WordPress.org


How to get rid of iframe hack (7 posts)

  1. wordpressuser_21
    Member
    Posted 1 year ago #

    I am having trouble finding the source of this iframe hack. It always changes the .htaccess and the same 238 files. I replace the .htaccess and re-install the blog and a few minutes later the problem starts all over. I have WordFence and Sitelock and still the problem occurs. I can see live traffic on my site so I know that there is a program sitting somewhere. I also know that it is not an FTP or DB issue as they are clean. Visiting the site, it doesn't look like there is a problem, but it is annoying.

    Has anybody found a solution?

  2. andyimages
    Member
    Posted 1 year ago #

    Are you blacklisted for malware? Check your uploads folder first....

  3. wordpressuser_21
    Member
    Posted 1 year ago #

    No. Uploads folder is clean.

  4. wordpressuser_21
    Member
    Posted 1 year ago #

    I deleted my htaccess file to see what would happen. Within just a few minutes the hacker's htaccess file appears. So there is something somewhere that is watching the htaccess file.

  5. Krishna
    Volunteer Moderator
    Posted 1 year ago #

  6. wordpressuser_21
    Member
    Posted 1 year ago #

    Hi Krishna, already did that too. The only thing that I haven't done yet is to do a fresh install in a different directory. However, I would like to find the solution to the problem first so that it can be prevented.

  7. wordpressuser_21
    Member
    Posted 1 year ago #

    Ok. I think that I fixed the problem. During my quest to find a solution I read about a suggestion to check the access logs from the host because the htaccess hack will affect every domain and folder on the host and not just the wp domain.

    When I looked at my access log, I found the offending IP address and the PHP files that were changing the files were actually located outside my WP site. I replaced the hacked htaccess with my clean htaccess and denied the offending IP address in the htaccess file. Then I read that you need to have permissions set to 604 to prevent the htaccess from getting replaced again. So far, it is working and I haven't had any more problems.

    You also have to go through all of the folders on your site to get rid of those extra htaccess files that the hack writes. I noticed that the PHP files that cause the havoc were usually in the image directories. It adds an iframe to the end of most JS files. So once you remove the hacker's PHP files, replace and secure the htaccess and check for additional htaccess files in different directories, then you need to go through every JS file and remove the iframe that is appended to the bottom.
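
The cleanup sweep described in the last post, as an added example that is not part of the original thread: a Python scan that lists .htaccess files below the web root, PHP files in directories that hold images, and .js files with an `<iframe` near the end. The function names, the 4 KiB tail size, the image extensions and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)
TAIL_BYTES = 4096  # assumption: the appended markup sits in the last 4 KiB


def js_has_trailing_iframe(path):
    """True if the last TAIL_BYTES of a .js file contain an <iframe tag."""
    with open(path, "rb") as fh:
        return bool(IFRAME_RE.search(fh.read()[-TAIL_BYTES:]))


def scan_webroot(root):
    """Return paths relative to root to review by hand, grouped by finding."""
    found = {"extra_htaccess": [], "php_in_image_dir": [], "js_iframe": []}
    for dirpath, _dirs, files in os.walk(root):
        holds_images = any(f.lower().endswith(IMAGE_EXT) for f in files)
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess" and dirpath != root:
                found["extra_htaccess"].append(path)  # may be legitimate: compare with a clean copy
            elif name.lower().endswith(".php") and holds_images:
                found["php_in_image_dir"].append(path)
            elif name.lower().endswith(".js") and js_has_trailing_iframe(path):
                found["js_iframe"].append(path)
    return {k: sorted(os.path.relpath(p, root) for p in v) for k, v in found.items()}


def build_demo_tree():  # constructed sample site, not data from the thread
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        ".htaccess": b"# BEGIN WordPress\n",
        "wp-content/uploads/.htaccess": b"# unexpected\n",
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff",
        "wp-content/uploads/thumb.php": b"<?php // unexpected\n",
        "wp-includes/js/clean.js": b"var a = 1;\n",
        "wp-includes/js/menu.js": b"var b = 2;\ndocument.write('<iframe src=\"http://example.invalid/\"></iframe>');\n",
    }
    for rel, data in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(scan_webroot(build_demo_tree()))
```

The scan only reports; each hit still needs a comparison against a known-clean copy before anything is deleted or edited.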

Topic Closed

This topic has been closed to new replies.
