Hi All,
Just an update on what I have found. I found nothing after running Wordfence. My conclusion is that the /uploads/ folder was set at 777, which allowed everyone, or hackers, to have write permission; it means they can modify or insert any files on the server.
To avoid this, for WP website owners:
1. Make sure all folders are set at 755, and files are set at 644, in particular:
/wp-content/
/wp-admin/
/wp-includes/
2. All folders under /wp-content/ must be set at 755 too:
/wp-content/themes/
/wp-content/plugins/
/wp-content/uploads/
and all others inside /wp-content/
3. All folders under /wp-admin/ and /wp-includes/ should be 755 and files at 644.
4. If you fail to do the above, hackers enjoy attacking your websites.
When should you do that?
When you restore your website from a backup on a new server or the same one because file/folder permissions are normally set back to 777/666, etc.
Many thanks to such a great community.
(I will try Rechard's advice to install protection on SSH)
Cheers
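
The permission check and reset from steps 1 to 3 above, as an added shell example that is not part of the original post. The function names and the sample tree built by `make_sample_site` are constructed for illustration; the site root is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): audit and reset permissions
# on the three WordPress folders the post names.
WP_DIRS="wp-admin wp-includes wp-content"

# List directories that are not 755 and files that are not 644.
wp_audit_perms() {
    for d in $WP_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type d ! -perm 755 -print
        find "$1/$d" -type f ! -perm 644 -print
    done
}

# List anything writable by "other" (777, 666, ...), the state the post blames.
wp_world_writable() {
    for d in $WP_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" \( -type d -o -type f \) -perm -0002 -print
    done
}

# Reset to the modes from the post: 755 for folders, 644 for files.
# -type d / -type f skip symlinks, so chmod never follows one out of the tree.
wp_fix_perms() {
    for d in $WP_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type d ! -perm 755 -exec chmod 755 {} +
        find "$1/$d" -type f ! -perm 644 -exec chmod 644 {} +
    done
}

# Constructed sample tree imitating a restore that left 777/666 behind.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-admin" "$site/wp-includes" "$site/wp-content/themes" \
             "$site/wp-content/plugins" "$site/wp-content/uploads/2024"
    echo '<?php' > "$site/wp-admin/index.php"
    echo 'img' > "$site/wp-content/uploads/2024/a.jpg"
    chmod 755 "$site/wp-admin" "$site/wp-includes" "$site/wp-content" \
              "$site/wp-content/themes" "$site/wp-content/plugins"
    chmod 644 "$site/wp-admin/index.php"
    chmod 777 "$site/wp-content/uploads" "$site/wp-content/uploads/2024"
    chmod 666 "$site/wp-content/uploads/2024/a.jpg"
    echo "$site"
}

# Usage: sh wp-perms.sh /path/to/site   (audit only; call wp_fix_perms to reset)
if [ "$#" -eq 1 ]; then wp_audit_perms "$1"; fi
```

Run the audit first and review the list before calling `wp_fix_perms`, since some hosts need a different owner or group rather than different mode bits.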