[ad_1]
A couple of weeks ago we discovered some of our sites were hit with this hack (added to either the functions or wp-config files). I’ve since moved the wp-config files outside of the root directory with a different name, and an include inside to load the real file.
I guess I haven’t locked down how they’re getting in, because it popped up again. However, it’s in the dummy file, so will it actually load?
An example of what my wp-config file looks like right now:
<?php
include (outside directory path with real config file);
function (hack crap)
Will the function load or would I be safe if I left it?
[ad_2]
FWIW: the hack was randomizing clicks to other websites
Sounds like you’re trying to fix the symptom and not the real issue. I’m guessing there is a file they are triggering on a cron that is public that causes it to re-infect your site each time you clean it up. I’d look for any non-wordpress files scattered throughout your site. I’ve seen some with up to a hundred randomly name files that look semi-legitimate.
Your site is hacked. Install Wordfence and run a scan. Google how to clean a site correctly – essentially you’re deleting everything except wp-content/uploads and redownloading WP, the theme and plugins from known trusted sources.
Obfuscation is only for convenience, not security. Some like to hide the login page, for instance…but that in no way makes it more secure. It just means you have less bandwidth being used by low effort players. It does not, however do a damn thing to secure your site. This is no different. You need to fix the mode of access, not just obscure the target.