Cloudron Forum


Hacked

      jquintana
      wrote on last edited by
      #1

      Hi

      1 - I did a migration with AIOWP Migration
      2 - I have a backdoor, for example they edit index.php
      /7b1a5/

      @include ("/app/data/public/wp-includes/assets/.1d254507.mo");

      /7b1a5/
      3 - They can create folders and edit certain files like index.php or settings or config

      I don't know what to do, support referred me here.
      Every 4 / 7 days I'm hacked.......

      Thank you very much

      the site is hotelmardeplata.com

      marcusquinnM 1 Reply Last reply
      0
        marcusquinn
        wrote on last edited by
        #2

        @jquintana Try this plugin to scan all files for vulnerabilities:

        • https://wordpress.org/plugins/gotmls/

        Also worth a look, if you don't have them already:

        • https://wordpress.org/plugins/really-simple-ssl/
        • https://wordpress.org/plugins/hide-my-wp/
        • https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

        Web Design https://www.evergreen.je
        Development https://brandlight.org
        Life https://marcusquinn.com

        1 Reply Last reply
        1
          jquintana
          wrote on last edited by
          #3

          @marcusquinn I already have it....., gotmls/
          wordfence....,
          etc.....,

          but I want to get to the root of this problem........, it's only this site

          1 Reply Last reply
          0
            BrutalBirdie
            Partner
            wrote on last edited by
            #4

            Sorry to be a bit harsh but, do I understand it correctly that you have a compromised Wordpress which gets compromised over and over again and yet you still keep it running?

            If it gets breached multiple times what have you done to prevent this?
            Did you pay someone to have a look and secure it?

            Like my work? Consider donating a drink. Cheers!

            1 Reply Last reply
            1
              marcusquinn
              wrote on last edited by
              #5

              We'll all be guessing here, but if you already knew of and used the mentioned plugins, and nothing is obvious, the other main thing I would do is change the passwords for all Administrator users, that would be my next guess.

              Web Design https://www.evergreen.je
              Development https://brandlight.org
              Life https://marcusquinn.com

              1 Reply Last reply
              1
                timconsidine
                App Dev
                wrote on last edited by
                #6

                I'm not a wordpress expert at all.
                But given that the site design and content is not that complex, my instinct would be to create a new Wordpress app in Cloudron on a dummy sub-domain and recreate the site from scratch (i.e. do not import it) with the security plugins and new passwords. Then delete the old one once you are happy, and change the sub-domain of the new site back to the original one.

                1 Reply Last reply
                1
                  girish
                  Staff
                  wrote on last edited by
                  #7

                  @jquintana I recommend setting up a fresh installation on the side and importing the "content" from your existing site. Is this possible in your situation?

                  1 Reply Last reply
                  1
                    p44
                    translator
                    wrote on last edited by
                    #8

                    Hi @jquintana, did you try Wordfence, the free version or the premium one? What did they do, what did they reply? I think you should provide a more detailed report to have a discussion based on facts...

                    1 Reply Last reply
                    0
                      martinkbs
                      wrote on last edited by
                      #9

                      Hi @jquintana

                      Do all plugins and themes come from "trusted" developers or sites?

                      • Remove and reinstall all plugins and themes from the installation (including all inactive ones).
                      • Remove all files that have been added and do not belong to the original development.
                      • Check the DB to rule out any SQL injection of malicious code that will cause it to re-hack the site.
                      • Change all admin user passwords.
                      • Disable login by username and force login by email and password only.

                      With that, the installation should be secured.

                      1 Reply Last reply
                      0
                        jquintana
                        wrote on last edited by jquintana
                        #10

                        Hi @martinkbs

                        9 may 00:27mins
                        index.php
                        /7b1a5/

                        @include ("/app/data/public/wp-includes/blocks/post-featured-image/.8ae050b9.mo");

                        /7b1a5/

                        wp-config
                        /1ce2a/

                        @include ("/app/data/public/wp-includes/blocks/post-featured-image/.8ae050b9.mo");

                        /1ce2a/

                        Do all plugins and themes come from "trusted" developers or sites? Yes, the problem here can be the 1st step: cloning site from AIOWPM, here possibly there are altered permission files and folders.....?....
                        Remove and reinstall all plugins and themes from the installation (including all inactive ones). Done....
                        Remove all files that have been added and do not belong to the original development. Done....
                        Check the DB to rule out any SQL injection of malicious code that will cause it to re-hack the site. How?
                        Change all admin user passwords. Done
                        Disable login by username and force login by email and password only. How?

                        timconsidineT 1 Reply Last reply
                        0
                          timconsidine
                          App Dev
                          wrote on last edited by
                          #11

                          @jquintana said in Hacked:

                          the problem here can be the 1st step: cloning site from AIOWPM

                          absolutely : in this scenario, don't clone or import.
                          start with fresh clean WP site, add plugins, then manually create new pages and copy/paste content from old pages to new pages
                          if the site has some low-level deep infection, "burn it" and start again clean, with all the other recommended protections.
                          Well, that's what I would do

                          ei8fdbE 1 Reply Last reply
                          2
                            ei8fdb
                            wrote on last edited by
                            #12

                            @timconsidine said in Hacked:

                            absolutely : in this scenario, don't clone or import.

                            This is the most pragmatic solution.

                            Any other will require you to expend much more time and energy to answer why you keep getting hacked.

                            You can understand why it keeps getting hacked by examining the original hacked files offline.

                            1 Reply Last reply
                            1
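One way to examine a copied site offline, as the post above suggests, is to look for exactly the pattern reported in this thread: an `include` of a hidden or non-PHP file, plus dotfiles under the core directories. This is an added example, not code from any poster or from Cloudron; the function names and the sample tree are constructed, and the dotfile check assumes a stock WordPress ships no dotfiles in `wp-includes` or `wp-admin`.

```python
import re
import tempfile
from pathlib import Path

# include/require with a literal string argument; the '@' error suppressor is optional.
INCLUDE_RE = re.compile(
    r"@?\s*\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
PHP_EXT = {".php", ".inc", ".phtml"}

def suspicious_includes(root):
    """Return (file, line_no, target) for includes of hidden or non-PHP files."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.php")):
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            for target in INCLUDE_RE.findall(line):
                name = Path(target).name
                if name.startswith(".") or Path(name).suffix.lower() not in PHP_EXT:
                    findings.append((path.relative_to(root).as_posix(), no, target))
    return findings

def hidden_files(root, core_dirs=("wp-includes", "wp-admin")):
    """Return dotfiles under the core directories, where the payloads were dropped."""
    root, found = Path(root), []
    for core in core_dirs:
        if (root / core).is_dir():
            found += [p.relative_to(root).as_posix()
                      for p in sorted((root / core).rglob(".*")) if p.is_file()]
    return found

def build_sample(root):
    """Constructed stand-in for a copied site; the .mo file is a harmless placeholder."""
    root = Path(root)
    payload = root / "wp-includes" / "assets" / ".1d254507.mo"
    payload.parent.mkdir(parents=True)
    payload.write_text("constructed placeholder, not the real payload\n")
    (root / "index.php").write_text(
        "<?php\n/7b1a5/\n"
        '@include ("/app/data/public/wp-includes/assets/.1d254507.mo");\n'
        "/7b1a5/\nrequire __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-config.php").write_text(
        "<?php\n"
        '@include ("/app/data/public/wp-includes/blocks/post-featured-image/.8ae050b9.mo");\n'
        "require_once ABSPATH . 'wp-settings.php';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in suspicious_includes(tmp):
            print("include:", hit)
        for name in hidden_files(tmp):
            print("hidden: ", name)
```

Run it against a downloaded copy of the site rather than the live app, and compare the modification times of every flagged file with the access logs for the same window.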
                              marcusquinn
                              wrote on last edited by
                              #13

                              You could migrate to one of the Wordpress specialist hosts, like Siteground, Cloudways, etc. Then use their large pool of Wordpress experts to diagnose and fix, which is usually part of their service, then if you want to host with Cloudron still, and self-support with some community ideas here, migrate back again once you're confident it's locked-down again.

                              Web Design https://www.evergreen.je
                              Development https://brandlight.org
                              Life https://marcusquinn.com

                              1 Reply Last reply
                              1
                                jquintana
                                wrote on last edited by
                                #14

                                yes, but that is precisely what I want to avoid....,
                                I want to find the solution, not only to learn how to close open doors, but also because of time and pride....,

                                I am checking the database, as the problem is very likely to come from there,

                                Can you think of anything else?

                                because it seems strange to me that there is no powerful software to analyse back doors.

                                marcusquinnM 1 Reply Last reply
                                0
                                  marcusquinn
                                  wrote on last edited by
                                  #15

                                  @jquintana If "no powerful software to analyse back doors" is finding anything in the most well-known platform on the planet, with the most understanding of vulnerabilities, maaayyyybbeee it is compromised credentials? No software could detect that. You certain you eliminated that possibility completely?

                                  Web Design https://www.evergreen.je
                                  Development https://brandlight.org
                                  Life https://marcusquinn.com

                                  1 Reply Last reply
                                  0
                                    jquintana
                                    wrote on last edited by
                                    #16

                                    really, no

                                    marcusquinnM 1 Reply Last reply
                                    1
                                      marcusquinn
                                      wrote on last edited by marcusquinn
                                      #17

                                      @jquintana In your Cloudron panel, you could try changing the permissions for the files that keep getting edited so they can't be updated, then just change them back temporarily if ever you did want to edit them.

                                      Another quick look at your website, and as nice as I'm sure it was when built, I think you could very quickly build a new version in perhaps a week. I highly recommend the KadenceWP theme, and the above plugins.

                                      Cloudron is rock-solid for us for many years now, and no security issues, so I'm confident you'll be happy with a clean install, modern flexible theme and those light and tight plugins mentioned.

                                      That or you might be looking at Upwork or Fiverr for an expert to do an audit, which will be as unpredictable on cost as the guesses we've been able to make here so far.

                                      Web Design https://www.evergreen.je
                                      Development https://brandlight.org
                                      Life https://marcusquinn.com

                                      1 Reply Last reply
                                      0
                                        RazielKanos
                                        wrote on last edited by
                                        #18

                                        Check in the options table. I once had a hacked plugin that was writing executable code in the options table, and by that, it was able to reinstall itself again and again.

                                        Well, securing the page should be a matter of less than an hour. Just export those pages, make a fresh install and import the pages back in 🙂

                                        1 Reply Last reply
                                        0
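A sketch of the options-table check described in the post above, which also answers the earlier "Check the DB ... How?": flag option values that contain PHP execution constructs, including ones hidden one base64 layer deep. This is an added example, not code from any poster; it assumes the rows were exported with something like `SELECT option_name, option_value, autoload FROM wp_options` (default `wp_` table prefix), and the marker list and sample rows are constructed.

```python
import base64
import re

# PHP constructs that have no business in a stored option value (heuristic list).
MARKERS = re.compile(
    r"<\?php|\b(?:eval|assert|base64_decode|gzinflate|str_rot13|create_function"
    r"|include|require)(?:_once)?\s*\(", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def markers_in(text):
    """Normalised marker names found in text, e.g. {'eval', '<?php'}."""
    return {re.sub(r"[\s(]", "", m.group(0).lower()) for m in MARKERS.finditer(text)}

def decoded_blobs(value):
    """Decode long base64 runs so code hidden one layer deep is inspected too."""
    for blob in B64_BLOB.findall(value):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:  # not valid base64 after all
            continue
        yield raw.decode("utf-8", "replace")

def scan_options(rows):
    """rows: (option_name, option_value, autoload) tuples -> list of findings."""
    findings = []
    for name, value, autoload in rows:
        hits = markers_in(value)
        for text in decoded_blobs(value):
            hits |= {"b64:" + h for h in markers_in(text)}
        if hits:
            findings.append((name, autoload, sorted(hits)))
    return findings

# Constructed sample data: harmless placeholders, not rows from the site in this thread.
HIDDEN = base64.b64encode(
    b'eval(gzinflate("constructed placeholder, not a payload"));').decode()
SAMPLE_ROWS = [
    ("siteurl", "https://example.test", "yes"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}', "yes"),
    ("widget_text", '<?php eval(base64_decode("CONSTRUCTED")); ?>', "yes"),
    ("wp_cache_key", HIDDEN, "no"),
]

if __name__ == "__main__":
    for name, autoload, hits in scan_options(SAMPLE_ROWS):
        print(f"{name} (autoload={autoload}): {', '.join(hits)}")
```

Hits are leads for manual review, not verdicts: a widget or snippet option can legitimately contain code-like text, and rows with `autoload` set to `yes` deserve attention first because they are loaded on every request.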