My wordpress website got hacked, multiple times. (17 posts)

  1. v00d0
    Posted 3 years ago #

    Hi guys, since yesterday my website has been hacked 2 times. They add an iframe to all the PHP files in the root of my website; they don't go further. I uploaded new root files, but nothing: they hacked it again.

    Anyone know why? and how?

  2. s_ha_dum
    Posted 3 years ago #

    Did you upload all new files? Or just some new files?

    Did you change passwords for all of your non-subscriber users? That is, all of your users with better than read-only permissions.

    Why? Fun and/or profit.

    How? Hard to say without access to the server, which no one here has. Perhaps your host can help. If it is a flaw in your site it is usually either a bad password or a vulnerability in a plugin or theme. If you are on a shared server, a vulnerability in any of the sites, not just yours, can allow a hacker access to all or some of the other sites too.

    FAQ: My Site Was Hacked

  3. Sugar Apple
    Posted 3 years ago #

    As far as I know, there is a bug exploit within wp-config.php via sy*l*nk or ju*pl*nk.

    I got this info from my friend a few hours ago. Try to protect your wp-config.php with .htaccess so your wp-config.php is only accessible from your cPanel.

  4. s_ha_dum
    Posted 3 years ago #

    What is the exploit and how is it prevented? Mentioning it in passing doesn't really help anyone. If you are referring to what I think you are, that is really an Apache (mis)configuration problem, but something to be aware of nonetheless.

  5. Sugar Apple
    Posted 3 years ago #

    Deny access to your wp-config.php, that's it.

  6. v00d0
    Posted 3 years ago #

    Yes, fresh files. Anyway, they put in this iframe that links to a trojan that jumps into your local tmp folder.

  7. esmi
    Forum Moderator
    Posted 3 years ago #

    Could perhaps be the result of an FTP leak. Have you changed all of your passwords - including FTP?

  8. v00d0
    Posted 3 years ago #

    Yes, I'm doing it right now. Thanks for the advice, I'll let you know if they do it again.

  9. s_ha_dum
    Posted 3 years ago #

    @blacklizt, I know several different ways to deny access to wp-config. People posting here asking for help probably don't know. That is why they are asking. What you are saying is probably correct, but not very helpful, and it is a 'help' forum. So, exactly what would you do to deny access to wp-config.php?

    It would also help if you could explain the exploit because I only see one line that might be vulnerable and it would be very, very difficult to pull off.

    @v00d0, you aren't really giving enough information for anyone to help you. Please try to be more specific. For example, do you know what the trojan was? Can a scanner like Sucuri identify it? This should help: http://codex.wordpress.org/Hardening_WordPress

  10. v00d0
    Posted 3 years ago #

    The trojan was identified by my ESET Antivirus. I can put here the iframe that links to the trojan, but I don't know if I can do it.

    This is all the information I have:

    - WordPress 3.4.1
    - iframe inside root website files that links to a trojan
    - if I reupload all the files they can still access my site
    - I changed all the passwords.

    this is the website:


  11. s_ha_dum
    Posted 3 years ago #

    Be sure to clear the Hyper Cache data.

    I don't know that posting the iframe would help. I am trying to find out the name of the trojan/exploit, if it has a name, in order to help identify how it got there.

    If you re-uploaded all files then the problem is a bad password in the database, you missed a few files, you have a vulnerable plugin or theme, or there is a bigger problem with your server configuration/environment. You are running several plugins and your theme has some custom Javascript. Is everything up-to-date?

    What are the file permissions on your server?

  12. v00d0
    Posted 3 years ago #

    The permissions are OK: folders 755, files 644.

    This was the iframe:

    iframe src="http://starttraffik.**/" width="2" height="3" frameborder="0"></iframe>

    Check the website at your risk (it is .net). The theme was developed for my website; they never updated it.
    This is the list of my plugins:

    advertising manager
    contact form 7
    google analyticator
    google xml sitemaps
    hyper cache
    my brand login
    new adman
    platinum seo pack
    really simple captcha
    related post category widget
    shadowbox js
    shadowbox js- use title from image
    static random post widget
    widget logic
    wordpress database backup
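
A way to find every file carrying the kind of near-invisible frame quoted in the post above, and to confirm the 755/644 permissions at the same time. This is an added example, not part of the original thread; the 5-pixel threshold, the function names and the `injected.example` sample are assumptions made for illustration.

```python
import os
import re
import stat
import sys

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""\b(src|width|height)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
MAX_HIDDEN_PX = 5  # assumed threshold: frames this small are invisible to visitors


def hidden_iframes(text):
    """Return the src of every iframe whose width and height are both tiny."""
    hits = []
    for tag in IFRAME_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag.group(1))}
        try:
            w, h = int(attrs["width"]), int(attrs["height"])
        except (KeyError, ValueError):
            continue  # no numeric size given (e.g. "100%"): not this pattern
        if w <= MAX_HIDDEN_PX and h <= MAX_HIDDEN_PX:
            hits.append(attrs.get("src", ""))
    return hits


def scan_webroot(root):
    """Walk root and report injected frames and loosely writable files."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                srcs = hidden_iframes(fh.read())
            mode = stat.S_IMODE(os.stat(path).st_mode)
            loose = bool(mode & 0o022)  # group- or world-writable, i.e. beyond 644
            if srcs or loose:
                report.append((os.path.relpath(path, root), srcs, oct(mode)))
    return report


# Constructed samples: a legitimate embed and a file with a 2x3 injected frame.
CLEAN = "<?php echo 'hello'; ?>\n<iframe src='/player' width='560' height='315'></iframe>"
INFECTED = '<?php /* index */ ?>\n<iframe src="http://injected.example/" width="2" height="3" frameborder="0"></iframe>'

if __name__ == "__main__":
    for rel, srcs, mode in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, mode, srcs)
```

Run it against the web root before and after re-uploading files; a file that reappears in the report after a clean upload means the attacker still has write access.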

  13. Sugar Apple
    Posted 3 years ago #

    To prevent the wp-config.php exploit via symlinks:

    Add the code below to your .htaccess

    # Refuse every web request for wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    You can find many articles about symlinks on Google. It's an old issue but it still happens now.

    Actually, the WordPress Codex already explains how to secure wp-config.php
    http://codex.wordpress.org/Hardening_WordPress but not all WordPress users know about this.

  14. v00d0
    Posted 3 years ago #

    really thanks

  15. s_ha_dum
    Posted 3 years ago #

    How about your plugins? Are they all updated? Are any of them really old and haven't been maintained?

    I am assuming you are on shared hosting? Is that correct?

  16. v00d0
    Posted 3 years ago #

    No! I pay for a dedicated server; plugins are all up to date, it seems.

  17. s_ha_dum
    Posted 3 years ago #

    Do you trust your friends? :)

    Have you checked the passwords on your MySQL database? There may be more than one user. You are getting to the point that you have to start thinking about a broader range of hacks-- FTP, as Esmi mentioned. I am not sure what ports are open on your machine, or exactly what is running on them.

Topic Closed

This topic has been closed to new replies.
