Pete Moore

Understood thanks for replying.

Put the ErrorDocument 401 Default before the # BEGIN WordPress line.

By password protecting the directory you’re creating a 401 response saying authentication is required.

So by putting the error handler from what I understand you’re essentially saying Oi WordPress stop messing with my 401’s ??

Try adding this line to the .htaccess in the root:

ErrorDocument 401 default

I think it might be to do with the fact you’re password protecting that 2nd sub dir

So you’re not getting the login box pop up

Worth a shot

Pete

chimpstatic.com is a mailchimp domain do you have some kind of mailchimp pop form

My first thought would be is the original vulnerability still there (did you find out how the site was breached originally)

Ideally you want to be able to delete all files on your hosting account and drop the database.

Download & Upload fresh copies of core/theme/plugins & import the DB

I much prefer NinjaFirewall and scanner it has a learning curve but the docs are quite educational and the firewall logs give you a good insight to what is being attempted as well as the file guard and a number of excellent features and firewall policies all in the free version you also get instant access to new firewall rules instead of having to wait 30 DAYS! (gets off soapbox ??

https://www.ads-software.com/plugins/ninjafirewall/
https://www.ads-software.com/plugins/ninjascanner/

It’s strange that sub 1 works but sub 2 doesn’t.

Is WP installed in the root or as a sub directory that wasn’t clear to me

the .htaccess may need a WordPress rewrite rule:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

It may depend on your hosting account setup and also if WordPress is installed in the root not a sub folder

https://codex.www.ads-software.com/htaccess

I’m sure it’s there maliciously.

If you base64 decode “Lm11aHlkaWFmb3VuZGF0aW9uLmluZm8” and “OTAwMC5tdWh5ZGlhZm91bmRhdGlvbi5pbmZv” the text before and after the =| separately they are a domain

The text files should be harmless in themselves but I would imagine they would be called by “something” as part of a hack.

But yeah how they got there is the big question if you only copied the DB and nothing else.

Pete

If you’ve recently changed PHP versions it could be the version of WordPress core you’re using and/or a plugin causing the error.

It’s best to make sure core/theme/plugins are up to date before changing to a newer version of PHP.

Pete

Does the 2nd sub directory have a .htaccess file in it?

It sounds like that directory has a .htaccess file in it with the WordPress rewrite rule

Pete

Have you viewed what’s in the txt files.

Recently I’ve seen hacking attempts that try to call some txt files from pastebin.

If the previous host was breached the hacker may have uploaded the txt files or maybe you copied a backdoor file(s) the hacker uploaded previously to the new host.

Pete

Check the folder permissions for wp-content folder should be 755 or 750, you can check that via file manager in your hosting control panel.

Also check your wp-config.php file see if you have a line that says something like:

define(‘WP_TEMP_DIR’, ABSPATH . ‘wp-content/temp/’);

If not you can try adding it to the bottom of the file (make sure you download a copy of the file in case anything goes wrong)

Pete

Have a look at your .htaccess file in the main folder where WordPress is installed and also wp-admin folder see if anything is in there that shouldn’t be, depending on your hosting control panel in file manager you may need to “view hidden files”.

It really depends on how your site was breached (how the hacker got in) and what they have/had access too. Looking at your raw access files in your hosting account may help you find out.

If they were able to upload files then you need to check for any backdoor files which will give them access to hack your site again, uploading new WordPress files will not stop that.

Also change your hosting control panel password and any FTP accounts and also WordPress admin when you gain access again.

Hope that helps
Pete

Hey Dan,

You may already know but just in case, Vladimir is the founder of ManageWP.com might be worth contacting them to see if there’s a way to get a message to him.

Cheers
Pete

Excellent thank you