• Hello everybody,
    my WordPress 4.9.13 site with OneTone 2.4.2 theme has suffered an attack with JavaScript code injection in both files and database. I think I’ve cleaned up every trace of malicious code. I reinstalled a backup of the files saved before the infection and a database backup. I closed the main holes through which the attacks came. After reinstalling everything, the theme appears without any configuration, back to default. The configuration took hours and hours. How can I get it back? It has to exist somewhere in the databases. How can I reconnect it to the theme? Thank you.

  • I just suffered a similar attack on OneTone theme. Can you share the holes you plugged so that I can ensure I also have them plugged?

    Thread Starter harlock33

    (@harlock33)

    Apparently the hacker needed to create new users in order to inject the bad code. Luckily on this website I don’t need to have new users, so from general WP settings I ruled out the possibility of registration for anyone. Moreover the suspicious traffic is directed especially to wp-login.php: temporarily I renamed this file so that it has another address. Obviously for different infections the holes used can be different. However, I have installed Wordfence Security and WP Cerber Security plugins that have helped me to find infected files and to analyze the traffic.

    I’m hoping somebody will help me get this theme going again…

    Thread Starter harlock33

    (@harlock33)

    In addition to the information given, one clue is that the OneTone Companion plugin does not load any templates now.

    I have the same problem. I reinstalled WordPress and installed OneTone again and still can’t change theme settings. Need fast help; I think it’s the theme’s fault?

    Thread Starter harlock33

    (@harlock33)

    I want to clarify: I can access appearance / custom menu item. However, I can’t find any way to reload my settings.

    Thread Starter harlock33

    (@harlock33)

    Looks like the hacker manipulated the options manager: https://vuldb.com/?id.152745

    However, I wonder why once the files and the database are replaced with backup copies it is not possible to reload the options correctly… any attack must insist on one of these two components.

    Does anyone have any ideas?
    Thank you

    Thread Starter harlock33

    (@harlock33)

    Small update: I installed a new version of WordPress and a new version of the theme on a new database. The problems with importing the theme settings persist. They seem to be independent of the hacker attack. This is a problem that this theme has always had, judging by the messages on the manufacturer’s forum https://mageewp.com/forums …which is currently NOT reachable!

    It would be a great help if anyone who has had problems with importing a theme’s options could suggest some solutions.

    Thanks

    I also suffered several attacks since the beginning of April. I was able to recover the customization in theme options by downloading all the files from a good backup, and re-uploading them to replace all the files in the root directory.

    I need to plug the attack hole as well. Looking to hear from anyone who’s found the hole.

    • This reply was modified 4 years, 7 months ago by dps102.
    Thread Starter harlock33

    (@harlock33)

    In my case, the attack also infected the database (fortunately I had a backup of it). With the OneTone theme I was not able to recover the customization even after restoring the backup of files and databases. I had to redo all the customization: it seems that this problem does not depend on the virus.

    I’ve now been able to repair the weaknesses used by the hacker (I haven’t had any problems since 2 weeks ago). If it helps anyone, here’s what I did:

    – I closed user registrations on the website
    – I removed the write permissions to the important files (I set the permissions to 444 for the htaccess and wp-config.php files)
    – I installed Wordfence and Cerber plugins both in free version (through Cerber in particular I was able to monitor the hacker who day by day searched the vulnerable points of my cms)
    – I changed the login page address with the WPS Hide Login plugin
    – I added (copy and paste code) 6G firewall in htaccess in the website root
    – I disabled the native WP search by inserting a special function in the file functions.php of the theme
    – I disabled xmlrpc.php with the Disable XML-RPC plugin
    – I disabled REST API (needed especially for WP versions 4.7 and 4.7.1) with the Disable REST API plugin

    For all these measures you will find sufficient instructions on the net. But if you need any more information, my modest experience is at your disposal.

    • This reply was modified 4 years, 7 months ago by harlock33.
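
Added example, not part of any post in this thread: a small access-log triage for the traffic the thread starter describes (requests aimed at wp-login.php, new-user registration, and xmlrpc.php). It assumes logs in Apache/Nginx "combined" format; the sample lines, the function name `triage` and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2020:10:01:02 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "curl/7.58"
203.0.113.7 - - [12/Apr/2020:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.58"
203.0.113.7 - - [12/Apr/2020:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.58"
203.0.113.7 - - [12/Apr/2020:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.58"
198.51.100.9 - - [12/Apr/2020:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2020:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2020:10:03:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2020:10:04:00 +0000] "GET /?s=hello HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def triage(log_text, login_threshold=3):
    """Return {ip: sorted findings} for POSTs to the endpoints named in the thread."""
    login_posts = Counter()
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, target, _status = m.groups()
        if method != "POST":
            continue
        path, _, query = target.partition("?")
        if path.endswith("/wp-login.php"):
            if parse_qs(query).get("action") == ["register"]:
                findings[ip].add("registration attempt")
            else:
                login_posts[ip] += 1
        elif path.endswith("/xmlrpc.php"):
            findings[ip].add("xmlrpc.php POST")
    # Repeated login POSTs from one address are reported once, with the count.
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].add(f"{n} login POSTs")
    return {ip: sorted(notes) for ip, notes in findings.items()}

if __name__ == "__main__":
    for ip, notes in triage(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(notes))
```

Once registration is closed and xmlrpc.php is disabled as listed above, any address still showing up in this output is worth comparing against what Wordfence or Cerber report.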
  • The topic ‘to recover theme options after hacker attack’ is closed to new replies.