iFrame Injection on Fresh Download/Install/DB Everything

  • We had an issue with our server being hacked and our WP site having an iframe injected into the code. So, we did the responsible thing and wiped EVERYTHING.

    Deleted all databases, deleted db users, files, folders, everything. Fresh server.

    So we download the latest version of WordPress, new db, new passwords for cpanel/root/users/everything. The absolute instant that we install WP, manually of course, I view page source and find that there is an iframe injection on every page, including all wp-admin pages as well. Each iframe links to rifcity dot net.

    I simply have no idea what to do. We’ve tried looking at it from different computers, different IPs, different states, still there. We have no idea what course to take at this point.

    Server side we are using a managed VPS through WiredTree and they are falling back now that it’s software side.

Viewing 5 replies - 1 through 5 (of 5 total)
  • esmi


    Forum Moderator

    That sounds like the server has been compromised.

    @esmi, kind of what we are thinking. But it’s been a struggle convincing WiredTree.



    Forum Moderator

    All I can suggest is that you send them timestamped logs that show the infection immediately after a vanilla install. If they still won’t investigate it thoroughly, consider moving hosts asap.
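    One way to produce the timestamped evidence esmi describes, as an added example that is not part of the original thread. It compares a saved copy of the served page with the file as it sits on disk and records off-site iframes that exist only in the response. The function names, `site.example`, `injected.example` and the sample pages are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # the parser lower-cases tag names
            self.sources.append(dict(attrs).get("src") or "")


def iframe_sources(html):
    collector = IframeCollector()
    collector.feed(html)
    return collector.sources


def evidence_record(url, served_html, on_disk_source, site_host, when=None):
    """One timestamped record: iframes in the response that point off-site
    and do not occur anywhere in the file as stored on disk."""
    when = when or datetime.now(timezone.utc)
    injected = [src for src in iframe_sources(served_html)
                if urlparse(src).hostname not in (None, site_host)
                and src not in on_disk_source]
    return {
        "utc": when.isoformat(timespec="seconds"),
        "url": url,
        "served_sha256": hashlib.sha256(served_html.encode()).hexdigest(),
        "disk_sha256": hashlib.sha256(on_disk_source.encode()).hexdigest(),
        "offsite_iframes_not_on_disk": injected,
    }


# Constructed sample data (not taken from the thread).
DISK = "<html><body><h1>Hello world!</h1></body></html>"
SERVED = ('<html><body><iframe src="http://injected.example/in.php" width="1"'
          ' height="1"></iframe><h1>Hello world!</h1></body></html>')

if __name__ == "__main__":
    rec = evidence_record("http://site.example/", SERVED, DISK, "site.example")
    print(json.dumps(rec, indent=2))
```

    A non-empty `offsite_iframes_not_on_disk` list on a vanilla install, together with the UTC timestamp and both hashes, is the kind of record that can be handed to the host.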

    I had the same thing happen a couple of days ago. All my websites, all .htm files, were injected with an iframe script with a variety of URLs all ending up as counter.php after my sites went down for many hours; after they got restored they all had injected iframe code. All my sites are hosted on a managed VPS at WIREDTREE.

    Been having huge troubles of all kinds of sorts in the past couple of months at WiredTree. They seem to be friendly and helpful and at the same time there’s something going on with their servers etc. I had so much downtime and my sites were deleted, then returned; now some are still not online after a day or two. One site was defaced and never restored, now another is defaced, and those defacements are not done by hackers but by the WiredTree staff in order to “reroute the IP addresses” as they told me. It’s a mess.

    @birchtree – I’m sorry to hear of your difficulties, but if you want help here, you need to start a new thread.
