• HI

    We have a site, which has been affected by someone changing the index.php file with malicious code and adding 3 dodgy files simple.php and chosen.php and baindex.php

    ALL plugins are updated and WordPress is fully up to date.

    Has anyone else had this issue and HOW you got on top of it to stop it?

    We haven’t had issues for 2 weeks after restoring the website, updating ALL plugins, updating WordPress and no issues since then.

    Until today. 3 new files in root directory and index changed

    And I’ve installed Wordfence security also so I can monitor what files are accessed and can BLOCK them through Wordfence. But obviously I want to have preventative measures in place BEFORE it occurs, not having to try and fix it AFTER the issue.

    So firstly my question is –

    • What security plugin do you find best to use for these types of issues?
    • I am looking at 2 types – Wordfence and Ithemes
    • How can I stop the index.php being edited ?
    • And the login.php file how to stop them getting access to this
    • I heard that the wp_uploads directory is vulnerable to attackers is that correct ?
    • Someone suggested to install a wordpress hardening plugin. But the one I found is OLD AND NOT SUPPORTED. This plugin hides sensitive files such as wp-contents, wp-uploads, etc. with just a toggle of a button. – Is there another plugin someone can suggest for this that is current and has support?
    • Could a customer login password be a very poor password and causing this vulnerability?
    • My other question is about plugins. As I notice when you have had plugins installed and then remove them (as in totally uninstall them), they still seem to sit in the backend in File Manager under the Plugins directory area but not actually removed. But you cannot see them in the WordPress admin Plugins list activated or deactivated as they have been removed. But they still sit when I look under File Manager on the hosting they are there under Plugins. Therefore can these old plugins that have already been removed, but sitting in here, can they cause a vulnerability? Does that make sense?

    As all our plugins and wordpress is completely up to date it is hard to figure it out where the vulnerability is on the site.

    Very frustrating. I’m at a loss at this stage.

    I’ve fixed it again now until next time.

    Thanks

Viewing 15 replies - 1 through 15 (of 24 total)
  • Hi
    In the event of unauthorized modifications to the index.php and .htaccess files (my guess is .htaccess is modified too), how long would it take for malicious content to be reinjected?
    Additionally, could you confirm if the index.php file permissions are set to 444?

    Firstly, I would recommend this article:

    FAQ My site was hacked

    My basic recommendation for hacks would be to delete everything – database and files. And then restore everything from a clean backup. Then secure the project, for example by updating and checking the security settings.

    In your case, I’m still missing the fact that you changed access data in the list. Also in the hosting. Anyone who has access via FTP can very easily change any files. I would therefore recommend that you change these passwords as well. And yes, also the passwords of administrators in WordPress. It is unlikely that users of other roles would be able to do this, but it is a possibility depending on the plugin used.

    Regarding security, take a look at the following article:

    Hardening WordPress

    And no, I would not recommend using any plugins that obfuscate WordPress directories and files. In my experience, this does more harm than good.

    One more tip about the plugins: even if you write that they are all up-to-date, check WHEN they were last updated. If there is even one plugin that is no longer being developed and/or has not been updated for 2-3 years, there is a risk that this is the gap through which attackers could penetrate.

    Thread Starter kristinubute

    (@kristinubute)

    Thanks for your email.

    Could you confirm do you mean that the index.php file permissions should be set to 444?

    Here you can find an article that describes the permissions for files: https://developer.www.ads-software.com/advanced-administration/server/file-permissions/

    Hi @kristinubute,

    I’m attempting to determine if your current issue aligns with my suspicion. The index.php file typically requires 644 permissions, what you got?

    I’m curious about the reinfection after clean it.

    Thread Starter kristinubute

    (@kristinubute)

    The main files in WordPress BEFORE the sub directories (wp-config etc) are setup to 644

    Should some be 444 ?

    wp-content set to 755

    If you could confirm for wp-config, index.php, and htaccess what should they be set to please?

    Now I don’t know what settings they should be.

    This is what I have found when googling:

    wp-admin: 755 wp-includes: 755 wp-content: 755 wp-content/themes: 755 wp-content/plugins: 755 wp-content/uploads: 755 .htaccess: 644 index.php: 644 wp-config.php: 640

    Thread Starter kristinubute

    (@kristinubute)

    Hi @2h1n846

    Thanks for your reply. What is your suspicion?

    It is currently set to 644.

    But an hour after I went to bed, and woke up to check on the site, reinfection occurred. Some files were deleted and new index was added and redirecting to a dodgy site.

    I had to delete the dodgy files again (different ones) and reupload a number of files. Back and working again.

    I maybe have some file permission issues? Hosting checked it for us last time.

    Now all files in the directory BEFORE the sub directories are permission 644. Is that what they should be?

    I am chasing my tail here. As everything seemed OK for past 2 weeks. Now I have to double check everything again and figure out HOW to stop them.

    I am reading this

    Some files and directories should be “hardened” with stricter permissions, specifically, the wp-config.php file.

    What should this be set to?

    Thanks in advance

    You’re absolutely correct. Malicious infections can indeed modify files and alter permissions, often to 444. That’s precisely what I suspected might be happening in your case. Unfortunately, providing definitive answers to all your questions requires a thorough website audit. The reinfection you’re experiencing suggests the underlying issue might still be present. While plugins offer valuable assistance, no single solution guarantees 100% malware detection. Given the complexity, I strongly recommend seeking help from a professional security expert.

    File permissions are indeed critical, especially in shared hosting environments or with multiple website installations. In such scenarios, a compromised website can easily spread malware to others.

    However, based on the details you’ve provided, I believe your website’s vulnerability is the primary cause of the reinfection.

    As I mentioned previously, a comprehensive website audit is necessary to fully diagnose and resolve the issue.

    Thread Starter kristinubute

    (@kristinubute)

    No-one uses FTP

    Thread Starter kristinubute

    (@kristinubute)

    If you could confirm for wp-config, index.php, and htaccess what should they be set to please?

    It appears you already have the correct permissions assigned to those files. For additional security hardening, you could consider setting .htaccess and wp-config.php to 444. For index.php, 644 remains sufficient. However, I want to reiterate that file permissions alone cannot guarantee website security if vulnerabilities exist. While stricter permissions can make it slightly more difficult for malware to spread or unauthorized access to occur, they are not a foolproof solution.

    Thread Starter kristinubute

    (@kristinubute)

    Yes I agree and I thank you for your feedback.

    Is 444 less secure? And I have also purchased Solid Security for additional protection to the site, in discussions with them.

    Possibly alongside Wordfence as that can help block certain IPs etc.

    I have an e-commerce site in Ajman and I am concerned about the security issue as nowadays hacking a site seems common. What would be the best strategy for my website security? Here is my site URL.

    Enhance your WordPress website’s security posture by implementing these essential best practices outlined here:
    https://learn.www.ads-software.com/tutorial/7-tips-to-improve-website-security/

    To further fortify your defenses, consider these advanced techniques
    https://securewp.net/tutorial/how-to-secure-wordpress-website-from-hackers/

Viewing 15 replies - 1 through 15 (of 24 total)
  • The topic ‘I have a question about website security and dodgy file’ is closed to new replies.