DE
EN
A hacked WordPress shop is a nightmare: Suddenly, visitors land on phishing sites, Google devalues the domain, and customer trust crumbles. wp-sleeps-hack This is one of the most well-known examples of how attackers can use a plugin vulnerability to turn an entire shop into a redirect trap. We'll show you how to detect the infection, react immediately, and then secure your shop to protect it from similar attacks.
Here's how to tell if your shop is affected by the wp-sleeps hack
Typical symptoms:
- Visitors are redirected directly from the homepage to external domains (e.g.
studentswimcorn-5.live, Telekom fake competitions, “€1000 Amazon Gift card”). - The following appears in the WordPress error output or error log:
wp-sleeeps/wp-sleeeps.php on line 26. - In the plugin directory
/wp-content/plugins/wp-sleeps/There are files that you haven't installed. - In
wp-config.phporindex.phpunknowneval()- orbase64_decode()-views. - Google Search Console reports a "security problem" or spam URLs are suddenly being indexed.
What happened on December 26, 2020 (original report)
Hackers have exploited a security vulnerability in [software/industry] Wordpress We discovered a vulnerability in our website and a plugin called wp-sleeps was installed. We can help you here!
Immediate assistance available at 04122/9669868
Yesterday at 6:10 PM (December 26, 2020) we received this error message on a WordPress website:
wp-sleeeps/wp-sleeeps.php on line 26
The WordPress site is redirected to https://studentswimcorn-5.live/ and a Telekom message appears, for example:
Dear Telekom (T-Mobile) @C customer! We would like to thank you for your trust in Telekom (T-Mobile) @C and are therefore giving you the exclusive opportunity to win a €1000 Amazon gift card on Sunday, December 27, 2020. All you have to do is choose the right gift. Good luck!
Or:
You have made the billionth search
Or:
| You are today's lucky winner: December 27, 2020 | |
| Please complete this short survey. As a thank you, you will have the chance to win a €1000 Amazon gift card to win! | |
It appears that hackers have discovered a security vulnerability in WordPress and injected a plugin called wp-sleeps.
We first deleted all data in the wp-sleeps folder (path: /wp-content/plugins/wp-sleeps).
We need to analyze exactly how the hackers hacked WordPress. The hacked WordPress Homepage But it's running normally again.
Do you urgently need help?
Call us on 040-53206688 or via E-mailjhk@storetown-media.de
Or write to us here using the form:
Immediate action — the right order matters
- Take site offlineMaintenance mode plugin or a
.htaccess-Locked down to prevent further visitors from being harmed. - Full backup of database and file system — status near the cleanup, so that forensics remains possible.
- Plugin folder
/wp-content/plugins/wp-sleeps/Clear. - All core files overwrite freshly from the official WordPress ZIP (except
wp-content/). - Scan database:
SELECT * FROM wp_options WHERE option_value LIKE '%base64_decode%'and%eval(%Manually check suspicious rows. - All passwords (Admin accounts, FTP, MySQL, hosting panel) change.
- Salt Keys in
wp-config.phpregenerate via the official WP Salt API — invalidates all existing login cookies and sessions.
Prevention: so that the next attack bounces off.
After the cleanup comes the more important work — securing the shop so that attackers cannot score a second hit:
- Plugin hygieneNo nulled plugins, no plugin without updates in the last 12 months, as few plugins as possible active.
- Auto updates Activate for WordPress core and plugins (at least for security releases).
- Web Application Firewall such as Wordfence, iThemes Security or a server WAF (e.g. ModSecurity).
- 2-factor authentication for all admin accounts.
- Login hardening:
/wp-admin/Move it to a different path, set brute-force limits. - File integrity monitoring: Daily hash checks of the core files.
- Regular backups — automated, stored off-site, tested.
Frequently asked questions about the wp-sleeps hack
Do I really have to reinstall everything after a hack?
Not mandatory, but recommended. If the infection is detected early and you only see file manipulation, a core file refresh and database scan are often sufficient. For deep backdoors (multiple plugins affected, database injections), a clean rebuild from a backup is often faster and safer.
How do I prevent Google from marking my domain as unsafe?
Act immediately: Clean up in under 24 hours, then request a "Security Issue Review" in Search Console. Google typically disables the warning within 72 hours.
What about customer data — do I have to report it?
When personal data is affected could (Orders, email addresses, password hashes) are subject to a 72-hour reporting obligation to the data protection authority according to GDPR Article 33. If in doubt, contact the data protection officer.
Is penetration testing worthwhile after a hack?
For productive online stores generating revenue: definitely. An external audit will find the vulnerability that the attacker exploited and reveal further vulnerabilities.
Do you need help immediately?
We typically clean compromised WordPress and WooCommerce shops within a few hours — including root cause analysis, a hardening plan, and search console cleanup. Learn more on our service pages. WordPress agency Hamburg and Maintenance & support.
Unfortunately, our site was also affected by the virus. But thanks to the quick help, everything is working again now!
Thank you, Mr. Kummert, otherwise we would have had a big problem! I'll gladly contact you again about another matter…
Greetings,
Jenny Hardenberg