• Hi,

    I have a compromised WordPress. It seems that randomly, when you visit it, it redirects you to a malicious site.

    I’ll restore a backup, but is there a way to know that the restored version doesn’t have this problem?

    Are there tools or services to check WordPress sites?

    Thank you very much

    Claudio

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Externally, one can use https://sitecheck.sucuri.net

    Moderator James Huff

    (@macmanx)

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter Claudio

    (@ioclaudio)

    Thank you for your help, I’m reading these documents.

    I'm just curious about one thing.

    Using a brand new container and a new WordPress core, and replacing the plugins with the original versions taken from the official repository, I still have this redirect problem.

    That is, only when you visit the site the first time it redirects you to a malicious site.

    So I wonder how they managed to “dirty” the site, and where the malicious code resides. Any ideas on where to look?

    Thank you very much

    cld

    • This reply was modified 2 years, 1 month ago by Claudio.
    Moderator James Huff

    (@macmanx)

    Is the theme also brand new and unmodified?

    If it’s a commercial theme, did you acquire it by purchasing it from the theme’s official vendor?

    Thread Starter Claudio

    (@ioclaudio)

    It is a custom theme that we have in a private repository, and it was last modified two years ago.

    The copy on the compromised site is the same as the one in the repository.

    Moderator James Huff

    (@macmanx)

    Do you have the same issue with the Twenty Twenty-Four theme active?

    Thread Starter Claudio

    (@ioclaudio)

    Yes

    Thread Starter Claudio

    (@ioclaudio)

    It was a snippet of code injected using the plugin WPCode.

    It was added with an account that probably had a weak password.

    cld

    • This reply was modified 2 years ago by Claudio.

The topic ‘Tools to analyze compromised sites’ is closed to new replies.