WordPress gets hacked at wp-blog-header.php or index.php (6 posts)

  1. Andrés Sanhueza
    Posted 3 years ago #

    I have a WordPress site that just keeps being hacked. The index.php or wp-blog-header.php of the root gets injected with malicious code that references a temp.php and another random-named .php file that is generated in some random sub-folder of the site. I delete these when they appear, but they appear every day. Oddly, it is unnoticed when the site is visited by a direct link or by typing the URL, but always shows when one accesses it via Google results (where the whole site is replaced by a drugstore catalog). I'm not sure what could be the problem. I already checked the CHMOD of all the files and updated the Timthumb scripts.

  2. The Hack Repair Guy
    Posted 3 years ago #

    Good to hear you've heard about the timthumb related exploits. Definitely a step in the right direction.

    Likewise, make doubly sure your theme is upgraded, or better yet, try a virgin installation of your theme.

    Sadly, nowadays it's rare for hackers to not leave back door scripts in place (allowing the hacker to hack your site again in the future). For this reason, you'll need to review every file on your website respectively to ensure none are out of place or were installed by the hacker.

  3. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #


    Maybe this can help a little if you have access to your server logs. If files are being edited through a backdoor, it is often possible to track down that backdoor file with a little bit of work.

  4. Andrés Sanhueza
    Posted 3 years ago #

    For some reason, the logs of the server don't say anything about those hacks and the modified date of the files changed doesn't change either. I deleted a bunch of older files unrelated to WordPress and tested some security plugins with no luck.

  5. esmi
    Forum Moderator
    Posted 3 years ago #

  6. Andrés Sanhueza
    Posted 3 years ago #

    I noticed there were some hidden files of a previous hack in a plugin folder. I deleted them and the problem disappeared for about a week, but it started again twice. Only the second time I got to see an access log http://pastebin.com/TXKGagBj . It looks like at first the 'hacker' looks for old files that are supposed to contain hacks. As those are all deleted or never existed, the hacker then logs into the site and edits a theme file. I'm not entirely sure about what to do in that case. I have two plugins that limit login attempts after a few failed tries, so I guess the hack knew a password beforehand. The obvious thing is to change my user password, yet there are other users on the site, so I guess I must ask them to do the same. But even with that, I don't know which user the hack used or if it was something else more obscure that is not obvious from the log itself and could have involved the MySQL database. Is there any way to keep track of it?
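
Added example, not part of the thread and not the poster's log: one way to search an access log for the sequence described in the last post (requests for missing .php files, then a login, then a theme edit from the same address). The log lines are constructed; the Apache "combined" format, the 302 status on a successful wp-login.php POST, and the /wp-admin/theme-editor.php path are assumptions about the site.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not the poster's log).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:04:10:01 +0000] "GET /wp-content/uploads/temp.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:04:10:02 +0000] "GET /wp-content/plugins/old/x7f3.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:04:10:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:04:10:09 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2012:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2012:09:31:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_suspects(log_text, min_probes=2):
    """Return {ip: findings} for clients that probed missing .php files,
    then logged in, then posted to the theme editor, in that order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, when, method, path, status = m.groups()
            events[ip].append((when, method, path.split("?")[0], int(status)))
    suspects = {}
    for ip, evs in events.items():
        probes, login_at, edit_at = [], None, None
        for when, method, path, status in evs:  # file order is time order
            if login_at is None and status == 404 and path.endswith(".php"):
                probes.append(path)  # request for a file that no longer exists
            elif method == "POST" and path.endswith("/wp-login.php") and status == 302:
                login_at = login_at or when  # assumption: 302 means login succeeded
            elif login_at and method == "POST" and path.endswith("/wp-admin/theme-editor.php"):
                edit_at = edit_at or when  # assumption: theme edits are posted here
        if len(probes) >= min_probes and login_at and edit_at:
            suspects[ip] = {"probes": probes, "login": login_at, "edit": edit_at}
    return suspects

if __name__ == "__main__":
    for ip, f in find_suspects(SAMPLE_LOG).items():
        print(ip, "probed", f["probes"], "login", f["login"], "theme edit", f["edit"])
```

A default access log does not record POST bodies, so this yields the client address and the time of the login, not the account name; matching that time against a login audit record is what ties it to a user.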

Topic Closed

This topic has been closed to new replies.
