My WordPress files keep getting infected! How do I stop it?

OK, so to make a long story short: I have several niche websites and two of them are infected according to my AVG scanner. I also ran them through the Dr.Web online URL scanner (Dr.Web online check) and it tells me the same thing.

I found this out today as I was visiting the sites; my computer shot out a WARNING sign that the accessed file was infected.

The thing is, one of the sites is my church website that I run for my church and get paid to do it. So as you can imagine, this website is on a different hosting account, but I do all of my maintenance with my own computer, so even though it's on a different hosting account the infection is still there. That is why I think it might be my computer, maybe.
Here is the link to that website since I don't mind sharing that one. Rio Life Community Church.

Anyways, so what I did to one of my other websites is I erased all of my WordPress files except the wp-content folder. I then uploaded all the new WordPress files again. I scanned the website with Dr.Web again, and this time the results came out as CLEAN. The infection is gone.

But I'm worried that it will come back. How can I stop it? I have had similar problems with the exact same websites before. None of my other websites have a problem except these.

At first I was getting a Parse Error and the website would disappear, but now it's all these infections.

If anybody has a solution or recommendation, I would appreciate it. Even if there is valuable antivirus software for websites, I would be willing to buy it.

Thanks in advance.
  • Profile picture of the author Chris Grable
    Got the same alert with AVG! Not sure what to suggest.

    Nice looking site though!
  • Profile picture of the author globalpro
    Hi,

    Usually the problem is having an out of date copy of WP. The other problem you may run into is out of date plugins. Usually one of the two.

    Thanks,

    John
    • Profile picture of the author LuisEAvila
      Originally Posted by globalpro View Post

      Hi,

      Usually the problem is having an out of date copy of WP. The other problem you may run into is out of date plugins. Usually one of the two.

      Thanks,

      John

      The WordPress files are up to date, it's the latest version, but I will check the plugins.
  • Profile picture of the author RebeccaL
    It may also be some encrypted code in the wordpress theme.
    • Profile picture of the author LuisEAvila
      Originally Posted by RebeccaL View Post

      It may also be some encrypted code in the wordpress theme.

      The themes for the sites are all different and one of them even has the default theme that WordPress comes with. I will do as the post above mentions and check the plugins though.
  • Profile picture of the author Michael Silvester
    Hi Mate,

    This used to happen to me all the time too.

    This is what I did to fix it.

    Step 1: Updated to the latest version of WordPress
    Step 2: Updated plugins I was still using
    Step 3: Deleted all plugins I wasn't using anymore
    Step 4: Deleted all themes that I wasn't using anymore.
    Step 5: I put a blank index.html file inside every folder that didn't have its own index file. (Very important)

    If you do that you will get yourself out of trouble. I haven't been hacked since.

    Hope that helps?

    Take Care,

    Michael Silvester
    • Profile picture of the author LuisEAvila
      Originally Posted by Michael Silvester View Post

      Hi Mate,

      This used to happen to me all the time too.

      This is what I did to fix it.

      Step 1: Updated to the latest version of WordPress
      Step 2: Updated plugins I was still using
      Step 3: Deleted all plugins I wasn't using anymore
      Step 4: Deleted all themes that I wasn't using anymore.
      Step 5: I put a blank index.html file inside every folder that didn't have its own index file. (Very important)

      If you do that you will get yourself out of trouble. I haven't been hacked since.

      Hope that helps?

      Take Care,

      Michael Silvester

      Awesome advice. I don't understand the blank index.html file strategy though. How do you do that?
  • Profile picture of the author Joe118
    To find the culprit:

    Preparation:
    1. Upgrade everything
    2. Switch to the default theme; if you need to, install it from scratch from a WordPress ZIP file
    3. Turn off *all* plugins
    OK now you're ready to find the culprit:

    1. Visit the website. Does the warning appear? If yes, then your DB is infected. You need to look at every post with an editor, at every user registered, etc. Edit the bad code out.
    2. Turn on your theme of choice -- does the warning show up? If yes, delete the theme and upload a fresh copy.
    3. Turn on your plugins one by one and visit the website. Once you get the warning then you found the plugin that is the culprit. Delete the plugin and upload a fresh copy.
    It's tedious and a pain in the posterior. But you have to find it.

    Step 5 above in Michael Silvester's post is an excellent preventative measure once you've cleaned up the infection.
    • Profile picture of the author LuisEAvila
      Originally Posted by Joe118 View Post

      To find the culprit:

      Preparation:
      1. Upgrade everything
      2. Switch to the default theme; if you need to, install it from scratch from a WordPress ZIP file
      3. Turn off *all* plugins
      OK now you're ready to find the culprit:

      1. Visit the website. Does the warning appear? If yes, then your DB is infected. You need to look at every post with an editor, at every user registered, etc. Edit the bad code out.
      2. Turn on your theme of choice -- does the warning show up? If yes, delete the theme and upload a fresh copy.
      3. Turn on your plugins one by one and visit the website. Once you get the warning then you found the plugin that is the culprit. Delete the plugin and upload a fresh copy.
      It's tedious and a pain in the posterior. But you have to find it.

      Step 5 above in Michael Silvester's post is an excellent preventative measure once you've cleaned up the infection.
      I will do this, thank you for your info. You've given me an awesome blueprint to follow!
    • Profile picture of the author LuisEAvila
      Originally Posted by Joe118 View Post

      To find the culprit:

      Preparation:
      1. Upgrade everything
      2. Switch to the default theme; if you need to, install it from scratch from a WordPress ZIP file
      3. Turn off *all* plugins
      OK now you're ready to find the culprit:

      1. Visit the website. Does the warning appear? If yes, then your DB is infected. You need to look at every post with an editor, at every user registered, etc. Edit the bad code out.
      2. Turn on your theme of choice -- does the warning show up? If yes, delete the theme and upload a fresh copy.
      3. Turn on your plugins one by one and visit the website. Once you get the warning then you found the plugin that is the culprit. Delete the plugin and upload a fresh copy.
      It's tedious and a pain in the posterior. But you have to find it.

      Step 5 above in Michael Silvester's post is an excellent preventative measure once you've cleaned up the infection.

      I did what you suggested and found that my themes were infected; as soon as I would switch them from my default, the INFECTION sign would come out again.

      By any chance, do you know what this is... According to the Dr.Web online check this is the infection on one of my sites.

      http://www.mywebsite.com/infected with Js.Click.61



      • Profile picture of the author LuisEAvila
        Now that this problem is solved... how do I keep that from happening again? On some of the websites it was just the themes, but on others it was both the plugins and themes.

        Someone mentioned adding an index.html file to folders but I don't understand this; can anyone clarify?

        I would have to use my FTP program, right?
        • Profile picture of the author Gail_Curran
          Originally Posted by wicho696 View Post

          Now that this problem is solved... how do I keep that from happening again? On some of the websites it was just the themes, but on others it was both the plugins and themes.

          Someone mentioned adding an index.html file to folders but I don't understand this; can anyone clarify?

          I would have to use my FTP program, right?

          No, you don't need your FTP program. Go into cPanel, navigate to the folder you want to place a file in (using File Manager), and create a new file named index.html. You don't even need to put any code in the file. When you go to that folder through your browser, all you should see is a blank page.
  • Profile picture of the author Istvan Horvath
    How do you know that your files get infected?

    If the blog is old enough maybe it was already online when in one (or more? - don't remember) WP version there was a MySQL injection vulnerability, which means the evil script sits in your database and no matter what you do with the files... the hack keeps coming back.

    Also, there were hacks that uploaded some obscure files exactly in the wp-content folder (they know people don't delete that, LOL). Once I was checking a client's blog and there were some unexpected directories in wp-content/uploads/2008/17

    As you can notice it pretended to have a month 17... and the bad guys were inside such folders.

    So, just repeating the same operations and expecting different results - you know what they call it.
    Try checking those folders and your database. If needed, hire a pro (no, I don't do that kind of job, sorry).
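
Added example, not part of the original thread: a Python sketch of the check described in the post above, listing month folders under wp-content/uploads that cannot exist (such as 2008/17) and any non-empty script files stored among the media. The function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed list of server-side script extensions; media folders should hold none.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pl", ".cgi"}
YEAR_RE = re.compile(r"^(19|20)\d{2}$")
VALID_MONTHS = {f"{m:02d}" for m in range(1, 13)}


def audit_uploads(uploads_dir):
    """Return (unexpected_dirs, script_files), paths relative to uploads_dir."""
    unexpected_dirs, script_files = [], []
    for root, dirs, files in os.walk(uploads_dir):
        rel = os.path.relpath(root, uploads_dir)
        parts = [] if rel == "." else rel.split(os.sep)
        # Directly below a YYYY folder only the months 01..12 are legitimate.
        if len(parts) == 1 and YEAR_RE.match(parts[0]):
            unexpected_dirs += [os.path.join(rel, d) for d in dirs
                                if d not in VALID_MONTHS]
        for name in files:
            path = os.path.join(root, name)
            is_script = os.path.splitext(name)[1].lower() in SCRIPT_EXTS
            # Empty placeholder index files are harmless, so skip zero-byte files.
            if is_script and os.path.getsize(path) > 0:
                script_files.append(os.path.relpath(path, uploads_dir))
    return sorted(unexpected_dirs), sorted(script_files)


def build_sample_tree(base):
    """Constructed sample: a normal month folder and an impossible month 17."""
    samples = {"2008/05/photo.jpg": "jpeg bytes (constructed)",
               "2008/17/cache.php": "<?php /* constructed placeholder */"}
    for rel, body in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dirs, scripts = audit_uploads(build_sample_tree(tmp))
        print("unexpected directories:", dirs)
        print("script files in uploads:", scripts)
```
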
    • Profile picture of the author LuisEAvila
      Originally Posted by Istvan Horvath View Post

      How do you know that your files get infected?

      If the blog is old enough maybe it was already online when in one (or more? - don't remember) WP version there was a MySQL injection vulnerability, which means the evil script sits in your database and no matter what you do with the files... the hack keeps coming back.

      Also, there were hacks that uploaded some obscure files exactly in the wp-content folder (they know people don't delete that, LOL). Once I was checking a client's blog and there were some unexpected directories in wp-content/uploads/2008/17

      As you can notice it pretended to have a month 17... and the bad guys were inside such folders.

      So, just repeating the same operations and expecting different results - you know what they call it.
      Try checking those folders and your database. If needed, hire a pro (no, I don't do that kind of job, sorry).

      AVG tells me that the page I'm visiting is infected. I even used a different computer to go to the website and AVG still gave me the same report.
  • Profile picture of the author Letterman
    Curious also.... the file is simply a blank text doc renamed to index.html and uploaded into every WP folder?

    How does that deter? And Thanks for the information : - ]
  • Profile picture of the author Istvan Horvath
    Not into every folder, only to those that don't have one. Can be index.html or index.php, doesn't really matter.

    Uninvited visitors can't read what files you have in each directory. If there is no index, you would see a list of all the files there...
  • Profile picture of the author Michael Silvester
    Hi Mate,

    If you don't have an index file in every directory,
    basically any old person can come along and see
    what you have installed.

    Then they can dig around and find a way in.

    Let me give you an example.

    Go to your wordpress blog and put this on the
    end of your URL.

    wp-includes/

    And see what happens...

    Putting in a blank index file in all the directories
    that don't have one...will not allow hackers to
    snoop around and find a way in.

    Hope that makes sense?

    Take Care,

    Michael Silvester
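
Added example, not part of the original thread: one way to carry out the blank-index step on a shell account or a local copy of the site instead of creating each file by hand. It lists every directory without an index file and, when asked, creates an empty index.html there; the function names and the sample layout are constructed for illustration.

```python
import os
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}


def dirs_without_index(site_root):
    """Directories (relative to site_root) containing no index file."""
    missing = []
    for root, _dirs, files in os.walk(site_root):
        if not INDEX_NAMES & {f.lower() for f in files}:
            missing.append(os.path.relpath(root, site_root))
    return sorted(missing)


def add_blank_indexes(site_root, dry_run=True):
    """Create an empty index.html wherever no index file exists.
    With dry_run=True nothing is written; the target list is only returned."""
    targets = dirs_without_index(site_root)
    if not dry_run:
        for rel in targets:
            # Mode "x" refuses to overwrite a file that already exists.
            with open(os.path.join(site_root, rel, "index.html"), "x"):
                pass
    return targets


def build_sample_site(base):
    """Constructed sample layout; only some folders ship an index file."""
    files = ["index.php", "wp-content/index.php", "wp-content/themes/index.php",
             "wp-content/uploads/photo.jpg", "wp-includes/version.php"]
    for rel in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        print("would add index.html to:", add_blank_indexes(site))
        add_blank_indexes(site, dry_run=False)
        print("still missing:", dirs_without_index(site))
```

A blank index file only hides the directory listing; it does not block a direct request for a file whose path is already known.
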
    • Profile picture of the author LuisEAvila
      Originally Posted by Michael Silvester View Post

      Hi Mate,

      If you don't have an index file in every directory,
      basically any old person can come along and see
      what you have installed.

      Then they can dig around and find a way in.

      Let me give you an example.

      Go to your wordpress blog and put this on the
      end of your URL.

      wp-includes/

      And see what happens...

      Putting in a blank index file in all the directories
      that don't have one...will not allow hackers to
      snoop around and find a way in.

      Hope that makes sense?

      Take Care,

      Michael Silvester
      Awesome, will look into this!
  • Profile picture of the author Ken Shorey
    OP, you have malware on your pc. This is a global threat that is affecting hundreds of web hosts, and hundreds of thousands of websites. The virus, a variant of which was originally known as 'Gumblar', searches for FTP credentials stored on a client's computer, logs into the web server using those details, and modifies site files in order to host its own web content on your domain or to propagate itself to other machines (when the infected page is viewed in a web browser).

    It will affect all files with index, main, home in the filename and all .js files. Be sure to check all your plugins because many of them have files that will be affected.

    I have been hit by this and it is a real pain to get rid of if you have a bunch of sites.

    First scan your pc with Malwarebytes, and a good updated antivirus program. Upload clean versions of all infected files and change the password to all your hosting logins.

    Hope you get it straightened out.
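
Added example, not part of the original thread: a Python sketch that checks the files this post says are targeted (names containing index, main or home, and all .js files) against a clean copy of the same files, using SHA-256 hashes. The function names and the sample trees are constructed for illustration, and the clean copy is assumed to be the same version as the live site.

```python
import hashlib
import os
import tempfile

NAME_HINTS = ("index", "main", "home")  # name patterns named in the post


def is_targeted(filename):
    lower = filename.lower()
    return lower.endswith(".js") or any(h in lower for h in NAME_HINTS)


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def compare_with_clean(live_root, clean_root):
    """Compare targeted live files with a known-clean copy of the same release."""
    # modified = differs from the clean file; unknown = no clean counterpart
    report = {"modified": [], "unknown": []}
    for root, _dirs, files in os.walk(live_root):
        for name in filter(is_targeted, files):
            live_path = os.path.join(root, name)
            rel = os.path.relpath(live_path, live_root)
            clean_path = os.path.join(clean_root, rel)
            if not os.path.isfile(clean_path):
                report["unknown"].append(rel)
            elif sha256_of(live_path) != sha256_of(clean_path):
                report["modified"].append(rel)
    return {key: sorted(paths) for key, paths in report.items()}


def write_tree(base, files):
    """Write {relative_path: text} under base (constructed sample data)."""
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return base


CLEAN = {"index.php": "<?php // clean", "js/menu.js": "function menu(){}"}
LIVE = {"index.php": "<?php // clean\n<!-- constructed marker -->",
        "js/menu.js": "function menu(){}", "home.php": "<?php // no clean copy"}
if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        print(compare_with_clean(write_tree(a, LIVE), write_tree(b, CLEAN)))
```
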
    • Profile picture of the author LuisEAvila
      Originally Posted by Ken Shorey View Post

      OP, you have malware on your pc. This is a global threat that is affecting hundreds of web hosts, and hundreds of thousands of websites. The virus, a variant of which was originally known as 'Gumblar', searches for FTP credentials stored on a client's computer, logs into the web server using those details, and modifies site files in order to host its own web content on your domain or to propagate itself to other machines (when the infected page is viewed in a web browser).

      It will affect all files with index, main, home in the filename and all .js files. Be sure to check all your plugins because many of them have files that will be affected.

      I have been hit by this and it is a real pain to get rid of if you have a bunch of sites.

      First scan your pc with Malwarebytes, and a good updated antivirus program. Upload clean versions of all infected files and change the password to all your hosting logins.

      Hope you get it straightened out.
      Thanks, I will scan my pc and see what happens.