WP Malware infected site

Hi guys. Looking for insight from web devs.

I have a client on whose site we found malware prior to migration. We upgraded WP versions and plugins. The web dev spent about 6 hours on this.

Our web team continues to “confirm” the site is clean and then malware reappears about a week later. (Redirect from the landing page)

Is it possible for malware to continue to reinfect the site? We’ve rolled passwords a few times and removed the infected files 2x. This is not my wheelhouse, looking for any insights you might have.

Thanks.

11 Comments
  1. Have you turned off every plugin one by one? Perhaps an outdated plugin is where the malware is coming from.

  2. Malware will continue to reinfect a site until the site is properly cleaned and the vulnerability entry point is removed. Cleaning a site essentially means deleting all files and folders (except /wp-content/uploads) and reinstalling WP, theme, and plugins from clean, known sources, i.e. not backups. Your site is getting hacked likely because you’re using an old plugin that is no longer being updated.

  3. Yes, it’s possible. Probably a back door somewhere: check the database for weird users, replace the entire file system (core, plugins, and theme) with clean latest versions, then check/scan wp-content as well.

  4. This is obviously not their strong suit; a full reinstall might be what’s needed, or bring in a team/company that can get the job done. Plugin updates etc. won’t fix it, and files will have to be filtered through thoroughly to fix it. Unless you can alternatively pinpoint around when the infection happened and can restore from a backup (preferably off-site).

  5. Check for left over files in hidden directories somewhere that could be getting missed.

  6. You have a few options. You can have a professional service like Sucuri or Sitelock. They guarantee total removal, and they do it for a job so they have seen pretty much everything. It is a lot cheaper than paying your dev to do it.

    But if you have him do it again, here is how I do it.

    Start by ssh’ing into server and cd to the website root (generally public_html). All future terminal commands here presume you are in the root folder.
    List files modified in the timespan since the hack reoccurred. So, for example, if the hack occurred in the last 24 hours I would use:

    `find . -type f -mtime -1`

    That should show me the files that were modified on the server. I will generally look through them using nano and see what is going on. Next I would use WP-CLI to check the WordPress file checksums. This will show WordPress core files that are modified, and files placed in directories where they don’t belong.

    `wp core verify-checksums`

    If core files are modified you can just use WP-CLI to repair the files.

    `wp core download --force --skip-content`

    Then validate the plugins:
    `wp plugin verify-checksums --all`

    Any plugin that doesn’t verify should be uninstalled and reinstalled fresh.

    This is super important. Audit your plugins. I don’t generally recommend Wordfence, but it does have a nice feature where it checks your plugins against a vulnerability database. Any vulnerable plugin that doesn’t have an update should be removed. This is likely how the attackers gained access in the first place.

    Manually check your .htaccess file if you are running Apache for anything that doesn’t belong.

    Make sure all user accounts belong and have STRONG passwords.

    Install the “Stop User Enumeration” plugin. This closes some security holes in WordPress that leak user information, and disables XML-RPC and a few other things.

    Lastly, make sure your file and directory permissions are correct. That is 755 for directories and 644 for files. You can do it all at once using (note the backslash before the semicolon, which keeps the shell from eating the `-exec` terminator):

    `find . -type d -exec chmod 0755 {} \;`
    `find . -type f -exec chmod 0644 {} \;`

    If you follow this procedure you should be clean afterwards.

    If you are REALLY worried about getting reinfected you can also lock your entire filesystem by setting the immutable flag on all files in your server. This has some caveats… You must be the root user to execute this. You won’t be able to upload new media, and you won’t be able to update core or plugins until you remove the immutable flag.
    `find . -exec chattr +i {} \;`

    To remove the flag you would run the same command, but +i becomes -i.

  7. I had a client with malware, and it was in the WPCode plugin. Hackers added a script to it. All I had to do was disable that script.

  8. Clean up the site and change your hosting if it is happening time and again. If you have trouble cleaning, I can help you.
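As an added example that is not from any commenter in this thread, the POSIX shell helper below wraps the checks from comments 5 and 6 (recently modified files, hidden directories, permission reset) and adds a check for PHP files under wp-content/uploads; it assumes the WordPress docroot path is passed as the first argument to each function and uses only find and chmod, so it runs without wp-cli. Function names are hypothetical.

```shell
#!/bin/sh
# Added triage helper (not from any commenter). Each function takes the
# WordPress docroot as $1; only find/chmod are used, so no wp-cli is needed.

# Regular files modified within the last N days (default 1), as in comment 6.
recently_modified() {
    find "$1" -type f -mtime "-${2:-1}" | sort
}

# Hidden directories under the docroot, the "left over files" check of comment 5.
hidden_dirs() {
    find "$1" ! -path "$1" -type d -name '.*' | sort
}

# PHP files under wp-content/uploads. That tree should hold media only, so any
# hit is worth a manual look; an empty result is the expected clean state.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# Reset to 755 for directories and 644 for files. The escaped ';' terminates
# -exec; without the backslash the shell consumes it and find errors out.
fix_permissions() {
    find "$1" -type d -exec chmod 0755 {} \;
    find "$1" -type f -exec chmod 0644 {} \;
}

# Anything still outside the 755/644 policy (empty output means compliant).
bad_permissions() {
    find "$1" \( -type d ! -perm 0755 \) -o \( -type f ! -perm 0644 \)
}

# Combined read-only report, e.g. after sourcing: triage_report /var/www/public_html 7
triage_report() {
    echo "== files modified in the last ${2:-1} day(s)"; recently_modified "$1" "$2"
    echo "== hidden directories";                       hidden_dirs "$1"
    echo "== PHP files under uploads";                  php_in_uploads "$1"
    echo "== permission deviations";                    bad_permissions "$1"
}
```

Run `triage_report` first and review its output by hand before calling `fix_permissions`, since the mtime listing is the evidence of what changed and a blanket chmod does not touch it.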
