Infected Wordpress website

Discussion in 'Security' started by remcie, Mar 1, 2016.

  1. remcie
    For the past few months we have been struggling with a hacked WordPress website.
    The site was hacked and a script was uploaded to send out email.
    Altogether the site has been hacked about 4 or 5 times now.

    The first time we simply deleted (or replaced) the infected files but that did not work.
    As we had a clean backup we uploaded a backup and for about 1 month nothing happened, but then we were hacked again.
    So the 3rd time we decided to work with a clean WordPress installation, and kind of rebuild the website. Again everything was quiet for a few weeks till the website got hacked again.

    Please note that every time we found out we were hacked we found the script in different files (sometimes in a certain plugin, sometimes in actual WordPress files).

    The last time we lost our patience and decided to start all over 100%.
    We deleted the old cPanel and opened a new one. Installed a new WordPress installation and built the site again from scratch. Same with the database.
    We installed several security plugins, protected the database, etc., and again everything was quiet for about 1 month until yesterday, we got hacked again :-(

    At this point I really don't know where to find the issue. First I expected it to be a WordPress problem, but the last time we made sure we were working with a clean installation and had all templates and plugins updated to their latest version. Obviously we use very strong passwords, and nobody has access to these passwords.
    Could this be a server-level problem?

    The strange thing is we have another 20 websites hosted on the same Linux dedicated server which have not been hacked in years.
    Any advice would be greatly appreciated.

    Thanks,
     
  2. storminternet
    If this is specific to your one website, then a WordPress plugin you are using can be the reason for the hacking.
    Recently a revslider plugin vulnerability has been detected. For more details you can refer to the thread below.

    https://blog.sucuri.net/2016/02/behind-the-malware-botnet-analysis.html

    Try using Cloudflare to protect your website against such intrusion.
     
  3. syslint
    Also make sure your client billing accounts and email accounts are secure too. If someone has access to those, then there is no point in reinstalling WordPress :)
     
  4. cPanelMichael
  5. rregister
    Couple of tips from a WordPress server admin.

    As someone above mentioned, watch out for old versions of Revslider - I believe it's versions pre 4.6 that are dangerous. I believe the Yoast SEO and Google Analytics plugins were also a problem at one point, but those have long since been fixed and are free plugins that you can update.

    Gravity Forms prior to version 1.9ish are also bad and there is a common exploit that will allow the upload of rogue PHP files. This is the #1 offender for most of my customers. You need to buy a proper license and update it.

    If your site is infected... just wholesale replace the /wp-admin and wp-includes folders. All of your custom stuff like themes, plugins, etc is in /wp-content, and therefore it should be totally safe to override /wp-admin and /wp-includes with the stock packages. You will of course need to clean /wp-content manually, but this should save you some time.
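
A read-only check to go with the folder replacement described in the last post, added here as an example (not code from any poster, cPanel or WordPress): it lists core files that differ from a stock copy of the same WordPress version, extra files that copying stock files over the folders would leave in place, and PHP files under `wp-content/uploads`. The `stock` directory, the extension list and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # the folders the post replaces wholesale
PHP_EXTS = {".php", ".phtml", ".php5"}   # assumption: extensions the server executes

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site: Path, stock: Path) -> dict:
    """Compare a live site against a stock WordPress tree of the same version."""
    report = {"modified": [], "extra": [], "php_in_uploads": []}
    for core in CORE_DIRS:
        for f in sorted(p for p in (site / core).rglob("*") if p.is_file()):
            rel = f.relative_to(site)
            ref = stock / rel
            if not ref.is_file():
                # Not in the stock package: an overwrite-only copy keeps it.
                report["extra"].append(rel.as_posix())
            elif sha256(f) != sha256(ref):
                report["modified"].append(rel.as_posix())
    # Heuristic (assumption): PHP under uploads is unexpected and needs review.
    uploads = site / "wp-content" / "uploads"
    for f in sorted(p for p in uploads.rglob("*") if p.is_file()):
        if f.suffix.lower() in PHP_EXTS:
            report["php_in_uploads"].append(f.relative_to(site).as_posix())
    return report

def build_constructed_demo(root: Path) -> tuple:
    """Constructed sample trees; file names and contents are made up."""
    files = {
        "stock/wp-admin/index.php": "<?php // stock admin",
        "stock/wp-includes/load.php": "<?php // stock loader",
        "site/wp-admin/index.php": "<?php // stock admin",
        "site/wp-includes/load.php": "<?php // stock loader\n// injected line",
        "site/wp-includes/cache-tmp.php": "<?php // dropped file",
        "site/wp-content/uploads/2016/02/logo.png": "not really a png",
        "site/wp-content/uploads/2016/02/form.php": "<?php // rogue upload",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return root / "site", root / "stock"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_constructed_demo(Path(tmp))))
```

On a real account, point `site` at the document root and `stock` at an unpacked download of the same WordPress version; anything reported under `extra` has to be deleted, since replacing files in place does not remove it.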
     