How to prevent hackers from inserting HTML files into the /wp-content/ folder

Johnws2022

Dear All,

How can I prevent hackers from inserting HTML files into the /wp-content/ folder on my WP website?

I have set file/folder permission as follows:

folder - 755
file - 644

Hackers can still access the folder above. I have seen some advice on using a .htaccess file to restrict access to hackers (I have a .htaccess file created by a plugin inside /wp-content/).

What is the best option to protect folders in DirectAdmin so that hackers cannot access any of the folders?

Many thanks in advance.

Regards
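The original post asks for a .htaccess answer and the thread never gives one, so here is an added example (not from any poster): a script that drops a hardening .htaccess into wp-content/uploads so Apache refuses to serve PHP or HTML files placed there. Note the limit of this approach: 755/644 are the normal modes, and a vulnerable plugin runs as the site user and can write to those directories regardless; the rule below only stops a dropped spam page from being served, it does not stop the dropper. The paths are assumptions for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): install an .htaccess into
# wp-content/uploads that stops Apache from serving PHP or HTML files
# dropped there. It does not stop the dropper; finding the root cause
# (vulnerable plugin/theme, as the replies say) is still required.
# Paths below are assumptions for demonstration.

# Write the hardening .htaccess into the given uploads directory.
install_uploads_htaccess() {
    uploads_dir="$1"
    mkdir -p "$uploads_dir"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Deny direct requests for script and HTML files inside uploads.
# Images, PDFs and other media are still served normally.
<FilesMatch "\.(php|phtml|php[0-9]|phar|html?)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    # Keep the normal 644 file mode from the thread.
    chmod 644 "$uploads_dir/.htaccess"
}

# Check whether an uploads directory carries the deny rule.
uploads_htaccess_ok() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Constructed demo on a temporary directory; on a real server the
# argument would be the site's wp-content/uploads.
demo_dir="$(mktemp -d)"
install_uploads_htaccess "$demo_dir/wp-content/uploads"
uploads_htaccess_ok "$demo_dir/wp-content/uploads" && echo "uploads .htaccess installed"
rm -rf "$demo_dir"
```

The rule is scoped to uploads rather than all of wp-content because themes and plugins ship their own files and some of them are served directly; blocking HTML across the whole tree can break a site. Only Apache and LiteSpeed read .htaccess; with nginx the equivalent location rule goes in the server configuration. A plugin that manages its own .htaccess in /wp-content/ may rewrite that file, which is another reason to keep this rule in a separate file under uploads.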
 
Well, don't use WordStress for one....... but the serious answer - install Wordfence - nothing is 100% but.
Thanks. You are right; there might be a spammy file already inserted somewhere, and it keeps generating that HTML file. I used Wordfence before, but removed it recently due to the many DB tables it created, which might slow down my website. I may have to use it again to scan for that spam.

Or any other ways of using .htaccess to restrict access to folders?

I very much appreciate your help.

Cheers
 
The thing is, the wp-content directory holds just about everything...... So it's difficult...... And I don't use it; I hosted clients with it, but......
 
have set file/folder permission as follows:

folder - 755
file - 644

Still hackers can access my above folder.
It doesn't matter if it's WordPress or just HTML or a community. These are normal values, and if hackers succeed in putting files in your /wp-content/ folder, then chances are that Wordfence might not help you either.
Because you have to figure out the root cause of the issue. Why are hackers succeeding in doing this? Most likely it's a leaky plugin or theme which they are abusing to hack your WP installation.

Now what you can do is start by making sure that all hacked files are gone. Wordfence is a beginning, but there is more.
Install Maldetect for example; it's free. Scan your server and your files.
It runs every night, and this way you can see faster if suspicious files have been added or are present.
But also, especially, start checking your plugins and themes to see if they are OK. Do -not- use nulled scripts or themes, and I would suggest removing any theme using base64 content.
However, Maldetect will warn you about this too.

Also do not use simple passwords for the MySQL database; that is also an easy way to get in. Once you have scanned with Maldetect I would suggest changing the MySQL passwords too.
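Two of the checks in the reply above (find freshly added files under wp-content, and look for the base64-style obfuscation in themes and plugins) are easy to run by hand alongside a scanner. The script below is an added example written for this thread, not Maldetect's or Wordfence's code; it builds a small constructed wp-content tree in a temporary directory so it can be run anywhere, and on a real server you would point it at the site's wp-content instead.

```shell
#!/bin/sh
# Added example (not from the thread): two checks a hosting admin can
# run against a WordPress tree, alongside a scanner such as Maldetect.
#  1) list script/HTML files under wp-content changed in the last N days,
#     so a freshly dropped .html or .php shows up;
#  2) list PHP files in themes/plugins that call the obfuscation
#     functions injected code usually relies on (base64_decode,
#     gzinflate, str_rot13, eval) -- the "base64 content" the reply
#     warns about.
# A hit from (2) is a lead, not proof: some legitimate plugins use
# base64_decode too, so read the file before deleting anything.

# 1) Script/HTML files under wp-content modified within the last N days.
recent_files() {
    wp_content="$1"; days="${2:-2}"
    find "$wp_content" -type f -mtime -"$days" \
        \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) | sort
}

# 2) PHP files in themes and plugins that contain obfuscation calls.
suspicious_php() {
    wp_content="$1"
    find "$wp_content/themes" "$wp_content/plugins" -type f -name '*.php' \
        -exec grep -lE 'base64_decode\(|gzinflate\(|str_rot13\(|eval\(' {} + 2>/dev/null | sort
}

# Constructed sample tree (stands in for a real wp-content). The
# "oldplugin" file carries an inert base64 blob ("echo 1;") purely so
# the detection has something to find.
make_sample_wp_content() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/themes/mytheme" \
             "$root/wp-content/plugins/oldplugin" \
             "$root/wp-content/uploads/2022/01"
    printf '<?php echo "hello"; ?>\n' > "$root/wp-content/themes/mytheme/index.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' \
        > "$root/wp-content/plugins/oldplugin/helper.php"
    printf '<html><body>spam</body></html>\n' > "$root/wp-content/uploads/2022/01/promo.html"
    printf 'GIF89a' > "$root/wp-content/uploads/2022/01/logo.gif"
    echo "$root/wp-content"
}

wc_dir="$(make_sample_wp_content)"
echo "== recently changed script/HTML files =="
recent_files "$wc_dir" 2
echo "== theme/plugin files with obfuscation calls =="
suspicious_php "$wc_dir"
rm -rf "$(dirname "$wc_dir")"
```

Run the first check with a short window (a day or two) after the site has been cleaned; anything that reappears points at the dropper still being active, which is the root-cause question the reply raises. The second check is deliberately narrow; a scanner's signature set is far larger, so treat this as a quick first look, not a replacement for Maldetect.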
 
Thanks Richard; you are always very helpful.

I use all outdated plugins due to my WP theme being abandoned by its developers for over 4 years now. It's a good theme, very customisable without errors, and I cannot replace it because it contains thousands of users' data which is added every day. You may be right; the hackers may enter that folder via outdated plugins. I'll try the plugin you suggested and let you know if I can find hacking files.
 
and I cannot replace it because it contained thousands of users' data which is added every day.
It's not a theme which contains the data (unless something special is going on) but the database. It might be a good idea too to set up a test environment or test domain, look for a theme which looks similar, and then test by copying the database into there and see what is possible.

But I'm curious as to the outcome of Maldetect. Hope it will fix some things for you.
 
You can keep using the theme. But you have to understand that this is going to be the cost of doing so.

An abandoned theme (or plugin) that has a security hole, isn't going to be patched. So you are going to be perpetually open to exploitation through this security hole.

This is why it is so important that you choose reputable themes and plugins when you start designing or developing your website. A reputable theme or plugin developer is going to be less likely to abandon their project. But just some random theme or plugin that does this "neat" thing how do you know if the developer is going to stick to the project? Defining what is reputable and what is not is difficult and often subjective. But how many installs a theme or plugin has, how many ratings it has, and how often it is updated are often good measuring points.

Even worse are themes or plugins that you pay for that then become abandoned. If you are paying for a theme or plugin you really should be aware of whether the developer is going to stick around on the project. You have to know what you are getting involved in if you are paying for something. Are you paying for THAT version of the theme and plugin? Do you have to pay again for further updates? What assurances do you have that the developer is still going to be around in 1 year, or 5 years? I'm not against using paid themes and plugins, but there are a lot of paid themes and plugins that are here today and gone tomorrow, and then you're left out in the dry when the theme/plugin gets compromised. Not only do you lose the integrity of your website, but also the money you paid for the theme/plugin.
 
Be careful: if you have other domains assigned to this user, those domains could be hacked too.

WordPress is easy to use and easy to hack too.

I always point this out to the customer: if you want to use WordPress, please separate the user from other domains.

And then.... someone just got hacked... so I restored a backup from last month for him and denied access to only the WordPress site.
 
No, I won't do that because even a new theme will be abandoned by its developers in the future. My theme was bought by over 6k buyers on codecanyon.net with good reviews. The company still exists, but just stopped developing my theme.
 
My theme is fully customised; I have spent over 2 years doing that. It's hard work; I won't change this theme. Thanks
 
I suppose the first question to ask is how are hackers getting into your WordPress script? I don't know the answer to that. You'll have to discover that yourself.

You have stated that you are using outdated and abandoned plugins and themes, so it's reasonable to assume that an exploit or compromise point exists somewhere in that. But I can't say for certain that's how hackers are getting in.

Now... to each their own... but if it's determined that hackers are getting in through one of these outdated/abandoned plugins or themes AND I paid good money for the plugins/theme - I would want to know why the developers of those plugins/theme aren't fixing the security hole. Or are they providing a free/discount price to a newer, current, in-life plugin/theme?

Again, to be clear, I don't think we've established that your outdated/abandoned theme/plugins are the compromise culprit. But it seems you are wanting someone to tell you that it's OK to continue to use the outdated/abandoned theme/plugins even if they are the compromise point and that everything is just going to magically be OK. But you're not going to find that response. You're going to have to take over the maintenance and upkeep of the theme and plugins and update their code to fix the security hole... wherever it might be (if it's even in the outdated/abandoned plugins and theme).

This is the security threat that not enough WordPress users understand. WordPress at its core is typically fine. It's all the add-ons WordPress users add to their WordPress sites and how well coded and maintained those add-ons are. You can't just set up a WordPress site with all the neat little bells and whistles, look at it, declare "this is good" and then never, ever, ever touch anything on the WordPress website again. WordPress has to be maintained. That means keeping the core WordPress script up-to-date (often done through automatic updates - which I'm not a huge fan of). As a WordPress user you have the responsibility of ensuring that WordPress is kept up to date and that any plugins and themes are kept up to date. Plugin and theme developers have a responsibility to ensure that their projects are maintained and kept free of security holes - and this is quite often the service that is not done. Many plugins and themes get developed but then never touched by their developers again. While you - a WordPress user - may be using the latest version of these themes and plugins, if the theme or plugin developer hasn't touched the project in 5 years then it's probably not safe to use.

WordPress itself I don't have a problem with. The developers of WordPress keep the project well maintained. It's the responsibilities (or lack thereof) of WordPress users and plugin/theme developers that give WordPress security a bad name.
 
I wont change this Theme. Thanks
OK, that's a choice, but in that case you have to take the security issues into account as mentioned above by both others.
So then the best thing is to find out what the root cause of the problem is. Maldetect might be helpful to point out if and which scripts/plugins are infected.
 
You should check your site with a few different scanners. I use this if I have a suspicion about a site being hacked.

Besides that, check your database for hidden admin accounts. Not all admin accounts are necessarily visible in the WP BE.
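The point about admin accounts that do not show in the WP back end is worth a concrete check. An account whose capabilities meta says "administrator" is an administrator whether or not the Users screen lists it, and anything that asks WordPress itself (the admin screen, or WP-CLI's user list) runs through WordPress code that a malicious plugin can filter. The script below is an added example for this thread, not part of any tool the posters mention: it reads the credentials and table prefix from wp-config.php and runs the role query directly against MySQL. The site path and the credentials in the constructed sample config are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit administrator accounts
# straight from the database, so an account hidden from the WP user list
# (for example by a plugin filtering the admin screen) still shows up.
# Credentials are read from wp-config.php; the site path is an assumption.

# Read a define('KEY', 'value') entry from wp-config.php.
# (Assumes the value contains no single quote, which is the common case.)
wp_config_value() {
    cfg="$1"; key="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*'$key'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg" | head -n 1
}

# Read $table_prefix = 'wp_'; from wp-config.php (default wp_).
wp_table_prefix() {
    p="$(sed -n "s/^[[:space:]]*.table_prefix[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1)"
    echo "${p:-wp_}"
}

# SQL that lists every user whose capabilities meta grants administrator.
admin_users_sql() {
    prefix="$1"
    cat <<EOF
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM ${prefix}users AS u
JOIN ${prefix}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '${prefix}capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered;
EOF
}

# Run the audit against a real site, e.g.
#   audit_admins /home/USER/domains/example.com/public_html
audit_admins() {
    cfg="$1/wp-config.php"
    db="$(wp_config_value "$cfg" DB_NAME)"
    user="$(wp_config_value "$cfg" DB_USER)"
    pass="$(wp_config_value "$cfg" DB_PASSWORD)"
    host="$(wp_config_value "$cfg" DB_HOST)"
    prefix="$(wp_table_prefix "$cfg")"
    admin_users_sql "$prefix" | mysql -h "${host:-localhost}" -u "$user" -p"$pass" "$db"
}

# Constructed wp-config.php for demonstration (placeholder credentials).
make_sample_wp_config() {
    dir="$(mktemp -d)"
    cat > "$dir/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_wp' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'PLACEHOLDER_PASSWORD' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wpx_';
EOF
    echo "$dir/wp-config.php"
}

sample="$(make_sample_wp_config)"
echo "Would run against $(wp_config_value "$sample" DB_NAME) with prefix $(wp_table_prefix "$sample"):"
admin_users_sql "$(wp_table_prefix "$sample")"
rm -rf "$(dirname "$sample")"
```

Compare the rows this returns with the Users screen; any login present here but absent there is exactly the hidden account the reply warns about, and its user_registered date usually lines up with when the HTML files started appearing. Passing the password on the mysql command line makes it visible in the process list on a shared server, so for routine use put the credentials in a .my.cnf readable only by the site user instead.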
 