jeeni
Forum Replies Created
Forum: Plugins
In reply to: [TablePress - Tables in WordPress made easy] Wordfence problem
Thanks for all this!
Forum: Plugins
In reply to: [Unyson] php session
(Thanks for sharing, @coolest77!)
Forum: Plugins
In reply to: [Unyson] php session
Easy enough to do but I guess ThemeFuse isn’t interested in keeping their code up to date, since it’ll soon be closing on 2 years since this was found but not integrated into their plugin updates. (Plugin last updated 2 months ago. Really?) This was on a site I inherited. Wouldn’t recommend new users install this.
- This reply was modified 2 years, 6 months ago by jeeni.
Forum: Plugins
In reply to: [WP Armour - Honeypot Anti Spam] Woocommerce Checkout -> honeypot not working
I was curious if it was just my experience. (Glad it isn’t!) Thanks for your hard work, @dnesscarkey!
Same here. I’ll submit a query to your site as that preference was indicated.
- This reply was modified 4 years, 6 months ago by jeeni.
Thanks again!
Thank you!
Will your source code keep this update going forward or will we need to tweak the code after each new release? Thanks for the additional information.
Take care,
Jean
I have a similar issue and found your table working on your site page shared. Was it a fleeting issue or did you figure out a solution, @carnetsdemontagne?
Thanks in advance for sharing your experience.
I would also be interested in learning the outcome of your question.
Thanks for your plugin and thanks for this info.
You may want to add a little more info to your alert. I wasn’t sure which plugin was throwing this alert from within the WordPress admin area. After seeing it for a week or so, I ended up doing a Google search and thankfully found this thread so I could figure out what needed updating.
Thanks again!
Forum: Fixing WordPress
In reply to: Hack attempts – vulnerability/bug report?
Have you looked through the contents of your .htaccess file? Wordfence and Sucuri don’t seem to examine that file and I’ve seen redirects placed there before.
I agree with Mark: Look through your server logs to see what the hackers have touched.
Best wishes.
Forum: Fixing WordPress
In reply to: Hack attempts – vulnerability/bug report?
^ Peace of mind, hehe! Whoops
Forum: Fixing WordPress
In reply to: Hack attempts – vulnerability/bug report?
Hackers can add/change files without necessarily having admin access by using known exploits in older plugins – Revslider, Gravity Forms, etc. From this access, they can potentially gain admin access to your website as well as access to your database.
Google “arbitrary file upload vulnerability” if you want to see an example on how this can happen.
I’ve seen hacked sites with additional admin users that the site owners did not create. When I deleted those users, I also made sure that every other user had updated passwords, that the database password was updated and that the wp-config.php page was moved/secured.
~~~
I have no experience with databases that have been exploited. I’ve only experienced and have helped clear up hacks in WP files/directories. Learning more about finding and removing inserted malicious code within a database is something I’m interested in learning more about but haven’t had time or cause to dig into that area.
If I suspected one of my client sites had malicious code inserted into their database, I would immediately update my database password and do a database dump so I could search through the database for some known phrases and any suspicious text. I would also probably search for differences between a backed up version of the database that was backed up before the exploit.
Hope you get piece of mind soon!
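
The database check described in the reply above (dump, search for known phrases, compare with a backup taken before the exploit), as an added example that is not part of the original post. It assumes both dumps hold one INSERT per row (for instance from `mysqldump --skip-extended-insert`); the indicator patterns, function names and sample rows are constructed for illustration.

```python
import difflib
import re

# Assumed indicator patterns (not from the post); extend with phrases seen on your site.
SUSPICIOUS = {
    "script tag": re.compile(r"<script\b", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "eval call": re.compile(r"\beval\s*\(", re.I),
    "base64_decode call": re.compile(r"base64_decode\s*\(", re.I),
}
# A usermeta row granting the administrator role (the table prefix may differ).
ADMIN_ROW = re.compile(r"_capabilities.*administrator")

def changed_lines(backup_sql, current_sql):
    """Return lines that are new or altered in the current dump."""
    old, new = backup_sql.splitlines(), current_sql.splitlines()
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend(new[j1:j2])
    return out

def triage(backup_sql, current_sql):
    """List (reasons, row excerpt) for changed rows that deserve a manual look."""
    findings = []
    for line in changed_lines(backup_sql, current_sql):
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(line)]
        if ADMIN_ROW.search(line):
            reasons.append("administrator capability row")
        if reasons:
            findings.append((reasons, line[:120]))
    return findings

# Constructed sample dumps: the backup, then the same site after a compromise.
BACKUP = """INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome</p>');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com');
"""
CURRENT = """INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome</p><script src="https://cdn.example.invalid/x.js"></script>');
INSERT INTO `wp_posts` VALUES (2,'Spring sale','<p>New stock in.</p>');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (9,7,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com');
"""

if __name__ == "__main__":
    for reasons, excerpt in triage(BACKUP, CURRENT):
        print(", ".join(reasons), "->", excerpt)
```

Only rows that changed since the backup are inspected, so the existing administrator row is not reported while the one added after the backup is.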
Forum: Fixing WordPress
In reply to: Hack attempts – vulnerability/bug report?
Oh! To answer your question regarding dealing with added and modified files:
For any files added that Wordfence found, remove them if you didn’t add them to your site.
For any files that Wordfence found are modified, you can compare the two to see what the update was. For instance: Minor plugin version numbers or documentation may have been updated without the plugin requiring an official update, so the files on your site may be different than the files on the WordPress repository.
Some plugins have additional files that are site-specific, but you should be able to see what are legitimate files and what are added by a hacker.
Forum: Fixing WordPress
In reply to: Hack attempts – vulnerability/bug report?
Glad to help!
If they’re still hammering your login page, I’d also recommend loading the “Rename wp-login.php” plugin – and name your login page something not default. (The plugin default is yoursite.com/login) You can name it whatever you want – yoursite.com/lamp-post/ (hehe!) – but be sure to bookmark it and don’t lose track of what it is, as the yoursite.com/wp-admin/ will no longer redirect you to the wp-login.php page. If your site has a “log in” link on the front end of your website, that will tend to be updated, so you and any other users can find it without much fuss.
Here’s a link to that plugin:
https://www.ads-software.com/plugins/rename-wp-login/
After you’ve moved your login away from the default wp-login.php page, you can go to the Wordfence -> Options and add /wp-login.php to the “Immediately block IP’s that access these URLs:” field. Just be sure to tell other valid users about the update so they don’t inadvertently get themselves locked out.
It’s also very worth checking through the settings on Wordfence’s options page. For instance, I’ve found the following 2 options very helpful!
- Scan files outside your WordPress installation
- Scan images and binary files as if they were executable
Set other options as you see fit. I tend to do the same for all sites I administer and will export/import settings from the bottom of that page to make my job easier. Best wishes!!
If Wordfence and Sucuri tests come up clean, you may be safe – but you will want to follow what Mark shared to be sure. Hopefully they didn’t get into your database.
(Thanks for clarifying my comment, Mark.)