How to prevent hackers to insert html file into /wp-content/ folder

[johannes]

and the DB for hidden admins

 

[Johnws2022]

Only Wordfence? Did not try Maldetect of any of the ones mentioned by others? Could not harm just to be sure.

But it's good you changed everthing to 755 resp. 644.

Yes, I ll try some other software suggested above too, but Wordfence does not scan on my website when doing it manually; it keep scanning for ever, it only scan itself, and found no hacking files. Now I have to remove Wordfence from my website because it added 25 database tables slowing down my website.

 

[DrWizzle]

Hi All,

Just update what I have found. I found nothing after running Wordfence, My conclusion is /uploads/ folder was set at 777 which allowed everyone or hacking to have writing permission; it mean they can modify or insert any files into the server,

In order to avoid this for WP website owner:

1. Make sure all folders are set at 755, and files are set at 644, in particular:

/wp-content/
/wp-admin/
/wp-includes/

2. All folder under /wp-content/ must set at 755 too:

/wp-contents/themes/
/wp-contents/plugins/
/wp-contents/uploads/

and all others inside /wp-contents/

3. All folders under /wp-admin/ and /wp-includes/ should be 755 and files at 644.

4. Failure of doing the above, hackers enjoy attacking your websites.

When should you do that?

When you restore your website from a backup on a new server or the same one because file/folder permissions are normally set back to 777/666, etc.


Many thanks for this such a great community.
(I will try Rechard's advice to install a protection on SSH)

Cheers

wp-config.php and all derivatives I set at 640 as the public shouldn't have any read access to it if they were ever to get access to it.

 

[Johnws2022]

Bad news: the hackers still managed to insert himl files into /wp-content/ folder. No idea of how they do that?

 

[ericosman]

Bad news: the hackers still managed to insert himl files into /wp-content/ folder. No idea of how they do that?

I could have a look for you, would be a payed service tho*

 

[sparek]

You need to get a timestamp for when the files were added.

Then scour your logs to see what was being done around that time on the account.

A lot of times this leads to another "file that shouldn't be there", so you have to timestamp it and scour the logs... rinse repeat until you come upon the culprit.

I will also reiterate that if you're using outdated or abandoned plugins or themes... that's probably going to be your culprit. And if you wish to continue to use those outdated or abandoned plugins or themes, then you're just going to have to live with these compromises (as long as your web host continues to allow it).

 

[Richard G]

Bad news: the hackers still managed to insert himl files into /wp-content/ folder. No idea of how they do that?

The domein log and access logs should be able to tell you. Either a leak theme or maybe the user or database account hacked.

 

[DrWizzle]

Well, don't use WordStress for one....... but the serious answer - install Wordfence - nothing is 100% but.

"Wordstress" Priceless!

 

[Ohm J]

If you still don't know..... just manual log the payload request

$_REQUEST
$_FILES
file_get_contents('php://input')

(these variable should contents all possible payload )

using "auto_prepend_file" directive feature with PHP script to keep the logs in the secret location and monitor it which's request insert that HTML file.

 

[Johnws2022]

I could have a look for you, would be a payed service tho*

Thank you for offering, but i cant anyone enter backend or SSH.

I have now removed two other websites from the server which are not well maintained and protected. Wait for a week if html files are still inserted

 

[Johnws2022]

You need to get a timestamp for when the files were added.

Then scour your logs to see what was being done around that time on the account.

A lot of times this leads to another "file that shouldn't be there", so you have to timestamp it and scour the logs... rinse repeat until you come upon the culprit.

I will also reiterate that if you're using outdated or abandoned plugins or themes... that's probably going to be your culprit. And if you wish to continue to use those outdated or abandoned plugins or themes, then you're just going to have to live with these compromises (as long as your web host continues to allow it).

I ll do that. its too late this time as html file was removed

 

[ericosman]

Thank you for offering, but i cant anyone enter backend or SSH.

I have now removed two other websites from the server which are not well maintained and protected. Wait for a week if html files are still inserted

Will not need access to ssh, would need access to ftp and the wordpress site's itself (to clean, update etc)