WordPress Site - File Randomly Changed

Garrettj94 (Website Owner, Oct 1, 2015):
I got notified one of my clients' sites was down. I checked /wp-admin and it showed the DB was pointed to a different IP. I checked the wp-config.php file and saw this:


I have no clue how this was changed. Since then I restored the correct info, changed the FTP password, Root password, and installed a security plugin. Anything else I can do?

rpvw (Root Administrator, Jul 18, 2013):
Make sure that the Wordpress core, every Plug-in and Add-on and every Theme (irrespective of whether they are in use or not) are updated to the latest available versions.

Delete any Plug-in, Add-on and Theme that are not being used to reduce your attack surface.

Also audit all the Plug-ins, Add-ons and Themes to ensure they are still being actively supported by their developers, and have not been abandoned.

Ensure that any additional FTP users have been deleted, or have had their passwords changed as well.

If your web host has enabled your access, disable any PHP options (e.g. file_uploads, allow_url_fopen etc.) that you don't need; you will have to check what the site and its features need - the two that I listed were meant only as examples, not suggestions!

Check your logs for any indication of a 'PUT' method around the time your config.php file was changed.

Switch ON ModSecurity if it is available to you.

If you are really unsure about whether the method used to change the file has been blocked or not - download the website file-set and also a copy of the Wordpress core and all plugins and themes from their source and "diff" them to see if any strange code resides in any file.

If all else fails - reinstall Wordpress and all the plugins etc fresh, and reconfigure the site.

Disclose the event to your web host, and ask for help in attempting to ascertain the point of access from logs. It is remotely possible that the access originated through another site altogether, and your web host needs to satisfy himself that the rest of his clients are safe as well.

Hope this helps
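Two of rpvw's checks, the log search for PUT requests and the diff against a clean WordPress copy, as an added POSIX shell example that is not part of the thread. The log lines, the site tree and the reference tree are all constructed inside the script (the IPs are documentation addresses and the file names are placeholders) so it runs offline; on a real server you would point the functions at your access log and at the downloaded site and reference trees instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes an Apache/LiteSpeed
# combined-format access log and a stock WordPress directory layout.

# Print every request that used the PUT method. PUT is almost never
# legitimate against a WordPress docroot, so any hit is worth reading
# together with the surrounding lines for the same client address.
put_requests() {
  logfile="$1"
  grep '"PUT ' "$logfile"
}

# Compare a downloaded site tree against a fresh copy of the same
# WordPress version. Prints files that differ and files present on only
# one side. The uploads directory and wp-config.php are skipped because
# they are expected to be site-specific; review those by hand.
diff_site_against_reference() {
  site="$1"
  ref="$2"
  diff -rq -x uploads -x wp-config.php "$ref" "$site" | sort
}

# Build constructed sample data in a temp directory and print its path.
make_sample_data() {
  d=$(mktemp -d)
  # Constructed log: one PUT to wp-config.php between two ordinary GETs.
  cat > "$d/access.log" <<'EOF'
203.0.113.7 - - [01/Oct/2015:03:12:44 -0700] "GET /wp-login.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2015:03:13:02 -0700] "PUT /wp-config.php HTTP/1.1" 201 0 "-" "curl/7.35.0"
198.51.100.4 - - [01/Oct/2015:03:15:10 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
  # Reference tree: pristine core file plus one known plugin file.
  mkdir -p "$d/ref/wp-content/plugins/example-plugin"
  printf '<?php\n// clean core file (constructed)\n' > "$d/ref/wp-settings.php"
  printf '<?php\n// plugin main file (constructed)\n' > "$d/ref/wp-content/plugins/example-plugin/example-plugin.php"
  # Site tree: same files, but wp-settings.php has an extra line, an
  # unexpected file sits inside the plugin, and uploads/ holds an image.
  mkdir -p "$d/site/wp-content/plugins/example-plugin" "$d/site/wp-content/uploads"
  printf '<?php\n// clean core file (constructed)\n// injected line (constructed)\n' > "$d/site/wp-settings.php"
  printf '<?php\n// plugin main file (constructed)\n' > "$d/site/wp-content/plugins/example-plugin/example-plugin.php"
  printf '<?php\n// file not in the reference (constructed)\n' > "$d/site/wp-content/plugins/example-plugin/unexpected.php"
  printf 'not really an image (constructed)\n' > "$d/site/wp-content/uploads/photo.jpg"
  printf '<?php\n// site-specific, skipped by the diff\n' > "$d/site/wp-config.php"
  printf '%s\n' "$d"
}

# Stand-alone demonstration.
sample=$(make_sample_data)
echo "== PUT requests =="
put_requests "$sample/access.log"
echo "== differences from reference =="
diff_site_against_reference "$sample/site" "$sample/ref"
rm -rf "$sample"
```

Running it prints the single PUT line and two diff findings: wp-settings.php differs, and unexpected.php exists only in the site. Nothing under uploads is reported, so pair this with a separate scan of that directory.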

Anupam SG (Root Administrator, Aug 29, 2018):
In addition to what @rpvw has said, ask your client if he has uploaded any "nulled" modules/plugins. These are usually paid plugins, which people download from a shady site for free, in an effort to save money. And these "free" plugins almost always have the risk of malicious code inserted in them which is used for all sorts of black-hat purposes. The code can be hard to find and is sometimes disguised as an image file, which is executed through some other code located in some other file.
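The pattern Anupam SG describes, PHP hidden in a file with an image extension and a second file that includes it, is cheap to look for. The POSIX shell script below is an added example, not part of the thread; it creates a constructed uploads tree with one genuine-looking JPEG, one "image" that carries a PHP open tag, and a theme file that includes that image, then scans for both halves of the pattern. Point `php_in_images` and `image_includes` at a real wp-content directory to run it for real.

```shell
#!/bin/sh
# Added example, not code from the thread. Both scans are heuristics:
# they find the obvious cases and are a starting point for a manual
# review, not proof that a site is clean.

# Files with an image extension whose bytes contain a PHP open tag.
# A real image never needs one, so every hit deserves a look.
php_in_images() {
  dir="$1"
  find "$dir" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
       -o -iname '*.gif' -o -iname '*.ico' -o -iname '*.svg' \) \
       -exec grep -l '<?php' {} + 2>/dev/null
}

# PHP source files that include or require something with an image
# extension: the "other code in some other file" that would execute
# the payload above.
image_includes() {
  dir="$1"
  find "$dir" -type f -name '*.php' \
       -exec grep -lE "(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"][^'\"]*\.(jpe?g|png|gif|ico|svg)['\"]" {} + 2>/dev/null
}

# Constructed sample tree; prints its path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/uploads/2015/10" "$d/themes/example-theme"
  # Genuine-looking JPEG: SOI marker plus JFIF header bytes, no PHP.
  printf '\377\330\377\340\000\020JFIF\000' > "$d/uploads/2015/10/clean.jpg"
  # Image-named file carrying a PHP open tag (constructed marker only).
  printf '<?php\n// constructed test marker, not a real payload\n' > "$d/uploads/2015/10/logo.png"
  # Theme file that would load the image as code.
  printf '<?php\ninclude("../../uploads/2015/10/logo.png");\n' > "$d/themes/example-theme/functions.php"
  # Ordinary theme file that includes a normal PHP file.
  printf '<?php\nrequire_once("functions.php");\n' > "$d/themes/example-theme/index.php"
  printf '%s\n' "$d"
}

# Stand-alone demonstration.
tree=$(make_sample_tree)
echo "== image files containing PHP =="
php_in_images "$tree"
echo "== PHP files that include an image =="
image_includes "$tree"
rm -rf "$tree"
```

On the sample tree the first scan reports only logo.png and the second only functions.php; clean.jpg and index.php are not flagged. Extend the extension lists if a site uses other media types, and remember that the include target can be written in ways the regular expression does not cover, so treat a clean result as one data point rather than a verdict.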