• Hi, the website was hacked, a new admin signed in. Wordfence did nothing (no warning), and in the backend the IP-Address of the provider was whitelisted. We took a 5-month-old copy and transferred this copy to the new provider.

    Now, at the new provider, there is another IP whitelisted and I can’t even delete it! Every time I delete this IP-Address and click on “Save Changes”, it appears again!
    https://sonnen-geflecht.at/wp-content/uploads/2023/09/Webserver.png

    It is from a server in France, has nothing to do with the new provider, neither with the old.

    I deleted Wordfence completely, because I think the plugin was hacked and contains malware. Is there anything you know about it or what I can do?

    Thanks! Brisch


Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @brisch, thanks for reaching out.

    Has the new hosting provider explicitly told you that the static datacenter IP has nothing to do with them? We have seen cases before of some hosts enforcing an allowlisted IP here that returns after a delete and save operation on this page, so it’s not totally out of the question to see.

    Are you certain that the site wasn’t already compromised or installed with a vulnerable version of a plugin at the 5-month-old point you restored the backup from? There are naturally other attack vectors outside of WordPress that we don’t control, like database passwords, cPanel access and FTP credentials, so ensure none of these match the site that was already compromised too.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    I will provide our site cleaning instructions for you below even though you’ve already gone some way to dealing with this, just in case any steps you haven’t tried can help: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    XML-RPC requests are one of the most common brute force/credential stuffing attack methods so we always recommend using long unique passwords along with 2FA for your administrative accounts.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.  

    Provided you installed the free version of Wordfence within WordPress’ “Plugins” page, there should be no issue with the validity of the plugin’s files.

    Thanks,
    Peter.

    Thread Starter Brisch

    (@brisch)

    Hi, @wfpeter,

    1. Yes, the provider has! He told me he doesn’t know this IP in France (Austrian Provider, EDIS).
    2. The old provider told me twice, the hack was 31.8.2023.
    3. Thanks, I will do it immediately.

    Why did Wordfence do nothing? Also when I ran the scan, Wordfence found nothing? Why?

    Thanks, Brisch

  • The topic ‘Malware in Wordfence?’ is closed to new replies.