Support » Fixing WordPress » wp-config keeps adding new lines

  • My page had some malware on it, so I deleted all the files from root directory, wp-admin and wp-includes. Copied from fresh install. After an hour or two there was white screen of death. Couldn’t figure out what was wrong until I realised that wp-config.php was changed.
    Only changes made to it were one line at the bottom just before the last line:
    require( ABSPATH . 'wp-admin/setup-config.php');
    How can I stop this from happening?

Viewing 10 replies - 1 through 10 (of 10 total)
  • The malware must be elsewhere than the core files you deleted. I would look for changed files throughout your wp-content folder. Try renaming your current theme folder so that WordPress will load the default theme.

    Also try commenting out that line with /* and */

    Thread Starter JankyLV

    (@jankylv)

    I tried commenting it out. After a while a new one just like it shows up. It works when I comment it out.. For a little while.. Don’t see any changes in theme files or plugins.

    Comment it our then make the file non writable. That really isn’t a fix though since there is obviously some malware somewhere. Have you looked at your .htaccess file? Maybe you can use a plugin like duplicator to copy the site to your local machine and follow one of the many tutorials on fixing a hacked site. Here’s one from Elegant Themes http://www.elegantthemes.com/blog/tips-tricks/what-to-do-when-your-wordpress-website-has-been-hacked

    Thread Starter JankyLV

    (@jankylv)

    I have tried almost everything you mentioned 🙂 Tried making it non writable. FileZilla couldn’t make that possible, so edited in cPanel. Waiting for results.
    Also installed the “WordPress File Monitor Plus”. Let’s see if any of this helps..

    Hi @jankylv,

    Sorry about the troubles you are having. These types of things can be extremely painful and time consuming. First things first, you really need to find out where the breach in your site is. This could be though a plugin or a theme or even user access. It could be WP core but trust me when I say that it is very secure but anything is possible.

    The most common way a site is hacked is through a plugin or theme. The next would be the server you are on. Some shared servers allow for cross site hacking from within the server.

    WordPress community has a guide for approaching a hacked WP install which can be found at https://codex.wordpress.org/FAQ_My_site_was_hacked .

    I would run the following plugin to see if it comes up with anything as well.
    https://wordpress.org/plugins/sucuri-scanner/

    Thread Starter JankyLV

    (@jankylv)

    Changing wp-config.php to 444 seems to work for now. I installed scanner plugin, but it couldn’t find anything. The WP core wasn’t update for a few months, so I guess that could have been the breach.

    My guess would be geared more toward a plugin and or a theme. You can run a plugin like WordFence that monitors who and when a file was edited. This may help you track down where the fault is.

    Here is what I would do:

    – Remove unused plugins/themes
    – Update all you plugins to the latest version
    – Update your theme(s) to the latest version
    – Update WP to the latest version
    – Check the DB for bad code. (This will involve some knowledge of MySQL and WP tables/data structure)

    Thread Starter JankyLV

    (@jankylv)

    Sucuri is starting to pick up some failed logins. What is the best solution for these attacks?

    Failed logins are the sole attempt of bots doing Brute Force attacks. If you are not seeing any performance issue from these attacks, you can leave them be. They always happen and happen often. It is just a side effect of a very popular CMS.

    If you are seeing a performance hit on your server, you can check out https://codex.wordpress.org/Brute_Force_Attacks for some basic information on how you can slow down if not prevent the attacks all together.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘wp-config keeps adding new lines’ is closed to new replies.