• Resolved aintholly

    (@aintholly)


    I’ve been using Wordfence for about a month after multiple takeovers of my website. Over the course of troubleshooting I’ve deleted plugins, old themes, hardened WordPress with .htaccess, scanned all my website files with anti-virus, disabled FTP access, reset WP salt in wp-config, and more.

    Every time attackers somehow manage to change the username to “admin” and a password to one of their choosing. There’s no notification from Wordfence, meaning they are managing to change the username and password without logging in to the WP site. I usually catch them before they log in to WP, and I reset the password from phpMyAdmin. After I restore access, I scan the site with WF and come up clean.

    Today I received a WF notification because an attacker actually used the admin login. They deleted the WF plugin and installed a malicious plugin called “File Manager.” They also used a malicious php file called “resetcp.php” to reset the password, but I’ve never found a file like that before.

    The site is currently running WP 5.1.1, WF 7.2.4, Imsanity 2.4.2, Annual Archive 1.5.3 and Akismet 4.1.1. The only theme is Twenty Nineteen.

    I’m in the process of backing up my posts so that I can completely erase public_html and start with a new WP install. Other than that, is there anything else I can try to protect my site?
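    The pattern in this post (the `wp_users` row being rewritten directly in the database, so a login-based alert never fires) can be caught by baselining the table and diffing later snapshots. The following is an added example for defenders, not code from the thread or from Wordfence; the `WpUser` type, the `admin` flag derived from `wp_capabilities`, and the two snapshots are constructed assumptions.

```python
"""Detect out-of-band changes to WordPress accounts (added example).

Compares two snapshots of wp_users (plus an admin flag taken from the
wp_capabilities usermeta) and reports renamed logins, replaced password
hashes, changed emails, new or deleted accounts and privilege grants.
Snapshots here are constructed dicts; in practice export the same columns
with SELECT ID, user_login, user_pass, user_email FROM wp_users.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class WpUser:
    user_login: str
    user_pass: str   # stored hash as-is; never a plaintext password
    user_email: str
    admin: bool      # True when wp_capabilities contains 'administrator'


def diff_users(baseline: dict[int, WpUser], current: dict[int, WpUser]) -> list[str]:
    """Return one alert string per difference, keyed by wp_users.ID."""
    alerts = []
    for uid, new in current.items():
        old = baseline.get(uid)
        if old is None:
            role = " with administrator role" if new.admin else ""
            alerts.append(f"ID {uid}: new account '{new.user_login}' created{role}")
            continue
        if old.user_login != new.user_login:
            alerts.append(f"ID {uid}: login renamed '{old.user_login}' -> '{new.user_login}'")
        if old.user_pass != new.user_pass:
            alerts.append(f"ID {uid}: password hash replaced for '{new.user_login}'")
        if old.user_email != new.user_email:
            alerts.append(f"ID {uid}: email changed '{old.user_email}' -> '{new.user_email}'")
        if not old.admin and new.admin:
            alerts.append(f"ID {uid}: '{new.user_login}' granted administrator role")
    for uid in baseline.keys() - current.keys():
        alerts.append(f"ID {uid}: account '{baseline[uid].user_login}' deleted")
    return alerts


# Constructed snapshots: a clean baseline, then a later snapshot showing the
# thread's symptom (owner login renamed to 'admin', hash replaced) plus two
# other changes a defender wants flagged. Hash values are placeholders.
BASELINE = {
    1: WpUser("siteowner", "$P$BexampleHash0000000000000000000", "owner@example.com", True),
    2: WpUser("editor", "$P$BexampleHash1111111111111111111", "editor@example.com", False),
}
CURRENT = {
    1: WpUser("admin", "$P$BplaceholderHash222222222222222", "owner@example.com", True),
    2: WpUser("editor", "$P$BexampleHash1111111111111111111", "editor@example.com", True),
    3: WpUser("backup", "$P$BplaceholderHash333333333333333", "x@example.invalid", True),
}

if __name__ == "__main__":
    for line in diff_users(BASELINE, CURRENT):
        print(line)
```

Run it from cron against a fresh export and mail any non-empty result; an empty list means the account table matches the baseline you took after the last clean reset.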

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hey @aintholly,

    I’m really sorry to hear about this, I know how frustrating it can be.

    In addition to a fresh installation of all software I’d suggest updating your ftp/sftp and database credentials. I’d also see if your hosting provider will move you to a different server. If this continues to happen after that, I’d get with a hack repair service to make sure it’s professionally cleaned and the point of entry is patched. We offer this service if it’s needed.

    https://www.wordfence.com/wordfence-site-cleanings/

    Good luck,

    Gerald

    Thread Starter aintholly

    (@aintholly)

    Thank you for the reply. After changing the credentials didn’t help, I completely deleted the FTP user since WordPress no longer requires FTP to update like it used to. I also changed the MySQL password after every hack as part of changing all related passwords. While I’d like to know how this latest malicious file was uploaded without FTP access and with no records of the offending IP address showing up in the access logs, we’ve decided to take the drastic route. We’ve completely erased the public_html site, hopefully removing anything that was allowing malicious users to upload files and change the password. The plan is to eventually re-install the latest version of WP and see if that site stays secure. The hosting provider has been involved but hasn’t been able to detect any obvious reason how they continued to gain access.

    As an aside, I fired up a Tor browser and tried to find information about hacking WP on onion sites. The continuous nature of the attacks (at least once every 5 minutes according to WF) led me to believe my specific site must have been listed somewhere as an easy-to-attack target. I wasn’t able to find anything in a few hours of searching, but I think there has to be a reason so many hackers from different countries continued to attack the site on a daily basis. Perhaps some remnant of an old theme or plugin was allowing access even though I removed it from WP.

    In summary, it seems like we’ll never be certain how attackers were gaining access. We’ll just start from scratch and hope for the best.

    Hey @aintholly,

    After speaking with a colleague about this I was wondering if I could get a little more information?

    Who are you hosting with?

    Also, can you please email me your Diagnostics report so we can review the plugins on the site? From the WordPress Dashboard navigate to Wordfence > Tools > Diagnostics then click SEND REPORT BY EMAIL to send it to [email protected]. Please also add your www.remarpro.com username and update this post so we’ll know what it’s in reference to.

    Additionally, it might be a good idea to update your cPanel/hosting credentials.

    Thanks,

    Gerald

    Thread Starter aintholly

    (@aintholly)

    Thank you again for the replies. The site is hosted by Webintellects. During the repeated hacks, the cPanel password was one of many we changed. At the hosting provider’s suggestion, we even changed email passwords and deleted unused email accounts.

    There’s no longer a site to send WF diagnostics from. We’ve decided to completely erase the public site and temporarily host the blog on a local LAMP installation. Perhaps in the future we’ll re-install on our hosting service, but for now we’re keeping it private. I’ll be sure to install WF from the get-go next time in the hopes we can avoid whatever caused it to be so easily and frequently compromised.

    Hey @aintholly,

    Thanks for the update, and I’m sorry to hear about the troubles. Please do let us know how it goes.

    Thanks,

    Gerald

  • The topic ‘Username/pw are being changed, not brute forced’ is closed to new replies.