissions to one of their own, who was an IDIOT not vetted for ordinary security.

You can't fix STUPID.

But you CAN earn extra money putting out the fire!

Kendo

9:58 pm on Nov 23, 2025 (gmt 0)

Only a couple of times that I recall. About 10 or more years ago, maybe even more, there was a vulnerability in Windows server which allowed page injection. Some new web pages were added to one site by an SEO spammer. I still see requests for nike***** in our logs.

Another time someone managed to inject data into a client's SQL database. That was a really dumb effort because instead of creating backlinks it corrupted the database.

With CMS like WordPress, I never liked allowing automatic updates - those sites are locked down and core and plugin updates can only ever be updated manually by the administrator on the server.

explorador

8:05 pm on Nov 26, 2025 (gmt 0)

@thecoalman: I've read a few stories on how some sites got hacked. Drupal cases felt confusing, how they manage to break the walls is both surprising and scary (and I must say, most times out of my understanding capacity). ++ Yes, Drupal has become increasingly complex, it often reminds me of things I've read on the web (and they were serious: "how to read Fiódor Dostoyevski", in fact, there are books that prepare you to read that book)

@mack: true, I managed a few websites running WP, the problem is... there are many cases where the updates break the websites due to incompatibilities with plugins, I always warned clients against this.

mack

11:31 pm on Nov 26, 2025 (gmt 0)

> @mack: true, I managed a few websites running WP, the problem is... there are many cases where the updates break the websites due to incompatibilities with plugins, I always warned clients against this.

This is very true. I also have a recovery process. Copy public_html to public_html_bk when you have the site operating correctly. Then, if you do have a mess caused by an update, you can recover the file system to a known good state.

The problem of updates breaking sites is more of an issue with sites that are several versions out of date with a specific plugin or template. Several years back, it used to be more of an issue, and it was terrifying visiting a site after you got the "some plug-ins were updated" email notification. :-)

Mack.
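
A known-good copy such as public_html_bk is also useful for finding out what changed on a live site, for example an uploaded Search Console verification file or a new .php script like the ones described earlier in this thread. The following is an added example, not code from any poster; the sample trees and file names are constructed, and the `google<16 hex>.html` naming pattern is an assumption about how such verification files are usually named.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: HTML verification files are usually named google<16 hex>.html
VERIFY_RE = re.compile(r"^google[0-9a-f]{16}\.html$")

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(live, backup):
    """Report files added, modified or removed relative to the known-good copy."""
    live_h, good_h = tree_hashes(live), tree_hashes(backup)
    added = sorted(set(live_h) - set(good_h))
    removed = sorted(set(good_h) - set(live_h))
    modified = sorted(f for f in set(live_h) & set(good_h)
                      if live_h[f] != good_h[f])
    # New PHP files and new site-verification files deserve a look first.
    suspicious = [f for f in added
                  if f.endswith(".php") or VERIFY_RE.match(Path(f).name)]
    return {"added": added, "modified": modified,
            "removed": removed, "suspicious": suspicious}

def demo():
    """Constructed sample: a clean backup and a tampered live tree."""
    with tempfile.TemporaryDirectory() as tmp:
        live, good = Path(tmp, "public_html"), Path(tmp, "public_html_bk")
        for root in (live, good):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home';")
            (root / "inc" / "db.php").write_text("<?php // settings")
        # Simulated tampering: one edited file and two unexpected uploads.
        (live / "index.php").write_text("<?php echo 'home'; include 'x.php';")
        (live / "x.php").write_text("<?php // unexpected upload")
        (live / "google0123456789abcdef.html").write_text("verification")
        return compare_trees(live, good)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real site, legitimate uploads and cache files will also show up as added, so those directories need reviewing separately rather than ignoring.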

Kendo

12:50 am on Nov 27, 2025 (gmt 0)

By coincidence I had a termite trying to get at one of our databases yesterday. After about 2,000 attempts at submitting form data like "10XOR(1if(now()sysdate()sleep(15)0))XORZ" he was blocked at the firewall. Those strings have already been filtered, rendering them useless. No damage is ever done, but it is annoying to be reminded that such idiots exist.
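
Repeated submissions like the one quoted above can be counted per client to produce a list of addresses to block. This is an added example, not the poster's setup; the log format, the IP addresses (documentation ranges) and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Time-delay SQL functions that ordinary form fields should never contain.
# "sleep(" also covers pg_sleep(; ordinary text with "sleep (" can match,
# which is why a per-client threshold is applied before blocking.
DELAY_RE = re.compile(r"(sleep|benchmark)\s*\(|waitfor\s+delay", re.I)

# Constructed log format: "<client-ip> <method> <path> <form body>"
LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ (?P<path>\S+) (?P<body>.*)$")

# Constructed sample lines; the first payload is the string quoted in the post.
SAMPLE_LOG = [
    "203.0.113.7 POST /order qty=10XOR(1if(now()sysdate()sleep(15)0))XORZ",
    "203.0.113.7 POST /order qty=1&note=sleep%2815%29",
    "203.0.113.7 POST /contact msg=x+WAITFOR+DELAY+y",
    "198.51.100.20 POST /contact msg=I+could+not+sleep+last+night",
    "198.51.100.20 POST /order qty=2",
]

def probe_counts(lines):
    """Count form submissions per client that contain a time-delay probe."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        # Decode %xx and '+' first so encoded probes are seen as well.
        if m and DELAY_RE.search(unquote_plus(m["body"])):
            counts[m["ip"]] += 1
    return counts

def block_candidates(lines, threshold=3):
    """Clients at or above the (hypothetical) threshold, sorted."""
    return sorted(ip for ip, n in probe_counts(lines).items() if n >= threshold)

if __name__ == "__main__":
    print(dict(probe_counts(SAMPLE_LOG)))
    print(block_candidates(SAMPLE_LOG))
```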

William555

11:11 am on Nov 27, 2025 (gmt 0)



Yeah, I’ve been hacked once. It happened on a WordPress site I was running; an outdated plugin created a security hole. The site started redirecting to spam pages and some files were injected with malicious code.
I solved it by restoring a clean backup, removing the vulnerable plugin, updating everything & adding proper security tools "firewall, malware scanner, 2FA". Learned my lesson: keep everything updated and don't ignore security alerts.

tangor

4:20 pm on Nov 27, 2025 (gmt 0)

@William555... Welcome to WebmasterWorld!

Having backups is ESSENTIAL! (Reminder to all: the time to BACKUP was YESTERDAY!)

Sandros

3:41 pm on Jan 29, 2026 (gmt 0)



For 16 years of the service that we built, we have never been hacked. We have 4 VPS custom-made servers managed by our trusted IT support family friend. There were a lot of tries seen in the logs each day, but never successful. Of course, we use all custom-made systems, no WP, and best practice, as we started back in 2009. Let it stay that way.

ImLittleWhite

8:12 am on Feb 26, 2026 (gmt 0)

2016? Maybe some attacks you didn't notice.