Forum Replies Created

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter compressor

    (@compressor)

    Hi Jared,

    Thanks for your quick reply.

    No need to say sorry about that. Sounds like a very solid base.

    I just can’t figure out what went wrong where and when. That’s why I assumed it had something to do with the update. Have to go to a customer now but I am going to try and change the recaptcha settings and backtrace when I get home again.

    Thanks again!

    Thread Starter compressor

    (@compressor)

    Hey Jared,

    Here is the link: *edited away after jared replied.*

    It is still under construction, sort of, so…

    Thanks in advance!!

    Thread Starter compressor

    (@compressor)

    Well, just as they said here ( https://wordpress.org/support/topic/multiple-wordpress-sites-and-others-infected/#post-7207946 ): how did it get infected?
    I changed my passwords. Again. The site is up to date.

    Right now I’ve got multiple, probably conflicting, WAF tools installed so I need to make up my mind and decide which is the best one to keep.

    I wonder, some of the files that were infected (actually seem to be either uploaded or generated), were renamed on the server. I’m guessing by the hoster. Who did not inform me. So that’s an automated process which doesn’t care.

    I remember going through some sites this afternoon and finding out my hosting provider was listed by an AS number (not familiar with that type of indication) but the registered number of incidents seemed quite high. 736 or something like that.

    Ah, and I should check file permissions… of course… But I don’t know what the correct permission settings are for files and folders of WordPress… so that is one thing to find out too… 😀

    Thread Starter compressor

    (@compressor)

    Oké… Soooo… than (or then? Hmmzz….) those files are automatically synchronized?

    That would be funny… that is what did get me to run more tests etc. 😀 And why I am now in the process of removing, checking, learning and hardening, where possible for me.

    Thread Starter compressor

    (@compressor)

    No, I never did find what infected it, over and over again. I am assuming that it was my fault since I never got around to updating it. Or its plugins etc. Now that I am going for a new round, I have removed everything from the httpdocs folder and created a new DB and did a fresh WP install.

    This is what has been visiting my site (I will remove this pic in 20 minutes or so, I think, just to be safe(r))
    http://nl.tinypic.com/view.php?pic=2q2kc5z&s=9
    Now… See what links they are visiting? Joomla pages. Except for the blog36 and inc.php. What the guy from Reykjavik is trying to do…. Dunno. However… see what started happening to the visited URLs after I had changed passwords and removed some of the infected files? All visits started to go to / instead of other locations. And look at the time of those visits.
    I don’t know, but I hope that might mean whatever was targeting me, did not succeed in gaining access and tried via another route…

    Thread Starter compressor

    (@compressor)

    Okay…. makes sense 🙂
    Can I run, for example, NinjaFirewall and Wordfence both but with only one in WAF mode?
    Or doesn’t that make sense?

    I ask because I like the way NinjaFirewall alerts me. Still need to get acquainted with Wordfence, though…

    Thread Starter compressor

    (@compressor)

    Thank you!

    I am working through it all…

    I have also installed Wordfence and the other 3 tools/scanners/firewalls. But I already had NinjaFirewall installed. It spoke about running in full-WAF mode during installation, which succeeded. Now Wordfence, which seems a lot more advanced still, asked me sort of the same thing (different question but also concerning the php.ini file, if I recall correctly) so it could run in this mode. I let it change the values and it said the installation succeeded.

    Now I am wondering: on a normal Windows machine, having multiple AVs running would pose a problem. Not so when running anti-malware and AV.

    How is that for a server-based piece of software like WP? No problem?
