Tuhin Ahmed

Hi Joe,
Thank you for your reply.
Yes, this is a very strange error. I have tested 2 separate installations and was able to reproduce the same issue.
As mentioned above, If I put any external URL or the main website URL without a trailing slash in the “Registration Ticket URL” field and hit the update button, it throws a ‘404 not found’ page.
For example:
https://example-external-url(.)tld – 404 page
https://example-main-domain(.)tld – 404 page (without slash)
https://example-main-domainurl(.)tld/ – ok (with slash or any internal URL)

Can you please test on your end?

Thank you

Hi @richardhertz,

Immunify has likely already provided you with sufficient information to identify the type of malware you’re facing. Additionally, this link offers further resources on understanding and eliminating malware infections: https://securewp.net/case-studies/unmasking-a-persistent-malware-attack-on-a-wordpress-website/

Remember, it’s crucial to address any vulnerabilities that allowed the malware to enter your system in the first place. This will help prevent future infections.

Enhance your WordPress website’s security posture by implementing these essential best practices outlined here:
https://learn.www.ads-software.com/tutorial/7-tips-to-improve-website-security/

To further fortify your defenses, consider these advanced techniques
https://securewp.net/tutorial/how-to-secure-wordpress-website-from-hackers/

Hey @jjsmith888
Your new hosting provides PHP 8.0. However, your current theme isn’t fully compatible. This is due to the deprecation of create_function in PHP v8.0. While downgrading PHP to 7.4 might seem like a quick fix, it’s important to remember that security support for PHP 7.4 ends in just a few days.

• This reply was modified 11 months, 2 weeks ago by Tuhin Ahmed.

In addition to updating the theme to its latest version, please verify the current PHP memory limit. If you encounter any errors in the log file related to exceeding the maximum allowed memory, increasing the PHP memory limit will be necessary.

Hi @cannon303

While exploiting a WordPress vulnerability to gain cPanel access is statistically improbable, I’m still interested in understanding your cPanel configuration. To clarify, could you confirm if the cPanel login page offers a password reset link? Additionally, is there a file named “/home/username/.contact” present? If so, does it contain your email address?

It appears you already have the correct permissions assigned to those files. For additional security hardening, you could consider setting .htaccess and wp-config.php to 444. For index.php, 644 remains sufficient. However, I want to reiterate that file permissions alone cannot guarantee website security if vulnerabilities exist. While stricter permissions can make it slightly more difficult for malware to spread or unauthorized access to occur, they are not a foolproof solution.

File permissions are indeed critical, especially in shared hosting environments or with multiple website installations. In such scenarios, a compromised website can easily spread malware to others.

However, based on the details you’ve provided, I believe your website’s vulnerability is the primary cause of the reinfection.

As I mentioned previously, a comprehensive website audit is necessary to fully diagnose and resolve the issue.

You’re absolutely correct. Malicious infections can indeed modify files and alter permissions, often to 444. That’s precisely what I suspected might be happening in your case. Unfortunately, providing definitive answers to all your questions requires a thorough website audit. The reinfection you’re experiencing suggests the underlying issue might still be present. While plugins offer valuable assistance, no single solution guarantees 100% malware detection. Given the complexity, I strongly recommend seeking help from a professional security expert.

Hi @kristinubute,

I’m attempting to determine if your current issue aligns with my suspicion. The index.php file typically requires 644 permissions, what you got?

I’m curious about the reinfection after clean it.

Hi
In the event of unauthorized modifications to the index.php and .htaccess files (my guess is .htaccess is modified too), how long would it take for malicious content to be reinjected?
Additionally, could you confirm if the index.php file permissions are set to 444?

I am glad your website is back up and running again.
Enjoy your WordPress journey!

Maybe it’s too much to ask..
If you don’t have access to the /home/username/logs directory, How do you check /home/user/.lastlogin file?
Is your website managed and hosted by an IT company rather than a traditional web hosting provider?

• This reply was modified 11 months, 3 weeks ago by Tuhin Ahmed.

Hi Daitya
Your hosting server appears to be missing the php-json module, which is crucial for web application functionalities. Please get in touch with your hosting provider’s support team to install the missing module.

While a file manager plugin itself cannot directly delete the entire file system, it can facilitate the upload of malicious PHP scripts that can perform such actions. For instance, a single PHP script like “Tiny File Manager” can be uploaded through a file manager plugin and subsequently employed to delete website files and upload new content.

A thorough examination of the access log file is essential for accurately identifying the root cause and scope of any potential security breach. The information in the recent month’s access log holds the key to understanding the nature of the compromise. However, effectively interpreting this data requires a comprehensive understanding of log file analysis techniques and recognizing patterns indicative of malicious activity.