Support » Fixing WordPress » Theme Twenty-sixteen vulnerability

  • Hello,

    My site has been compromised 3 times over the last month. After reviewing the logs, I figured out how it’s being done. The WordPress theme, “twenty-sixteen” has a hole. Where do I report my finding?

    First time, I was using theme twenty-fourteen, one version behind. OK, that was my fault. I restored from backup & changed to theme twenty-sixteen.

    Second time, I had upgraded to theme twenty-sixteen, removed all plugins. Added iTheme & Loginizer… it was hacked in a 2 days. different exploit than before. blocked malicious IP’s again, but that’s like wackamole – 2 more just pop up..

    Third time, changed all directory permissions to 555 files (it’s shared hosting) to 444 or 400 for sensitive files, not just plugins & uploads. i was ready to do all updates manually. it was hacked in a day. Same exploit as in twenty-fourteen. screw this. .

    Because it’s on shared hosting I can’t segment my user account owning both the website and file above the public_html folder so I’m going to restore from backup again and install yet another theme.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The WordPress theme, “twenty-sixteen” has a hole.

    If that was true, this forum would be flooded with folks having the same issue.

    It sounds like you need to first get the site cleaned up.

    Sucuri can do that for you at what I would say is much less than you pay a dev/expert to do it.

    Once that is done, you may want to move to a better host and increase site security.

    Moderator Geoffrey Shilling


    Volunteer Moderator

    @ipfreely Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Do you have any older backups you could try? A hacked site could be backed up before an issue is discovered. When that version is restored, it also restores the hacker’s door to the site.

    thank you both for your quick responses.

    @swansonphotos, I do appreciate the unlikelyhood (and how many installs of this there probably are), but it’s possible this exploit hasn’t been shared. I am going to restore the site again, and do 2 experiments where 1) I make a change to one of the entry points I suspect 2) if it happens again, i’ll need to figure out how to capture the info being passed in. not sure if it’s possible with my host.
    I’ll report my findings either way

    @geoffreyshilling, yes i do thank you. I have a clean dev version of the site, db & files, created locally so no chance of infection. it’s easy to restore, but still annoying.

    I suspect i actually need to change hosts. the log entries in iThemes leading up the site compromise included what looks like full paths of various other accounts on this shared host. that would indicate an escalation of privileges to obtain that info. If that’s true, then nothing i do will help.

    • This reply was modified 3 years, 1 month ago by .

    Sure, just make sure you scan those files with multiple scanners. A common root of site infections is in fact from local machines.

    Scan your local environment.
    The first place you should start with is your local environment. In many cases, the source of the attack / infection begins in your local box (i.e., notebook, desktop, etc…).
    Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting AV software and hiding from them. So maybe try a different one. This advice extends to both Windows, OS X and Linux machines.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Theme Twenty-sixteen vulnerability’ is closed to new replies.