WordPress sites keep getting hacked

Discussion in 'Blogging' started by angelas111, May 16, 2017.

  1. angelas111

    My sites keep getting hacked over and over. I googled some of the php from one of the injected files and this came up: https://pastebin.com/mC6bNh1V

    I've changed my root password, changed ftp password, updated all my plugins and wp versions but they still keep getting in.

    I even found the weird folders on one of my non-wp sites so it may not be because of wordpress.

    Has anyone seen this before and have an idea of how I can defend against it?
     
  2. virtualpurity

    Do you have other websites hosted on the same account?

    Are you using a cracked/nulled theme? Or any cracked/nulled plugin?
     
  3. bartosimpsonio

    Are you using a common mysql password for multiple sites?
     
  4. Innovatorz

    Seen this before. You can use Wordfence for starters. For cleaning the .htaccess file, please hit me up on PM.
     
  5. angelas111

    I'm using the same password for multiple SQL, but it has multiple letters and numbers, upper and lowercase.
     
  6. angelas111

    Nothing is cracked or nulled. Learned my lesson a long time ago with that.
     
  7. virtualpurity

    Well, I have seen the exact same thing countless times, and mostly the source of the infection has been a rogue plugin or theme.

    They always leave a persistence script that checks if files are cleaned, and if they are, then the script re-downloads and re-infects. Try to find those first, then after deleting them clean all the PHP files of the malicious code.

    If the pastebin code is the exact one that you are infected with, you can go through it and check all the actions it performs and which files it changes/generates, for example:

    Code:
    chmod (".htaccess", 0777);
    $outht = fopen(".htaccess", "w");
    fwrite($outht, "# BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress");
    fclose($outht);
    This part rewrites your .htaccess file, etc.

    I have found that removing the infection can be far more frustrating and time-consuming than exporting the posts and WP data and re-creating the website again.
     
    • Thanks Thanks x 1
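
Added example, not part of the thread or of any poster's code: one way to do the "check which files it changes/generates" step from the post above without reading every file by hand. It lists file-changing PHP calls with literal targets and marks world-writable `chmod` modes and writes to `.htaccess` or `wp-config.php`; the file names and the `example-plugin` directory are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# PHP calls that change files on disk; each captures a literal target and a mode.
ACTIONS = [
    ("chmod", re.compile(r"""\bchmod\s*\(\s*["']([^"']+)["']\s*,\s*(0[0-7]{3})""")),
    ("fopen", re.compile(r"""\bfopen\s*\(\s*["']([^"']+)["']\s*,\s*["']([waxc]\+?)""")),
    ("file_put_contents", re.compile(r"""\bfile_put_contents\s*\(\s*["']([^"']+)["']()""")),
    ("unlink", re.compile(r"""\bunlink\s*\(\s*["']([^"']+)["']()""")),
]

def list_file_actions(php_source):
    """Return sorted (line, call, target, detail, risky) tuples for one PHP source."""
    found = []
    for call, pattern in ACTIONS:
        for m in pattern.finditer(php_source):
            target, detail = m.group(1), m.group(2)
            line = php_source.count("\n", 0, m.start()) + 1
            world_writable = call == "chmod" and (int(detail, 8) & 0o002) != 0
            risky = world_writable or Path(target).name in (".htaccess", "wp-config.php")
            found.append((line, call, target, detail, risky))
    return sorted(found)

def scan_tree(root):
    """Map each PHP file under root (relative path) to its file-changing calls."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        actions = list_file_actions(path.read_text(errors="replace"))
        if actions:
            report[path.relative_to(root).as_posix()] = actions
    return report

# Constructed sample: part of the excerpt quoted in the post, under a made-up file name.
SAMPLE = '''<?php
chmod (".htaccess", 0777);
$outht = fopen(".htaccess", "w");
fclose($outht);
'''

def demo():
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root, "wp-content", "plugins", "example-plugin")
        plugin.mkdir(parents=True)
        (plugin / "cache.php").write_text(SAMPLE)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Calls whose target is built at run time (a variable or concatenation) are not matched, so a clean report from this listing does not clear a file.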
  8. SpoonFeeder

    The reason why it keeps occurring is because the malware is loading from your DB. You'll have to clean the DB as well as the injected files manually to get rid of it.
     
    • Thanks Thanks x 1
  9. Billy_Batts

    You got SSH access?
     
  10. bartosimpsonio

    But if they're all the same, then there's a single point where the malware is at; when you clean your blogs, it spreads again because it can access all other databases.

    First thing is to get one unique username/password per blog.
     
  11. MisterF

    Was this a site you built yourself or outsourced?

    I once bought a couple of MNS hackproof sites from a seller on here and they got hacked after a month (funny enough).
     
    • Thanks Thanks x 1
  12. suruchibali

    Hey Bud,

    Try to generate different passwords for your different websites using this http://pintient.com/1lnU.

    Thanks and regards
    Suruchi Bali
     
  13. bartosimpsonio

    Yeah, maybe OP is using a nulled theme, or a backdoored theme or some other infected installation (on purpose or by accident).
     
  14. virtualpurity

    He said he was not in the post above. But I have learned not to trust even the paid themes over time. If it's not a popular theme or plugin, as soon as the sales drop or stop, some of the developers sell their plugin to "blackhatters" because they are paying quite well for this kind of stuff.
     
  15. Charlievurt

    I have suffered the same problem before. It is time-consuming and frustrating, but as others mentioned, clean your DB, install a fresh WordPress and avoid nulled themes.
     
  16. bartosimpsonio

    You're right, I wouldn't trust the theme either. Anyway WP themes should not be used blindly. When you get a new theme, have a look at the source code. Check out what it does. If you see funny base64 coded stuff, that's a smell. Check what the base64 part does using a decoder and code pretty printer. Don't just trust themes, that's the main thing.
     
    • Thanks Thanks x 1
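
Added example, not part of the thread or of any poster's code: a static take on the "check what the base64 part does using a decoder" advice above. It finds `base64_decode('...')` literals in PHP source, undoes any `gzinflate`/`gzuncompress`/`str_rot13` wrapper stacked around them, and follows nested layers without executing anything; the sample payload is constructed and harmless.

```python
import base64
import codecs
import re
import zlib

# base64_decode('...') plus any stacked outer wrappers, e.g. gzinflate(base64_decode('...')).
BLOB = re.compile(
    r"""((?:\b(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*)"""
    r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]{24,})["']""", re.I)

def decode_blob(wrappers, b64_text):
    """Undo base64, then each wrapper from the innermost outwards. Nothing is executed."""
    data = base64.b64decode(re.sub(r"\s+", "", b64_text), validate=True)
    for name in reversed(wrappers):
        if name == "gzinflate":
            data = zlib.decompress(data, -15)   # raw DEFLATE stream
        elif name == "gzuncompress":
            data = zlib.decompress(data)        # zlib-wrapped stream
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    return data.decode("utf-8", errors="replace")

def peel(php_source, depth=1, max_depth=5):
    """Return (layers, text) for each encoded blob, following nested encodings."""
    out = []
    for m in BLOB.finditer(php_source):
        wrappers = re.findall(r"\w+", m.group(1).lower())
        try:
            text = decode_blob(wrappers, m.group(2))
        except (ValueError, zlib.error):
            continue  # not valid base64, or not compressed as the wrapper claims
        inner = peel(text, depth + 1, max_depth) if depth < max_depth else []
        out.extend(inner or [(depth, text)])
    return out

# Constructed sample: a harmless statement hidden under two layers of encoding.
INNER = 'echo "constructed sample: nothing harmful here";'

def make_sample():
    layer2 = 'eval(base64_decode("%s"));' % base64.b64encode(INNER.encode()).decode()
    deflater = zlib.compressobj(wbits=-15)
    packed = deflater.compress(layer2.encode()) + deflater.flush()
    return "<?php eval(gzinflate(base64_decode('%s')));" % base64.b64encode(packed).decode()

if __name__ == "__main__":
    for layers, text in peel(make_sample()):
        print(f"{layers} layer(s): {text}")
```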
  17. Ninah

    I'm not an expert, but creating an account on Cloudflare might be helpful after you clean your website. You will have a free SSL certificate and lots of other great free stuff. I've been using Cloudflare from the beginning, so I don't know how it will be with your backlinks when you switch from http to https, so check this before. Good luck my friend, I know how frustrating this problem is.
     
  18. roki4ka

    Use Wordfence and Loginizer and put some security in the .htaccess.
     
  19. Ninah

    I didn't know about it, very disturbing. I'm now using a premium theme; I bought it when I was a complete newbie and now I regret my choice. I noticed lately that my theme's developers have rarely been doing updates. In the future, I'm planning to switch to something really safe like Elegant Themes or something like that.
     
  20. blackpayman733

    With WP always troubling, I'm getting hacked 2 service always :D so always make backups :D