Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    If your site was already hacked before you installed NinjaFirewall, you need to clean it up and remove all backdoors first. Hackers probably have full access to your site.
    1. Change all your passwords (including FTP, hosting panel, etc.).
    2. Enable File Check with hourly scan. The snapshot is stored in the /wp-content/nfwlog/ folder. Its purpose is to detect changes, not to restore. You can use a plugin like Wordfence to do that; it works well with NinjaFirewall.
    3. Enable File Guard and set the delay to 20 hours.
    4. In the Firewall Policies, you may need to enable “Block POST requests in the themes folder /wp-content/themes” and similar options.
    5. Keep an eye on the firewall log. Even if they have access to your site, some of their actions may be blocked or logged.

    When you get an alert, check your HTTP server log, mostly for POST requests, and you should find where the backdoor(s) is/are.

    Thread Starter HaHaYouSuck

    (@hahayousuck)

    Thanks for your help. This hacker seems to be able to add this code to themes/artificer/header.php whenever he wants. I’d like to decrypt it.

    [Large code excerpt removed by moderator per forum rules. Please use the pastebin for all large code excerpts. It works better anyway.]

    Also, there is the execution of extra.php in the logs, but the file is nowhere to be found. I have blocked a few IPs that appear in my logs. I’m not sure how to block POST to the theme folder, and I am using both WF and NF now.

    Plugin Author nintechnet

    (@nintechnet)

    To block POST requests in the theme folder:
    1. Click on “Firewall Policies”.
    2. Scroll down the page to the bottom. One of the last few options is “Block POST requests in the themes folder /wp-content/themes”. Select “Yes” then click on “Save Firewall Policies” to save the changes.

    Then, keep an eye on the firewall log.
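
The HTTP server log check recommended in the first reply, and the kind of request the themes-folder POST policy targets, as an added example that is not part of the original thread or of NinjaFirewall. It assumes the Apache/nginx "combined" log format and that nothing legitimate on the site POSTs directly to a PHP file below wp-content/; the log lines, IP addresses and file names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" format: ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: normal POST traffic goes to wp-login.php, admin-ajax.php and the
# like, so a direct POST to a PHP file under wp-content/ deserves a look.
SUSPECT_RE = re.compile(r'^/wp-content/(?:themes|plugins|uploads)/.+\.php$', re.I)

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2016:04:11:02 +0000] "POST /wp-content/themes/example-theme/extra.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2016:04:11:09 +0000] "POST /wp-content/themes//example-theme/extra.php?a=1 HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2016:04:12:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2016:04:13:01 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 1450 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [12/Mar/2016:05:00:00 +0000] "POST /wp-content/uploads/2016/03/img.php HTTP/1.1" 404 210 "-" "curl/7.47"',
]

def suspicious_posts(lines):
    """Group POSTs to PHP files under wp-content/ by normalised path."""
    found = defaultdict(
        lambda: {"hits": 0, "ips": set(), "statuses": set(), "first_seen": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode %xx escapes, collapse repeated slashes
        path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0]))
        if not SUSPECT_RE.match(path):
            continue
        entry = found[path]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"].add(int(m["status"]))
        entry["first_seen"] = entry["first_seen"] or m["time"]
    return dict(found)

if __name__ == "__main__":
    for path, e in sorted(suspicious_posts(SAMPLE_LOG).items()):
        print(f'{e["hits"]:>3} hit(s)  {path}  status={sorted(e["statuses"])}  '
              f'ips={sorted(e["ips"])}  first={e["first_seen"]}')
```

To run it on a real log, pass the open file object to `suspicious_posts()`; the log location depends on the server configuration.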

  • The topic ‘Preventing file changes’ is closed to new replies.