Vulnerabilities with wordpress update (12 posts)

  1. eventjubilee
    Member
    Posted 1 year ago #

    Hi there,

    My site continues to be hacked after upgrading to WordPress 3.4.1. I have gone through extensive hours of trying to figure out how hackers are getting through and infecting my website with malware. I have installed clean versions of WordPress, rebuilt databases, uninstalled all plugins, installed clean WordPress templates-- and they are still getting through. I've paid my webhost hours upon hours of fees to try and determine what is going on, and we've come to the realization that there is some kind of vulnerability in WordPress itself. I'm not sure if this is a known issue or if anyone else is experiencing this problem?

  2. Krishna
    Volunteer Moderator
    Posted 1 year ago #

    Vulnerabilities are not specific to WordPress. All content management systems and all types of sites are sometimes vulnerable. Can you make a site more secure than Google's? Will you believe if I tell you that Google is infected with malware? See THIS REPORT.

  3. esmi
    Forum Moderator
    Posted 1 year ago #

  4. eventjubilee
    Member
    Posted 1 year ago #

    Thank you for the info. I've deleted my blog and I am working on a fresh version and hopefully that will help!

  5. racer x
    Member
    Posted 1 year ago #

    For what it's worth, 99% of the wordpress hacked sites I fix for people were due to "lazy" passwords. So, if for example, you own a bakery and your password is "bakery1", you're going to be hacked.

    Make sure your new install has secure passwords and a user other than "admin".

  6. eventjubilee
    Member
    Posted 1 year ago #

    Thanks racer x. To be honest, at this point, I am at a loss. The malware keeps appearing on my main website. I have followed all the steps and even deleted administrators and added a clean administrator with a random password and it still keeps interjecting itself into my header file. Is there any advice you can give me? This is so frustrating.

  7. eventjubilee
    Member
    Posted 1 year ago #

    So, as an update, in my DB files I found something called _transient_random_seed. Thoughts?

  8. racer x
    Member
    Posted 1 year ago #

    in my DB files I found something called _transient_random_seed

    That is normal to see in a WP database.

    If you re-install the wordpress core files, that does not mean any harmful files outside of the wordpress core updates will be removed. It also does not update your wp-content folder. In many cases these back door hacker access files are located in various areas including uploads, plugins, etc.

    The first thing I normally check is the index.php files at the root of each folder. These are normally just a small php comment with the famous "// Silence is golden." text. If you see anything like base 64 or other executable code in these particular index files, that's a hack.

    I also like to check wp-config.php. This is another file that will not be overwritten in a re-install.

    Let us know what you find.
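
The index.php check described in the post above, as an added example that is not part of the original thread: it lists every index.php whose content is more than a comment, including text placed after a `?>` on the comment line. The tree built in `demo()` and the list of call names are constructed assumptions; a theme's real index.php template will also be listed and has to be read by hand.

```python
import re
import tempfile
from pathlib import Path

# PHP comments. A one-line comment ends at a newline OR at "?>", so text
# after "?>" on the same line is output, not comment.
_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)(?:(?!\?>)[^\n])*", re.S)
_TAGS = re.compile(r"<\?php|<\?=|<\?|\?>")
# Calls often seen in injected loaders; a hit is a lead, not proof.
_SUSPICIOUS = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)


def residual_code(php_source):
    """What remains of a PHP file once comments and PHP tags are removed."""
    return _TAGS.sub("", _COMMENTS.sub("", php_source)).strip()


def audit_placeholders(root):
    """List index.php files under root that hold more than a comment."""
    findings = []
    for path in sorted(Path(root).rglob("index.php")):
        text = path.read_text(errors="replace")
        if residual_code(text):
            # Search the raw text so a "//" inside a string cannot hide a call.
            hits = sorted({m.group(1).lower() for m in _SUSPICIOUS.finditer(text)})
            findings.append((path.relative_to(root).as_posix(), hits))
    return findings


def demo():
    """Build a constructed wp-content tree and audit it."""
    samples = {  # all file contents below are constructed for this example
        "plugins/index.php": "<?php\n// Silence is golden.\n",
        "themes/index.php": "<?php // Silence is golden. ?><script src='//x.invalid/a.js'></script>\n",
        "uploads/index.php": "<?php /* Silence is golden. */ eval(base64_decode('Q09OU1RSVUNURUQ='));\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit_placeholders(tmp)


if __name__ == "__main__":
    for rel_path, hits in demo():
        print(rel_path, hits or "non-comment content")
```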

  9. @ eventjubilee,

    Are you the only person who requires login to your website? I too had problems with hackers... so I set up a conditional which redirects everyone except me (using ip logic) back to the homepage if trying to access the login screen.

    Basically, my IP is the only one which will allow access to the login screen.

    This could work for you IF:

    - You are the ONLY person logging into the admin panel.

    Or if there are only one or two other people logging in... you can allow their IP addresses also.

    This put a complete STOP to my site being hacked.

    You might also want to check into WP Wordfence Security. It creates a protected .htaccess file... another backdoor for hackers.

  10. eventjubilee
    Member
    Posted 1 year ago #

    Hi Everyone,

    Thanks for all your helpful feedback. After many hours of sorting through all the folders looking for hidden files, reuploading all WordPress files, I finally found some weird base64 code in my databases. If anyone else is running into this problem, do a search in your PHP for base decode PHP strings and you're bound to find something malicious in the wp_options table. I dumped that information, reinstalled WordPress, updated my passwords, and it's been clean for about 4 hours (it would reinstall itself every 30 minutes upon clearing it from the main index template and also instantly re-upload a file that was tracking visitor IPs every time I deleted it). Right now it seems to be clear-- fingers crossed!

    I can't thank you enough for all your responses. I know there are a ton of threads on here with issues, and for everyone you respond and offer your valuable time to help, people like me really do appreciate it.
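
An added example, not from the thread, of the wp_options search described in the post above: it flags option values that contain PHP directly or inside a long base64 run, so base64 data is not reported merely for being base64. An in-memory SQLite table stands in for the MySQL wp_options table (default `wp_` prefix assumed), and every row is constructed.

```python
import base64
import re
import sqlite3

# Markers of executable PHP; a match is a lead for manual review, not proof.
_PHP = re.compile(r"<\?php|\b(?:eval|base64_decode|gzinflate)\s*\(", re.I)
# Runs long enough to carry a payload rather than a short token or hash.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}")


def decoded_runs(value):
    """Yield the text decoded from each long base64-looking run in value."""
    for run in _B64_RUN.findall(value):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
        yield raw.decode("utf-8", errors="replace")


def scan_options(conn):
    """Return (option_name, reason) for wp_options rows that look like PHP."""
    findings = []
    rows = conn.execute("SELECT option_name, option_value FROM wp_options")
    for name, value in rows:
        if _PHP.search(value or ""):
            findings.append((name, "plain PHP marker"))
        elif any(_PHP.search(text) for text in decoded_runs(value or "")):
            findings.append((name, "PHP inside base64"))
    return findings


def demo():
    """Scan a constructed wp_options table held in an in-memory SQLite DB."""
    hidden = base64.b64encode(b"<?php echo 'constructed sample, not real code'; ?>")
    rows = [  # every row is constructed for this example
        ("_transient_random_seed", "0123456789abcdef0123456789abcdef"),
        ("constructed_blob", base64.b64encode(b"constructed benign blob " * 3).decode()),
        ("constructed_plain", "<?php echo 'constructed sample'; ?>"),
        ("constructed_hidden", "x " + hidden.decode()),
    ]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", rows)
    return scan_options(conn)


if __name__ == "__main__":
    print(demo())
```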

  11. racer x
    Member
    Posted 1 year ago #

    Good luck to you. In case you are not aware, you can test your site for infections at Sucuri.

    It will give you a full report of any infections.

    Note: if you check it multiple times, you need to select "re-scan" or you are just viewing cached results.

    Also, keep in mind, I am fairly sure there is a couple places where WordPress core files use base64 legit. Of course, I can't remember what file.

  12. s_ha_dum
    Member
    Posted 1 year ago #

    Also, keep in mind, I am fairly sure there is a couple places where WordPress core files use base64 legit. Of course, I can't remember what file.

    I just grepped an install. 'base64_encode' or 'base64_decode' shows up about 49 times in about 9 files. :) My cursory search isn't enough to tell if those values end up in the database though.
