• Resolved ramardent

    (@ramardent)


    Hi there,

    My website was hacked last week. When I tried to scan the website, the Wordfence plugin wasn’t accessible in the WordPress back-end. So I deleted the plugin files from the plugin directory and installed fresh Wordfence plugins. After the scan, suspicious files and users were added in the back-end. With the help of the plugin, I repaired repairable files and deleted suspicious files. I even went through folders to delete suspicious-looking files. There were some weirdly named plugin, as well as theme, which I deleted. But today as well, my website got hacked; a new suspicious user was added, as well as suspicious files and some suspicious theme and plugin. I deleted all those, but the strange thing is that upon scanning, some suspicious files were inside the Wordfence plugin folder as well.

    Can anyone suggest how I can resolve this issue and protect my website from getting hacked again? Also, how can I remove these vulnerabilities and strengthen my website? I have updated users’ passwords. Reinstalled WordPress itself (as I was using the latest version), updated plugins and themes.

    Note – I have WordPress website in a sub-domain as well, which also appeared to have been hacked.

    Regards,

    Ram


Viewing 5 replies - 1 through 5 (of 5 total)
  • Hey @ramardent,

    Recommendations to fix your issue and prevent its recurrence:

    1. Follow this procedure.
    2. Avoid suspicious websites.
    3. Do not click on suspicious links.
    4. Do not use common usernames nor weak passwords.
    5. Do not use unsupported software, plugins, or themes.
    6. Ensure WordPress and your custom code, plugins, and themes are up-to-date.
    7. Do not use nulled plugins/themes nor plugins/themes from a third party (see note below).
    8. Ensure your website is protected by at least three (3) security layers: A good host (like SiteGround, Hostinger, and Dreamhost), a rock-solid security plugin (like Wordfence), and a reputable CDN (like Cloudflare).

    If the above did not help, contact your host or hire an expert for assistance. Heavily “contaminated” websites require expertise, time, and effort for proper clean-up and restoration.

    If the above did help, kindly consider closing this topic as “Resolved.”

    Note: From our research, using nulled or third-party plugins or themes causes 60-80% of all hacks or hacking attempts.

    Best wishes.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @ramardent,

    The procedure Generosus linked to is certainly our recommendation for cleaning a site yourself, and you can also check our free learning center for further information: https://wordfence.com/learn/

    Wordfence is an endpoint firewall that (when optimized) runs before site content is served to the browser but after PHP runs. This means that another entry point such as FTP, hosting control panel, database etc. where Wordfence doesn’t run could have been the source of the problem. Naturally it’s also important to have all the latest updates to WordPress, your plugins – especially if there are any known vulnerable versions. So, as a rule, any time I think someone’s site has been affected I tell them to update their passwords for their hosting control panel, FTP, any WordPress admin users, and database. Make sure to do this too!

    Many thanks,
    Peter.

    Thread Starter ramardent

    (@ramardent)

    Thanks for your reply @generosus and @wfpeter.

    We have implemented most of the steps you have specified above. We also went through most of the files and folders and found some backdoor files inside the public_html folder, named “wp-bookmarks.php” and “wp-class-revisions.php”, which looked like genuine files but contained malicious code and PHP functions. We have also upgraded from free Wordfence to the premium version and regularly scanned the website, which shows no threat and the site is secure.

    Regards,

    Ram
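
The backdoors named in the reply above sat in public_html under names that imitate WordPress core files. As an added example (not code from the thread or from Wordfence), this Python script flags PHP files in core locations that are missing from, or differ from, a trusted list of core files; the manifest format (relative path mapped to an MD5 digest), the function names and the constructed web root are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def audit_webroot(webroot, manifest):
    """Return (unknown, modified) relative paths of PHP files in core locations.

    manifest: dict of relative path -> MD5 hex digest of the genuine core file
    (assumed format, built from a clean copy of the same WordPress version).
    """
    webroot = Path(webroot)
    unknown, modified = [], []
    # Core PHP lives in the web root and under wp-admin/ and wp-includes/.
    # wp-content/ (plugins, themes, uploads) is outside a core manifest.
    candidates = list(webroot.glob("*.php"))
    for sub in ("wp-admin", "wp-includes"):
        if (webroot / sub).is_dir():
            candidates += (webroot / sub).rglob("*.php")
    for path in sorted(candidates):
        rel = path.relative_to(webroot).as_posix()
        if rel == "wp-config.php":  # site-specific, never part of core
            continue
        expected = manifest.get(rel)
        if expected is None:
            unknown.append(rel)  # core-looking name that core does not ship
        elif hashlib.md5(path.read_bytes()).hexdigest() != expected:
            modified.append(rel)  # genuine name, altered content
    return unknown, modified


def demo():
    """Constructed web root: genuine files, one altered file, two look-alikes."""
    core = {"index.php": b"<?php // front controller\n",
            "wp-login.php": b"<?php // login\n",
            "wp-includes/version.php": b"<?php // version\n"}
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in core.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in core.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / "wp-login.php").write_bytes(b"<?php // login, altered\n")
        for name in ("wp-bookmarks.php", "wp-class-revisions.php"):  # from the thread
            (root / name).write_bytes(b"<?php // placeholder content\n")
        (root / "wp-config.php").write_bytes(b"<?php // settings\n")
        return audit_webroot(root, manifest)


if __name__ == "__main__":
    print(demo())
```

On a real site, WP-CLI's `wp core verify-checksums` performs a comparable check against WordPress.org's checksums.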

    Hi @ramardent,

    Glad it all worked out! Thanks for sharing that.

    If satisfied, can you close this topic as “Resolved”?

    Cheers!

    Thread Starter ramardent

    (@ramardent)

    Thanks @generosus!
