WordPress site keeps getting hacked.

Name: Darren
#1
Someone keeps hacking my WordPress site and sending spam emails through the site.

What is the best way to secure a WordPress site? I have already had to delete the site, reinstall it and add a security plugin, but it still happened again today.

Any tips? I'm using WordPress because I'm not all that proficient with Web stuff, although I'm getting better.

I wish I could learn to build my own site or outsource, but have neither the time nor money.
 
Name: Richard King
#5
Is the code getting hacked or are you just getting spam?

To secure a WordPress site properly, you need FTP access to the site. Do you have this?

There are a number of plugins with which you can toughen up a contact form, or secure a site; however, in my experience, the first point of call is to ensure all the files are in the "best locations" and have the correct permissions. You also need to remove redundant plugins and check your theme for vulnerabilities (there are a few older themes which are quite vulnerable).

In addition, you need to look at your usernames and passwords. Have the FTP, cPanel and root usernames reset. You also need a strong password for backend access, and don't use the username=admin.

Your webhost ought to be able to provide access logs; you may be able to block your hacker's IP address, or at least see what file is being attacked.
 
daz103 (OP)
Name: Darren
#6
Hi, thanks for the info. The hackers are sending spam emails through my website, first to the host through '/LICENCED.php' yesterday and then today to a third party through '/wp-content/upgrade/LICENCED.php'. It seems impossible to find this file using the FTP, even without any hidden files.

I am quickly beginning to understand the need to keep it updated as I think I had a couple of redundant plugins which were not updated.

I am now going to start using random password generators and hope I can remember them all :thinking:
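
An added example, not part of any post in this thread: one way to act on the access-log advice is to list POST requests to PHP files that are not normal WordPress entry points, grouped by path and client IP. The log lines are constructed; the combined log format, a web-root install and the allowlist of expected POST targets are assumptions.

```shell
#!/bin/sh
# Added example: triage an access log for POSTs to unexpected PHP files.

# Constructed sample lines (documentation IP ranges), not from a real log.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Jan/2012:09:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2012:09:15:22 +0000] "POST /LICENCED.php HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [12/Jan/2012:09:15:25 +0000] "POST /LICENCED.php HTTP/1.1" 200 312 "-" "-"
203.0.113.44 - - [13/Jan/2012:02:40:10 +0000] "POST /wp-content/upgrade/LICENCED.php HTTP/1.1" 200 298 "-" "-"
192.0.2.10 - - [13/Jan/2012:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Jan/2012:08:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
EOF
}

# suspicious_posts: read a log on stdin, print "count path client-ip",
# highest count first.
suspicious_posts() {
  awk '
    $6 == "\"POST" {
      path = $7
      sub(/\?.*/, "", path)            # drop the query string
      if (path !~ /\.php$/) next       # only PHP targets
      # Assumed allowlist of normal POST targets; extend it per site.
      if (path ~ /^\/(wp-login|wp-comments-post|xmlrpc|wp-cron)\.php$/) next
      # Everything under /wp-admin/ is skipped, so a script planted
      # there would not show up in this report.
      if (path ~ /^\/wp-admin\//) next
      hits[path " " $1]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; for a real log run:
#   suspicious_posts < /path/to/access.log
sample_log | suspicious_posts
```

Each path in the output is a file to look for on disk; the client IPs are the candidates for blocking mentioned above.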
 

KayJay
#7
It might not even be an issue with WordPress itself. They release security updates very quickly when the code is found to be insecure, and so it is pretty reliable.

The reason this is probably happening is that your folder permissions may not be set correctly, which could in itself create vulnerabilities for hackers to exploit.

For most consumers the best way to secure a website is to ensure you're with a good hosting company that spots things like this quickly, and that you use secure passwords and limit your use of plugins and third party software that you've not had experience with in the past.

For a list of the correct folder permissions for a WordPress install take a look here: http://codex.wordpress.org/Changing_File_Permissions

Also contact your host to track down this phantom script. If they're competent enough they'll find it and through server logs potentially track down the vulnerability and patch it.
 
Name: Darren
#9
My WP site got hacked yesterday. I received an email from my hosting company telling me they had taken my site down due to them detecting malicious scripts being uploaded.

I contacted them and they gave my IP address access so I could sort it out. Luckily they detected it VERY quickly, as there were only a couple of files I had to delete.

I also deleted all my plugins as a precaution and reinstalled them with newest versions etc. and updated WP while I was at it. Even though I had updated it recently to 3.3, they had released a patch with some fixes to security issues.

Hats off to my hosting company, as if they had not been so quick to detect it I could have been in for a lot more hassle sorting it out.
 
Name: Richard King
#10
Iphotouk

It may be your theme that is vulnerable; other possibilities include:

- lack of strong passwords for admin
- wrong folder permissions
- wrong file permissions
- a server vulnerability
- your machine at home has a virus and has sent your FTP details offsite

For all of these reasons change ALL of your passwords, FTP, cPanel, admin, and run a scan on your home machines.
 
Name: Diane
#11
Change the default password for the database, and your log-in to the dashboard, and set the file permissions to a more secure setting, if they are not already. See here for how to change permissions on the hosting service:
http://codex.wordpress.org/Changing_File_Permissions

It could be that the hosting company has some issues themselves - might be as well to contact them and see what they say.
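
An added example, not part of any post in this thread: a read-only audit for the folder and file permission advice given in several replies above. The baseline it checks against (directories 755, files 644, wp-config.php not readable by other accounts) is an assumption of this example, not a value stated in the thread; the function name is also hypothetical.

```shell
#!/bin/sh
# Added example: read-only permission audit for a WordPress tree.
# Assumed baseline: directories 755, files 644, so nothing should be
# group- or world-writable, and wp-config.php should not be readable
# by "other".

# audit_perms DIR: print one "FINDING path" line per problem, sorted.
audit_perms() {
  root=$1
  {
    find "$root" -type d \( -perm -0020 -o -perm -0002 \) -print |
      sed 's/^/WRITABLE-DIR /'
    find "$root" -type f \( -perm -0020 -o -perm -0002 \) -print |
      sed 's/^/WRITABLE-FILE /'
    # On shared hosting, other accounts may be able to read this file,
    # which holds the database password and the salts.
    find "$root" -type f -name wp-config.php -perm -0004 -print |
      sed 's/^/WORLD-READABLE-CONFIG /'
  } | sort
}

# Usage: sh audit.sh /path/to/wordpress   (makes no changes)
if [ "$#" -gt 0 ]; then
  audit_perms "$1"
fi
```

An empty report means the tree meets the assumed baseline; any finding is something to compare against the linked Codex page before changing it.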
 
Name: Jon
#14
You should also check the themes (styles) that you are using. Sometimes there is hidden code within the themes. Try the TAC plugin; this checks your themes for hidden code.
You could also set your WordPress to not allow new user sign-ups; you can then create new users yourself.
 
daz103 (OP)
Name: Darren
#15
Thanks for all the tips, guys. I've had to spend out on new hosting because ipage couldn't sort it out. It seems that it may have been their servers that got hacked. But still taking extra precautions now.
 
Name: Hugh
#20
I hate to ask, but who are you hosting with, and is it shared hosting? If so, particularly with shared hosting there could well be some vulnerabilities in the hosting itself, with nothing you can do at your end.

I got caught like this a couple of times till I moved host. Eventually the host admitted that the hacks were coming because a member of staff's computer had a keystroke logger that allowed the hackers access. edit - and I notice you're using the same host. They really should sort themselves out.

Having said that - there are a couple of things you need to do. First and foremost regenerate and reload the salts in your wp-config.php file. This will force anyone logged on still to log off. Use this site to generate the code you need https://api.wordpress.org/secret-key/1.1/salt/

2. Delete any users you don't recognise

3. Delete any plugins and theme you don't use.

Most script attacks hide backdoors in files that aren't routinely updated when you update WordPress. Wp-Config for example, or add another file that looks like it should be there, but in reality shouldn't.

This script will fix any script injection attacks that insert code using base64_decode, but be careful with it. It's worth what you paid, and some free themes use this function, which means it'll stop that theme working.

Site remediated by <a href="http://sucuri.net">Sucuri</a><br />
This script will clean the malware from this attack:
<a href="http://sucuri.net/malware/entry/MW:MROBH:1">http://sucuri.net/malware/entry/MW:MROBH:1</a>
<br />
<br />
If you need help, contact support@sucuri.net or visit us at <a href="http://sucuri.net/">
Sucuri.net</a>
<br />
<br />
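<?php
// Let the cleanup run without PHP's execution time limit.
set_time_limit(0);

// Start from the directory this script is placed in.
$dir = "./";

// Edits every .php file under $dir in place: deletes the injected block that
// starts with the eval(base64_decode("aWY opening in the pattern below and
// runs through the last closing PHP tag on that line. No backup is kept.
$rmcode = `find $dir -name "*.php" -type f |xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1`;
echo "Malware removed.<br />\n";
// Deletes the blank lines left at the top of each file (everything before
// the first non-empty line).
$emptyline = `find $dir -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1`;
echo "Empty lines removed.<br />\n";
?>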
<br />
Completed.
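
An added example, not part of the post or of the Sucuri script: a report-only pass to run before any in-place cleanup such as the script above. It lists PHP files that contain `eval(base64_decode(` and PHP files sitting in `wp-content/uploads` or `wp-content/upgrade` (the latter is where the spam script was reported earlier in the thread). The function names, and the assumption that those two directories should hold no PHP, belong to this example.

```shell
#!/bin/sh
# Added example: report-only checks; nothing is modified or deleted.

# scan_injected DIR: PHP files that contain an eval(base64_decode( call.
# Matches are candidates for review, not proof: as the post notes, some
# free themes use the same construct.
scan_injected() {
  find "$1" -type f -name '*.php' \
    -exec grep -il 'eval *( *base64_decode *(' {} + 2>/dev/null | sort
}

# stray_php DIR: PHP files under wp-content/uploads and wp-content/upgrade.
# Assumption: on this site those directories hold only media and temporary
# update files, so any PHP file found there deserves a look.
stray_php() {
  for d in "$1/wp-content/uploads" "$1/wp-content/upgrade"; do
    if [ -d "$d" ]; then
      find "$d" -type f -name '*.php' -print
    fi
  done | sort
}

# Usage: sh scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
  echo "== eval(base64_decode( present =="
  scan_injected "$1"
  echo "== PHP files in uploads/upgrade =="
  stray_php "$1"
fi
```

Because `find` does not depend on what an FTP client chooses to display, it also lists dot-files and files in directories that are easy to overlook.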
 
daz103 (OP)
Name: Darren
#21
Thanks for the info. I moved hosts in the end and am now trying to get some money back from ipage, which I doubt will happen. I am with TSOhost, which seemed to come highly recommended on this forum. Has so far worked well.
 