• I don’t do much with web sites anymore, but I do maintain the site for where I work and the sites for two or three clients. One of those sites keeps getting hacked and I don’t know what to do. My gut feeling is that the first time the site got hacked it was due to another user’s password not being secure, because one day I randomly got an email saying my password had been changed but I didn’t change it. When I finally got back in to the Dashboard (after some tech support help from the hosting company) I found that my account email had been changed to haniawan96 at gmail.com. After that I enabled 2-factor authorization through the WordFence plugin for all users.

    The hosting company is telling me that the hacking will keep happening unless the site owner pays $30/month for their site security plan which includes a firewall. We are already using the WordFence plugin and I know it includes a firewall, but the hosting company says plugins are useless.

    I tried talking to a colleague, but she designs sites and uses someone else for hosting so she referred me to him. He was very nice and wanted to help, but the site would have to be moved to his servers and the owner would have to commit to his managed hosting plan for $40/month.

    I don’t know enough to be able to tell if the hosting company is telling me the truth, or if they’re just trying to sell their security service. Is it possible the hacking keeps happening because of malware-infected plugins? Or is it happening above the WP level and the site really DOES need the host’s security service? Would it do any good to recreate the site with a fresh install at another hosting company?

    The site is frederic-mi.com; it works intermittently right now so you may be able to see some things, or you may not.

Viewing 12 replies - 1 through 12 (of 12 total)
  • If it was me I’d install iThemes Security in tandem with your present WordFence and follow both of their recommendations.

    https://www.ads-software.com/plugins/better-wp-security/

    I’d also install Sucuri Malware Scanner and run it then follow its recommendations. I’d then disable Sucuri but leave it installed in case you need it again during another attack.

    https://www.ads-software.com/plugins/sucuri-scanner/

    You can continue running WordFence and iThemes Security together as they behave well with each other and complement each other’s capabilities. Sucuri is really good itself but having that with iThemes is probably overkill and might cause some compatibility issues later on.

    I’d look at my users list and change passwords… maybe even change user names and double-check the email addresses.

    If they hacked in then they may have compromised your database by figuring out your database credentials. You might want to change those. I certainly would.

    Next, I’d get the site onto CloudFlare and their superior DNS services. The proxy side of CloudFlare will hide your origin server over at BlueHost from future discovery and will boost your site’s performance somewhat. BlueHost should be able to drive CloudFlare’s free tier product just fine.

    When I first looked up your website it loaded fast enough for me with no issues but I did scan it with the online Sucuri Scanner which said it didn’t find any malware but the site was blacklisted at McAfee. Just now I checked again... all is fine now. You probably should recheck that in a day or so and deal with whatever it tells you. The online scanner might not be able to ‘see’ past your Nginx proxy there at BlueHost.

    Here’s that Sucuri link already configured for you https://sitecheck.sucuri.net/results/https/frederic-mi.com

    This article might help you more with the site https://www.ads-software.com/support/article/hardening-wordpress/.

    Hope this all helps and let us know if you need more help.

    • This reply was modified 5 years, 4 months ago by JNashHawkins.
    Thread Starter RebeccaInMI

    (@rebeccainmi)

    JNAsh, thank you for the recommendations. I’m currently able to view the site on the front end (what everyone can see) but I’m not able to log in to the Dashboard (I get the “site is experiencing technical difficulties” message) so I can’t install any plugins or look at details about users. At this point I am so frustrated with this situation in general and with BlueHost that I feel like moving and recreating the site somewhere else. Would that work? Then I could start with a fresh installation of WordPress, a new DB, make sure all the users are nice and secure, etc. etc. and not have to worry that there’s any “leftovers” from any of the hacks.

    If you could move the site to another host then you would have changed the IP address which might help if the hackers used that as a way in. And it is possible that one of your neighbors on that same server is hacked and infecting you and everyone else on that box but that’s pretty far out there.

    A ‘redo from start’ would be good but I’m not gonna point the finger at BlueHost for this problem… that doesn’t seem fair.

    And you can’t get into the site to export the content unless you can get into the dashboard. With the other problems you’ve had, you sure don’t want to restore from a backup so you need to fix the login issues to get to where you need to be to follow a sensible restoration plan. And at that point, you’ll be able to do as I outlined and pretty much fix everything right then anyway.

    So, unless you have good reason to do so, I don’t think you need to change hosts and I can’t recommend moving the site to another server for a fresh start when you can’t recover the present content. You really don’t want to walk away from that great content and ‘history’ you’ve recorded there.

    I’d just fix my site for now.

    FTP in and/or use your hosting control panel’s file manager and find the plugins directory then rename it by adding 1234 to the present name. That will kill your plugins and probably let you in.

    If you need help getting this new admin access problem fixed then please create a separate topic where we can help you further.

    If you need to you might hire a dev to fix or move and fix your site if you feel like giving up on these issues. I understand they can be overwhelming but we’re here to help also where we can.

    https://jobs.wordpress.net/

    The above link is to the jobs board here where you might post and find someone willing to work within your budget.

    Thread Starter RebeccaInMI

    (@rebeccainmi)

    I am currently in the Dashboard, so the first thing I did was check the users. The only two users are the site’s owner and me, so that’s good. After that I used the native export tool to export the pages, posts, etc. so I have a backup of all those. Then I installed the plugins you recommended, including Sucuri. I had it delete all the files that it found in the scan, but two of them keep showing up as not deleted. One I deleted manually via the File Manager within the site’s cPanel. The other I looked for in the file manager and via FTP and I can’t find it. They are wp-includes/images/crystal/license.txt (the one I deleted manually but that keeps showing up in the scan list) and wp-cron.php (can’t find). What should I do?

    As for BlueHost, I’m frustrated with them for telling me that “plugins are useless” and that hacks will continue to happen unless the site owner pays for their security service. If they’re happening at the server level they should be securing everyone against those, and if they are happening at the site/WP level and are my responsibility why do they have to get paid for something when there are so many good security plugins like the ones you recommended? …Maybe I just should have come to you guys in the beginning.

    @rebeccainmi The security plugins have limitations and are not the best way to clean a website that is infected with malware. That said, Bluehost just wants to sell their SiteLock service, which they also own under their parent company Endurance International (EIGI). I also do not think that it is happening at the server level as I can promise you that Bluehost would definitely act on that ASAP since it would be putting the thousands of websites on that shared server at risk.

    Are you hosting multiple websites from this hosting plan?

    Thread Starter RebeccaInMI

    (@rebeccainmi)

    @g0tr00t this site is on its own hosting plan, so thankfully the impacts of the repeat hacks are limited to just this site. What do you think I should do?

    wp-cron.php is part of the WordPress core so the quick fix for that would be to do a complete backup (just in case something goes wrong) of the files and the database then go to the update page in your dashboard and reinstall WordPress. Watch for any errors or problems during that process.

    If you don’t already have a good backup plugin I recommend UpdraftPlus and I run Updraft with WP-Optimize. They work well with each other.

    https://www.ads-software.com/plugins/updraftplus/

    https://www.ads-software.com/plugins/wp-optimize/

    What BlueHost tried to sell you is a product that should eliminate future problems with them standing behind that in a service capacity if it doesn’t. That’s probably the best answer they have. The plugins comment from them is most likely from their experience. Some plugins are not all that great.

    The ones I recommend come from my experiences over the years and are what I’d install for my own clients. I know they do what I expect them to do and I’m here to try to help if they don’t. The help and advice I give here are the same I give my own clients and offer to anyone who asks.

    @rebeccainmi I would not use Sitelock and honestly I don’t think I have ever met a website owner that uses them who was not also hosted with one of the EIGI hosting brands (Bluehost, Hostgator, etc). It’s sad because there used to be a time when web hosts would actually support their customers and clean the website for free. Now they just suspend your website and tell you to pay Sitelock.

    Sucuri is who I personally recommend, but you may not even need to pay any company if you were knowledgeable enough to enable 2FA and monitor the password alerts. One other area you should check is the Bluehost cPanel, reset its password, check the contact email address inside the cPanel, and then check for any FTP accounts that may exist and have been compromised.

    Thread Starter RebeccaInMI

    (@rebeccainmi)

    @jnashhawkins I couldn’t find wp-cron.php at all, so I used FTP to upload a fresh copy from the latest version of WordPress. That took care of that complaint. I had also uploaded fresh versions of /wp-admin and /wp-includes, and I put new salts in wp-config.php and uploaded that just in case.

    I used to have a plugin that would back up the database automatically, but it was old and hadn’t been updated in quite a while so I removed it just in case it was a security risk. I will try the plugin you recommended because I do want to have a backup plugin working on there. Do you think it’s safe to trust the database or should I worry that it’s somehow compromised?

    @g0tr00t I find it disappointing too. Customers definitely used to get more for their money. *SMH* Thank you for the recommendations about additional security steps to take within the cPanel. I will definitely do those things.

    I think what you are doing now will mitigate the security issues and remove any problems in the database but I want you to view the database as it is right now as possibly broken so you won’t want to depend on it too much.

    Once you’ve passed the malware scans and warnings from those three security plugins and move into the hardening portion of my first post I’d consider the database safe enough!

    I don’t get too excited about older plugins unless they start tossing warnings out or I hear about issues. With the site check and Health Check features of WordPress added to the security plugins I advise using, it’s not that big a risk for the observant website owner or webmaster.

    BTW: If you are interested once this security stuff is done…

    You might want to add the Health Check plugin to your sites if you haven’t done so already. I also like to pair Health Check with the Wapuu Dashboard Pet.

    https://www.ads-software.com/plugins/health-check/

    https://www.ads-software.com/plugins/wapuu-dashboard-pet/

    The Wapuu Dashboard Pet resides at the bottom of any dashboard pages to let you know about updates needed and a few other ‘system issues’. It can also remind you to add new posts if you set up that feature. And it can make you grin when you see him bandaged up, sick, and unhappy.

    Some people will tell you it’s useless but I find myself looking for it when I drop into my dashboard and follow its lead. Handier than Health Check if most everything is normal on your website. Yet Health Check can be a real boon to use when you have troubles. They work well together and are even better when you’re running multiple sites.

    Thread Starter RebeccaInMI

    (@rebeccainmi)

    I think I’ve passed all the security and malware scans, except within the Sucuri plugin there’s a box that says “SITE NOT CLEAN” in orange. It says “hover over to see payload” but nothing happens when I hover over the link in that box. Can you explain that to me? There’s also all these things that I’m not sure whether I’m able to “turn on” (or turn off) or if BlueHost would want to charge me extra for them.

    Directory Listing Enabled
    Directory listing is enabled on your site. You can test it by visiting: (example here)

    Server Banners Displayed
    Your site is displaying your web server default banners.

    Security Header: X-XSS-Protection Missing
    We did not find the recommended security header for XSS Protection on your site.

    Security Header: X-Content-Type-Options nosniff
    We did not find the recommended security header to prevent Content Type sniffing on your site.

    Security Header: Strict-Transport-Security
    We did not find the recommended security header Strict-Transport-Security on your site.

    I ran a backup with UpDraftPlus and am currently running WP-Optimize. After that, could I consider everything “safe” again?

    Sucuri is trying to warn you of a few other security steps you might need to take. Once you work your way through the ‘Hardening WordPress’ steps I imagine that last bit of Sucuri warnings will go away.

    https://www.ads-software.com/support/article/hardening-wordpress/.

    Let us know if you need more help.
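The five hardening findings quoted from the scan can be re-checked after each change by inspecting what the server actually returns. The following is an added example, not part of the thread or of the Sucuri plugin; the two header sets and the listing page are constructed samples of the kind `curl -sI` and `curl -s` would print, and the finding names are labels chosen for this example.

```python
import re

# Headers named in the scan output quoted in the thread.
REQUIRED = ("x-xss-protection", "x-content-type-options", "strict-transport-security")

def parse_headers(raw):
    """Parse the text printed by `curl -sI` into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, listing_body=""):
    """Return the findings that still apply to this response."""
    h = parse_headers(raw)
    findings = [name for name in REQUIRED if name not in h]
    # A header that is present but has a useless value is still a finding.
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if "strict-transport-security" in h and not (m and int(m.group(1)) > 0):
        findings.append("strict-transport-security")
    # A version number in Server, or any X-Powered-By, is a default banner.
    if re.search(r"\d", h.get("server", "")) or "x-powered-by" in h:
        findings.append("server-banner")
    # Apache and nginx autoindex pages both title themselves "Index of ...".
    if re.search(r"<title>\s*Index of ", listing_body, re.I):
        findings.append("directory-listing")
    return findings

# Constructed sample: response before hardening.
BEFORE = """HTTP/1.1 200 OK
Server: nginx/1.19.10
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
"""
# Constructed sample: response after the headers are added and banners trimmed.
AFTER = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
"""
LISTING = "<html><head><title>Index of /wp-content/uploads/</title></head></html>"

if __name__ == "__main__":
    print(audit(BEFORE, LISTING))
    print(audit(AFTER))
```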

  • The topic ‘site keeps getting hacked, don’t know who to believe’ is closed to new replies.