Title: WordPress security question
Last modified: August 22, 2016

---

# WordPress security question

 *  [Max Sharlaev](https://wordpress.org/support/users/e13/)
 * (@e13)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/wordpress-security-question/)
 * Hi! One of my sites was hacked. Some bot had modified category.php – instead 
   of showing posts of a certain category it was showing a file upload form.
 * Then I did some digging and this is what I found in the web server logs:
 *     ```
       77.247.181.165 - - [20/Oct/2014:07:38:11 +0400] "GET /wp-login.php HTTP/1.1" 200 3578 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:13 +0400] "POST /wp-login.php HTTP/1.1" 302 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:16 +0400] "GET /wp-admin/ HTTP/1.1" 200 59000 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:20 +0400] "GET /wp-admin/ HTTP/1.1" 200 59000 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:26 +0400] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 68294 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:28 +0400] "GET /wp-admin/theme-editor.php?file=category.php&theme=sometheme HTTP/1.1" 200 43929 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:29 +0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:33 +0400] "GET /theme-editor.php?file=category.php&theme=sometheme&scrollto=0&updated=true HTTP/1.1" 404 25658 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:37 +0400] "POST /wp-content/themes/sometheme/category.php HTTP/1.1" 200 46 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:39 +0400] "GET /wp-content/themes/sometheme/wp-upload.php HTTP/1.1" 200 - "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:39 +0400] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 68395 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:42 +0400] "GET /wp-admin/theme-editor.php?file=category.php&theme=sometheme HTTP/1.1" 200 45418 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:46 +0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:52 +0400] "GET /theme-editor.php?file=category.php&theme=sometheme&scrollto=0&updated=true HTTP/1.1" 404 25658 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:55 +0400] "POST /wp-content/themes// HTTP/1.1" 200 - "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:38:55 +0400] "GET /wp-content/themes//wp-upload.php HTTP/1.1" 301 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:39:03 +0400] "GET /wp-content/themes/wp-upload.php HTTP/1.1" 404 25597 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:39:08 +0400] "POST /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 42445 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:39:09 +0400] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 35580 "http://somesite.com/wp-admin/plugin-install.php?tab=upload" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       77.247.181.165 - - [20/Oct/2014:07:39:14 +0400] "GET /wp-content/uploads/2014/10/maink.php HTTP/1.1" 200 88800 "http://somesite.com/wp-admin/plugin-install.php?tab=upload" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
       ```
   
 * I couldn't find any other requests to category.php, so I think this is the moment
   my file was changed.
 * Can anyone tell me if I am right or wrong in my suggestion that this bot knows the username
   and password and successfully enters the website administration page?
 * And I couldn't get what this bot has been doing since 07:38:39. I think wp-upload.php
   is the file it uploaded via the upload form, but the reason for the other actions is not clear.

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [11 years, 6 months ago](https://wordpress.org/support/topic/wordpress-security-question/#post-5421279)
 * Are you still cleaning up your hacked website?
 *  Thread Starter [Max Sharlaev](https://wordpress.org/support/users/e13/)
 * (@e13)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/wordpress-security-question/#post-5421289)
 * Andrew, I have already cleaned it up – at least what I could find (there were 
   lots of files and code inserts). Now I am trying to understand how the attacker
   got in. And, if it is possible, what exactly he did.
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [11 years, 6 months ago](https://wordpress.org/support/topic/wordpress-security-question/#post-5421334)
 * Just to be clear, you’re aware of the PHP file in your uploads directory?
 *  [A2BCool](https://wordpress.org/support/users/a2bcool/)
 * (@a2bcool)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/wordpress-security-question/#post-5421350)
 * The pattern of page visits in your logs appears to be a manual login and edit
   of each of those files. Note that each step that a person would have to take 
   to get to the file editor was taken. A bot would have logged in and posted directly
   to /wp-admin/theme-editor.php.
 * Check to see if there is a new administrator user on the site and look in your
   plugins and themes folders for any unused or outdated plugins and/or themes.
 * The fact that there were not large numbers of attempts to POST to wp-login.php
   means that the user that did this has a username and password. If you have backups
   of your site, I would use one before [20/Oct/2014:07:38:11 +0400] and update 
   all plugins and themes.
 *  Thread Starter [Max Sharlaev](https://wordpress.org/support/users/e13/)
 * (@e13)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/wordpress-security-question/#post-5421370)
 * Andrew, yes, I’ve deleted this file. For now it seems all malware is cleared
   (caught the last one today – it didn’t contain an eval function, so I couldn’t find
   it at once).
 * Benjamin Cool, thank you, I didn’t notice that a bot would go directly to
   /wp-admin/theme-editor.php. All other actions look like bot activity (many files
   were created in random directories and a certain line of code was inserted in random
   existing files).
 * I’ve checked users – there were no new administrators. I think the attacker could 
   have used the account of my colleague because I have quite a strong password.
 * I think I should reinstall WP and check theme files. Now I see periodic POST 
   requests to wp-login.php like somebody is trying to brute-force my site. Hope 
   the security plugin will handle brute force well.
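
The reasoning in the replies above (one successful login with no run of failed attempts, then theme-editor saves, a plugin upload and a PHP file fetched from the uploads directory) can be checked mechanically against an access log. This is an added example, not part of the original thread: the sample lines and IP addresses are constructed, and reading a 302 on `POST /wp-login.php` as success and a 200 as failure is an assumption based on WordPress's default login behaviour.

```python
import re
from collections import defaultdict

# Prefix of the combined log format: ip, ident, user, [time], "METHOD path proto", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# (label, required method or None for any, path pattern) for post-login activity
RULES = [
    ("theme_editor_save", "POST", re.compile(r"^/wp-admin/theme-editor\.php")),
    ("plugin_upload", "POST", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin")),
    ("post_to_theme_php", "POST", re.compile(r"^/wp-content/themes/.+\.php(\?|$)")),
    ("php_served_from_uploads", None, re.compile(r"^/wp-content/uploads/.+\.php(\?|$)")),
]

# Constructed sample modelled on the thread's log; IPs are documentation addresses.
SAMPLE = """\
203.0.113.7 - - [20/Oct/2014:07:38:11 +0400] "GET /wp-login.php HTTP/1.1" 200 3578 "-" "UA"
203.0.113.7 - - [20/Oct/2014:07:38:13 +0400] "POST /wp-login.php HTTP/1.1" 302 1 "-" "UA"
203.0.113.7 - - [20/Oct/2014:07:38:28 +0400] "GET /wp-admin/theme-editor.php?file=category.php&theme=sometheme HTTP/1.1" 200 43929 "-" "UA"
203.0.113.7 - - [20/Oct/2014:07:38:29 +0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 1 "-" "UA"
203.0.113.7 - - [20/Oct/2014:07:38:37 +0400] "POST /wp-content/themes/sometheme/category.php HTTP/1.1" 200 46 "-" "UA"
203.0.113.7 - - [20/Oct/2014:07:39:09 +0400] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 35580 "-" "UA"
203.0.113.7 - - [20/Oct/2014:07:39:14 +0400] "GET /wp-content/uploads/2014/10/maink.php HTTP/1.1" 200 88800 "-" "UA"
198.51.100.9 - - [21/Oct/2014:10:00:01 +0400] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "UA"
198.51.100.9 - - [21/Oct/2014:10:00:03 +0400] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "UA"
198.51.100.9 - - [21/Oct/2014:10:00:05 +0400] "POST /wp-login.php HTTP/1.1" 200 3600 "-" "UA"
"""

def analyse(log_text):
    """Return (findings per IP in the order seen, failed login POSTs per IP)."""
    failed = defaultdict(int)
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php"):
            # Assumption: default WordPress redirects (302) on success, re-renders (200) on failure.
            if status == "302":
                findings[ip].append("login_ok_after_%d_failures" % failed.get(ip, 0))
            else:
                failed[ip] += 1
            continue
        for tag, want, pattern in RULES:
            hit = want in (None, method) and pattern.match(path) and status in ("200", "302")
            if hit and tag not in findings[ip]:
                findings[ip].append(tag)
    return dict(findings), dict(failed)
```
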


The topic ‘WordPress security question’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 5 replies
 * 3 participants
 * Last reply from: [Max Sharlaev](https://wordpress.org/support/users/e13/)
 * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/wordpress-security-question/#post-5421370)
 * Status: not resolved

