I was working in one of my ATA sites (I have 7) today and out of the blue 6 out of 7 of those sites seemed to automatically update to the current version of ATA. (No, I don't update ATA because it's a pain transferring over theme options. It's easier to leave things alone.)

In a panic I called Bluehost and they were able to restore from the version that was on their servers at 2am this morning (although I do have my own backups to restore from).

I've checked the access logs and nothing seems fishy - at least that I can see. And the Bluehost tech couldn't see anything from their end, either.

Does anybody have any info on a forced update that came from ATA? This is the first time this has happened. And, yes, I've now changed passwords at Bluehost and the individual sites.

There is nothing in the theme that can force an update

Hmmm, someone else on BlueHost just reported the same thing happening
see http://forum.bytesforall.com/showthr...9755#post99755

I had the same "auto update" on Bluehost too... A bit of a surprise, and yes I have to go through and change over the header and favicon - but with the new coding, that should be eliminated.

Any idea what Bluehost did to force the update?

Gail_NK

(followed up with a comment in that thread)

Bluehost is great, but they were very naughty to do an auto update of ATA without our consent! Despite this I've had great service with them.

Well, I'm not sure what they're doing over at Bluehost, but my sites are all messed up again.

Is there any way a single version of ATA could be offered? Or at least one that doesn't send a notice to WP that a new version is available. Them maybe Bluehost would leave it alone.

I really don't want this to happen again. I'd hate to have to abandon ATA and create custom themes for all my sites. ATA is fabulous, but if a web host is able to go in and do an update without our consent or notification I'm going to have to find another theme

here is an idea, download the version of Atahualpa you need to your computer unzip it and rename the folder to atahualpannn where nnn=version number. Next upload this to the themes folder.

You can have multiple versions of a theme in the theme folder as long as (1) they are different versions and (2) the folder name is different,

in the four years that I've been a moderator, this (and the other therad) are the onl time I've heard of this AND it happened on the same day AND the host is the same. Coincidence?

If BlueHost is forcing udates to this theme, you've got to expect they are doing it to alll themes.

Dreamhost auto-updates for you as well.. I think its to ensure people are not using old templates with security issues..

All But another reason to have bytesforall look into some sort of feature/rewrite to save changes when doing updates.

1) the theme options are stored in the database so they remain across updates (this doesn't include any changes to the theme code)
2) as of 3.7.12 there is an option to store your logo, favicon and header images in a folder in the 'wp-content' folder so it will not be effected by theme upgrades

Ok, just got off the phone with Bluehost support again. What they found is that the header.php file was hacked in all of my sites, as well as a malicious file being planted in wp-content. One site also had a hidden, malicious plugin added named "837c". This happened on my own sites (under one account) as well as my clients' sites (each on their own account).

The support person could not see anything in the access log, but the modification of all the header files was done at 8:24pm last night. The best he could offer is that the hacker gained access through the theme somehow.

So I guess I'll be updating ATA for all the sites now.

Is there any place or route that someone could gain access to a WP site through ATA itself? Any ideas?

what version of Atahualpa were you on?

I'm unaware of any way you could hack the header.php and install a plugin and plant a file in the wp-content folder via visiting the site.

It's happened to me two days in a row to the same site. This is going to become more than a pain in the ass and start costing me future jobs if I don't get this fixed.

What is going on for real? I use Justhost.com

I was running various version of ATA (except the current one) - none were the same.

Well, someone was able to gain access to all my ATA sites, no matter what version and no matter if they were separate accounts.

Bluehost sent me a follow up email with information on hiring a professional security team to look into it. I just may do that.

Yes, this is costing me money, too. Mostly in the form of time I have to spend to fix this.

are the various accounts on the same server?

I did a little research and found that hackers are targeting wordpress sites with admin screen names for the administrator. It's a massive hacking that is going widespread now. So it's not Atahualpa. Thank God, I do love this theme.
Here's a link to an article about whats going on...

http://www.informationweek.com/secur...dmin/240152864

Screen names for the administrator? You mean the admin login name is "admin"? I definitely change that right away when I start a new WP site.

I had that thought, too, that all my and my clients' sites were on the same server. I will inquire with Bluehost.... and let you know.

Quote:

Originally Posted by johnnyinstereo

I did a little research and found that hackers are targeting wordpress sites with admin screen names for the administrator. It's a massive hacking that is going widespread now. So it's not Atahualpa. Thank God, I do love this theme.
Here's a link to an article about whats going on...

http://www.informationweek.com/secur...dmin/240152864

We have several different Blue Host sites, all on the previous version of ata. All were zapped. All did not have "admin" logins.

It's not just ata it's updating. I had some unused plugins it also updated. What I don't get is that it didn't zap my theme modifications, as far as I can tell. (Still looking into that)

UPDATE: I did a comparison between my exported ata file and my saved one, and they're the same, so whatever it did, specific mods weren't affected. I'd like to know how it managed that! :D
Beyond annoying, to say the least.

Has anyone heard if it's doing it to other themes?

Is there any way to delete the update notification? I've done the "rename the folder" bit and still gotten the notifications.

The theme settings are stored in the database. What was updated was teh theme code. This is one of the best features of Atahualpa, you don't have to change the theme CODE.