Title: Server compromised after WordPress 4.3
Last modified: August 30, 2016

---

# Server compromised after WordPress 4.3

 *  [germars](https://wordpress.org/support/users/germars/)
 * (@germars)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/)
 * I’ve got a server that has about 20 WP sites on it. It was recently compromised
   by hackers and the strange thing is, I had updated all of the sites but had missed
   about 4 and they are the only ones that weren’t messed with. I wonder if you 
   have had any information about a vulnerability with the new version. With all
   the repair work that I had to do, I only updated one further site and again, 
   the sites that I had just repaired, plus the one I added to the list of 4.3 WP
   sites also was compromised.
    I wonder if you want any further information or 
   if there are any plugins that are coordinating with this to allow a attacker 
   access? I’d like to help you as much as I would like to plug any holes that may
   not be known about yet.
 * Thanks

Viewing 6 replies - 1 through 6 (of 6 total)

 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/#post-6520207)
 * There are websites that distribute themes and plugins for free or a discounted
   price, that do so without the authors permission. These themes and plugins often
   have code that the vendors insert in for them to make money once the theme is
   up and running on a website. So, that is one possibility.
 * Have you seen the hardening WordPress article on Codex?
 *  Thread Starter [germars](https://wordpress.org/support/users/germars/)
 * (@germars)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/#post-6520212)
 * Isn’t it a coincidence though that all of the older sites aren’t compromised?
   I’ve done a lot of those steps, just changed passwords to FTP and user a week
   or so ago after the first attack. I only use themes that I find in the WordPress
   respository. And not all the sites use the same ones.
 * Just thought I’d mention it.
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/#post-6520216)
 * What do you mean by they aren’t compromised, that they don’t have the symptom
   of the hack? Like the spam in those websites?
 *  Thread Starter [germars](https://wordpress.org/support/users/germars/)
 * (@germars)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/#post-6520228)
 * I’m going to use the term “hacked” even though attacked etc is likely the right
   terms, just for ease of typing etc.
 * But yes, that is what I’m saying.
 * I have 20 sites on one server. Everyone of the updated to 4.3 WordPress was attacked,
   yet not one of the missed ones (that I hadn’t updated yet) were touched. At all.
 * So I was wondering if it was possible that there was a vulnerability that exists
   in 4.3, that wasn’t in the previous version. They seem to have added some files,
   but mainly they get to:
 * wp-blog-header.php
    wp-includes/nav-menu.php wp-includes/js/jquery/jquery.js 
   wp-includes/js/comment-reply.min.js wp-includes/js/jquery/jquery-migrate.min.
   js and the header.php file in the theme.
 * I don’t know if that helps or not.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/#post-6520249)
 * > So I was wondering if it was possible that there was a vulnerability that exists
   > in 4.3, that wasn’t in the previous version. They seem to have added some files,
   > but mainly they get to:
 * That’s _technically_ possible but really unlikely. WordPress 4.3 has been downloaded
   8+ million times and if there was a 4.3 compromise then lots of people would 
   be chiming in. More likely your sites or your account has been compromised.
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
   [http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html](http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html)
 *  Thread Starter [germars](https://wordpress.org/support/users/germars/)
 * (@germars)
 * [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/#post-6520257)
 * I’m sure that is the case. And there is a hole in my particular hosting that 
   is allowing this to happen. I’m plugging away at cleaning up the sites, changing
   passwords again etc..
 * Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Server compromised after WordPress 4.3’ is closed to new replies.

## Tags

 * [Compromised](https://wordpress.org/support/topic-tag/compromised/)
 * [Hackers](https://wordpress.org/support/topic-tag/hackers/)
 * [site](https://wordpress.org/support/topic-tag/site/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 3 participants
 * Last reply from: [germars](https://wordpress.org/support/users/germars/)
 * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/wordpress-43-50/#post-6520257)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics
