• I launched a new website at 1pm yesterday afternoon. The installation software generated a complex username and a very strong password, which I modified to make it stronger. After that I immediately installed the Limit Login Attempts, captcha, Wordfence and Sucuri plugins. I then uploaded a theme (a premium Elegant Themes one) and then closed down the website as I had to go out for the evening.

    When I got home, there was an email from Wordfence informing me that a core WordPress file had been modified. I viewed the file, but since I know little about coding, I didn’t understand it, though I did notice the word “explode”.

    I used Wordfence to restore the file to its original state. At this point I did not have any Sucuri alerts of brute force login attempts, but since this happened I have received notification of many failed login attempts from IPs in Ukraine.

    The Wordfence Blocked IPs log says that one of the Ukraine IPs had “5 hits before blocked” and “599 blocked hits”. It says “Last site access before this IP was blocked was 13/04/2016 at 22:07” – however I did not receive a Sucuri notification of this IP address trying to log in until 23:46 yesterday.

    Does this mean there is some malware embedded in the cPanel that transfers to the website as soon as I create it? Or is malware being transferred from the theme or plugins?

    The background to this is that I recently changed to a new hosting provider after five of my websites were hacked two months ago. I have reason to believe that my previous hosting provider suffered a DDoS attack. Since then I have installed increased security measures on all of my websites. I also ran a virus/malware checker on my computer which came out as clean.

    I will now delete and re-upload the theme and all the plugins I installed yesterday as a precaution. But I am very concerned that there could still be malware embedded in the site, or in my cPanel.

    Can anyone tell me how I can secure my website against these attacks and ensure that there is no embedded malware?

    Thanks
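The kind of core-file integrity check that produced the Wordfence alert in the post above, written out as an added example (not code from the thread or from Wordfence): it hashes files under a WordPress root against a known-good manifest and reports modified, missing and unexpected files. The manifest shape `{relative_path: md5}` mirrors what the WordPress core checksums API returns, but the file tree and manifest here are constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path: Path) -> str:
    """MD5 of a file read in chunks (WordPress publishes MD5 checksums for core)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_core(root: Path, checksums: dict) -> dict:
    """Compare a WordPress tree against a {relative_path: md5} manifest.
    Reports changed core files, missing core files, and files outside
    wp-content/ that the manifest does not list (a dropped file in
    wp-includes/ or wp-admin/ is as suspicious as an edited one)."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(checksums.items()):
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif md5_file(p) != expected:
            report["modified"].append(rel)
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in checksums and not rel.startswith("wp-content/"):
            report["unexpected"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: a tiny fake core tree, a manifest taken while it
    is clean, then one tampered core file and one dropped extra file."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-includes/load.php": b"<?php\nfunction wp_load() { return true; }\n",
        "wp-admin/admin.php": b"<?php\nrequire 'load.php';\n",
        "wp-content/themes/mytheme/style.css": b"/* theme file, not core */\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = {r: md5_file(root / r) for r in files if not r.startswith("wp-content/")}
    # Simulate tampering: append a line to a core file and add a stray file.
    (root / "wp-includes/load.php").write_bytes(files["wp-includes/load.php"] + b"// appended\n")
    (root / "wp-includes/stray.php").write_bytes(b"<?php\n")
    return check_core(root, manifest)
```

Against a real install, take the manifest from the official checksums for the exact version and locale, and treat any hit in `modified` or `unexpected` as something to restore from a clean copy rather than edit in place.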

Viewing 4 replies - 1 through 4 (of 4 total)
  • I am by no means a security expert, and there are many here who know more about this than I do, but there are two other possibilities I would consider here: 1. Your host has been compromised, or 2. You have a keylogger or other similar malware on your computer that your scan failed to detect.

    If I were in your situation I would focus on #1 first. Who is your host? Are you on a shared server? What kind of reputation do they have? Have they been blacklisted anywhere? Check your server IP here: https://mxtoolbox.com/blacklists.aspx

    Thread Starter nataliemin

    (@nataliemin)

    Thanks MBWB. I’ve checked my hosting provider against the blacklist and they came out clean. I did loads of research before I moved to them, and they have an excellent reputation.

    I also did a virus scan on my Mac about a week ago, but maybe there was something that it failed to detect.

    There have been several failed login attempts since then, so I’m hoping that means the backdoor that initially allowed them access has now been firmly closed.

    Wordfence is an excellent plugin. I use it myself. If you are still concerned I would upgrade to the premium version (very affordable for one website).

    Most important question: did you purchase the theme, or download a nulled version from the internet or a torrent?

    If you are using a nulled theme (which you should not be doing anyway), sometimes the person sharing it adds extra code which somehow opens a back door, or, I can say, notifies the person that his theme has been installed on xyz.com, and then kaboom.

    Also, if you have problems with Wordfence, try moving to Akismet.

  • The topic ‘Brand new website hacked despite security plugins etc’ is closed to new replies.