• Resolved mpek

    (@mpek)


    A site is not available anymore and I wonder if you can have a look at this error message that appears when calling the site’s URL:

    Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0

    Fatal error: Unknown: Failed opening required '/home/www/sitename/wordfence-waf.php' (include_path='.:/usr/share/php') in Unknown on line 0

    I’ve got access via FTP, so I checked the path. The file wordfence-waf.php is not present. Does it have to be present?

    Is this an update error, so that I could simply manually upload the Wordfence plugin, or is the site hacked?

    I temporarily deactivated the plugins directory, but WordPress doesn’t show its rudimentary setup.

    • This topic was modified 2 years, 10 months ago by mpek.
Viewing 11 replies - 1 through 11 (of 11 total)
  • Thanks for reaching out.

    That by itself wouldn’t necessarily mean the site was compromised. What you need to do to fix it is to use your FTP access and look for the .user.ini file in the root of the WordPress installation.

    The code you want to look for (if there is a lot of code there; sometimes there isn’t) should say:

    ; Wordfence WAF
    auto_prepend_file = '/home/www/sitename/wordfence-waf.php'
    ; END Wordfence WAF

    Note: Obviously sitename will be your site name.

    What you can do is remove the whole block of code and save. The site should be available now. You’ll need to re-optimize the firewall at this point.

    I would also follow up with a full scan, making sure that these scan options are checked.

    • Scan for signatures of known malicious files
    • Scan file contents for backdoors, trojans and suspicious code
    • Scan files outside your WordPress installation
    • Scan core files against repository versions for changes
    • Scan theme files against repository versions for changes
    • Scan plugin files against repository versions for changes

    Because you think you might be hacked, following this guide to using Wordfence to clean a hacked site might be a good idea.
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful:
    https://www.wordfence.com/learn/

    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc.) because you wanted to wait before installing the latest version because of Gutenberg or custom theme compatibility, you still need the latest update in that version.

    As a rule, any time I think someone’s site has been compromised I tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers such a service for this. Regardless if you choose to clean it yourself or let someone else do so, it’s always a good idea to make a full backup of the site beforehand.

    Tim

    Thread Starter mpek

    (@mpek)

    Hi Tim,

    thank you for your reply!

    I cannot find a file “.user.ini”; I even checked my other WordPress installations, but there is none.

    “.user.ini” is being mentioned in file “.htaccess”

    This is what I found in file .htaccess regarding Wordfence:

    `# Wordfence WAF
    <IfModule mod_php5.c>
    php_value auto_prepend_file '/home/www/sitename/wordfence-waf.php'
    </IfModule>
    <IfModule mod_php7.c>
    php_value auto_prepend_file '/home/www/sitename/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>

    # END Wordfence WAF`

    Any hint?

    It might be because the . before the file name (.user.ini) indicates that it is hidden. Your FTP client settings may need the ability to see hidden files turned on. The file browser in your hosting control panel may show it. If it isn’t there, you might also look for the php.ini file but I’m fairly certain that you’ve got it there.

    Tim

    Thread Starter mpek

    (@mpek)

    I’m using FileZilla and turned on showing hidden files; “Force showing hidden files” is ticked now.

    Checking the root directory, I don’t see either “.user.ini” or “php.ini” in the root directory of this WordPress installation.

    The file browser of my hosting control panel is not showing these files either.

    Just to exclude misunderstandings, root directory is where you see these directories:
    wp-admin
    wp-content
    wp-includes

    Correct?

    Thread Starter mpek

    (@mpek)

    I deleted the mentioned entries in .htaccess, because I could not wait any longer to find the .user.ini file you mentioned. After that I could access the site again, re-initialize Wordfence and add the entries back to .htaccess by using the Wordfence function in settings. The site works again.

    Looking for the .user.ini file took some time, but .htaccess was the file in my case.

    If you want to further investigate what happened, please contact me, because Wordfence found a suspicious file called 1owl.php.
    This seems to be a backdoor, but I don’t know where it came from and how it could be placed there.

    Thread Starter mpek

    (@mpek)

    This is what Wordfence scan showed:

    [Screenshot: Backdoor-1owl-php-berichten-an-Wordfence]

    • This reply was modified 2 years, 10 months ago by mpek.

    I’m pretty sure that’s a malicious file. Can you send that to me (zipped up, of course; rename the .php extension to .txt as well) at wftest [at] wordfence [dot] com? I’ll take a look and confirm. Let me know when you sent it by replying here.

    Thanks

    Tim

    Thread Starter mpek

    (@mpek)

    Thank you for further investigating. File sent!

    Just responded to you. Can you look and answer what I asked? Do me a favor and respond here when you do. We can update the topic once we get through looking but I’d prefer to do so afterwards to make sure we aren’t sharing any data we shouldn’t that might be unsafe for your site.

    Tim

    Thread Starter mpek

    (@mpek)

    Hi Tim,

    thank you for looking into it!

    This file (1owl.php) has nothing to do with me and I deleted it. They added the file to two of my websites:

    [Sites are mentioned in email]

    It is more a malicious attempt to steal traffic from my site or game an SEO boost.

    My main question is how they were able to place the file in the root directories of my WordPress installations and why Wordfence blocked my site from showing.

    I responded about the diagnostics.

    Any time I see files start showing up, I immediately start changing passwords. Admin level passwords to the site. FTP passwords. The hosting control panel password. Your database password too. You might run those through Troy Hunt’s HaveIBeenPwned site to see if they are found in a compromise.
    https://haveibeenpwned.com/Passwords

    Tim

  • The topic ‘Update error or hacked site?’ is closed to new replies.
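
A check for the failure diagnosed in this thread, as an added example that is not part of the original posts or Wordfence's own code: it scans `.user.ini`, `.htaccess` and `php.ini` in a WordPress root for `auto_prepend_file` and reports targets that do not exist. The function names, the `server_root` parameter and the sample built in `demo()` are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

CONFIG_FILES = (".user.ini", ".htaccess", "php.ini")  # the files named in the thread

# Matches the .user.ini form (auto_prepend_file = '...') and the
# .htaccess form (php_value auto_prepend_file '...') quoted in the thread.
DIRECTIVE = re.compile(
    r"""^\s*(?:php_value\s+)?auto_prepend_file(?:\s*=\s*|\s+)["']?([^"'=]+?)["']?\s*$""",
    re.IGNORECASE)

def find_prepend_directives(wp_root):
    """Return (config file, line number, target) for each active directive."""
    hits = []
    for name in CONFIG_FILES:
        cfg = Path(wp_root) / name
        if not cfg.is_file():
            continue
        lines = cfg.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if line.lstrip().startswith((";", "#")):  # ini / Apache comments
                continue
            m = DIRECTIVE.match(line)
            if m and m.group(1).lower() != "none":  # "none" disables prepending
                hits.append((name, lineno, m.group(1)))
    return hits

def broken_prepends(wp_root, server_root=None):
    """Directives whose target file is missing (PHP then fails on every request).
    server_root (assumption): docroot path on the server, to audit an FTP copy."""
    broken = []
    for name, lineno, target in find_prepend_directives(wp_root):
        local = Path(target)
        if server_root and target.startswith(server_root.rstrip("/") + "/"):
            local = Path(wp_root) / target[len(server_root.rstrip("/")) + 1:]
        if not local.is_file():
            broken.append((name, lineno, target))
    return broken

def demo():
    """Constructed sample: the .htaccess lines from the thread, WAF file absent."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, ".htaccess").write_text(
            "# Wordfence WAF\n<IfModule mod_php7.c>\n"
            "php_value auto_prepend_file '/home/www/sitename/wordfence-waf.php'\n"
            "</IfModule>\n# END Wordfence WAF\n")
        return broken_prepends(root, server_root="/home/www/sitename")
```

Run it against every installation on the account, since the thread starter only found the directive after checking a second config file.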