Title: constant malware problem!!! Last modified: August 30, 2016 --- # constant malware problem!!! * Resolved [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/) * Hello, * Before anything let me say a BIG FAT THANKS for your perfect plugin. I used to use ELI before Wordfence and my website got hacked about 3 months ago. Since then I have scanned and removed malicious files every other day and have changed all my passwords (WP, db & ftp/cp) every time after removing suspicious files. I also created a full site backup and downloaded it to scan with anti-virus & anti-malware programs for any probable Trojan/malware generator with negative result. I’m really getting tired of removing 4 or 5 malwares every other day and changing all my passwords afterward. Would you please assist me to resolve this issue and get rid of the source which is still unknown to me? Thanks in advance for your time and help. * Regards, * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/) Viewing 15 replies - 1 through 15 (of 18 total) 1 [2](https://wordpress.org/support/topic/constant-malware-problem/page/2/?output_format=md) [→](https://wordpress.org/support/topic/constant-malware-problem/page/2/?output_format=md) * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616442) * I forgot to say I already checked outside WP installation option as well with no security issues. * [WFBrian](https://wordpress.org/support/users/wfbrian/) * (@wfbrian) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616452) * Hi, * Sounds like there is still a “leak” somewhere. The first thing to do is make sure WordPress and all of your plugins are updated. Is your theme up-to-date? Also, make sure to remove any unused themes and plugins. * Thanks! Brian * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616493) * Hello Brian, * Thanks for your response! Everything is up to date and there’s no extra theme in there. Any clues? * Regards, * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616559) * The next steps after what Brian recommended are included in our guide on cleaning hacked sites, here: [How do I clean my hacked site using Wordfence](http://docs.wordfence.com/en/How_do_I_clean_my_hacked_site_using_Wordfence%3F) * There is a lot to read, but it is the best way to clean a stubborn infection. There is a section that begins “If you have SSH access to your server…”, but if you don’t have SSH access, you may still be able to clean it by following the other steps. * The guide explains using “high sensitivity” scanning and other options in Wordfence— it is possible that you will find files that may not be bad during that process. It is usually best to save a copy of the file (or have a recent full site backup) in case you remove something that was still required. If you have questions on any of the files found by the scan, let us know here. * -Matt R * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616568) * Hello Matt, * Appreciate your response! I’ve already read that section (another thanks for providing documents and info on your website). Also I’ve taken all your mentioned steps with no success (the worst luck). luckily, I had an old backup of the website back to the point that it hadn’t been hacked yet. After restoring, everything looks fine. Now I’m adding my new posts/pages from the most recent backup. BTW, thanks again for your great plugin and of course for your time and assistance. * Best regards, * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616576) * Ok, glad to hear you got it back to normal again. If the hack comes back, let us know. Sometimes there could be a dormant file that doesn’t do anything until they try to access it again. * If it does come back, it may be a new one we haven’t seen yet, so we can help track down the file, and add it to future scans. * Thanks for the response and the feedback! * -Matt R * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616596) * Dear Matt, * Sure, I will. I’ll let you know if it comes back. Thank you guys for following up and your support. * Regards, * [Matt](https://wordpress.org/support/users/mvincik/) * (@mvincik) * [10 years, 6 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616622) * Anond, * What theme are you using? And are you using a page builder? There were some recent security issues with a certain page builder which has been fixed. * Thank you * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616653) * [@mvincik](https://wordpress.org/support/users/mvincik/), thanks for your concern! I’m already aware of Visual Composer security issues but fortunately I don’t have that plugin or any other page builders installed on my website. * & Wordfence, * There’s a bad news. After two days when I came back to work today, faced with 6 malware containing files on Wordfence security scan/warning page. It seems the big bad wolf is back or I’d better say it’s been there all the time. After removing all malwares I rescanned the website with high sensivity and images & binary files scanning enabled with no security problems found. So what’s the next step. I already changed all the passwords after scanning. * Best regards, * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616660) * WordFence, * I scanned the website (with High Sensitive + Photo/Binary Files options on) today with no sign of infection but whenever I think it’s gone, it comes back and creates malware fake PHP files. Any ideas? * Regards, * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616664) * There might still be a security hole in a theme or plugin that hasn’t been found yet, if all of your themes and plugins are up to date, or it could be a bad file that hides its code in a new way. * You can also enable “Scan files outside your WordPress installation” if you haven’t already, which helps find files placed in unusual places. * If you have multiple sites on the same hosting account, one of the other sites could cause the problem as well — if there are any other sites, make sure those are all up to date, too. * If you want, you can send me a copy of the site’s access log, I may be able to spot a bad file they’re using. If you don’t know where to find it, your host should be able to help. If you know about the time when the files came back, that might help narrow it down, too. My email address is mattr (at) wordfence. com * -Matt R * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616667) * Thanks a lot for your response Matt! Actually that option is enabled and I’m running another scan session right now with no sign of infection SO FAR. Do you need my WP credentials or ftp? * Regards, * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616673) * Ok, let us know how the scan went. If you find any files that are only detected in the thorough scans, you can send them to my email address mentioned in my last post. * We don’t need any login information; we currently don’t provide that type of support here, but if you do have an access log for the site that you can email to me, I may be able to spot the bad file that way. Thanks! * -Matt R * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616679) * I couldn’t believe what I saw; 9 malicious files + 1 changed from original version. It’s so disappointing after two days of cleanliness. I will definitely send you the files. I really appreciate your help Matt. * Regards, * Thread Starter [Anond](https://wordpress.org/support/users/anond/) * (@anond) * [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/#post-6616680) * Dear Matt, * I just sent you all suspicious files as well as the raw access log. Thanks again for all your help and support. * Regards, Viewing 15 replies - 1 through 15 (of 18 total) 1 [2](https://wordpress.org/support/topic/constant-malware-problem/page/2/?output_format=md) [→](https://wordpress.org/support/topic/constant-malware-problem/page/2/?output_format=md) The topic ‘constant malware problem!!!’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) ## Tags * [hacked website](https://wordpress.org/support/topic-tag/hacked-website/) * [leak](https://wordpress.org/support/topic-tag/leak/) * 18 replies * 4 participants * Last reply from: [WFMattR](https://wordpress.org/support/users/wfmattr/) * Last activity: [10 years, 5 months ago](https://wordpress.org/support/topic/constant-malware-problem/page/2/#post-6616688) * Status: resolved