Wordpress sites keep getting hacked

Discussion in 'Blogging' started by angelas111, May 16, 2017.

  1. angelas111

    My sites keep getting hacked over and over. I googled some of the php from one of the injected files and this came up: https://pastebin.com/mC6bNh1V

    I've changed my root password, changed ftp password, updated all my plugins and wp versions but they still keep getting in.

    I even found the weird folders on one of my non-wp sites so it may not be because of wordpress.

    Has anyone seen this before and have an idea of how I can defend against it?
     
  2. virtualpurity

    Do you have other websites hosted on the same account?

    Are you using a cracked/nulled theme? Or any cracked/nulled plugin?
     
  3. bartosimpsonio

    Are you using a common MySQL password for multiple sites?
     
  4. Innovatorz

    Seen this before. You can use WordFence for starters. For cleaning the .htaccess file, please hit me up on PM.
     
  5. angelas111

    I'm using the same password for multiple SQL, but it has multiple letters and numbers, upper and lowercase.
     
  6. angelas111

    Nothing is cracked or nulled. Learned my lesson a long time ago with that.
     
  7. virtualpurity

    Well, I have seen the exact same thing countless times, and mostly the source of the infection has been a rogue plugin or theme.

    They always leave a persistence script that checks if files are cleaned, and if they are, then the script re-downloads and re-infects. Try to find those first, then after deleting them clean all the PHP files of the malicious code.

    If the Pastebin code is the exact one that you are infected with, you can go through it and check all the actions it performs and which files it changes/generates, for example:

    Code:
    chmod (".htaccess", 0777);
    $outht = fopen(".htaccess", "w");
    fwrite($outht, "# BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
     
    # END WordPress");
    fclose($outht);
    This part rewrites your .htaccess file, etc.

    I have found that removing the infection can be far more frustrating and time consuming than exporting the posts and wp data and re-creating the website again.
     
    • Thanks Thanks x 1
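
The advice above is to find what re-infects the site after cleaning and to list which files the dropper changes. As an added example (not part of the original post, and not code from the Pastebin sample), this Python sketch snapshots PHP and .htaccess files, then reports what was added, changed, or left world-writable, as the `chmod 0777` in the quoted snippet would do. The file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import stat
import tempfile

WATCHED = (".php", ".htaccess")  # file types the quoted snippet touches


def snapshot(root):
    """Map relative path -> (sha256, permission bits) for every watched file."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                mode = stat.S_IMODE(os.stat(full).st_mode)
                snap[os.path.relpath(full, root)] = (digest, mode)
    return snap


def compare(before, after):
    """Report what appeared or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after)
                          if before[p][0] != after[p][0]),
        "world_writable": sorted(p for p, (_h, m) in after.items()
                                 if m & stat.S_IWOTH),
    }


def _write(root, rel, text, mode):
    path = os.path.join(root, rel)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: a cleaned site, then a simulated re-infection."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // clean\n", 0o644)
        _write(root, ".htaccess", "# site rules\n", 0o644)
        before = snapshot(root)
        _write(root, ".htaccess", "# BEGIN WordPress\n# END WordPress\n", 0o777)
        _write(root, "cache.php", "<?php // placeholder for a dropped file\n", 0o644)
        return compare(before, snapshot(root))
```

Take the first snapshot right after cleanup and store it outside the web root; anything listed under `added` or `changed` on the next run points at what the persistence script rewrites.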
  8. SpoonFeeder

    The reason why it keeps occurring is because the malware is loading from your DB. You'll have to clean the DB as well as the injected files manually to get rid of it.
     
    • Thanks Thanks x 1
  9. Billy_Batts

    You got SSH access?
     
  10. bartosimpsonio

    But if they're all the same then there's a single point where the malware is at; when you clean your blogs, it spreads again because it can access all other databases.

    First thing is to get one unique username/password per blog.
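
To check the point made above about shared database logins, the following added example (not part of the original post) parses the `DB_*` constants from several `wp-config.php` files and groups sites that use the same host, user and password. The site names and config contents are constructed, and the regex assumes simple quoted `define()` values without embedded quotes.

```python
import hashlib
import re
from collections import defaultdict

# Matches define('DB_USER', 'value'); style lines from wp-config.php.
DEFINE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,"""
    r"""\s*['"]([^'"]*)['"]\s*\)"""
)


def db_settings(config_text):
    """Return the DB_* constants found in one wp-config.php as a dict."""
    return dict(DEFINE.findall(config_text))


def shared_credentials(configs):
    """configs maps site name -> wp-config.php text.

    Returns groups of sites that log in with the same host/user/password.
    Only a short fingerprint of the login is kept, never the password itself.
    """
    groups = defaultdict(list)
    for site, text in configs.items():
        s = db_settings(text)
        if "DB_USER" not in s or "DB_PASSWORD" not in s:
            continue  # unparsable config: review by hand
        key = (s.get("DB_HOST", "localhost"), s["DB_USER"], s["DB_PASSWORD"])
        fingerprint = hashlib.sha256("\0".join(key).encode()).hexdigest()[:12]
        groups[fingerprint].append(site)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def _config(name, user, password):
    # Constructed sample config text, not taken from any real site.
    return (
        "<?php\n"
        f"define('DB_NAME', '{name}');\n"
        f"define( 'DB_USER', '{user}' );\n"
        f'define("DB_PASSWORD", "{password}");\n'
        "define('DB_HOST', 'localhost');\n"
    )


SAMPLE_CONFIGS = {
    "blog-a": _config("wp_a", "shared_user", "Example-Pass-1"),
    "blog-b": _config("wp_b", "shared_user", "Example-Pass-1"),
    "blog-c": _config("wp_c", "blog_c_user", "Example-Pass-2"),
}
```

Any group returned by `shared_credentials` is a set of sites where one compromised install can read and write the others' databases.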
     
  11. MisterF

    Was this a site you built yourself or outsourced?

    I once bought a couple of MNS hackproof sites from a seller on here and they got hacked after a month (funny enough).
     
    • Thanks Thanks x 1
  12. suruchibali

    Hey Bud,

    Try to generate different passwords for your different websites using this http://pintient.com/1lnU.

    Thanks and regards
    Suruchi Bali
     
  13. bartosimpsonio

    Yeah maybe OP is using nulled theme, or a backdoored theme or some other infected installation (on purpose or by accident).
     
  14. virtualpurity

    He said he was not in the post above. But I have learned not to trust even the paid themes over time. If it's not a popular theme or plugin, as soon as the sales drop or stop some of the developers sell their plugin to "blackhatters" because they are paying quite well for this kind of stuff.
     
  15. Charlievurt

    I have suffered the same problem before. It is time-consuming and frustrating, but as others mentioned, clean your DB, install a fresh WordPress, and avoid nulled themes.
     
  16. bartosimpsonio

    You're right, I wouldn't trust the theme either. Anyway WP themes should not be used blindly. When you get a new theme, have a look at the source code. Check out what it does. If you see funny base64 coded stuff, that's a smell. Check what the base64 part does using a decoder and code pretty printer. Don't just trust themes, that's the main thing.
     
    • Thanks Thanks x 1
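
The theme review described above can be partly automated. This added example (not part of the original post) flags PHP lines that call common decode-and-execute functions and decodes any base64 string literal so a reviewer can read it without running it. The sample theme snippets are constructed, and the function list is a starting set chosen for this example, not an exhaustive one.

```python
import base64
import binascii
import re

# Functions commonly chained to hide and then run code in PHP files.
CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)
# Quoted runs of base64 alphabet characters, 16 or more long.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def decode_preview(literal, limit=80):
    """Decode a base64 literal for reading only; None if it is not valid base64."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw[:limit].decode("utf-8", errors="replace")


def scan_php(source):
    """Return (line number, kind, detail) tuples for a reviewer to triage."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALLS.finditer(line):
            findings.append((lineno, "call", match.group(1)))
        for match in B64_LITERAL.finditer(line):
            preview = decode_preview(match.group(1))
            if preview is not None:
                findings.append((lineno, "base64", preview))
    return findings


# Constructed samples: a harmless encoded statement and an ordinary theme function.
_PAYLOAD = base64.b64encode(b'echo "hello";').decode()
SUSPECT = "<?php\n// theme footer\neval(base64_decode('" + _PAYLOAD + "'));\n"
CLEAN = "<?php\nfunction theme_setup() { add_theme_support('title-tag'); }\n"
```

A long quoted identifier can decode as base64 by coincidence, so treat `base64` findings as leads and read the preview before deciding.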
  17. Ninah

    I'm not an expert, but creating an account on Cloudflare might be helpful after you clean your website. You will have a free SSL certificate and lots of other great free stuff. I've been using Cloudflare from the beginning, so I don't know how it will be with your backlinks when you switch from http to https, so check this before. Good luck my friend, I know how frustrating this problem is.
     
  18. roki4ka

    Use Wordfence and Loginizer and put some security in the .htaccess.
     
  19. Ninah

    I didn't know about it, very disturbing. I'm now using a premium theme; I bought it when I was a complete newbie and now I regret my choice. I noticed lately my theme developers have rarely been doing updates. In the future, I'm planning to switch to something really safe like Elegant Themes or something like that.
     
  20. blackpayman733

    With WP always troubling, I'm getting hacked on 2 services always :D so always make backups :D