• Alright, so I have about 6-7 blogs on my host. I’ve gone through all and updated WP, plugins, removed old plugins, etc…

    It started about two months ago. All of my sites had their htaccess file modified to redirect mobile users to spam. I replaced the htaccess files but could not find the source of the problem.

    Two weeks later, the htaccess files are modified again. And then another two weeks later.

    (Again, this is across all of my sites, not just one.)

    Today, Wordfence alerts me that a file was modified, wp-includes/default-filters.php.

    Sure enough, it was, with this code: Pastebin.

    It’s inserted like this at the bottom of the file: https://i.imgur.com/MRXXmvw.png

    EDIT: Here’s the HTML it’s trying to put into my site, decoded. It doesn’t seem to work though, as I don’t see this HTML anywhere in the source code: Pastebin.

    This, again, was across all of my sites. The code is similar across all of them. It only appears in the footer-area of the source code if you’re logged in with the admin bar activated.

    Anyone have any ideas? Happened to you? Because this is happening across all of my sites, I don’t feel it’s just a simple “someone has my WP admin password” since that wouldn’t link to the other sites, right?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Thread Starter FTLRalph

    (@ftlralph)

    Thanks. I’m aware that’s probably what the issue is, a backdoor. And I really don’t mean to come off as snarky (a bit frustrated at the moment), but I’ve seen that copy-paste response countless times and it’s not terribly helpful.

    I’m really hoping someone who had a similar issue could provide some insight. I’d prefer not to go through all of my sites deleting everything and starting new if I can help it, you know?

    Hello FTLRalph,

    Can you share details of your WordPress theme? Which theme are you using?

    Thread Starter FTLRalph

    (@ftlralph)

    Hey ahmedeqbal. Well, that depends, which site? I have six sites that are on my host that are affected.

    Three have custom themes that I made, the others are running themes called Wave (a premium theme), JournalCrunch, and DW Minon.

    The thing I don’t understand is how this hack is simultaneously happening to all sites at the same time. They share nothing but a database. Could the solution be as simple as changing my database credentials and then all wp-config files?

    Does each site have its own cPanel account or are your 6/7 sites all in the same account but in different subdirectories?

    Hello FTLRalph,

    1. Check all your plugins for vulnerabilities; use only the most trusted and well-updated plugins.
    2. Change your WordPress theme.
    3. Scan all your ‘wp-content’ directories with the Linux maldet tool.
    4. Change your hosting credentials and update the ‘wp-config.php’ file also.

    Otherwise you should change your hosting with HostGator or BlueHost.

    Thread Starter FTLRalph

    (@ftlralph)

    @wslade All under my cPanel. Some are my sites, some are others (but I manage them).

    @ahmedeqbal Yeah, done all that already, except for changing the themes. I’m going to change the database credentials and stuff as soon as I figure out why my FTP refuses to give me a steady connection. Also, I am using HostGator.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Have you actually told HostGator about it, instead of trying to fix it yourself?

    https://support.hostgator.com/articles/pre-sales-policies/security-abuse/my-account-was-hacked

    Thread Starter FTLRalph

    (@ftlralph)

    I have not yet, probably will today though.

    Once malware is injected, it can be used to modify any file in your account, even non-WordPress files. If, for example, you had a forum installed in your account, a hack on the forum could add to and modify WordPress files. This is how all your sites can seem to be hacked (or rehacked) at the same time.

    You say that you don’t want to go through and delete everything. Unfortunately, that’s about the only way to assure that you get all the malware. When you copy over the WordPress core or load a new version of a plugin, any complete files added by the hack are left unchanged.

    The average WordPress site has about 4000 files. Your installation multiplies this by six or seven times. And it only takes one remaining backdoor for the whole installation to be reinfected. The most time-effective method of getting rid of standalone malware files is deleting and reloading files as described in the various guides to fixing hacked sites.

    And your installation adds another unique challenge. Your situation is like bailing out a very leaky rowboat. Files you have overwritten in the past could very well be reinfected. Files you previously deleted are possibly back.

    If you don’t have a block of time to devote to thoroughly cleaning your site, you might consider taking everything in your account offline until you can work through the process on every site.
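
The last reply's point that overwriting core leaves hack-added files in place can be checked mechanically. The following is an added example, not part of the original thread: it compares the `wp-admin` and `wp-includes` trees of a live install against a freshly unpacked clean copy and reports files that are modified, added, or missing. It assumes the clean copy is the same WordPress version as the live site; the function names and paths are illustrative.

```python
import hashlib
import os

CORE_DIRS = ("wp-admin", "wp-includes")  # core-only trees: nothing site-specific belongs here


def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file's path (relative to root) under CORE_DIRS to its SHA-256."""
    hashes = {}
    for core_dir in CORE_DIRS:
        for folder, _subdirs, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                full = os.path.join(folder, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hashes[rel] = sha256_of(full)
    return hashes


def compare_to_clean(clean_root, live_root):
    """Return (modified, added, missing) core files of live_root versus clean_root."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    added = sorted(p for p in live if p not in clean)  # these survive a core overwrite
    missing = sorted(p for p in clean if p not in live)
    return modified, added, missing


if __name__ == "__main__":
    import sys
    # Usage (paths are the caller's): python compare_core.py /path/to/clean /path/to/live
    modified, added, missing = compare_to_clean(sys.argv[1], sys.argv[2])
    for label, paths in (("MODIFIED", modified), ("ADDED", added), ("MISSING", missing)):
        for rel in paths:
            print(f"{label}\t{rel}")
```

This covers only the two core directories; `wp-content`, `.htaccess` and any non-WordPress software in the same account hold site-specific files and need separate review.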

  • The topic ‘Blogs keep getting hacked’ is closed to new replies.