Continuous hacks

jehitch
(@jehitch)

8 years, 5 months ago

After discovering my five WP blogs were hacked, I followed the advice in

https://codex.wordpress.org/FAQ_My_site_was_hacked

I scanned my computer for viruses, and it came up clean.

I made sure all my installs were up to date, deleted unused plugins, and installed Wordfence to search for malware.

After scanning the site and cleaning up all the malware that Wordfence could find set to its most sensitive setting, I scanned again. When the site showed clean, I reset all the passwords for WordPress, my hosting account, my ftp account, as well as WP.org and WP.com using strong, complex passwords. I also changed the secret keys, generating unique sets of keys for each site.

And yet the next day, I found new malicious files and changes made to legitimate WP files.

I contacted my ISP, and they said the hackers must be getting in through one of my scripts, and the extent of their assistance was to try to sell me an additional security product to lock the site.

This is now a daily occurrence: I eliminate all the malware, only to get up the next morning and find new, different types of malware. Each time the malicious files are buried a little deeper in the file structure, or hidden in places where operating files don’t normally reside. I’m even finding files outside of the directories where the WP installs are housed.

There are no other registered users to the sites or the hosting account other than me, and no login attempts are being recorded by wordfence other than my own.

Any ideas as to the avenues these hackers are using to get in to make these changes?

Viewing 4 replies - 1 through 4 (of 4 total)

Moderator t-p
(@t-p)

8 years, 5 months ago
Try working your way through these resources:
Additional Resources:
Thread Starter jehitch
(@jehitch)

8 years, 4 months ago

I’ve worked my way through all the resources, and finally deleted all the website files except my uploaded images, and reinstalled fresh WP files and fresh plugin files. I did complete site audits with Winmerge to make sure there were no rouge files, created new complex passwords and new API keys.

The sites stayed clean for less than a week.

The hacks seem to be across all my domains, and include both added files (in the WP folders and root directory) as well as php code injected into existing WP files.

Anybody else having these persistent attacks even with everything up to date?

Thread Starter jehitch
(@jehitch)

8 years, 4 months ago

Oh, and I used a security plugin that scanned the image files I left on the site to see if there was executable code hidden in them, with negative results.

Mark Ratledge
(@songdogtech)

8 years, 4 months ago

I contacted my ISP, and they said the hackers must be getting in through one of my scripts, and the extent of their assistance was to try to sell me an additional security product to lock the site.

Your ISP really has very little to do with a hack on a website at your webhost. You need to find a more secure webhost. At a low quality and/or insecure host, a hacked account on the same server can access all other acounts on the server. See Recommended WordPress Web Hosting

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Continuous hacks’ is closed to new replies.

Continuous hacks

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics