WordPress sites keep getting hacked

Discussion in 'Blogging' started by angelas111, May 16, 2017.

  1. angelas111

    angelas111 Elite Member

    Joined:
    Jan 4, 2009
    Messages:
    1,638
    Likes Received:
    1,043
    Location:
    ohio
    My sites keep getting hacked over and over. I googled some of the php from one of the injected files and this came up: https://pastebin.com/mC6bNh1V

    I've changed my root password, changed ftp password, updated all my plugins and wp versions but they still keep getting in.

    I even found the weird folders on one of my non-wp sites so it may not be because of wordpress.

    Has anyone seen this before and have an idea of how I can defend against it?
     
  2. virtualpurity

    virtualpurity Jr. VIP Jr. VIP

    Joined:
    Nov 12, 2012
    Messages:
    1,002
    Likes Received:
    585
    Occupation:
    SEO, Hosting
    Location:
    /root
    Do you have other websites hosted on the same account?

    Are you using a cracked/nulled theme? Or any cracked/nulled plugin?
     
  3. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    13,689
    Likes Received:
    12,301
    Occupation:
    MACHIN LURNIN
    Location:
    TUVALU
    Are you using a common MySQL password for multiple sites?
     
  4. Innovatorz

    Innovatorz Regular Member

    Joined:
    Sep 4, 2016
    Messages:
    375
    Likes Received:
    280
    Gender:
    Female
    Location:
    Internet
    Seen this before. You can use Wordfence for starters. For cleaning the .htaccess file, please hit me up on PM.
     
  5. angelas111

    I'm using the same password for multiple SQL but it has multiple letters and numbers, upper and lowercase.
     
  6. angelas111

    Nothing is cracked or nulled. Learned my lesson a long time ago with that.
     
  7. virtualpurity

    Well, I have seen the exact same thing countless times, and mostly the source of the infection has been a rogue plugin or theme.

    They always leave a persistence script that checks if files are cleaned, and if they are, then the script re-downloads and re-infects. Try to find those first, then after deleting them clean all the PHP files of the malicious code.

    If the Pastebin code is the exact one that you are infected with, you can go through it and check all the actions it performs and which files it changes/generates, for example:

    Code:
    chmod (".htaccess", 0777);
    $outht = fopen(".htaccess", "w");
    fwrite($outht, "# BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress");
    fclose($outht);
    This part rewrites your .htaccess file, etc.

    I have found that removing the infection can be far more frustrating and time-consuming than exporting the posts and WP data and re-creating the website again.
     
    • Thanks x 1
  8. SpoonFeeder

    SpoonFeeder Senior Member

    Joined:
    Mar 19, 2017
    Messages:
    1,096
    Likes Received:
    991
    Gender:
    Male
    Occupation:
    SpoonFeeding & Babysitting the Noobs.
    Location:
    Click the link below if you're new to BHW!
    The reason why it keeps occurring is because the malware is loading from your DB. You'll have to clean the DB as well as the injected files manually to get rid of it.
     
    • Thanks x 1
  9. Billy Batts

    Billy Batts Jr. Executive VIP Jr. VIP

    Joined:
    Dec 16, 2016
    Messages:
    3,972
    Likes Received:
    4,193
    Gender:
    Male
    Occupation:
    CPA/eCommerce Beast!
    Location:
    Here and There
    You got SSH access?
     
  10. bartosimpsonio

    But if they're all the same then there's a single point where the malware is at. When you clean your blogs, it spreads again because it can access all other databases.

    First thing is to get one unique username/password per blog.
     
  11. MisterF

    MisterF Moderator-In-Training Jr. VIP

    Joined:
    Nov 29, 2009
    Messages:
    10,515
    Likes Received:
    9,670
    Occupation:
    Conference Organiser, Business Advisor.,
    Location:
    JADIP
    Was this a site you built yourself or outsourced?

    I once bought a couple of MNS hackproof sites from a seller on here and they got hacked after a month (funny enough).
     
    • Thanks x 1
  12. suruchibali

    suruchibali Newbie

    Joined:
    Apr 19, 2016
    Messages:
    25
    Likes Received:
    0
    Gender:
    Female
    Hey Bud,

    Try to generate different passwords for your different websites using this http://pintient.com/1lnU.

    Thanks and regards
    Suruchi Bali
     
  13. bartosimpsonio

    Yeah, maybe OP is using a nulled theme, or a backdoored theme or some other infected installation (on purpose or by accident).
     
  14. virtualpurity

    He said he was not in the post above. But I have learned not to trust even the paid themes over time. If it's not a popular theme or plugin, as soon as the sales drop or stop some of the developers sell their plugin to "blackhatters" because they are paying quite well for this kind of stuff.
     
  15. Charlievurt

    Charlievurt Newbie

    Joined:
    May 14, 2017
    Messages:
    17
    Likes Received:
    2
    Gender:
    Male
    I have suffered the same problem before. It is time-consuming and frustrating, but as others mentioned, clean your DB, install a fresh WordPress and avoid nulled themes.
     
  16. bartosimpsonio

    You're right, I wouldn't trust the theme either. Anyway WP themes should not be used blindly. When you get a new theme, have a look at the source code. Check out what it does. If you see funny base64 coded stuff, that's a smell. Check what the base64 part does using a decoder and code pretty printer. Don't just trust themes, that's the main thing.
     
    • Thanks x 1
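
A triage scan for the two checks raised in posts 7 and 16 (PHP that rewrites `.htaccess`, and base64-encoded payloads that need decoding before you can see what they do). This is an added example, not code from any poster or from the Pastebin sample; the rule names, the `scan_source`/`scan_tree` helpers and the sample files are constructed for illustration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# Heuristics from the thread: PHP that rewrites .htaccess, and eval'd base64.
RULES = {
    "htaccess-chmod": re.compile(r"chmod\s*\(\s*['\"][^'\"]*\.htaccess['\"]\s*,\s*0?777", re.I),
    "htaccess-write": re.compile(r"fopen\s*\(\s*['\"][^'\"]*\.htaccess['\"]\s*,\s*['\"][wa]", re.I),
    "eval-of-decoded": re.compile(r"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode", re.I),
}
B64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")

def scan_source(src):
    """Rule names hit in the raw source, plus hits inside decoded base64 literals."""
    hits = [name for name, rx in RULES.items() if rx.search(src)]
    for blob in B64_CALL.findall(src):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64; the raw-source rules still applied
        hits += ["decoded:" + name for name, rx in RULES.items() if rx.search(text)]
    return hits

def scan_tree(root):
    """Map each flagged .php file (path relative to root) to its rule hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed sample tree (made-up files, not real site data)."""
    hidden = base64.b64encode(b'$h = fopen(".htaccess", "w");').decode()
    samples = {
        "wp-content/themes/demo/functions.php": "<?php add_action('init', 'demo_setup');",
        "wp-content/uploads/cache.php": '<?php chmod (".htaccess", 0777); $o = fopen(".htaccess", "w");',
        "wp-content/plugins/demo/inc.php": '<?php eval(base64_decode("%s"));' % hidden,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

Point `scan_tree()` at a copy of the docroot; a hit is a lead for manual review, and a clean result does not rule out a database-resident or differently obfuscated payload.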
  17. Ninah

    Ninah Registered Member

    Joined:
    Aug 16, 2016
    Messages:
    82
    Likes Received:
    47
    Gender:
    Female
    Location:
    Europe
    I'm not an expert but creating an account on Cloudflare might be helpful after you clean your website. You will have a free SSL certificate and lots of other great free stuff. I'm using Cloudflare from the beginning so I don't know how it will be with your backlinks when you switch from http to https, so check this before. Good luck my friend, I know how frustrating this problem is.
     
  18. roki4ka

    roki4ka Senior Member

    Joined:
    Jun 20, 2016
    Messages:
    909
    Likes Received:
    688
    Use Wordfence and Loginizer and put some security in the .htaccess.
     
  19. Ninah

    I didn't know about it, very disturbing. I'm now using a premium theme, I bought it when I was a complete newbie and now I regret my choice. I noticed lately my theme developers have rarely been doing updates. In the future, I'm planning to switch to something really safe like Elegant Themes or something like that.
     
  20. blackpayman733

    blackpayman733 BANNED BANNED

    Joined:
    Aug 9, 2009
    Messages:
    5,194
    Likes Received:
    1,234
    Gender:
    Male
    With WP always troubling, I'm getting hack 2 service always :D so always make backups :D