0

This morning I got a message from an editor of a WordPress site on a domain that I manage. The WordPress site had reset to default.

I logged into the Plesk panel and the media content is still there as it should be, the database tables are there but all of the database content is gone.

There have been no recent backups of the site taken.

I've read through the logs in Plesk but I'm unsure of what to look for and can't see anything obvious as to what happened.

There doesn't appear to be a log in phpMyAdmin where I can see logs of when the entries were deleted.

Can you advise me on what I should look for to try to identify the root cause of the issue?

James D

2 Answers

1

You don't happen to be running the Themegrill plugin? It's been in the news today with a very similar symptom (https://arstechnica.com/information-technology/2020/02/hackers-exploit-critical-vulnerability-found-in-100000-wordpress-sites/).

The recommended fix for those who hadn't yet lost data was to wipe (not just disable) the plugin.

Otherwise the main lesson to take away is the usual one: Backups usually turn out to be a good idea, sooner or later.

Mikael H
0

You will want to first look in your MySQL logs to see if there's been any suspicious activity (access from IPs you don't recognize). The path of the log file should be listed in your config at /etc/mysql/my.cnf.

If nothing suspicious there, then you should look at your Apache web server logs (/var/log/apache/access.log) to see who accessed phpMyAdmin and WordPress around the time the database was deleted.

These logs should give you an idea as to the when/how/who of the incident.

slightly_toasted
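
One way to run the access-log check described in the answer above, as an added example that is not part of the original answers: it parses Apache combined-format lines and groups requests to phpMyAdmin and the WordPress admin and login paths inside a time window by client IP. The watched paths, the time window, the known admin IP and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" format: client IP, [timestamp], "request line", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumed paths of interest: phpMyAdmin plus WordPress admin and login.
WATCH = ("/phpmyadmin", "/wp-admin/", "/wp-login.php")

def suspicious_requests(lines, start, end, known_ips=()):
    """Group watched requests inside [start, end] by IP, skipping known admins."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= end) or m["ip"] in known_ips:
            continue
        if any(w in m["path"].lower() for w in WATCH):
            hits[m["ip"]].append((ts, m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [17/Feb/2020:03:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '203.0.113.20 - - [17/Feb/2020:03:15:02 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Feb/2020:03:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Feb/2020:10:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '198.51.100.9 - - [17/Feb/2020:03:20:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def demo():
    """Run the filter over SAMPLE for an assumed window around the data loss."""
    start = datetime(2020, 2, 17, 0, 0, tzinfo=timezone.utc)
    end = datetime(2020, 2, 17, 6, 0, tzinfo=timezone.utc)
    return suspicious_requests(SAMPLE, start, end, known_ips={"192.0.2.10"})

if __name__ == "__main__":
    for ip, reqs in demo().items():
        for ts, method, path, status in reqs:
            print(ip, ts.isoformat(), method, path, status)
```

For a real log, pass an open file object for the access log as `lines` and set the window to the hours before the editor reported the reset.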