September 24, 2015 at 11:15 pm #12889
Recently the site I built with the ACCIO theme was taken completely offline (blank white page) and after contacting GoDaddy hosting support we determined that malicious code was installed on all the sites in my shared hosting account. Each site had fake or modified php files installed into its root directories (ex. files called setup.php) which allowed the hackers access to redirect the urls.
I then had to pay several hundred dollars to get SSL & SiteLock services added and were able to get the initial infection fixed. But now a week later there is new malicious code that has been installed on the sites and upon inspection it apears that the ACCIO theme is the entry point for the hackers (see attached screenshot of SiteLock diagnostic report showing all the infected files are related to the ACCIO theme).
I have made sure to keep the theme and all the plugins installed on this and all sites in my shared hosting account up to date at all times, but yet this hacking continues to happen. Please let me know what I can do to protect/secure the site or I will definitely be wanting my money back to get a different theme. Thank you.
Attachments:You must be logged in to view attached files.September 25, 2015 at 9:30 am #12894
We have replied to your email already.
JackSeptember 25, 2015 at 1:33 pm #12896
I didn’t know if it made more sense to reply to the email or do it here in this thread, but I figured it would do it here in the forum so that other ACCIO site owners can have the details of this infection so they can look into it on their end as well as it is a pretty nasty infection.
In your response you asked how I deduced that the virus/malicious code was injected into the site was due to the ACCIO theme, that you didn’t feel it was due to the fact you guys have previously tested for it, that it was most likely due to security issue on the hosting end and that I should contact the hosting provider to address this with them.
First it is a pretty well known fact that one of the primary targets hackers go after is either the theme or plugins (many often associated with or provided by the theme) due to the open source nature of WordPress.
Second, I did not deduce this myself. As my post indicated, after the infection was deiscovered, I spent a considerable amount of time first with my hosting provider GoDaddy and then spent a lot of money to have the security vendor SiteLock installed on all my sites in the GoDaddy shared hosting account. And SiteLock’s role is to discover and remove all malicious code and try to protect the site going forward.
After several calls with GoDaddy & SiteLock (so your suggestion to contact them has already been done multiple times before this attempt to contact you), they both deduced based on the malicous files found by SiteLock, the fact that based on time stamps the files were first injected on the site with the ACCIO theme and that it was the site in my shared hosting account that was most infected (more details below, but in short it was the only site that was fully taken offline) that the point of entry for the infection was the ACCIO theme. They indicated that without further forensic work (which can costs thousands of dollars) it is hard to figure out the exact source of the problem, but that it was at least related to the theme and suggested that I contact you to figure out what can be done to help better secure the theme.
And to give you more detail on the virus infection (as other ACCIO theme owners might want to look for this in their site accounts):
– The htaccess files was manipulated meaning they have full remote access to do anything they want to the account including writing (and re-writing, as the virus has resurfaced a few days after being initially removed by SiteLock) and injecting malicious code into the full account
– For example each site’s root directory folder had a file called setup.php which is not native to WP sites and there were several more alien files in the root and sub folders.
– Based on time stamps, the site in my shared hosting account with ACCIO theme was the first one things were installed on and was also the most infected
– The site with the ACCIO theme was the only one in my shared hosting account that was fully taken offline (other sites in my account had the malicious code injected but were not taken offline by the time SiteLock removed it, but as stated the code has been reinstalled again)
– There was a 7 day period from the time of injection to the point when the site with the ACCIO theme was taken offline (so the other sites in my account that didn’t have the ACCIO theme might have been taken offline at anytime if we hadn’t acted so quickly by adding SiteLock)
– Once we got the site with the ACCIO theme back up and running, all the child pages were producing 404’s due to the fact it changed the permalink structure.
So as my post indicated we have already explored this in detail with the site hosting vendor (GoDaddy) and the security firm (SiteLock) and they both indicated the site with the ACCIO theme is the point of entry. So please let me know if there is anything that can be done to better secure the ACCIO theme going forward.September 30, 2015 at 2:33 pm #12933
Thank you for all the details provided. I am going to address all this information to our dev guys so they could double check on all theme source files for more detailed investigation.
JackSeptember 30, 2015 at 4:39 pm #12938
Please get back to me as soon as possible on this. As it has been 5 days since our last communication and during that time the site with the ACCIO theme has been attacked 3 more times (luckily SiteLock keeps catching and removing the malicious code before it has done real damage) but it is pretty obvious that this virus is allowing the hackers backdoor access to re-write as they continue to try to attack this site.
And to clarify and provide another detail, while the original infection was infecting malicious code to all the sites in my shared word press hosting account, the recent attacks are affecting the site with the ACCIO design (as SiteLock is stopping it from spreading to the others) which I would think is further proof the entry point is the ACCIO design/theme.October 2, 2015 at 4:07 pm #12982
I will let you know as soon as I get any updates from our dev guys, but it might take time since we need to do troubleshooting in order to find the main culprit.
JackOctober 8, 2015 at 3:31 pm #13023
Jack can you give me an idea how long it is going to take your team to figure this out. As you know it has been over 2-weeks since I initially reported it and again this is a pretty intense virus/hack and to date you have not really given me any potential solutions. Thank you.October 16, 2015 at 4:27 pm #13128
Jack, I have tried to be professional & patient about this, but the first time I reported that my site with the ACCIO theme had been hacked was back on 9/24. You quickly dismissed it saying the issue (site being hacked) wasn’t on Thememakers side and that I needed to address it with GoDaddy the site host.
After doing so and investing in SiteLock, on 9/30 I provided you proof that the issue is related to the ACCIO theme and that the only site in my shared hosting account that continues to be hacked is the one with the ACCIO theme.
It has been almost a month since this ticket was opened and over 2-weeks since I provided you proof that the issue may be due to the ACCIO theme.
Please provide me an update on this asap as I need to know what to do here going forward as the site continues to get hacked and the other sites in my shared hosting account are in jeaproady as well.October 19, 2015 at 1:16 am #13165
Alex here to help you. I’m very sorry for delay in replying yo your request. Jack had an issue with his health and suddenly went to the hospital.
I’m happy to let you know that we finally issued a release that fixes your previously reported security problem. So please download and update your theme to the latest version.
Then let us know if you have any further questions.
p.s. just don’t forget to make a site bachup before the update.
Have a nice day!
AlexOctober 19, 2015 at 9:35 pm #13179
While I am sorry to hear that Jack is having health issues, I am glad to hear that your team created an update to the theme. Can you please confirm that the security issues I was reporting are legit and that the update will hopefully stop the hacks from happening going forward (and if not is there any additional measures I should be taking and that your team will provide to do so). Thank you.October 26, 2015 at 12:27 pm #13228
Thank you, I am getting better now. As per Alex post above the security issues were solved in the latest theme update. You can update the theme and them re-check with SiteLock if needed.
JackDecember 2, 2016 at 4:47 am #15732
A year ago I reported that the ACCIO theme was the source of entry for malicious code that was allowing it and all the sites on my server to get hacked. At first you dismissed it, but after I provided you substantial proof that it was due to the ACCIO theme. A month later you created an update to the theme to address the security issues. Well a year later I am letting you know it has happened again and once again the ACCIO theme is the source/entry point for the attacks. So my question is have you stopped updating this theme (and if not will you do another update asap to address this) or should I just look for a different theme and theme provider as this theme continues to have security issues.
CraigDecember 2, 2016 at 5:51 am #15733
To provide you an update not only has the hack happened again, it has totally trashed the ACCIO theme. GoDaddy did a full site restore and basically the site works fine when a base theme 2016 is applied. Turn ACCIO back on and its back to the white screen of death. So not only is it the source of the virus attack again, it appears this theme is now useless and I will most likely have to buy another theme and redo the site due to this. Please let me know asap if there is any fix to this, otherwise I will be leaving a very unhappy customer and will leave a very negative of this theme as it has been a major security issue from day one.December 3, 2016 at 8:25 am #15744
Too many words instead of something that could really help detecting your problem…
Seems like you’re the copywriter, who wants to negatively spread and low the rank of our theme.. I hope not!
Just wanted to mention that 99% it’s usually happening because of third party plugins since the ACCIO is pretty safe to be used. All the places that could be hacked are protected. Even the LayerSlider was recently updated to it’s latest version.
You must be logged in to reply to this topic.