Finding a WordPress hacker

HMTKSteve

One of the WordPress-based sites on my server has been hacked twice in the last month. Only one out of many, so I suspect that only this one domain has been compromised.

Each time they add some malicious code to the header.php files of all of the themes on the site. I have changed the files to read-only for everyone (444) but I still need to find out how they are getting in and making the changes to the files.

I tried to check the log files but I cannot find the files for today. It looks like shortly after midnight the server backed up yesterday's logs, but when I use DA to check the current logs I only get about 100 lines' worth.

I changed all of the passwords for this domain and updated WordPress and all plugins. This site has multiple subdomains but only the WordPress install is being modified.

Any ideas on where to go from here?
 
Try the customer's computer.
We had similar problems on a WordPress site and couldn't find anything in the log either,
until we advised the customer to have his computer checked with Malwarebytes and AdwCleaner.
That revealed several trojans and other malware on his PC.
We changed the password after the cleaning and since then the problem is gone.

Next you can check for outdated versions of add-ons, and we discovered there are some themes with severe leaks too.
 
Thanks for your tips. I also have been in such a situation and now my problem is solved.
 
You need to add security to EVERY WP site :p
Otherwise you'll get hacked, smacked, slapped, cracked... :mad:
Let me make a few recommendations :cool:
WP file monitor plus // lets you know any time a file is changed, added, deleted, even when you do it.
This puts you way ahead of the game.
WP Firewall 2 // stops many attempts
WP antivirus // checks themes for malicious code
WP limit login attempts // self-explanatory
WP auto update
These are all available from the WP market and can be installed from the admin.
I have many, many, many WP sites.
 
Are you sure about that list of security plugins you advise?
Some of them haven't been updated for over a year and "WP Firewall 2" hasn't been updated for 3 years already.
 
Look through the FTP log file. We had a similar (non-WP site) problem, and the hacker used FTP to add his hacks to all the php/html files. I believe the hacker used malware to access the user's FileZilla file and then used the FTP passwords saved there (in plain text, a good reason not to save passwords in FileZilla) to access all the FTP accounts on the server. Once the passwords were changed and the site updated, the problem went away.
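
Following the FTP-log suggestion above, an added example (not part of the original thread): a POSIX shell script that pulls completed uploads of .php/.html files out of an FTP transfer log and groups them by remote host and FTP user. It assumes the server writes the standard xferlog format with no spaces in file names; the log path argument, user name, paths and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find who uploaded PHP/HTML files according to an xferlog-format log.
# Assumed field layout (standard xferlog): 1-5 timestamp, 6 duration, 7 remote host,
# 8 size, 9 path, 10 type, 11 flag, 12 direction (i = upload, o = download),
# 13 access mode, 14 user, 15 service, 16 auth method, 17 auth id, 18 status (c = complete).

# Print "timestamp host user path" for every completed upload of a .php/.html file.
ftp_web_uploads() {
    awk '$12 == "i" && $18 == "c" && $9 ~ /\.(php|html?)$/ {
        print $1, $2, $3, $4, $5, $7, $14, $9
    }' "$1"
}

# Count those uploads per remote host and FTP user, busiest source first.
ftp_upload_sources() {
    awk '$12 == "i" && $18 == "c" && $9 ~ /\.(php|html?)$/ { n[$7 " " $14]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2
}

# Constructed sample log: documentation IP ranges, hypothetical user and paths.
sample_log() {
    cat <<'EOF'
Thu Mar 14 02:11:09 2013 1 203.0.113.45 4821 /domains/example.com/public_html/wp-content/themes/twentytwelve/header.php b _ i r exampleuser ftp 0 * c
Thu Mar 14 02:11:10 2013 1 203.0.113.45 5102 /domains/example.com/public_html/wp-content/themes/twentyeleven/header.php b _ i r exampleuser ftp 0 * c
Thu Mar 14 09:30:02 2013 2 198.51.100.7 88211 /domains/example.com/public_html/wp-content/uploads/photo.jpg b _ i r exampleuser ftp 0 * c
Thu Mar 14 09:31:40 2013 1 198.51.100.7 4790 /domains/example.com/public_html/wp-content/themes/twentytwelve/header.php b _ o r exampleuser ftp 0 * c
EOF
}

# Usage: script.sh /path/to/ftp/transfer.log   (no argument: run on the sample)
log="${1:-}"
if [ -z "$log" ]; then
    log=$(mktemp)
    sample_log > "$log"
fi
echo "Completed uploads of .php/.html files:"
ftp_web_uploads "$log"
echo "Uploads per host and user:"
ftp_upload_sources "$log"
```

Compare the timestamps and source addresses it prints with the modification times of the altered header.php files; a match to an address the site owner does not recognise points to stolen FTP credentials.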
 
@BBM
Yes, I'm sure about WP Firewall 2. The coder told us that it wasn't dependent on the core changes in WordPress and it Just Works,
so if it ain't broke, don't try to fix it (but we did have a couple of features added). :)
This little simple plugin has stopped many, many attempts at hacking.
I do agree that it would be nice for someone to take it over and keep it updated (date purpose only) so people won't think it's too old and not use it. This is one of those KISS plugins.
 