Title: Compromised website
Last modified: August 24, 2016

---

# Compromised website

 *  [csysinc](https://wordpress.org/support/users/csysinc/)
 * (@csysinc)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/)
 * Hi,
 * My website was recently compromised and sent out lots of spam. I did a sweep 
   of the files, changed all passwords and added additional security plugins. However,
   2 days later I found new files added to the public.html folder in my cpanel. 
   Does anyone have an idea how this is happening? Thanks!
 * —–
 * This is what I did the first time the website was compromised.
 * – Remove the malicious files added & an unauthorized ftp account
    – Scan the 
   website using Sucuri – Ensured all plugins are updated to the latest versions–
   Changed my secret keys – Changed all passwords(email account, cpanel, wp-admin,
   ftp accounts) – Installed WP simple firewall and activated login protection
 * However, I check back this morning and Sucuri showed me that there were still
   files added after what I did. The files contained the base64_decode functions
   and I have removed them.
 * The wp-admin site itself was completely bypassed so i’m guessing the issue is
   within the cpanel. We are on a shared hosting and our provider does not provide
   us with the cpanel access logs.
 * These are the changes Sucuri show:
 *  Warning April 7, 2015 7:48 pm
    system ::1 File modified: (multiple entries):
 *  wp-content/plugins/wp-simple-firewall/icwp-wpsf.php (old size: 6389; new size:
   6389)
    wp-content/plugins/wp-simple-firewall/plugin-spec.php (old size: 1670;
   new size: 1670) wp-content/plugins/wp-simple-firewall/views/snippets/state_summary.
   php
 * Warning
    system ::1 New file added wp-content/plugins/simple-fullscreen-responsive-
   slider/languages/include.php (size: 2843)
 * Warning
    system ::1 New file added wp-content/plugins/contact-form-7-modules/
   languages/defines.php (size: 2855)
 * Warning
    system ::1 New file added wp-content/ngg_styles/.login20.php (size: 
   118267)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  [Lalit Nagrath](https://wordpress.org/support/users/laliz/)
 * (@laliz)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/#post-5991179)
 * >  system ::1 New file added wp-content/ngg_styles/.login20.php (size: 118267)
 * this folder looks odd. what is in .login20.php file?
 * reconfirm if you have correct permissions
    [https://codex.wordpress.org/Changing_File_Permissions](https://codex.wordpress.org/Changing_File_Permissions)
 *  Thread Starter [csysinc](https://wordpress.org/support/users/csysinc/)
 * (@csysinc)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/#post-5991184)
 * Hi laliz, I’ve deleted the file so I’m not exactly sure what its contents were.
   It looked like a backdoor of some sort. I used this article as reference. [http://aw-snap.info/articles/find-backdoor.php](http://aw-snap.info/articles/find-backdoor.php)
 *  [martcol](https://wordpress.org/support/users/hotmale/)
 * (@hotmale)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/#post-5991234)
 * Sorry to hear of your troubles. You might benefit from taking a look at this 
   guide:
 * [https://codex.wordpress.org/FAQ_My_site_was_hacked](https://codex.wordpress.org/FAQ_My_site_was_hacked)
 * After that, check out these recommended security measures:
 * [https://codex.wordpress.org/Hardening_WordPress](https://codex.wordpress.org/Hardening_WordPress)
 *  [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/#post-5991240)
 * To add to the advice from martcol, some WordPress forum users have reported that
   admin level users have been added to the database where they do not show up in
   WP dashboard >> Users.
 *  Thread Starter [csysinc](https://wordpress.org/support/users/csysinc/)
 * (@csysinc)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/#post-5991251)
 * Thanks Martcol I’ve gone through the first link the first time the website was
   compromised. I will go through both again in case I missed anything.
 * Barnez, I have done a check but there are no additional admin level users. Thanks
   for letting me know about that though.
 *  [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/#post-5991252)
 * Might be worth mentioning this to your host, to check if here are any other issues
   on the server that may have allowed the attack to move sideways.
 * Also, restoring from a known safe backup of site files and database can be an
   option if the content is static.
 * Good luck!

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Compromised website’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 4 participants
 * Last reply from: [barnez](https://wordpress.org/support/users/pidengmor/)
 * Last activity: [11 years, 1 month ago](https://wordpress.org/support/topic/compromised-website/#post-5991252)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics