How to prevent hackers from inserting HTML files into the /wp-content/ folder

Johnws2022

Dear All,

How can I prevent hackers from inserting HTML files into the /wp-content/ folder on my WP website?

I have set file/folder permissions as follows:

folder - 755
file - 644

Still, hackers can access the above folder. I have seen some advice on using an .htaccess file to restrict hackers' access (I have an .htaccess file created by a plugin inside /wp-content/).

What is the best option to protect folders in DirectAdmin so that hackers cannot access any of the folders?

Many thanks in advance.

Regards
 
Well, don't use WordStress, for one... But the serious answer: install Wordfence. Nothing is 100%, but.
Thanks. You are right; there might be a spammy file already inserted somewhere, and it keeps generating that HTML file. I used Wordfence before, but removed it recently because of the many DB tables it created, which might slow down my website. I may have to use it again to scan for that spam.

Or are there any other ways of using .htaccess to restrict access to folders?

I very much appreciate your help.

Cheers
 
The thing is, with the wp-content directory, it holds just about everything... So it's difficult... And I don't use it; I hosted clients with it, but...
 
I have set file/folder permissions as follows:

folder - 755
file - 644

Still, hackers can access the above folder.
It doesn't matter if it's WordPress or just HTML or a community. These are normal values, and if hackers succeed in putting files in your /wp-content/ folder, then chances are that Wordfence might not help you either.
Because you have to figure out the root cause of the issue: why are hackers succeeding in doing this? And then most likely it's from a leaky plugin or theme which they are abusing to hack your WP installation.

Now what you can do is start by making sure that all hacked files are gone. Wordfence is a beginning, but there is more.
Install Maldetect, for example; it's free. Scan your server and your files.
It runs every night, and this way you can see faster if some suspicious files have been entered or are present.
But also, especially, start checking your plugins and themes to see if they are OK. Do -not- use nulled scripts or themes, and I would suggest removing any theme using base64 content.
However, Maldetect will warn you about this too.

Also, do not use simple passwords for the MySQL database; that is also an easy way to get in. Once you have scanned with Maldetect, I would suggest changing the MySQL passwords too.
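The reply above boils down to a procedure: find what was written recently, look for obfuscated PHP (base64/eval) in plugins and themes, and confirm the 755/644 permissions from the original question really hold everywhere. The script below is an added example written for this thread; it is not code from the poster, from Maldetect or from Wordfence, and it does not replace a real scanner. It assumes the path to wp-content is passed as the first argument (a DirectAdmin-style path is shown in the usage comment as an example only); the make_fixture function builds a constructed sample tree so the checks can be tried offline against known-bad content.

```shell
#!/bin/sh
# Added example (not code from this thread, Maldetect or Wordfence): a POSIX sh
# triage of a wp-content tree for the indicators discussed in the thread:
# files written recently, PHP with obfuscation primitives (base64_decode, eval,
# gzinflate ...), PHP code hiding behind a non-PHP extension, .htaccess files
# that could map such extensions to PHP, and anything wider than 755/644.
# Assumption: the path to wp-content is passed as the first argument.
# A hit is a lead to inspect by hand, not proof of compromise.

# Files under $1 modified within the last $2 days (default 7). A spam .html
# that keeps reappearing shows up here with a fresh mtime; so does the dropper
# that writes it, if it lives in the same tree.
recent_files() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# PHP files under $1 containing primitives that droppers and web shells use to
# hide their payload. Legitimate plugins also call base64_decode, so review
# each hit rather than deleting on sight.
suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE 'base64_decode|eval\(|gzinflate|gzuncompress|str_rot13|assert\(' {} + \
        2>/dev/null | sort
}

# Files under $1 that carry a PHP open tag but not a PHP extension (shell.ico,
# index.html ...). These only execute if a handler maps the extension to PHP,
# which is exactly what a planted .htaccess can do.
php_in_disguise() {
    find "$1" -type f ! -name '*.php' ! -name '*.phtml' ! -name '*.inc' \
        -exec grep -lIF -- '<?php' {} + 2>/dev/null | sort
}

# Every .htaccess under $1. Each one is either from a plugin (as the original
# post says) or from an attacker; look for AddHandler/SetHandler/AddType lines.
stray_htaccess() {
    find "$1" -name .htaccess 2>/dev/null | sort
}

# Paths under $1 that are world-writable. 755/644 is correct; anything wider
# lets another account on a shared host, or a hijacked PHP process, write here.
world_writable() {
    find "$1" -perm -0002 2>/dev/null | sort
}

# Run all checks and print them in sections.
audit() {
    echo "== files modified in the last 7 days";            recent_files "$1" 7
    echo "== PHP with obfuscation primitives";               suspicious_php "$1"
    echo "== PHP code behind a non-PHP extension";           php_in_disguise "$1"
    echo "== .htaccess files (check AddHandler/SetHandler)"; stray_htaccess "$1"
    echo "== world-writable paths (expect none)";            world_writable "$1"
}

# Constructed sample tree (not from any real site) so the checks can be
# exercised offline: one clean theme file, a dropper, a shell behind .ico plus
# the .htaccess that would run it, a spam page, and a 777 uploads directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/ok" "$d/plugins/foo" "$d/uploads"
    printf '<?php\necho "hello";\n' > "$d/themes/ok/functions.php"
    printf '<?php\neval(base64_decode($_POST["x"]));\n' > "$d/plugins/foo/dropper.php"
    printf '<?php system($_GET["c"]);\n' > "$d/uploads/favicon.ico"
    printf '<html><body>spam</body></html>\n' > "$d/uploads/spam.html"
    printf 'AddHandler application/x-httpd-php .ico\n' > "$d/uploads/.htaccess"
    chmod 777 "$d/uploads"
    printf '%s\n' "$d"
}

# Usage (path is an example): sh wp-content-triage.sh /home/user/domains/example.com/public_html/wp-content
# With no argument, audit the constructed fixture instead.
if [ "$#" -gt 0 ]; then
    audit "$1"
else
    fx=$(make_fixture); audit "$fx"; rm -rf "$fx"
fi
```

Run it against the real wp-content first, then against the fixture to see what each section looks like when something is wrong. The fixture deliberately reproduces the pattern from the thread: the permissions on the files themselves are fine, yet a world-writable directory, a handler-mapping .htaccess and a dropper in a plugin are enough for new .html files to keep appearing.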
 
Thanks Richard; you are always very helpful.

I use all outdated plugins because my WP theme has been abandoned by its developers for over 4 years now. It's a good theme; very customisable without errors, and I cannot replace it because it contains thousands of users' data, which is added every day. You may be right; the hackers may enter that folder via outdated plugins. I'll try the plugin you suggested and let you know if I can find hacking files.
 
and I cannot replace it because it contains thousands of users' data, which is added every day.
It's not the theme which contains the data (unless something special is going on) but the database. It might be a good idea too to set up a test environment or test domain, look for a theme which looks similar, and then test by copying the database into there and seeing what is possible.

But I'm curious as to the outcome of Maldetect. Hope it will fix some things for you.
 
You can keep using the theme. But you have to understand that this is going to be the cost of doing so.

An abandoned theme (or plugin) that has a security hole, isn't going to be patched. So you are going to be perpetually open to exploitation through this security hole.

This is why it is so important that you choose reputable themes and plugins when you start designing or developing your website. A reputable theme or plugin developer is going to be less likely to abandon their project. But just some random theme or plugin that does this "neat" thing how do you know if the developer is going to stick to the project? Defining what is reputable and what is not is difficult and often subjective. But how many installs a theme or plugin has, how many ratings it has, and how often it is updated are often good measuring points.

Even worse are themes or plugins that you pay for that then become abandoned. If you are paying for a theme or plugin, you really should be aware of whether the developer is going to stick around on the project. You have to know what you are getting involved in if you are paying for something. Are you paying for THAT version of the theme or plugin? Do you have to pay again for further updates? What assurances do you have that the developer is still going to be around in 1 year, or 5 years? I'm not against using paid themes and plugins, but there are a lot of paid themes and plugins that are here today and gone tomorrow, and then you're left out to dry when the theme/plugin gets compromised. Not only do you lose the integrity of your website, but also the money you paid for the theme/plugin.
 
Be careful: if you have other domains assigned to this user, those domains could be hacked too.

WordPress is easy to use and easy to hack too.

I always point this out to the customer: if you want to use WordPress, please separate the user from other domains.

And then... someone just got hacked... so I restored a backup from last month for him and denied access to only the WordPress site.
 
It's not the theme which contains the data (unless something special is going on) but the database. It might be a good idea too to set up a test environment or test domain, look for a theme which looks similar, and then test by copying the database into there and seeing what is possible.

But I'm curious as to the outcome of Maldetect. Hope it will fix some things for you.
No, I won't do that, because even a new theme will be abandoned by its developers in the future. My theme was bought by over 6k buyers on codecanyon.net with good reviews. The company still exists, but just stopped developing my theme.
 
My theme is fully customised; I have spent over 2 years doing that. It's hard work; I won't change this theme. Thanks
 