WordPress Installation Hacked and Being Used to Send SPAM Emails

  • Hi Guys,

    One of my WordPress installations appears to be continually hacked. Core WordPress files are being modified and changed. The PHP code is actually being changed. New PHP code is being injected into specific files. I have no idea how this is happening. It appears to be some kind of exploit directed specifically at a plugin or something else.

    For example, the following code was somehow added into

    wp-admin/network/settings.php:

    [ Malware deleted ]

    I installed WordFence to identify changes to files because my server was being added to blacklists from spam originating from Base64 encoded php files in random wordpress directories. It’s only happening to this installation of WordPress. This installation belongs to one of my clients on my shared server. I have already changed the MySQL and main admin logins and passwords, cleaned it up originally using WordFence, and now it’s back today.

    Any idea what I should do? I have already updated WordPress to the latest version, all of the plugins to the latest version, and all of the themes as well to the latest version. Whatever exploit they are using, I have no idea.

    This installation is running the following activated plugins:

    • Disable XML-RPC
    • Gallery by BestWebSoft
    • Wordfence Security

    Can anyone help?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    That code means (as you’ve guessed) your site is compromised.

    Please remain calm and carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter own3mall

    (@own3mall)

    I’m running a full scan now on the entire server using ClamAV, but I’m pretty sure the issue is just localized to this installation. I have already followed the guide for the most part, as WordFence does restore the files with the original once it detects changes.

    The problem is, how are these changes being made in the first place? It keeps happening.

    Hi there!

    Its possible that you already have a backdoor on the files that may be overlooked by WordFence and by ClamAV. Important to note that no security suites/Antivirus’s are perfect and detect everything.

    If your other websites are not presenting the same symptoms it does not mean that they are not infected as well, an infection can take many forms and many don’t present any symptom, they just place a backdoor on the website for future use.

    The only good way to get that cleaned up is to get in touch with a good Security company and have them scan your website and even all your other websites and also get a firewall up and running there.

    I know this can sometimes may be costly and the site may not be worth it, but infection can easily spread and soon take a more destructive objective :/.

    If you haven’t performed many changes on the website you can try to just restore the files (only the files) to a time where you knew everything was good, then fully remove WordFence and its settings and reinstall.

    The posts and pages should remain the same as the DB was not touched.

    But again, the infection may have already been there, you just didn’t notice as it was dormant :).

    Good luck

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘WordPress Installation Hacked and Being Used to Send SPAM Emails’ is closed to new replies.