• Resolved palmer1hines

    (@palmer1hines)


    My site has been hacked. It is back up using restores from the server. Problem is that Wordfence will not function. I cannot change the scan level and scans simply appear to run but do not. I have attempted to deactivate and delete. I can deactivate but not delete; an immediate message is sent stating that contact with the server was lost, pls try again later. I restored from an earlier backup which forced an update. No change. I now have a site that appears to have been hacked on Wordfence’s watch and can do nothing to resolve the issue. The malicious code (identified by a host tech) is:

    ./backup/public_html.old/wp-content/plugins/updraftplus/templates/wp-admin/advanced/site-info.php
    ./public_html/wp-content/plugins/updraftplus/templates/wp-admin/advanced/site-info.php
    ./public_html/wp-content/updraft/plugins-old/updraftplus/templates/wp-admin/advanced/site-info.php
    ./public_html/wp-content/updraft/plugins-old/wordfence/views/blocking/country-block-map.php
    ./public_html/wp-content/wflogs-old/config.php
    ./public_html/wp-content/wflogs/config-transient.php
    @php_uname ->

    Hits: 7
    Whilst Wordfence sits there impotently I can only await the next hack. Can someone offer some advice to a beginner please?

    • This topic was modified 6 years, 4 months ago by palmer1hines.


Viewing 5 replies - 1 through 5 (of 5 total)
  • Sorry to hear that.

    You basically have three options: a) delete the site and database, and restore from a known good pre-hack backup (the easiest option, but the attack vulnerability may still be there, leading to another hack down the line. Plus it can be difficult to say when the hack occurred without analysing the site and the logs), b) clean the site yourself using the following guide: https://codex.www.ads-software.com/FAQ_My_site_was_hacked, c) call in the troops and pay a specialist to clean the site and fix the original vulnerability.

    Keep in mind that having a security plugin such as Wordfence installed does not mean that you will never be hacked. It helps a lot, but can do little about sites running unsupported PHP versions, infections from neighbouring sites on shared hosting, login credentials being compromised, vulnerable and/or outdated plugins or themes, etc. etc.

    Once you have resolved things, give this a read: https://codex.www.ads-software.com/Hardening_WordPress

    Good luck!

    Thanks for answering here @pidengmor. @palmer1hines, I agree with those suggestions from @pidengmor. However, I will say that before you determine that your site is hacked you should make sure these scan results are not false positives. These files for example are sometimes incorrectly identified as malware by some hosting scanners:

    ./public_html/wp-content/wflogs-old/config.php
    ./public_html/wp-content/wflogs/config-transient.php

    For some of these it’s very easy to double check. For example you can download a fresh version of Wordfence and compare wordfence/views/blocking/country-block-map.php from that fresh version to the version you have installed on your site. If they are identical, the file is not infected. If you see something in your own copy that’s not in the fresh version, then it IS infected.

    Hope that helps,
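
The fresh-copy comparison described in the reply above, extended from one file to a whole plugin directory, as an added example that is not part of the original thread or Wordfence's own code. The directory trees and file contents in `demo()` are constructed, and `compare_plugin` and its argument names are illustrative.

```python
import hashlib
import os
import tempfile

def _sha256(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _manifest(root):
    """Map each file's path relative to root -> SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return out

def compare_plugin(fresh_dir, installed_dir):
    """Report installed files that differ from, or do not exist in, the fresh copy."""
    fresh, live = _manifest(fresh_dir), _manifest(installed_dir)
    return {
        "modified": sorted(p for p in live if p in fresh and live[p] != fresh[p]),
        "extra": sorted(p for p in live if p not in fresh),
        "missing": sorted(p for p in fresh if p not in live),
    }

def demo():
    """Constructed sample trees standing in for a fresh download and the site copy."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = os.path.join(tmp, "fresh"), os.path.join(tmp, "installed")
        rel = "views/blocking/country-block-map.php"
        for root, body in ((fresh, b"<?php // map view\n"),
                           (live, b"<?php // map view\n/* constructed extra line */\n")):
            os.makedirs(os.path.join(root, os.path.dirname(rel)))
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
            with open(os.path.join(root, "wordfence.php"), "wb") as fh:
                fh.write(b"<?php // main plugin file\n")
        with open(os.path.join(live, "views", "unexpected.php"), "wb") as fh:
            fh.write(b"<?php // constructed file not in the fresh copy\n")
        return compare_plugin(fresh, live)

if __name__ == "__main__":
    print(demo())
```

Point `fresh_dir` at an unpacked download of the same plugin version that is installed, otherwise ordinary version differences show up as modifications.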

    Thread Starter palmer1hines

    (@palmer1hines)

    Hi

    Thank you all for your responses, all very helpful, especially barnez. The problem I had was that although I had repaired the site following a definite hack (redirection) Wordfence refused to work. Spent three hours with a Tsohost tech who worked hard to resolve the issue but they could not get Wordfence to run. I wanted to check how the hacker had found their way in (when Wordfence was active) and I had received no notifications. With Wordfence refusing to even start (after several removals and re-installations) my concern was that the Hacker had left some code somewhere which was automatically disabling Wordfence. I used a couple of remote scanners and found two bits of code which I removed (renamed actually just in case) via FileZilla. Still Wordfence would not run. I installed another anti-virus for the time being. I was also getting problems with a long running script (which was a devil to find) again suspicious. I had one last idea. I logged on via Firefox and voilà Wordfence behaved impeccably. I ran two scans on my PC and found three pups nothing more. So I repaired Edge and logged on via Edge. Again after an initial delay Wordfence worked perfectly. I still don’t understand (and don’t trouble to try an explanation, chances are I won’t understand it) why Edge was the problem and the Tsohost tech who was working at the back end and was also granted admin status could not get the plug-in to work. Anyway, site is restored, Wordfence is working and the stand by plug-in deactivated (until next time). I also found that Tsohost offer a roll back facility and data base vault so will be saving some money on back ups on renewal. Thank you for your help I am most grateful as, you may have guessed I know b a about these web site thingies. Too old and too thick! Good luck and may your servers never go down on you…..

    Great to hear that you have fixed the issue and have the site running normally again.

    you may have guessed I know b a about these web site thingies. Too old and too thick!

    I think you may be selling yourself short. It sounds like you are making good decisions and learning as you go.

    Thread Starter palmer1hines

    (@palmer1hines)

    Sorted, thanks for all your help and support. Most welcome.

  • The topic ‘Site Hacked Wordfence Compromised’ is closed to new replies.