Title: Compromised server running WordPress advice
Last modified: August 30, 2016

---

# Compromised server running WordPress advice

 *  [domainscanners](https://wordpress.org/support/users/domainscanners/)
 * (@domainscanners)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/compromised-server-running-wordpress-advice/)
 * I have a fully patched Windows 2008R2 Server running IIS 7.5. Recently, the server
   was compromised and I found “cron.php” files located in a number of WordPress
   root directories on the server. When called over http these cron files would 
   create thousands of .html files within sub folders that link to a Chinese site.
 * I enabled IIS logging and have blocked the offending IP addresses via Windows
   firewall and via IIS 7.5 IP restrictions.
 * I have cleaned the WordPress directories and reinstalled WordPress within all
   affected sites.
 * I have also revoked write access to the root WordPress folders.
 * However, I am still seeing POST requests attempting to reach the cron.php file
   within each WordPress site (which no longer exists). Here is an example log entry…
 * 2015-09-15 20:54:51 xxxxxxxx POST /cron.php – 80 – 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 403 6 5 374
 * 2015-09-15 20:54:52 xxxxxxxxx POST /cron.php – 80 – 142.0.132.25 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537+(KHTML,+like+Gecko) 403 6 5 136
 * The 403 tells me that the request was denied.
 * My question is, is there any further action I can take to stop these requests
   being attempted? Any advice would be most helpful.
 * Please let me know if I can provide any further information.
 * Thanks,
 * Paul.

Viewing 1 replies (of 1 total)

 *  Moderator [James Huff](https://wordpress.org/support/users/macmanx/)
 * (@macmanx)
 * [10 years, 7 months ago](https://wordpress.org/support/topic/compromised-server-running-wordpress-advice/#post-6566059)
 * If they’re all coming from the same IP, you could try blocking it: [https://codex.wordpress.org/Combating_Comment_Spam/Denying_Access](https://codex.wordpress.org/Combating_Comment_Spam/Denying_Access)
 * Otherwise, remain calm and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
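
One way to check whether the cron.php requests really all come from one address, and whether every one of them is still being denied, is to summarise the IIS log by client IP and status. This is an added example, not code from the thread; it assumes W3C-format logs that carry a `#Fields:` header, the sample log is constructed, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-09-15 20:54:51 10.0.0.5 POST /cron.php - 80 - 192.0.2.25 Mozilla/5.0+(Windows+NT+5.1) 403 6 5 374
2015-09-15 20:54:52 10.0.0.5 POST /cron.php - 80 - 192.0.2.25 Mozilla/5.0+(Windows+NT+5.1) 403 6 5 136
2015-09-15 20:55:10 10.0.0.5 GET /index.php - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 90
2015-09-15 20:56:02 10.0.0.5 POST /blog/cron.php - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 15
2015-09-15 20:57:40 10.0.0.5 POST /cron.php - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 1200
"""


def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or garbled rows
                yield dict(zip(fields, values))


def summarize(lines, filename="cron.php"):
    """Count requests for `filename` per client IP and status; list any that were served."""
    per_ip = defaultdict(Counter)
    served = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        if stem.lower().rsplit("/", 1)[-1] != filename:
            continue
        # 403.6 is the IIS substatus for "IP address rejected" (the IP restriction fired).
        status = f'{row.get("sc-status", "?")}.{row.get("sc-substatus", "?")}'
        per_ip[row.get("c-ip", "?")][status] += 1
        if status.startswith("2"):  # a 2xx means the file exists again and ran
            served.append((row["date"], row["time"], row.get("c-ip", "?"), stem))
    return per_ip, served


if __name__ == "__main__":
    per_ip, served = summarize(SAMPLE_LOG.splitlines())
    for ip, statuses in sorted(per_ip.items()):
        print(ip, dict(statuses))
    for hit in served:
        print("NOT DENIED:", *hit)
```

Any entry in the second list means a cron.php was served rather than blocked, which points to the file having been written back and the cleanup needing to be repeated.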


The topic ‘Compromised server running WordPress advice’ is closed to new replies.

## Tags

 * [IIS7.5](https://wordpress.org/support/topic-tag/iis7-5/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 1 reply
 * 2 participants
 * Last reply from: [James Huff](https://wordpress.org/support/users/macmanx/)
 * Last activity: [10 years, 7 months ago](https://wordpress.org/support/topic/compromised-server-running-wordpress-advice/#post-6566059)
 * Status: not resolved

