Being hacked

  • Resolved madflute

    (@madflute)


    Hi, I am no expert nor have access to someone who can help in person.

    One of the visitors warned me that my WP4.9.11 site is flagged as virus. I contacted the ISP. They found several malware and cleaned them for me. This was a day before WP4.9.12 was released. My ISP blames me not upgrading to WP5, which I have a hard time understanding.

    My ISP isn’t giving me straight answers. I’d like to know if not upgrading to WP5 really caused this as my ISP blames? Anyone have any idea what these files being infected mean?

    /home/xxxxxxxxx/public_html/wp-inclade
    -rw-r--r-- 1 xxxxxxxxx xxxxxxxxx 491 Oct 14 00:30 0.php
    -rw-r--r-- 1 xxxxxxxxx xxxxxxxxx 96632 Sep 14 19:43 808514.php
    -rw-r--r-- 1 xxxxxxxxx xxxxxxxxx 1092 Oct 14 00:30 error_log
    -rwxr-xr-x 1 xxxxxxxxx xxxxxxxxx 184 Apr 27 07:24 index.php

    /home/xxxxxxxxx/public_html/huge-it-google-map-custom-icons/
    -rwxr-xr-x 1 xxxxxxxxx xxxxxxxxx 217 Mar 11 2019 index.php

    /.mp-C937E412-F452-41DD-87DB-C4C4861C4FBA
    rw-r--r-- 1 xxxxxxxxx xxxxxxxxx 1995 Oct 2 19:15 xueopnvc.php

    Any help would be appreciated, especially how to prevent this in the future. Thank you.

  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    It’s hard to say without isolating the cause, but I do believe your ISP is wrong.

    4.9.11 contained the same security fixes as 5.2.3, and 4.9.12 contains the same security fixes as 5.2.4. You can compare this via the release dates on https://wordpress.org/download/releases/

    So, at the time, you were just as safe on 4.9.11 as you would have been on 5.2.3.

    With that said, plenty of sites are hacked via compromised plugins, themes, and even server-level things, all of which would be outside of the security fixes provided by WordPress core, so you especially need to make sure that your plugins and themes are always up to date too.

    Now, as for the hack, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress, this is not an Everything else WordPress topic.

    Thank you for your response. I have some serious studying to do. And sorry for putting this in the wrong category. Will report back.

    -Hiro

    Oh, I forgot to ask.
    Is there any recommended anti-virus software to monitor daily so I can catch it before any visitor sees the warning?

    -Hiro

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    There are some plugins for that, but plenty of sites get along without it too.

    Hi, I placed WordFence. I removed unused plugins. I also changed cPanel password and WP admin password. However, it seems I got malware again. My ISP says my WP instance is completely compromised and it needs to be clean-reinstalled.

    Is there any easier way? If I need to reinstall keeping the db, uploads dir, and config.php, I am wondering what is the best way to proceed. Unzip a fresh WP to the root but then I don’t really know how to proceed for reinstalling plugins before moving db and config.php. Any advice would be appreciated.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    From Dashboard > Updates in your site’s Dashboard, click the “Re-install Now” button.

    Hi @macmanx, Thank you for your response. I tried it but it finished in 5 seconds. I was monitoring the site with a different browser but the site never went offline. I don’t think it did anything. Any thought? Thank you again.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Ok, try downloading WordPress again, access your server via SFTP or FTP, or a file manager in your hosting account’s control panel (consult your hosting provider’s documentation for specifics on these), and delete then replace your copies of everything on the server except the wp-config.php file and the /wp-content/ directory with fresh copies from the download. This will effectively replace all of your core files without damaging your content and settings.

    Some uploaders tend to be unreliable when overwriting files, so don’t forget to delete the original files before replacing them.
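Added example, not code from the thread or from WordPress: a POSIX shell script that first lists the files in a site root with no counterpart in a freshly unpacked WordPress download (the kind of check that would surface the wp-inclade/, 808514.php and .mp-* entries from the opening post), then carries out the replacement described above, deleting everything except wp-config.php and wp-content/ and copying the fresh core in. The argument layout, the --replace flag and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares a WordPress site root with a
# freshly downloaded and unpacked wordpress/ directory, then replaces the core.
# Assumed arguments: $1 = site root (public_html), $2 = fresh wordpress/ dir.

# foreign_files: print every file under the site root (relative path) that does
# not exist in the fresh copy. wp-content/ and wp-config.php are skipped because
# they are site-specific; anything else printed (a typo-squatted wp-inclade/,
# a hidden .mp-* directory, an extra .php in wp-includes/) needs a look.
# Note: a legitimate .htaccess will be listed too, as it is not in the download.
foreign_files() {
    site=$1; fresh=$2
    ( cd "$site" && find . -path ./wp-content -prune -o -type f -print ) |
    while IFS= read -r rel; do
        case $rel in ./wp-config.php) continue ;; esac
        [ -e "$fresh/$rel" ] || printf '%s\n' "${rel#./}"
    done
}

# replace_core: the reply's procedure. Delete everything in the site root except
# wp-config.php and wp-content/ (this also removes foreign top-level entries and
# .htaccess; re-save Settings > Permalinks afterwards to regenerate the latter),
# then copy in every top-level entry of the download except its own wp-content/.
# wp-config.php is kept as-is, so review it by hand for injected code.
replace_core() {
    site=$1; fresh=$2
    for entry in "$site"/* "$site"/.[!.]*; do
        [ -e "$entry" ] || continue                # glob matched nothing
        case $(basename "$entry") in
            wp-config.php|wp-content) continue ;;
        esac
        rm -rf "$entry"
    done
    for entry in "$fresh"/*; do
        [ "$(basename "$entry")" = wp-content ] && continue
        cp -R "$entry" "$site"/
    done
}

# Usage: sh wp-core-reset.sh /path/to/public_html /path/to/wordpress [--replace]
# Without --replace the script only reports; review the list before replacing.
if [ "$#" -ge 2 ]; then
    foreign_files "$1" "$2"
    [ "$3" = "--replace" ] && replace_core "$1" "$2"
fi
```

Run it against a copy of the site first; the report alone is non-destructive, and a fresh download is the only trustworthy reference for what belongs in wp-admin/ and wp-includes/.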

    Yes, that was my original plan and hoping for an easier way out. I guess I have to do it that way.

    One big question remains. Plugins. There is a chance one of the plugins became the doorway so I must reinstall all the plugins.

    Do I understand correctly Delete > Reinstall will not lose the plugin-specific data? Every document I found tells me
    1) deactivate
    2) delete
    3) reinstall
    Is this the way? And all plugin data should come back?

    And do I assume correctly the steps I should take are
    1) reinstall all the plugins one by one
    2) Unzip fresh core next to the public_html
    3) copy config and content dir over to the fresh core
    4) rename the new WP dir to public_html
    5) delete old public_html

    Thank you for your help!

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    > Do I understand correctly Delete > Reinstall will not lose the plugin-specific data?

    For re-installing the plugins in this case, I recommend deleting them via SFTP or FTP, or a file manager in your hosting account’s control panel (consult your hosting provider’s documentation for specifics on these), and uploading new copies freshly downloaded from https://wordpress.org/plugins/

    > And do I assume correctly the steps I should take are

    No, public_html is a very special directory and can’t simply be renamed. You’ll need to follow the steps as I listed them.

    Thank you for your help. It seems all worked well. Will report back if I see anything suspicious again.
