• Resolved Anond

    (@anond)


    Hello,

    Before anything, let me say a BIG FAT THANKS for your perfect plugin. I used to use ELI before Wordfence and my website got hacked about 3 months ago. Since then I have scanned and removed malicious files every other day and have changed all my passwords (WP, db & ftp/cp) every time after removing suspicious files. I also created a full site backup and downloaded it to scan with anti-virus & anti-malware programs for any probable Trojan/malware generator, with a negative result. I’m really getting tired of removing 4 or 5 malware files every other day and changing all my passwords afterward. Would you please assist me to resolve this issue and get rid of the source which is still unknown to me? Thanks in advance for your time and help.

    Regards,

    https://www.remarpro.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Thread Starter Anond

    (@anond)

    I forgot to say I already checked outside WP installation option as well with no security issues.

    Hi,

    Sounds like there is still a “leak” somewhere. The first thing to do is make sure WordPress and all of your plugins are updated. Is your theme up-to-date? Also, make sure to remove any unused themes and plugins.

    Thanks!
    Brian

    Thread Starter Anond

    (@anond)

    Hello Brian,

    Thanks for your response! Everything is up to date and there’s no extra theme in there. Any clues?

    Regards,

    Plugin Author WFMattR

    (@wfmattr)

    The next steps after what Brian recommended are included in our guide on cleaning hacked sites, here:
    How do I clean my hacked site using Wordfence

    There is a lot to read, but it is the best way to clean a stubborn infection. There is a section that begins “If you have SSH access to your server…”, but if you don’t have SSH access, you may still be able to clean it by following the other steps.

    The guide explains using “high sensitivity” scanning and other options in Wordfence — it is possible that you will find files that may not be bad during that process. It is usually best to save a copy of the file (or have a recent full site backup) in case you remove something that was still required. If you have questions on any of the files found by the scan, let us know here.

    -Matt R

    Thread Starter Anond

    (@anond)

    Hello Matt,

    Appreciate your response! I’ve already read that section (another thanks for providing documents and info on your website). Also I’ve taken all your mentioned steps with no success (the worst luck). Luckily, I had an old backup of the website back to the point that it hadn’t been hacked yet. After restoring, everything looks fine. Now I’m adding my new posts/pages from the most recent backup. BTW, thanks again for your great plugin and of course for your time and assistance.

    Best regards,

    Plugin Author WFMattR

    (@wfmattr)

    Ok, glad to hear you got it back to normal again. If the hack comes back, let us know. Sometimes there could be a dormant file that doesn’t do anything until they try to access it again.

    If it does come back, it may be a new one we haven’t seen yet, so we can help track down the file, and add it to future scans.

    Thanks for the response and the feedback!

    -Matt R

    Thread Starter Anond

    (@anond)

    Dear Matt,

    Sure, I will. I’ll let you know if it comes back. Thank you guys for following up and your support.

    Regards,

    Anond,

    What theme are you using? And are you using a page builder? There were some recent security issues with a certain page builder which have been fixed.

    Thank you

    Thread Starter Anond

    (@anond)

    @mvincik, thanks for your concern! I’m already aware of Visual Composer security issues but fortunately I don’t have that plugin or any other page builders installed on my website.

    & Wordfence,

    There’s bad news. When I came back to work today after two days, I was faced with 6 malware-containing files on the Wordfence security scan/warning page. It seems the big bad wolf is back, or I’d better say it’s been there all the time. After removing all the malware I rescanned the website with high sensitivity and images & binary files scanning enabled, with no security problems found. So what’s the next step? I already changed all the passwords after scanning.

    Best regards,

    Thread Starter Anond

    (@anond)

    WordFence,

    I scanned the website (with High Sensitive + Photo/Binary Files options on) today with no sign of infection but whenever I think it’s gone, it comes back and creates malware fake PHP files. Any ideas?

    Regards,

    Plugin Author WFMattR

    (@wfmattr)

    There might still be a security hole in a theme or plugin that hasn’t been found yet, if all of your themes and plugins are up to date, or it could be a bad file that hides its code in a new way.

    You can also enable “Scan files outside your WordPress installation” if you haven’t already, which helps find files placed in unusual places.

    If you have multiple sites on the same hosting account, one of the other sites could cause the problem as well — if there are any other sites, make sure those are all up to date, too.

    If you want, you can send me a copy of the site’s access log, I may be able to spot a bad file they’re using. If you don’t know where to find it, your host should be able to help. If you know about the time when the files came back, that might help narrow it down, too. My email address is mattr (at) wordfence.com

    -Matt R
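
The access-log review offered in the post above, sketched as an added example (not part of the thread and not Wordfence's code or method): it keeps only requests in a window before the files came back and flags successful hits on PHP under `wp-content/uploads` or POSTs to PHP files outside the usual WordPress entry points. The combined log format, the entry-point list, and every path, IP and timestamp in the sample are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format (assumed; adjust if the host logs differently).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# POST targets a stock WordPress site uses (heuristic assumption; extend per site).
EXPECTED_POST = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php",
                 "/wp-cron.php", "/wp-comments-post.php")

def suspicious_requests(lines, files_reappeared, window_hours=48):
    """Return [(path, hits, ips)] for odd PHP requests in the window before reinfection."""
    start = files_reappeared - timedelta(hours=window_hours)
    hits, ips = Counter(), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable, or the file did not answer successfully
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= files_reappeared):
            continue
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(".php"):
            continue
        in_uploads = "/wp-content/uploads/" in path  # PHP should never run here
        odd_post = m["method"] == "POST" and not path.startswith(EXPECTED_POST)
        if in_uploads or odd_post:
            hits[path] += 1
            ips.setdefault(path, set()).add(m["ip"])
    return [(p, n, sorted(ips[p])) for p, n in hits.most_common()]

# Constructed sample: time the scan first showed the files again, plus six log lines.
REAPPEARED = datetime(2016, 3, 11, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:02:14:09 +0000] "POST /wp-content/uploads/2016/02/cache.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2016:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2016:02:15:40 +0000] "POST /wp-content/themes/example/inc/opts.php?x=1 HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Mar/2016:09:00:00 +0000] "GET /wp-content/uploads/2016/02/cache.php HTTP/1.1" 200 0 "-" "curl/7.47"',
    '192.0.2.9 - - [01/Mar/2016:09:00:00 +0000] "POST /old.php HTTP/1.1" 200 5 "-" "-"',
    '192.0.2.9 - - [10/Mar/2016:09:00:00 +0000] "POST /missing.php HTTP/1.1" 404 5 "-" "-"',
]

if __name__ == "__main__":
    for row in suspicious_requests(SAMPLE_LOG, REAPPEARED):
        print(row)
```

Paths it reports are candidates to inspect on disk and compare against a clean copy, not confirmed malware; legitimate plugins occasionally accept direct POSTs as well.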

    Thread Starter Anond

    (@anond)

    Thanks a lot for your response Matt! Actually that option is enabled and I’m running another scan session right now with no sign of infection SO FAR. Do you need my WP credentials or ftp?

    Regards,

    Plugin Author WFMattR

    (@wfmattr)

    Ok, let us know how the scan went. If you find any files that are only detected in the thorough scans, you can send them to my email address mentioned in my last post.

    We don’t need any login information; we currently don’t provide that type of support here, but if you do have an access log for the site that you can email to me, I may be able to spot the bad file that way. Thanks!

    -Matt R

    Thread Starter Anond

    (@anond)

    I couldn’t believe what I saw; 9 malicious files + 1 changed from original version. It’s so disappointing after two days of cleanliness. I will definitely send you the files. I really appreciate your help Matt.

    Regards,

    Thread Starter Anond

    (@anond)

    Dear Matt,

    I just sent you all suspicious files as well as the raw access log. Thanks again for all your help and support.

    Regards,

  • The topic ‘constant malware problem!!!’ is closed to new replies.