Hi guys, Ive been running a news publication site/blog for awhile now..

This is the second time I have been hacked..

Public HTML is the folder thats been hacked, first time it was shut down for phishing, this time it was spamvertisement. I am losing business here.

I have been using all of the reccomended security plugins..

Block Bad Queries
Bulletproof Security
Chap Secure Login
Login Lockdown
Ultimate Security Checker
WP Security Scan

I've also fixed timthumb vulnerability

Now last time this happened I went into R1 Soft and got one of my backups.. the past two days of backups had in the public html folder a bunch of new folders with random strings... and then i found a clean one (assumed it was clean) then I upped my security.

This time, I went through the R1 soft backups again, and like before todays and yesterdays public html were filled with random stringed folders with html pages inside of them. Only this time I went through all of the R1 backups, even the one a week ago has a folder named "2c5cf4" with an html inside of it, all the other folders are gone but im assuming that folder as well is mallicious - so I now have no safe backups..

How can I fix this, and how can i prevent this from happening again... I have a family member dying and I really dont have the time or the energy to be dealing with this right now

Are they getting in through htaccess? can i prevent that?

Also Im using a w-p-zoom theme that I got from these forums

If it matters the inside of my public html looks like such

_private
_vti_bin
_vti_cnf
_vti_log
_vti_pvt
_vti_txt
2c5cf4
cgi-bin
images
wp-admin
wp-content
wp-includes
.htaccess
_vti_inf.html
error_log
index.hawkhost
index.php
license.txt
postinfo.html
readme.html
wp-activate.php
wp-app.php
wp=atom.php
wp-blog-header.php
wp-comments-post.php
wp-commentsrss2.php
wp-config-sample.php
wp-cron.php
wp-feed.php
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-pass.php
wp-rdf.php
wp-register.php
wp-rss.php
wp-rss2.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
zend_ioon_index.php

and that is from my R1 backup from about a week ago.

please help if you can, ill give you a hug or something.

Change all passwords, keep WP and all the plugins updated, stop using any nulled themes/plugins if you are, change your hosting provider and scan your computer with malwarebytes for keyloggers.

Here's what I'd advise.

1. First off run MalwareMalbytes on your PC in safe mode.
2. Run ComboFixer in Safemode (This is a big one, my favourite least used tool!)
3. Change password's to your WP blog, Cpanel, Mysql e.t.c.
4. Contact host and ask for FTP log's & find out what they changed/edited.
5. Check date stamp's on files.
6. You should be clean, run over your CHMOD's & make sure none are set to something stupid.

Thanks guys.. some of this is a bit new to me so I dont think I understood everything that was suggested...

like i dont know anything about CHMOD?

What should I do about my current backup since there is that unknown folder? I'd like to get the site up as soon as possible, i just need to make it safe, and then keep it safe

I am considering transferring hosting accounts because of the ongoing hacking! I currently have all my wordpress's 302'd to some polish website!

First talk to your web host about it, check the server security and activity log e.t.c..

Be aware that the problem might be on your PC, you might have spyware or malware e.t.c.. where they get your wordpress login info when you log in.

Chnage all password to long, meaningless random strings of characters like *&%^^%#IUgiuwge^^4$$##weif9^^)*60

Just out of interest, which web host is this?

Originally Posted by abusetheuser

Thanks guys.. some of this is a bit new to me so I dont think I understood everything that was suggested...

like i dont know anything about CHMOD?

What should I do about my current backup since there is that unknown folder? I'd like to get the site up as soon as possible, i just need to make it safe, and then keep it safe

The first thing you should be working on is finding out how they got the information. It's usually through some build in javascript on a website e.t.c. I'd scan exactly how I said in the post above & perhaps get yourself something that offers browser protection e.g. ESET NOD 32. Once your PC is clean, then focus on fixing everything.

I forgot to say: make sure that your actual theme is watertight, some themes you download from anywhere, even this forum have built in vulnerabilities where the purpose is to provide a back door into your site.

well if you are on Shared hosting it might not be cause of you, maybe someone rooted the server but I think you need to scan your files and check your theme files code too

If you're using a good host, just contact them and ask them to look into it. Hostgator has been great for me when my WP installs got hacked (about once a year).

Most has been answered but i agree about
using themes, plugins with potential problems.

Anything you're using (plugins, themes, hosting, etc.) need to be from a trusted source. Also as mentioned earlier, check your computer for any malware, keyloggers, etc.

And in future try to use virus/spyware software that supports your browser. My eset nod 32 stops everything JavaScript getting in and I get a hell of a lot from scrapebox!