Malware keeps popping up. Help!

  • Resolved agoraphone

    (@agoraphone)


    I’ve got 5 WordPress sites on the same host, and they’ve all been compromised with malware. I’ve done everything I can think of but my virus scans are still turning up new malware every day. Here’s what I’ve done:

    Changed to strong passwords for WP login and cPanel

    Installed iThemes Security plugin (turning on settings like Brute Force login, Protect System Files, Disable Directory Browsing, Filter Request Methods, Filter Suspicious Query Strings in the URL, Filter Non-English Characters, Filter Long URL Strings, Remove File Writing Permissions, Disable PHP in Uploads, plugins & themes, Remove the Windows Live Writer header, Remove the RSD header, Disable File Editor, Disable XML-RPC)

    Set directory permissions to iThemes’ suggestions. Later, somehow my root directory permissions changed from 755 to 750 on their own. Not sure if this is relevant, since that’s fewer permissions?

    Installed Anti-Malware from GOTMLS plugin and turned on all protection settings

    Scanned using the GOTMLS plugin, and discovered 60+ malware files, many of which my hosting service didn’t discover.

    Removed all malware files

    Changed WP login and cPanel passwords again

    So I’m no longer getting boatloads of malware files, but I am getting several backdoor scripts with names like “w43875196n.php” uploaded every day.

    Not sure what to do at this point. Any ideas?
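
An added example, not part of the original thread: a small triage script for the situation described in the post above, where new PHP files keep appearing after each cleanup. It lists PHP files that were changed recently, that sit under wp-content/uploads, or whose names resemble the one sample quoted in the post; the name pattern, the extension list and the function name `triage` are assumptions made for this example.

```python
import os
import re
import time

# Assumption: name shape modeled on the single sample quoted in the thread
# ("w43875196n.php"): one letter, a run of digits, one letter.
RANDOM_NAME = re.compile(r"^[a-z]\d{6,}[a-z]\.php$", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")
UPLOADS = os.path.join("wp-content", "uploads")


def triage(root, max_age_hours=24, now=None):
    """Return sorted (relative_path, reasons) for PHP files worth reviewing.

    root is the directory of one WordPress install (where wp-config.php lives).
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reasons = []
            if RANDOM_NAME.match(name):
                reasons.append("random-looking name")
            # Uploads should hold media only, so any PHP there needs review.
            if rel.startswith(UPLOADS + os.sep):
                reasons.append("PHP under uploads")
            try:
                st = os.lstat(full)
            except OSError:
                continue  # file vanished or became unreadable mid-scan
            # On Unix, ctime moves on any metadata change, so a file whose
            # mtime was backdated still shows up as recently changed.
            if max(st.st_mtime, st.st_ctime) >= cutoff:
                reasons.append("changed in last %dh" % max_age_hours)
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, why in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "<-", ", ".join(why))
```

Run it once per site right after a cleanup and again the next day; a file that is new in the second listing narrows down when and where the reinfection lands, which can then be matched against the web server access log for that time.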

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Steve Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Rep

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean them, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

    Thread Starter agoraphone

    (@agoraphone)

    I think I have followed every step of that guide except for changing the MySQL database passwords. So now I am trying to do this and running into problems.

    I changed the MySQL DB user password using cPanel. My site then gave me the “can’t connect to database” error, as I would expect. I then downloaded my wp-config.php, replaced the password, and re-uploaded the file. I would expect the site to work now, but instead, I’m getting an error 500. What did I do wrong?

    Thanks

    Moderator Steve Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Rep

    You fudged something when you changed the password. Is it delimited by apostrophes?

    Thread Starter agoraphone

    (@agoraphone)

    Nice job, smartypants! Apparently Apple’s TextEdit puts in curly apostrophes instead of straight ones. All set now.

    Thread Starter agoraphone

    (@agoraphone)

    So I’ve changed all passwords multiple times, and now changed my database passwords as well. Also disabled access to wp-config.php in my .htaccess file and disabled PHP file editing in my WP config file.

    Still every day I scan my sites and find a new backdoor script or other piece of malware. Short of wiping everything clean and starting fresh, I’m at the end of my rope.

    Anyone have other specific suggestions?

    Moderator Steve Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Rep

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean them, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

    Thread Starter agoraphone

    (@agoraphone)

    Alright, I think I finally purged all the malware. Here’s what worked for me – hope it can be of help if someone finds this thread in the future:

    The Wordfence plugin found malware that my hosting provider and all other plugins could not.

    Anti-Malware from GOTMLS.NET plugin found a lot of malware, but not all of it – so every day I would run a search and find new malware had propagated. It also takes a long time to scan – about 4 hours compared to Wordfence’s scan of about 1 hour.

    iThemes Security plugin seems to provide some good hardening security measures, and when you’re changing passwords, it provides an easy way to update your salts (secret keys) and ensure any cookied logins are logged out.

    I could not get the Sucuri plugin to scan for malware – pressed the scan button and nothing happened.

    Hope someone finds these specifics helpful.

  • The topic ‘Malware keeps popping up. Help!’ is closed to new replies.