I’ve got a site that has been hacked for the fourth time now this month. With scripts hosted on autofaucet.org. (Sloppy code even, found their names. Some Russian dudes. But that’s off topic.) I’ve taken some measures to prevent a new hack, but alas…
- I’ve installed a clean WP installation on the server, with clean files and a clean DB.
- Reinstalled the plugins clean.
- I have the All In One WP Security & Firewall plugin for file scanning, firewall, hide login page, etc.
- Changed all the WordPress passwords.
I’ve noticed the encoded code is being placed in files called assets.php.
I’m curious how a hacker would inject/place the code on the server. How to prevent it better and what questions to ask the webhost company. I’ve asked them before and they just say it’s my fault, update the wp installation and move on. What should they check if the code is injected from their side?
2 Answers
Your log files (of the web server), e.g. /var/log/nginx/access.log with the nginx web server, will tell you who it was. Look for the change date/time of the assets.php file. Then check server access logs for IP addresses from that exact time. Then search logs for that IP address. You will find the first accesses by that IP address. That was likely the hack.
Usually WordPress plugins are to blame as long as you keep the WP site updated. So, you could disable plugins not needed urgently, and disable the others one by one, or all for testing.
As a workaround, you can make the index.php (or other) file under attack read-only. In the past I have worked around particular attacks by chown root.root filetobeattacked.php which usually works (but may hinder updates, so it’s a temporary solution). If you are not root on the server (shared hosting) perhaps chmod 444 filetobeattacked.php could work.
I had the same issue before. It might be the WordPress core files.
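The log correlation described in the first answer, as an added example that is not part of the original answers: it takes the modification time of assets.php, finds the client IPs that made requests within a few seconds of it, and returns each such IP's full request history so the first access is visible. The log lines, IP addresses, plugin path and timestamp are constructed sample data, and the nginx "combined" log format is assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in nginx "combined" format (documentation IP ranges,
# hypothetical plugin path). In real use, read /var/log/nginx/access.log.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:02:58:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:03:01:15 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2024:03:13:50 +0000] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:03:14:05 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:03:14:09 +0000] "GET /wp-content/uploads/assets.php HTTP/1.1" 200 5 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:03:40:02 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# client IP, [time_local], "request line", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')


def parse(log_text):
    """Yield (ip, time, request, status) for every line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), when, m.group(3), int(m.group(4))


def suspects(log_text, file_mtime, window_s=10):
    """Map each IP seen within window_s of file_mtime to its sorted history."""
    entries = list(parse(log_text))
    window = timedelta(seconds=window_s)
    hits = {ip for ip, when, _, _ in entries if abs(when - file_mtime) <= window}
    return {ip: sorted((w, r, s) for i, w, r, s in entries if i == ip)
            for ip in hits}


if __name__ == "__main__":
    # Constructed mtime; in real use:
    # datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    mtime = datetime(2024, 3, 12, 3, 14, 7, tzinfo=timezone.utc)
    for ip, history in suspects(SAMPLE_LOG, mtime).items():
        print(ip, "first seen", history[0][0].isoformat())
        for when, request, status in history:
            print("   ", when.isoformat(), status, request)
```

The modification time can be reset by whoever wrote the file, so compare it with the inode change time (st_ctime), which is harder to forge. Widen window_s if the server clock and log timestamps may be slightly out of step.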