Support » Fixing WordPress » Sites keep getting hacked

  • Hi,

    I’ve been developing WP sites for a while now (around 5 years), but I’ve never encountered many problems with hacking until now. I’m hosting around 25 sites on a Shared package on Hostgator (which is probably a bad idea!) and keep getting hacked.

    I paid someone to clean up my HG account as I assumed that was the entry point, but he said it was old Aksimet plugins that were the problem. I’ve cleaned all of them out and upgrade all my installs since this guy cleaned up the hacked files / my HG account, but the hackers have come back again…

    Seems they’re putting these files into the root of all my WP installs:

    ajax.php
    id.php
    index.php
    problem.php
    w.html

    And I also saw these ones in the root of my HG account:

    index.html
    cans.php

    What’s the best way of going about diagnosing the entry point for these hacks and preventing them (as much as possible) in future? This is the 3rd time it’s happened so I really need to fix the issue…

    Thanks for any pointers.

    Osu

Viewing 5 replies - 1 through 5 (of 5 total)
  • What I wound up having to do was
    1. move the wp-config file up a level.
    2. make the .htaccess file lock logins to specific IP or IP ranges
    3. lock php5 to specific IP ranges
    4. block xmlrpc.php
    5. Block indexes

    what I learned also was changes to the .htaccess must be outside the begin/end wordpress or they get changed every time some programs update removing the code.

    also added in wordfence plugin. not only will it warn you about file changes and allow you to see and compare what the file was and is now, but it’s verbose in the file changes.

    I was getting hit every 3 to 5 days and one of my usernames with admin access was getting changed repeatedly. good for months now I locked it down.

    what to add to as an example to .htaccess (IP’s are an example. not my actual file)

    after this

    # BEGIN WordPress

    # END WordPress
    (insert)

    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from 100.11.73
    Allow from 100.11.74
    Deny from 100.11.112

    (Note order must be Deny,Allow)

    </Files>
    <Files wp-admin$>
    Order Deny,Allow
    Deny from All
    Allow from 100.11.73
    Allow from 100.11.74
    Deny from 100.11.112

    (same list as above)

    </Files>
    <FilesMatch “^php5?\.(ini|cgi)$”>
    Order Deny,Allow
    Deny from All
    Allow from 100.11.73
    Allow from 100.11.74
    Deny from 100.11.112
    Allow from env=REDIRECT_STATUS=200

    (last line after the filter is redirect)

    and finally
    </FilesMatch>
    Options -Indexes
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    </Files>

    I have once fixed IP in case I get locked out, I also update the rules by FTP if I need to add an IP while I travel.

    get to a hotel, get the IP range, open .htaccess local save and use notepad ++ to insert the hotel IP, FTP the file to the server, then log in.

    Be aware every time you update .htaccess, Wordfence will warn you the file changed. More info is better then less.. it will also do the same when it updates logs..

    Hope this helps..

    You would need ssh access to the hosting account and have to read through the log files to find out the exact entry point, it might be one of the sites. HG should be able to trace the entry point too.

    Once you find the entry point, the next step is to block it and clean up all the sites. Check for files that dont seem to be in the right place. Read the contents of the .php files to understand what is it trying to do, check the database for any backdoors.

    Are the plugins, themes and WordPress core updated on all sites?

    From previous experience, There is only one explanation to how the malware keeps coming back or regenerating. You have a hidden Backdoor on either your PC or SHARED HOSTING.

    If I were you I would:

    – Download Malwarebytes free version and run a scan on PC.
    – Submit a ticket to HostGator and ask them to run a malware scan where your websites are hosted. (Or you can request $24 yearly sitelock addon: http://www.hostgator.com/sitelock)

    After all the above is done, You will finally need to change your ftp passwords and clean any potential vulnerabilities from your WordPress as follow:

    – Literally, remove all wordpress themes that you are not using and only keep the one you are using and optionally twenty wordpress themes.

    – Remove all plugins and reinstall them from your plugin admin panel.
    – Avoid plugins that are no longer supported. Those might contain sweet vulnerabilities for hackers.
    – Stop using timthumb as an image resizer as it introduces several vulnerabilities to your wordpress installation.

    – Use two factor identification/Captcha for your WP ADMIN.

    – CloudFlare is a must have! It is 5 min very easy to setup and It provides outstanding security against attacks and hackers, in addition to better performance for your website. So WordPress security plugins are next to not needed or optional honestly.

    Consider switching to secured ftp protocol “SFTP” I recommend WINSCP: https://winscp.net/eng/download.php

    And get an internet security suite for your business such as paid ones: Kaspersky, panda or you get a free comodo internet security: https://www.comodo.com/home/internet-security/free-internet-security.php

    Here are two top website scanners that help locate malware fast and free:

    https://quttera.com/website-malware-scanner

    https://sitecheck.sucuri.net/

    • This reply was modified 3 years, 9 months ago by mcfreder.
    • This reply was modified 3 years, 9 months ago by mcfreder.
    Thread Starter Osu

    (@mrnabo)

    Thanks for the help, I’m going to need to do a lot of work to go through all 28 of my sites then by the sounds of things. I don’t suppose anyone can recommend a good shared host in the UK that has decent security in place (things like allowing FTP access for a specific amount of time, whitelisting certain IP’s etc.), as all I’m getting from Hostgator is a sales pitch to pay huge amounts of money for their Sitelock program…

    Simple as that, you can run a free online website malware scanner and jump into website security program for all time protection to your website..

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Sites keep getting hacked’ is closed to new replies.