Still getting hacked

It’s true. I have wordfence scans come up clean, anti-malware scan come up clean, and securi sitecheck finds nothing, but then code gets inserted into a wp-includes subfolder file.

I even have all of these file names / directories set up for immediate blocking if they’re accessed:
/ground.php?md7lk
/site-rococ/08201024493.html
/mod_fxprev/libraries/info.php
/advantage.php
/woman.php
/appear.php
/proceeded.php
/one.php
/light.php?yr
/?author=1
/?author=2
/?author=3
/?author=4
/administrator/
/wp-config.php
/wp-login.php
/nav-menu.php
/wp-includes/nav-menu.php
/xmlrpc.php
/wp-admin
/wp-admin.php
/admin
/user
/installer.php
/destination.php
/action_hooks.php
/bugslist.txt
/font-uploader-free.php
/functions.php
/cat_grid.php
/fm.php
/lgpl.txt
/wp-e-commerce/license.txt
/user-meta/readme.txt
/fcchat/default.png
/MF_Constant.php
/nextgen-gallery/changelog.txt
/font-uploader-free.php
/wp-homepage-slideshow/functions.php
/ckeditor.config.js
/custom-content-type-manager/index.html
/action_hooks.php
/gallery-plugin.php
/admin.css
/cat_grid.php
/user-avatar/readme.txt
/ninja_forms.php
/wp-e-commerce/license.txt
/nmedia-user-file-uploader/readme.txt
/user-meta/readme.txt
/AWPCP.po
/a-a.css
/simple-dropbox-upload-form/index.php
/ckeditor.config.js
/contact-form-7/license.txt
/nmedia-user-file-uploader/readme.txt
/README_OFFICIAL.txt
/wpmarketplace/readme.txt
/changelog.txt
/wp-editor/
/readme.txt
/sketch/
/269
/wp/v2/posts/
/wp-smtp.php?c
/gaukingo/db.php
/ubh/up.php

@thinkdolphin – Because there may be a backdoor that hackers have already established.

If the scans are not coming back clean, what are they telling you? (They usually indicate at least the name of the potential infection…) There are multiple approaches depending on what the infection/malware is.

Honestly, from your questions, it doesn’t sound like you’re a web development person – nothing wrong with that – but if that is case, cleaning a hacked site is probably beyond your technical abilities and you should likely look into hiring someone to do the cleanup.

Wordfence also provides web site hack recovery – more info at their website.

(NOTE: I am not part of WF support – I’m simply a long-time user. My views are my own.)

@bluebearmedia, confused. Did “It’s true”, referring to @thinkdolphin ‘s previous comment regarding clean scans, not tie my comment into the current thread as a relevant furtherance of the discussion at hand?

Certainly my reference to your previous comment (WF scan, and Securi), was relevant.

Is there some unpublished rule that I needed to make a previous comment in order to provide the information I provided? Is there some ‘warm up’ comment needed?

Since the form and function of this thread is about hacks and scans and presumably solving those issues, how is my post improper in your view?

Please explain, so I can understand. I don’t wish to offend.

Wow – a little touchy??? From quick reading, it just seemed to me that you might have erroneously posted in the thread….

But seriously, calm down – no one was sniping at you. I simply mistook the intent of your post is all… yikes!

As to suspecting a hack when nothing is being reported; Wordfence and Sucuri are tools – they don’t do all the work for you. And nothing is foolproof.

If you suspect a hack but are not seeing obvious notifications from security s/w, then you’d have to start exploring what you perceived to be files that have changed to determine a possible signature that allows you to identify what the hack might be. Again, until you can do that, it’s impossible to determine a suitable course of action.

It’s also possible that the hack is occurring above your website at the server level. So you may also have to get your webhost involved in checking. Case in point, I had a client whose mail credentials were compromised – their WordPress site wasn’t hacked itself per se, but many spam emails were appearing in their WP uploads directory. The leak had to be closed at the host level, not the site level.

Again, in that case, your webhosts are going to ask you the same kind of question – what hack “symptoms” are you seeing? Until you determine WHAT, you can’t fix the HOW…

• This reply was modified 7 years, 1 month ago by bluebearmedia.
• This reply was modified 7 years, 1 month ago by bluebearmedia.
• This reply was modified 7 years, 1 month ago by bluebearmedia.

@thinkdolphin, in that case, if I had to deal with it – here’s my approach:

1 – Lock down the site using htaccess, allowing access only from your own IP

2 – Perform a full site backup….

3 – Re-install WordPress core files from a known, clean copy…

4 – Delete all theme and plug-in files and reload from clean copies…
(and make sure the plug-ins & theme you are using are not currently known to have security holes – if there are some compromised plug-ins in place on your site then you cannot use them – unless you like getting infected!)

5 – Restore your uploads directory from known, clean copies…

6 – Run Wordfence on the freshly installed files…

7 – Restore site access (reset your htaccess)….

If the infection re-occurs, you’re going to have to find the affected files by manual comparison/searching… it is not a short process, by any means. Having said that, it’s extremely likely that the source of the infection is a compromised plug-in.

Also – a quick google search showed the following that has more info:
https://wordpress.org/support/topic/re-scan-result/

And very useeful – the WP Vulnerability DB – lists all known security holes: https://wpvulndb.com/

• This reply was modified 7 years, 1 month ago by bluebearmedia.
• This reply was modified 7 years, 1 month ago by bluebearmedia.
• This reply was modified 7 years, 1 month ago by bluebearmedia.
• This reply was modified 7 years, 1 month ago by bluebearmedia.

@thinkdolphin, WF just released an article which coincides with GoDaddy making some recent changes, and alerting customers to new efforts on identifying malware.

Cf.