Malware repeatedly being created on a WordFence-protected site

  • Resolved mike62

    (@mike62)


    10 years, 2 months ago

    I develop and manage many WordPress sites. I install WordFence on all of them.

    One site is repeatedly getting malware files installed here:
    wp-content/plugins/docs/cache/ff1b545c44f672186325b1b32f5d9bfe.dat

    Always with the message:
    This file contains a suspected malware URL listed on Google’s list of malware sites.

    Is there anything I can I do to increase the security of the site and prevent these breaches? I have very few plugins installed, all of which I’ve used many times on other sites:

    • Akismet
    • BackupBuddy
    • Contact Form 7
    • Gallery Carousel Without JetPack
    • Meteor Slides
    • Resize At Upload Plus
    • Wordfence Security

    Any help or ideas would be greatly appreciated. Thanks!

    -Mike

    https://www.ads-software.com/plugins/wordfence/

Viewing 6 replies - 1 through 6 (of 6 total)

  • Are all your plugins up to date and is WordPress on the latest version?

    Thread Starter mike62

    (@mike62)

    Yes and yes.

    We had this same problem and found it was a malicious script at the top of the functions.php file in all the themes installed.

    You need to delete all unused themes and check the functions.php file in your active theme. There should be a malicious script at the top of this file which looks like this:

    [hacked code removed by moderator – please don’t post that here; use a pastebin if you must share it]

    Remove that, then delete the /wp-content/plugins/docs folder and it should stop re-generating. You’ll want to check the rest of your site for exploits and back-doors.

    Hope that helps.

    Thread Starter mike62

    (@mike62)

    YES! That was exactly the code it was in there. Found it on one other site too. Thanks for the tip! \o/

    Hi,
    I have the same problem and already deleted the folder and all themes that are not active but unfortunately i cannot see the script that i should delete.
    Can someone re-post it?
    Thanks

    Update: I found it but in my case it was not in the functions.php
    I looked but the code seemed good there.
    After that I tried deleting all the WP files except the wp-config.php and the /wp-content folder and then re-uploading a fresh copy from the wordpress download directory. But I still had the same malware problem.

    I looked deep into the wp-config.php file and THERE it was.
    Here is the code you should delete right underneath the Salt keys:

    https://pastebin.com/U2eTCK1a

    Hope that helps somebody

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Malware repeatedly being created on a WordFence-protected site’ is closed to new replies.