WordPress Site - File Randomly Changed

Discussion in 'Security' started by Garrettj94, Oct 4, 2018.

  1. Garrettj94

    Garrettj94 Active Member

    I got notified one of my clients' sites was down. I checked /wp-admin and it showed the db was pointed to a different IP. I checked the wp-config.php file and saw this:


    I have no clue how this was changed. Since then I restored the correct info, changed the FTP password, Root password, and installed a security plugin. Anything else I can do?
     
    #1 Garrettj94, Oct 4, 2018
    Last edited by a moderator: Oct 8, 2018
  2. rpvw

    rpvw Well-Known Member

    Make sure that the WordPress core, every Plug-in and Add-on and every Theme (irrespective of whether they are in use or not) are updated to the latest available versions.

    Delete any Plug-in, Add-on and Theme that are not being used to reduce your attack surface.

    Also audit all the Plug-ins, Add-ons and Themes to ensure they are still being actively supported by their developers, and have not been abandoned.

    Ensure that any additional FTP users have been deleted, or have had their passwords changed as well.

    If your web host has enabled your access, disable any PHP options (e.g. file_uploads, allow_url_open etc.) that you don't need. You will have to check what the site and its features need - the two that I listed were meant only as examples, not suggestions!

    Check your logs for any indication of a 'PUT' method around the time your config.php file was changed.

    Switch ON ModSecurity if it is available to you.

    If you are really unsure about whether the method used to change the file has been blocked or not - download the website file-set and also a copy of the WordPress core and all plugins and themes from their source and "diff" them to see if any strange code resides in any file.

    If all else fails - reinstall WordPress and all the plugins etc. fresh, and reconfigure the site.

    Disclose the event to your web host, and ask for help in attempting to ascertain the point of access from logs. It is remotely possible that the access originated through another site altogether, and your web host needs to satisfy himself that the rest of his clients are safe as well.

    Hope this helps
     
    #2 rpvw, Oct 4, 2018
    Last edited: Oct 4, 2018
    Garrettj94 and Infopro like this.
  3. Anupam SG

    Anupam SG Active Member

    In addition to what @rpvw has said, ask your client if he has uploaded any "nulled" modules/plugins. These are usually paid plugins, which people download from a shady site for free, in an effort to save money. And these "free" plugins almost always have the risk of malicious code inserted in them which is used for all sorts of black-hat purposes. The code can be hard to find and is sometimes disguised as an image file, which is executed through some other code located in some other file.
     
    Infopro likes this.
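
An added example, not part of any post in this thread: one way to run the "diff" against clean copies suggested in post #2, which also flags the disguised-image case described in post #3. The script name and function names are hypothetical, and it assumes the clean WordPress core, plugins and themes have been unpacked into one directory laid out like the live site.

```python
#!/usr/bin/env python3
"""Added example: compare a live WordPress tree against a clean reference copy."""
import hashlib
import sys
from pathlib import Path


def index(root):
    """Map each file's path relative to root onto its Path object."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def digest(path):
    """SHA-256 of the file contents, as hex."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_trees(site_root, clean_root):
    """Return (modified, added, disguised) lists of relative paths.

    modified:  present in both trees, contents differ
    added:     present only in the live site (wp-config.php and uploads
               legitimately land here, so review rather than delete)
    disguised: added files without a .php extension that still contain a
               PHP open tag, e.g. a script stored under an image name
    """
    site, clean = index(site_root), index(clean_root)
    modified = sorted(r for r in site.keys() & clean.keys()
                      if digest(site[r]) != digest(clean[r]))
    added = sorted(site.keys() - clean.keys())
    disguised = [r for r in added
                 if not r.lower().endswith(".php")
                 and b"<?php" in site[r].read_bytes().lower()]
    return modified, added, disguised


if __name__ == "__main__":
    if len(sys.argv) == 3:
        modified, added, disguised = compare_trees(sys.argv[1], sys.argv[2])
        for label, paths in (("MODIFIED", modified), ("ADDED", added),
                             ("PHP-IN-NON-PHP", disguised)):
            for rel in paths:
                print(f"{label:15} {rel}")
    else:
        print("usage: wpdiff.py SITE_DIR CLEAN_DIR")
```

Run it on a downloaded copy of the site rather than on the server, and treat every MODIFIED core, plugin or theme file as needing an explanation.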
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Please note that external links are not allowed, if you have a screenshot please attach it to the thread directly. Please let us know if the advice provided by @rpvw and @Anupam SG helps or if you have any further issues or concerns.


    Thanks!
     