Geekzone: technology news, blogs, forums
timmmay | Uber Geek | 20581 posts | Trusted, Lifetime subscriber | #1735855 13-Mar-2017 16:32

I still recommend CloudFlare. It can block by country as well, blocks some exploits as soon as they become known, and accelerates your website.




jarledb (Webhead) | Uber Geek | 3257 posts | Moderator, ID Verified, Trusted, Lifetime subscriber | #1735857 13-Mar-2017 16:33

You will be fighting an uphill battle if the host itself is being hacked. If they do not keep Plesk and other systems updated, and that part of the server is hacked, it's free rein for the hackers to do what they want.

That said, if everything is good on the host, this is what I always do:

1) Lock down the site so only your own IP address has access.

2) Find files that have been infected, check when they were updated, and look through the logs to find out how the site was hacked. This also includes things like making sure there are no PHP files in the uploads directories, checking through theme files etc.

3) Remove all WordPress files and reinstall from the WordPress.org repository.

4) Remove all plugins and reinstall from the WordPress.org repository.

5) Go through the themes being used. If you have unused themes, get rid of them. If you do not know the theme you are using well, remove it and install an updated version of the theme from a trusted source.





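The checks in step 2 (no PHP files in the uploads directories, and what changed recently) as a small triage script. This is an added example, not jarledb's code: the WordPress tree it scans is a constructed sample built in a temporary directory, using the standard wp-content/uploads and wp-content/themes layout.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions the web server may execute. A file with one of these under
# wp-content/uploads has no legitimate reason to be there.
EXEC_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

def php_in_uploads(root):
    """Return PHP-like files found anywhere under wp-content/uploads."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    return sorted(p.relative_to(root).as_posix()
                  for p in (uploads.rglob("*") if uploads.is_dir() else [])
                  if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES)

def modified_since(root, since_epoch=None):
    """Return files modified after since_epoch (seconds), newest first.
    Defaults to the last 24 hours; pass the time the spam started to
    narrow the search to the compromise window."""
    if since_epoch is None:
        since_epoch = time.time() - 86400
    root = Path(root)
    hits = [(p.stat().st_mtime, p.relative_to(root).as_posix())
            for p in root.rglob("*") if p.is_file()]
    return [path for mtime, path in sorted(hits, reverse=True) if mtime > since_epoch]

def build_sample_site():
    """Constructed sample tree (not a real site): an old install plus a
    theme file touched today and a PHP file dropped into uploads today."""
    root = tempfile.mkdtemp()
    now, old = time.time(), time.time() - 30 * 86400
    files = {
        "wp-login.php": old,
        "wp-content/themes/mytheme/functions.php": now,
        "wp-content/uploads/2017/03/photo.jpg": old,
        "wp-content/uploads/2017/03/wp-cache.php": now,
    }
    for rel, mtime in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample content\n")
        os.utime(path, (mtime, mtime))  # backdate so old files look untouched
    return root

if __name__ == "__main__":
    site = build_sample_site()
    print("PHP in uploads:", php_in_uploads(site))
    print("Modified in the last day:", modified_since(site))
```

The modified-file list is the starting point for the log check in step 2: each path on it should correspond to a request in the access log for the same window.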


MadEngineer | Uber Geek | 4291 posts | Trusted | #1735898 13-Mar-2017 17:38

^ +1 for 1)





You're not on Atlantis anymore, Duncan Idaho.



bigalow | Ultimate Geek | 566 posts | #1735967 13-Mar-2017 19:50

If the host server is getting hacked then move hosting ASAP.

I would go with a VPS cloud; the prices are so cheap, from $5 a month.


darylblake | Uber Geek | 1162 posts | Trusted | #1736011 13-Mar-2017 21:11

michaelmurfy:

Also check the .htaccess file as this is a common target for malware and overlooked. It honestly sounds like you're needing to find a new host if your one keeps getting owned.

.htaccess files should never exist. All this should be in the nginx or Apache vhost settings; it shouldn't be set by the application. The server should be tweaked for the app.

Unfortunately this happens all too often. Why? Because people get a website made, then just leave it. Then they pay some minimum hosting fee of a couple of bucks a month, and never update it. Or install extremely poorly written plugins, which have security holes.

If you are going to put a high traffic application on the web you need to constantly update things like OpenSSL, PHP, the web server and the database. Also it's worthwhile constantly applying security updates to the host.


martyyn | Uber Geek | 1971 posts | ID Verified | #1736167 14-Mar-2017 09:16

It's happened again!

Spam started at 9pm last night. I'm just going to build something somewhere else.


timmmay | Uber Geek | 20581 posts | Trusted, Lifetime subscriber | #1736168 14-Mar-2017 09:18

Maybe try wpengine.


 
 
 

martyyn | Uber Geek | 1971 posts | ID Verified | #1736250 14-Mar-2017 11:33

jarledb:

That said, if everything is good on the host, this is what I always do:

1) Lock down the site so only your own IP address has access.

Ok, given I am on a dynamic IP and Chorus are up the road hooking up a new subdivision and my connection has dropped a couple of times in the last week, what's the best way to achieve this?

jarledb:

2) Find files that have been infected, check when they were updated, and look through the logs to find out how the site was hacked. This also includes things like making sure there are no PHP files in the uploads directories, checking through theme files etc.

I can see a POST request last night to a genuine file in the themes directory and the status code returned is 200. Immediately after that (from a different IP) there is a POST request to the wp-content dir (for what I assume is a plugin dir but it's not a plugin we have installed) with a PHP file. About an hour later it all kicks off with multiple IPs all trying to post the same PHP file to the same directory and all receiving 200 status codes.

Is that enough to think the theme/plugin directory is the problem?

jarledb:

3) Remove all WordPress files and reinstall from the WordPress.org repository.

4) Remove all plugins and reinstall from the WordPress.org repository.

5) Go through the themes being used. If you have unused themes, get rid of them. If you do not know the theme you are using well, remove it and install an updated version of the theme from a trusted source.

This will all be done next. Thanks.
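The log pattern described in this post, turned into a triage check over constructed sample lines. This is an added example, not martyyn's real log or code from anyone in the thread: it parses combined-format access log lines, flags successful POSTs that land directly on a PHP file under wp-content, and groups them by target path so the "many IPs, one file" pattern stands out.

```python
import re
from collections import defaultdict

# Combined log format (Apache/nginx). Captures only the fields we triage on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample lines (not the real log) shaped like the sequence in the
# post: a POST to a genuine theme file, then POSTs of a PHP file into an
# unknown plugin directory from several addresses, all answered with 200.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2017:20:58:02 +1300] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [13/Mar/2017:20:58:40 +1300] "POST /wp-content/themes/mytheme/functions.php HTTP/1.1" 200 0
198.51.100.9 - - [13/Mar/2017:20:58:41 +1300] "POST /wp-content/plugins/unknown-plugin/cache.php HTTP/1.1" 200 0
192.0.2.22 - - [13/Mar/2017:21:59:03 +1300] "POST /wp-content/plugins/unknown-plugin/cache.php HTTP/1.1" 200 0
192.0.2.23 - - [13/Mar/2017:21:59:05 +1300] "POST /wp-content/plugins/unknown-plugin/cache.php HTTP/1.1" 200 0
203.0.113.7 - - [13/Mar/2017:22:01:10 +1300] "POST /wp-comments-post.php HTTP/1.1" 302 0
"""

def parse(lines):
    """Yield a dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_posts(lines):
    """Return POSTs that hit a .php file under /wp-content/ and got a 200.
    Normal WordPress POSTs go to the front controller, wp-admin or
    wp-comments-post.php, so a successful POST straight to a theme or
    plugin file is worth a close look."""
    hits = []
    for r in parse(lines):
        path = r["path"].split("?", 1)[0].lower()  # ignore query string
        if (r["method"] == "POST" and path.startswith("/wp-content/")
                and path.endswith(".php") and r["status"] == "200"):
            hits.append(r)
    return hits

def by_path(hits):
    """Group suspicious hits: target path -> sorted list of distinct source IPs."""
    groups = defaultdict(set)
    for r in hits:
        groups[r["path"]].add(r["ip"])
    return {path: sorted(ips) for path, ips in groups.items()}

if __name__ == "__main__":
    for path, ips in by_path(suspicious_posts(SAMPLE_LOG.splitlines())).items():
        print(f"{path}: {len(ips)} source IP(s): {', '.join(ips)}")
```

Run over the real log for the window in question, the first hit in time order is the request to look at first; everything after it is the follow-on traffic.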


darylblake | Uber Geek | 1162 posts | Trusted | #1736252 14-Mar-2017 11:36

You need to find out HOW they got in if you want to prevent them from getting in again.

First, I would set the correct permissions on all the directories. And change the database password.

I would also look at the web server access log, see what they went in for. Obviously there is a hole in a plugin or something.

Find out what it is, and update or remove it.

EDIT:

Post the access log for the time period.


askelon | Ultimate Geek | 879 posts | ID Verified | #1736253 14-Mar-2017 11:40

I've had this happen to a couple of people's websites. In the end I scrapped the sites, moved the hosting and just remade the websites. Never had a problem again. Once was from nobody ever updating anything ever, the other times were crappy servers constantly being hacked. The cleanup is a pain and just not worth the hassle; I've found it quicker to just re-do everything elsewhere in almost every case.


amanzi (Amanzi) | Uber Geek | 1299 posts | ID Verified, Trusted, Lifetime subscriber | #1736305 14-Mar-2017 12:44

I've sent you a PM @martyyn.


MadEngineer | Uber Geek | 4291 posts | Trusted | #1736329 14-Mar-2017 13:44

martyyn:

jarledb:

That said, if everything is good on the host, this is what I always do:

1) Lock down the site so only your own IP address has access.

Ok, given I am on a dynamic IP and Chorus are up the road hooking up a new subdivision and my connection has dropped a couple of times in the last week, what's the best way to achieve this?

VPN to your work connection and only allow connections from work.





mattwnz | Uber Geek | 20164 posts | #1736339 14-Mar-2017 14:11

Move to a new host for a start. Guessing you are just using the cheapest shared hosting, but not all hosting is the same. I have never encountered this problem before, but I don't use cheap hosting.


jarledb (Webhead) | Uber Geek | 3257 posts | Moderator, ID Verified, Trusted, Lifetime subscriber | #1736381 14-Mar-2017 15:49

martyyn:

jarledb:

1) Lock down the site so only your own IP address has access.

Ok, given I am on a dynamic IP and Chorus are up the road hooking up a new subdivision and my connection has dropped a couple of times in the last week, what's the best way to achieve this?

Well, either update .htaccess or the place you can restrict access every time your IP address changes. Or go the route of a VPN if you are able to.

martyyn:

I can see a POST request last night to a genuine file in the themes directory and the status code returned is 200. Immediately after that (from a different IP) there is a POST request to the wp-content dir (for what I assume is a plugin dir but it's not a plugin we have installed) with a PHP file. About an hour later it all kicks off with multiple IPs all trying to post the same PHP file to the same directory and all receiving 200 status codes.

Is that enough to think the theme/plugin directory is the problem?

That makes me think there is either a known vulnerability in the theme you are using, or there is a backdoor injected there.

You should go through that file with a fine comb. You could download the original theme and do a diff to check the differences with your theme file vs the original, or just replace it.

There should be no need for executing PHP directly in a theme folder, so you could try to stop that happening with server rules. Mind you, if there is a backdoor that is a band-aid on a big wound, if that is what's happened.

You can see if there are known vulnerabilities by searching for your theme at the WPScan Vulnerability Database.





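The "download the original theme and do a diff" advice as an added example (not code from jarledb or the thread): hash every file in the installed theme and in a pristine copy of the same version, then report added, removed and modified files. The two theme trees are constructed samples in temporary directories.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_theme(installed, pristine):
    """Compare an installed theme with a fresh download of the same version.
    Files only in 'installed' are the most interesting: a theme has no
    business growing new PHP files. Modified files need a manual diff."""
    have, want = file_hashes(installed), file_hashes(pristine)
    return {
        "added": sorted(set(have) - set(want)),
        "removed": sorted(set(want) - set(have)),
        "modified": sorted(p for p in have.keys() & want.keys() if have[p] != want[p]),
    }

def build_sample():
    """Constructed pair of theme trees (not a real theme). The installed copy
    has extra code appended to functions.php, a file that is not part of
    the theme, and is missing readme.txt."""
    pristine, installed = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    original = {
        "style.css": "/* Theme Name: Sample */\n",
        "functions.php": "<?php\nadd_theme_support('title-tag');\n",
        "index.php": "<?php\nget_header();\n",
        "readme.txt": "Sample theme\n",
    }
    for rel, body in original.items():
        (pristine / rel).write_text(body)
        (installed / rel).write_text(body)
    # Simulated tampering: appended code, a dropped file, a deleted file.
    (installed / "functions.php").write_text(original["functions.php"] + "// unexpected extra code\n")
    (installed / "cache.php").write_text("<?php\n// file that is not in the original theme\n")
    (installed / "readme.txt").unlink()
    return str(installed), str(pristine)

if __name__ == "__main__":
    installed, pristine = build_sample()
    for kind, paths in diff_theme(installed, pristine).items():
        print(f"{kind}: {', '.join(paths) or '(none)'}")
```

The pristine copy must be the same theme version as the one installed, otherwise legitimate upstream changes show up as modifications and hide the real ones.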


amanzi (Amanzi) | Uber Geek | 1299 posts | ID Verified, Trusted, Lifetime subscriber | #1736403 14-Mar-2017 16:28

With martyyn's help, I had a look at this site. As I suspected there was malware hidden in a temp directory. For those interested, here's the identification of one of the malware files: https://www.virustotal.com/en/file/6704ee4feec361c4cf382b637313b74e5ea20e800536d4d59497ec8df004ec66/analysis/1489454473/

Though there are other valid reasons for moving away from this hosting provider, this particular malware was almost certainly installed due to an out-of-date WordPress version, and so it's not directly the hosting provider's fault.

