Hi,
Unfortunately, that’s normal. You need to install the firewall before getting hacked, not after. Hackers have backdoored your site, which means they have full access to it, just like you. The firewall still can help to trace back to the problem, but that’s all.
1. You need to find how you were hacked and to fix that problem. If you don’t, hackers will come back again.
2. You need to find and remove backdoors. There could be one, or dozens or even more.
When your site is clean AND safe, then you use the firewall to keep it safe and clean.
In the meantime, you can use NinjaFirewall to get some precious info about the hack:
1. Make sure “File Check” is enabled, and is running every hour. Use it to detect modified files. Check when the files were modified (use only the Change ctime date). Download your HTTP logs and check what happened at that time. Be careful, your HTTP log timezone may be different than the one displayed by WordPress/NinjaFirewall.
2. Make sure “File Guard” is enabled too. Its detection works in real time and could be useful.
3. Lock up the admin dashboard by enabling the “Login Protection” (set it to “Always ON”).
3. There are several options from the “Firewall Policies” than can be enabled too, but that depends on your websites, its themes and plugins:
a) Enable “Sanitise GET variable”.
b) Enable “Decode Base64-encoded POST variable”.
c) Enable “Block suspicious bots/scanners”.
d) Enable “Block HTTP requests with an IP in the HTTP_HOST header”.
e) If your theme does not require any POST request, you can enable the “Block POST requests in the themes folder /wp-content/themes” option.
f) Enable the “Disable the plugin and theme editor DISALLOW_FILE_EDIT”.
Don’t forget also to check the firewall log, there may be some interesting things in it.
