For some time now, every few days, this website is subject of some kind of injection attack. I made some changes to improve security, and I have installed Firewall plugin, upgraded and reinstalled the blog and all plugins but, attacks continue.
Firewall plugin stops several attack each day, but still some of them got through and only header.php file of the theme ends up changed and code is injected there. If any one has any suggestion on how to stop this type of attack, please leave a comment with suggestions on how to prevent this. I already did everything I can think of including protecting folders, wp-config and all the other things.
If you leave a comment that helps solve the problem, I will award you with premium support license on Dev4Press for GD Star Rating.
loading...
Share this:
Comment Link
Did you completely re-install WP after the first hack? I wonder if they left a back door?
loading...
Comment Link
I did it twice with 2.9.1.
loading...
Comment Link
Yeah, I kind of guessed you would have, that is why I didn’t suggest it when we exchanged emails about it last month.
Wow, it’s a real mystery! The prime suspect is some weakness in your theme’s header.php but, of course, I know that you will have already gone over that a hundred times.
I hope someone manages to solve the mystery, your offer of a premium license is smart, perhaps you should also post this offer to a few of the PHP and WordPress discussion sites.
loading...
Comment Link
In the last 2 days, firewall stopped several attacks and header.php is still ok, so maybe the last update solved it. Hopefully problem is gone, but I would like to know how that could happen if the WP is latest version fully reinstalled.
loading...
Comment Link
WordPress File Monitor Plugin will provide you with
an email of a time when files are changed.
get it here:
http://www.wpbeginner.com/plugins/wp-security-wordpress-file-monitor-plugin/
Look for a pattern in when events occur that modify the header file. Every little bit of info is critical when trying to solve these issues.
loading...
Comment Link
Thanks. I am building much more advanced plugin for this same job, but for now this is a good start.
loading...
Comment Link
I’ll gladly help you with this issue, I’m not doing it for money or anything else.
If you have the knowledge then you can fix this by yourself, it’s rather easy.
You need to install mod_security for apache, this is if you have apache as web server and if you are the admin of the server where this web site is hosted.
If this is not the case then send me a email with all the details you can give.
loading...
Comment Link
Right now things are OK, and no files got hacked for 4 days. But, firewall plugin registers 10-15 injection and traversal attacks each day.
As for apache, I am on the BlueHost hosting, and it has no mod_security installed. Hopefully, no injections will happen, but I will monitor things daily.
loading...
Comment Link
Glad to hear that everything is fine.
loading...
Comment Link
Well, looks like that problem is still there. The backdoor that hacks only, and only header.php of the active theme is hidden somewhere, so how to find it?
loading...
Comment Link
You should contact BlueHost, ask them to check the logs, specify the dates on which your web site got compromised.
Also you should ask for mod_security if you are on a linux/apache server (but keep in mind, that some rules may not be compatible with your web site, making some of it’s sections inaccessible).
What you can do is to change all the passwords, including ftp, web hosting panel, etc.
If you have access to the logs then you can find out what is the problem by yourself.
loading...
Comment Link
Have you checked all of your javascript files? Those are notorious for having back doors and being infected. Also, have you deleted the admin role that is standard with wordpress? Just another way to get hacked
I use a sister company of BlueHost (HostMonster) and I haven’t had any problems so far. Hopefully, I won’t…
loading...
Comment Link
I will install PHP IDS (Bluehost suggestion) to monitor every type of requests and try to find out exactly where the attack is done.
Also I have many websites on BlueHost and this is only one being hacked.
loading...
Comment Link
Worth installing http://wordpress.org/extend/plugins/wp-security-scan/ and following this guide here.
http://blogsecurity.net/wordpress/wordpress-security-whitepaper (changing database prefix is something I recommend all doing to limit XSS injection attacks.)
Also worth checking if you have register globals on in php.
loading...
Comment Link
WP Security Scan is pretty useless plugin, everything that it does I always implement and check on my own for each website. On the same host, I have Dev4Press and TVScape hosted, and only this website is under attack daily.
loading...
Comment Link
Hi,
I have the Star rating now on my wordpress site. I went to the IP part to ban this one commenter that leaves strange stuff, but it won’t ban his IP. I banned another IP that was selling drugs and that worked fine. Why would this one IP not ban?
Sorry to butt in on this forum…I didn’t know where else to leave question.
After reading this hacking issue I realize that my site may be vulnerable too. I use bluehost. How do you know if someone is getting into your site?
Thanks.
loading...
Comment Link
I will check why IP is not banning.
loading...
Comment Link
thanks. So far just tried the two. One banned ok the other one did not.
loading...
Comment Link
Is the IP added to the banned list on IP panel? And if it is, how do you now that plugin is not banning that one. I have tested and it’s working fine. On this website I have some 20 IP’s in the list and as far as I can tell, banning works fine.
loading...
Comment Link
Right. I went into the IP for Gd starrating and that is where I banned the one person. The other one I tried but it doesn’t take.
Do you think its some kind of hacker? I don’t know why they would, I don’t have any sales or pay pal stuff.
It must not be anything to do with the gd rating. I will call my host and maybe they can tell what’s going on with this particular IP.
Thanks. At least I narrowed it down a little.
loading...
Comment Link
You add IP and it’s not saved to the banned list on the IP panel? The only known way for this to happen is if the IP is invalid. Plugin checks the format before saving it.
loading...
Comment Link
I just used the ban IP Masked and it took it. I’m not sure what masked means, but it took it there. Hopefully this will do the trick. He just left another comment, always uses different name but its the same IP each time.
loading...
Comment Link
Plugin IP filter only works for plugin, and filters votes, doesn’t prevent user for doing anything else on the website.
loading...
Comment Link
Do you know how to ban this guy. He is in again. here is the strange website that they come in from:
mmacomments dot com
Ya, he’s in there again right now. hahaha!
loading...
Comment Link
Try finding some plugin that can filter IP addresses completely and prevent access to website.
loading...
Comment Link
You can ask your web hosting provider to block that IP from the server’s firewall, explain to them what is that ip doing and maybe you will get lucky. If you have a dedicated ip address for your web site, then they can block this ip only for your web site.
loading...
Comment Link
Thank you everyone for the help. I’ll try these last two ways. thankyou
loading...
Comment Link
Hi Millan.
Ban them at .htaccess level!
Also check that your .htaccess file is setup properly. I had a similar problem when a plugin modified my .htaccess than a few days later I had modified header.php and footer.php
loading...
Comment Link
Already did that, but I can do it again, maybe I overlooked something. Also, this website will soon get new theme and most of the things will be made from scratch starting with full WP install, DB and files cleanup and server settings review.
loading...