A client I’m dealing with is hosting with HostPapa and the more I have to ask their support people for help the more I’m trying to drive people away from them. So right now, if you’re using HostPapa please, please, please save yourself some headaches and consider moving as soon as possible.
The Back Story
This client is using WordPress and wasn’t always vigilant about keeping everything up-to-date. Eventually that became an issue and his site was hacked. While we attempted to fix it we noticed that we could not access all the logs we would have liked to.
We asked HostPapa for information from these logs and just got the runaround. Site was back up and running the best we could do and a few days later it was down again. Put it up again, it came down a few days later. Each time we asked for logs and more info and got nothing.
Today the site went down again and this time I called them…
This latest hack changed out the index.php file in the root directory as well as the index.php file in the wp-admin directory. The database had the main user name and password changed. And there was a file called ‘MYSql.php’ in the wp-admin directory as well. Not a shell script this time but a database interface file. So they could do as they pleased to the database. Thankfully they only changed the user name and password (from what we could find so far).
On the phone with support I asked if they could let us know how the file was put in place. Was it through FTP or a WordPress upload? They wouldn’t help and told me to open a support ticket. When I asked how likely I was to get an answer to my question that way I was told, “Not very likely.”
Since the log files that we can see are only kept a short amount of time I thought it would be a good idea to set up a cron job which would copy the log file every few hours but give it a new name with a date/time stamp on it. This way I could see things developing over time.
Cron job wouldn’t run. The log files sit outside the client’s root web folder so I thought that might be why it wasn’t working.
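A sketch of the kind of snapshot job described above, as an added example that is not the script used on this site. The file name snapshot_log.sh, the function name, and every path in the crontab line are assumptions. It reports an unreadable log on stderr rather than failing silently, and skips the copy when the log has not changed since the last run.

```shell
#!/bin/sh
# Added example, not the author's script. Paths in this crontab line are assumed:
#   0 */3 * * * /bin/sh "$HOME/bin/snapshot_log.sh" "$HOME/logs/access.log" "$HOME/log-archive" 2>>"$HOME/snapshot.err"
# The date format lives in this file because an unescaped % in a crontab
# line is treated as a newline by cron.

# snapshot_log SRC DEST_DIR
# Prints the path of the new copy. Exit status:
#   0 new snapshot written, 1 source unreadable or copy failed,
#   2 source unchanged since the previous snapshot (nothing written)
snapshot_log() (
    src=$1
    dest_dir=$2
    # Cron has no terminal, so report the reason on stderr for the error file.
    if [ ! -f "$src" ] || [ ! -r "$src" ]; then
        echo "snapshot_log: cannot read '$src' as user $(id -un)" >&2
        exit 1
    fi
    # Logs hold IPs and query strings: keep copies private, and keep
    # DEST_DIR outside the web root so they cannot be downloaded.
    umask 077
    mkdir -p "$dest_dir" || exit 1
    sum=$(cksum < "$src") || exit 1
    state="$dest_dir/.last_cksum"
    if [ -f "$state" ] && [ "$(cat "$state")" = "$sum" ]; then
        exit 2
    fi
    # A UTC stamp sorts lexically and is unambiguous across DST changes.
    out="$dest_dir/$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ)"
    cp "$src" "$out" || exit 1
    printf '%s\n' "$sum" > "$state"
    printf '%s\n' "$out"
)

# Run only when called with both arguments (as from cron).
if [ "$#" -eq 2 ]; then
    snapshot_log "$1" "$2"
fi
```

If the error file shows "cannot read", the account running cron has no read access to the log path, and the host would have to grant it.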
Good time to jump on HostPapa’s live support chat and get some answers…. or not.
Here’s the support chat:
JonathanM: Hi there, how may I help you?
Me: I have a quick question that I hope you might be able to help me with.
Me: I notice that the raw access logs are only kept for a short amount of time. Is there a way to keep them for longer on an account by account basis?
JonathanM: unfortunately our log system is fairly simple – to not say old, and I’m not sure you can do that
Me: Okay…. a different question then….
Me: My initial thought was to set up a cron job that would copy the log file but give it a name with a date and time stamp.
Me: I tried this but it wasn’t working. Can I even run a cron job on the directory where the log files are stored? Or is access limited to just the public_html files?
JonathanM: I’m not sure… you can send us this question to firstname.lastname@example.org and we’ll make sure a technician will look at it
Me: Ummm okay… I thought I was talking with support here. No one there can answer this question now?
JonathanM: Not at this moment unfortunately
Me: Okay… well then thank you for your time.
I’m talking to support and they tell me to email support for the answer? Why even bother having a live support chat then?
Anyway… this is more of a rant and a warning than anything useful to others. Just keep in mind that I believe WordPress recommends only 4 different web hosts on their site because they’re the ones who offer great support and have servers set up properly. Might want to make the move to one of those and protect yourself and your site.
Site was ‘hacked’ again today – a shell script injected into the theme’s style sheet.
On a brighter note – thanks to this post I was contacted by someone (Rick) whose friend is having the same exact issue with her website. Her website appears to be on the same HostPapa shared server as my client’s. Rick also mentioned that the information left in the hacked files he looked at showed domain names in the files. When he looked at those sites they were hacked as well. All sitting on HostPapa’s shared server.
So however these hackers got in the first time it’s apparent they can get to other sites on this shared server. Not the best security measures there HostPapa… might want to fix that.
Rick was kind enough to send me some excellent information last night that was sort of alarming. Seems his friend’s site that was hacked had a bunch of text files on it last night. All of these files were HostPapa user names followed by ‘wordpres.txt’ or ‘shop.txt’ (ZenCart) or … you get the idea. These were basically the configuration files for these programs and contained user names, database names and database passwords.
A quick call to HostPapa about this finally made them perk up enough to look at this as a server issue and not something that was just our fault. A ticket is in place with HostPapa now and we’ll see what they actually do about it.