Hey @sakhr1989,
I’m sorry to hear you’ve run into this, I understand how frustrating it can be.
Wordfence protects against a vast variety of attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are so bad that Wordfence can’t protect against them. The same goes for servers.
Regarding how they gained entry, here are some possible scenarios:
1. You may be using a plugin or theme with a vulnerability that is so severe that we cannot protect against it
2. Your wp-config.php file is readable to the hacker, either directly via your account, via a vulnerable plugin or via another hacked site on the same server
3. The hosting accounts on the server are not properly isolated on the server, so the hacker has access to your database via another user’s database
4. The server software has vulnerabilities that allow the hacker to get root access
5. You were actually hacked many months ago, but the backdoor was not activated until now.
There are a few steps you can take yourself to secure your website after a compromise:
1. Scan with Wordfence and use Wordfence to delete/replace any infected files. Scan with the “High sensitivity” scan type for best results.
NOTE: Before you delete any files, back them up just in case, and take note of when they were last modified. Write their filenames and timestamps down in a text file. This information can be used for tracing how they gained entry; for example, via access logs.
2. Make sure there are no administrator accounts on your site that you have not added yourself. If there are, access your database via phpMyAdmin and check the wp_users table. There, you can take note of exactly when the accounts were created. Add that information to your text file mentioned above. Then, delete the rogue admin accounts, or demote them to “subscriber” while you investigate so that they can’t do any further harm.
3. Change the passwords to your web hosting account, your database, and any remaining legitimate WordPress admin accounts immediately, if you haven’t already done so.
4. Have a look at the WordPress configuration file wp-config.php and your theme’s functions.php file. Inspect these manually to make sure that they look okay. If you are not sure what they should look like, try to find an old backup of the files or a fresh version from WordPress/your theme author to compare them to. Also inspect the .htaccess file in the root of your site to make sure it does not contain any malicious redirects.
5. Look over all your themes and plugins. Delete any themes and plugins that you are not using. Make sure all your plugins are up to date. Remove or replace any themes and plugins that are no longer being updated by their authors.
6. Check the WordPress upload directory to make sure there are no files there that look out of place.
7. Inspect your server’s access logs, which you can usually find in your cPanel or get from your web host. The access logs show every single request made on your site. If you look at the timestamp of infected files to detect when they were created, you may be able to match that up with particular requests in the access logs. If you can identify the first request in a cluster that appears to be involved when files on your site are edited, you may be able to figure out which request is the original culprit. Please note that there can be more than one access point once your site has been infected.
8. Keep an eye on your error logs. When infected files are removed, this can sometimes cause server errors. The error log can give you additional clues as to where infected pieces of code may be residing in your system.
9. You may want to talk to your web host and ask them if they can explain how your site was hacked. They have access to all server information, and are thus able to see things that you can’t see yourself. For example, it does happen occasionally on shared hosting that a site on one account will infect a site on another account.
After following these steps, if the site remains infected or becomes reinfected, I’d suggest reaching out to a professional hack repair service to clean the site and patch the point of entry.
Thanks,
Gerroald
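The correlation described in steps 1 and 7 of the reply above (noting each infected file's last-modified time, then looking for the requests in the access log that surround it and picking out the first request in the cluster) can be done with a short script rather than by eye. The following is an added example, not code from the original post or from Wordfence. It assumes an Apache/NGINX "combined" access log format and that the file timestamps were recorded in the same time zone as the log (here UTC). The file names, plugin name (example-plugin), IP addresses and log lines are all constructed sample data.

```python
"""Correlate infected-file mtimes with access log requests (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: file names and last-modified timestamps, as written down
# in the text file suggested in step 1 (ISO 8601, with UTC offset).
SUSPECT_FILES = {
    "wp-content/uploads/2023/10/wp-cache.php": "2023-10-10T13:55:40+00:00",
    "wp-content/themes/twentytwenty/functions.php": "2023-10-10T13:56:02+00:00",
}

# Constructed sample access log in "combined" format. The plugin path is hypothetical.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:40:12 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-content/plugins/example-plugin/ajax.php HTTP/1.1" 200 214 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-content/uploads/2023/10/wp-cache.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-content/uploads/2023/10/wp-cache.php HTTP/1.1" 200 91 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /about/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

# Client IP, bracketed timestamp, request line (method + path), status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def requests_near(mtime, entries, before=120, after=5):
    """Requests in the window [mtime - before, mtime + after] seconds.

    The write that created or changed the file happens during a request, so the
    culprit is normally slightly before the mtime; a small margin after it
    allows for clock skew between the log and the filesystem.
    """
    lo = mtime - timedelta(seconds=before)
    hi = mtime + timedelta(seconds=after)
    return [e for e in entries if lo <= e["time"] <= hi]


def correlate(suspect_files, log_text, before=120, after=5):
    """For each suspect file, the requests around its mtime, preferring POSTs.

    Writes to the filesystem almost always come from POST requests; GETs in
    the window are usually ordinary visitors, so they are only kept when there
    is no POST at all.
    """
    entries = parse_log(log_text)
    report = {}
    for path, iso in suspect_files.items():
        mtime = datetime.fromisoformat(iso)
        near = requests_near(mtime, entries, before, after)
        posts = [e for e in near if e["method"] == "POST"]
        report[path] = {"mtime": mtime, "candidates": posts or near}
    return report


def earliest_per_ip(report):
    """The first request in each client's cluster across all suspect files.

    Step 7 of the reply suggests the first request in a cluster is the one to
    examine: it is the most likely original point of entry.
    """
    first = {}
    for info in report.values():
        for e in info["candidates"]:
            if e["ip"] not in first or e["time"] < first[e["ip"]]["time"]:
                first[e["ip"]] = e
    return first


if __name__ == "__main__":
    report = correlate(SUSPECT_FILES, ACCESS_LOG)
    for path, info in report.items():
        print(f"{path} (modified {info['mtime'].isoformat()})")
        for e in info["candidates"]:
            print(f"  {e['time'].strftime('%H:%M:%S')} {e['ip']} {e['method']} {e['path']} {e['status']}")
    for ip, e in earliest_per_ip(report).items():
        print(f"first request from {ip}: {e['time'].strftime('%H:%M:%S')} {e['method']} {e['path']}")
```

With the sample data, the first request in the 198.51.100.23 cluster is the POST to the plugin's ajax.php eight seconds before wp-cache.php appeared, which is where a practitioner would start looking. On a real server, get the mtimes with `stat` and make sure the log's time zone matches them, and remember that a site can have more than one access point, so run this over every file the scan flagged rather than only the first one.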