I have been well and truly Hacked

Viewing 15 replies - 1 through 15 (of 53 total)
  • There is malware on your site.
    My friend’s site has also been hacked. I think that your best bet is to take this up with your hosting company.
    We tried cleaning the files via FTP but the malware simply reappeared within 10 mins.
    Also tried changing passwords and user name. Our thoughts were that the only way that they could get in was through the hosting package.
    Good luck!

    Hello Wakeupandbreathe,
    What is the name of your hosting company? We encounter a similar problem on one of our blogs, hosted on Dreamhost servers.

    BTW my friend’s host was Mid Phase

    Hi Phil,
    Any idea what your hosting company did to resolve the issue?


    Hi Geog.r
    The problem has not been resolved as yet.
    I found this thread elsewhere though.
    It relates to a VERY similar hack and points to a solution here:

    How To Completely Clean Your Hacked WordPress Installation

    I haven’t been through the blog post as yet and there is another developer looking at this problem.

    If you find a solution, please post here,



    thank you for your answer and the links.
    I already did an update of WordPress and uploaded new WordPress source files as described in the article. I also noticed that they placed a .htaccess file in every directory, so I deleted them and replaced the .htaccess in the root with the original one.
    It seems that they write a cookie on your computer too, so that you are redirected to their site when trying to reach the admin area. Deleting all cookies and temporary files of your browser after cleaning the WordPress installation helps with accessing the admin area again.

    I’ll wait some time now and see how things change.


    Thread Starter wakeupandbreathe


    Hi Everybody thanks for the immediate responses.
    I am with Hostgator. I have had a few problems before and told Hostgator, who just told me it was because the WordPress software is not up to date. I do not accept this but have updated everything. I also had an “expert” look at this and give up.
    However, I was able (to a certain extent) to access the site and I now can’t. Strangely enough, Hostgator just told me they logged in without any problem, so I sent them a video of my login and showed them the redirect to an .ru site as above.
    I’ll keep you posted but my feeling is I need to crash the site and build a new one as this is ongoing.



    I was notified last week by Google about this exact malicious malware being on one of my websites. I started searching and found the malware (redirects) in every single .htaccess file under my account (about 20 different sites). I contacted my hosting provider (Bluehost) and they were absolutely no help. I called them multiple times and live chatted, but their answer was the same every time: “We don’t deal with malware, you might need to delete everything and start over”. That’s not an option seeing as how some of my sites I started over 3 years ago.

    I noticed, like Phil Gee, that even after replacing the .htaccess files with clean files, the corrupted files came back within minutes. I have even deleted an entire website’s folder and restored from a clean backup, and within minutes a corrupted .htaccess file was back.

    I’ve decided that there are more files containing the malicious code that automatically build the .htaccess files when they are changed or deleted. I just downloaded today’s backup of every file and will start scanning them. This literally could take weeks or months, but seeing as how there is no cheap service to do so and how Bluehost does not offer any help, this is what I will have to do.

    If anyone finds any more corrupt files besides the .htaccess files, please post it here.

    Thanks and hopefully we can figure this out!
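Added example (not part of any post in this thread): a read-only check for the two symptoms reported here, `.htaccess` files in any directory that redirect to a host other than the site's own, and PHP files sitting in a theme cache folder. The host names, file names and the sample tree are constructed for illustration.

```python
import os, re, tempfile
from urllib.parse import urlsplit

REDIRECT_RE = re.compile(r'^\s*(RewriteRule|Redirect\w*|ErrorDocument)\b'
                         r'.*?(https?://[^\s"\'\]]+)', re.IGNORECASE)

def scan_htaccess(root, own_hosts):
    """Return sorted (relative path, line number, host) for redirect directives to off-site hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                m = REDIRECT_RE.match(line)  # commented-out lines never match
                host = (urlsplit(m.group(2)).hostname or "").lower() if m else ""
                if host and host not in own:
                    findings.append((os.path.relpath(path, root), no, host))
    return sorted(findings)

def php_in_cache_dirs(root):
    """Return PHP files under any directory named 'cache'; an image cache should hold none."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if "cache" in rel.lower().split(os.sep):
            hits += [os.path.join(rel, f) for f in files if f.lower().endswith(".php")]
    return sorted(hits)

def build_sample(root):
    """Write a constructed sample tree; every host and file name here is made up."""
    files = {
        ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
        "wp-content/.htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://unknown-host.example/ [R=301,L]\n",
        "wp-content/uploads/.htaccess": "Redirect 301 /old https://myblog.example/new\n",
        "wp-content/themes/t/cache/x.php": "<?php // constructed placeholder\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_htaccess(tmp, {"myblog.example"}), php_in_cache_dirs(tmp))
```

Run against a downloaded backup rather than the live account, and repeat after each cleanup attempt to see which directories get a rewritten `.htaccess` again.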

    Screw you -> !!!!!!!!

    Same here! It seems that they have access to the FTP and it’s hard to prevent these .htaccess files!! Any help welcome, my provider doesn’t help either!!

    Thread Starter wakeupandbreathe


    Well, Hostgator told me it was in my Safari browser that was redirecting my pages, and I cleared the cache and it seems OK now.
    I have put in Bullet Proof security and will see if that helps.



    Thanks to wakeupandbreathe, I also installed the Bullet Proof Security plugin to the site Google notified me about and scanned my site using Sucuri SiteCheck, and it is now showing that my site is “CLEAN”! (Earlier, it had listed several pages on my site that were infected.)

    I am going to install this plugin to the rest of my WordPress sites. While this isn’t a complete fix to the problem because it might not be ridding every file of all of the malware, it’s a great free solution for the time being. Especially since the malware code are redirects and not actually software uploaded to the sites.

    I will write back once I have successfully installed the plugin to each site, checked for malware and scanned each .htaccess file to make sure they are clean.


    I had this same problem occur today. Same website and everything…and I also use BlueHost. Haven’t (to my knowledge) installed new plugins to any site listed on my server and no one else has access to my server except me.

    How did you go about cleaning it and fixing it and setting up bullet proof?



    Install BulletProof, then on the Settings page for BulletProof you’ll need to ‘Activate’ each security mode in a certain order. (or you will get ‘warnings’ for whatever reason)

    Under the ‘Security Modes’ Tab, Activate in this order:
    1. Create default .htaccess file
    2. Create secure .htaccess file
    3. Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder
    4. Activate Deny All htaccess Folder Protection For The BPS Backup Folder
    5. Activate Website Root Folder .htaccess Security Mode
    6. Activate Website wp-admin Folder .htaccess Security Mode

    Next you can click on the ‘Security Status’ tab and see if there are any errors. You can also run a scan at Sucuri SiteCheck. Just make sure, if you have already scanned your site here, to click the ‘rescan’ button at the bottom of the page because the site caches your results for like 24 hours.

    The problem is, this seems to only work for a short time. Eventually the BulletProof plugin shows that there is no ‘bulletProof Secure .htaccess’ file in the root folder. I’m still learning the BulletProof plugin and all of its functionality and will keep posting when I find new things.

    That’s what I’m running into as well. BulletProof works for about 20 minutes then it rewrites the .htaccess file.

    A good post on it is here, but doesn’t contain any resolution thus far:

    Suggestions are that it’s a TimThumb hack, which is what BlueHost told me as well.

    Timthumb Vulnerability Scanner

    Actually did have loads of my sites running a vulnerable version and 1 out of 20 that seemingly had a vulnerability already loaded in my theme cache folder.

    Let me know if you experience the same.
