Adam
Forum Replies Created
Users can easily just copy and paste the .htaccess rules from the 6G website if they still want them.
No, usually they don’t. Most web servers should block a POST with that kind of content with a 403 and messages from the server WAF like “LDAP Injection Attack” or similar.
Additionally, there is still a 6G settings section in the AIO Security settings, which is, at the least, confusing.
This change has affected users for whom these rules were working.
With the removal of the 6G rules from .htaccess, these users have been de facto forced to use your PHP-based firewall.
But:
- we are not familiar with its effectiveness…
- this solution is based on PHP and not .htaccess, which has traditionally been the first line of defense
- this change prevents the use of other, proven / favorite / premium WAFs that may already be installed on our systems
Please consider the possibility of restoring the 6G (or newer) .htaccess rules for users who do not wish to use your PHP firewall.
I hope you understand that users may have different preferences for their WAF solutions.
Forum: Plugins
In reply to: [All-In-One Security (AIOS) – Security and Firewall] Update 6G to 7G??
Great
Please consider adding the ability to enable logging of requests blocked by the 7G rules.
Thanks for the good work!
Hi,
I have exactly the same issue, my version is 5.3.6.
Do you have any suggestions?
Yes, it is.
Forum: Fixing WordPress
In reply to: WordPress Hacked
Just fix ‘siteurl’ and/or ‘home’ in your database (the first two rows in the wp_options table)
A.
So, probably there is another vulnerability, it may be a weak password, another website on this hosting account, server security issues etc – it’s impossible to guess.
Yes, you may try with the backup, but you have to know that the backup might be infected (we don’t know when your website was infected, we know when Google/hosting found the infection).
After recovering the backup you HAVE TO:
– change all the passwords including database password
– upgrade all the plugins (to fix the vulnerability, which most likely is a vulnerable plugin)
– verify the domain ownership in Google Search Console and send the reconsideration report (for www and non-www version).
Of course, you need to recover the backup after cleaning your hosting account (please, be sure that this backup is working)
If you are lucky, it may work. Good luck!
A.
@johanna2patricia
It is (almost) always possible to clean infection without starting from scratch. Additionally, there is no guarantee that removing all files except /uploads folder solves your problem (for many reasons, like malicious content in your DB or wp-config file, compromised password(s) etc. to name a few).
Unfortunately, it may be really hard to clean the infection, remove the vulnerability, harden your WP and deal with Google issues if you have no experience in this field.
Forum: Fixing WordPress
In reply to: Please check this .htaccess
There is nothing suspicious in this .htaccess file.
Did you try to fetch these ‘pharma’ URLs as Google (using Google Search Console)?
A.
Forum: Fixing WordPress
In reply to: My website was hacked…
The fact that someone is trying to brute-force your website credentials using xmlrpc.php doesn’t mean that xmlrpc.php is an ‘open door’ to your website. Most likely wp-login.php may be used to brute-force your website as well (according to this Wordfence blog post). There are a lot of plugins and server-side solutions to avoid that kind of attack (mainly to block a user IP after a certain number of unsuccessful login attempts).
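The blocking the reply describes starts with spotting the offending client. As an added example, not code from the original post or from Wordfence, the POSIX shell script below counts login POSTs per client IP over a few constructed Apache combined-format access-log lines and lists the IPs at or above an assumed threshold. Constructed and assumed: the log lines, the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses, the field positions of the combined log format, and the threshold of 3.

```shell
#!/bin/sh
# Added example, not from the original forum reply. Log lines are constructed.

# sample_log: a few constructed Apache combined-format lines. Real logs come
# from the web server (access.log); field 1 is the client IP, field 6 the
# method, field 7 the request path and field 9 the HTTP status.
sample_log() {
  cat <<'EOF'
203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2023:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
EOF
}

# login_attempts: read log lines on stdin, print "count ip" (highest first)
# for every IP with failed-looking login POSTs.
#  - wp-login.php: a failed login re-renders the form with status 200,
#    a successful one redirects with 302, so only 200 is counted.
#  - xmlrpc.php: WordPress answers 200 whether the call succeeded or returned
#    a fault in the XML body, so every POST is counted.
login_attempts() {
  awk '$6 == "\"POST" && ($7 ~ /^\/xmlrpc\.php/ || ($7 ~ /^\/wp-login\.php/ && $9 == 200)) { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: IPs (stdin = log) with at least THRESHOLD such POSTs.
# These are the addresses a block-after-N-failures rule would act on.
offenders() {
  login_attempts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on the constructed log with the assumed threshold of 3.
sample_log | offenders 3
```

Feed a real access log with `offenders 10 < /var/log/apache2/access.log` (path assumed) and pass the result to whatever blocking mechanism you use; the script only detects, it does not block.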
Forum: Fixing WordPress
In reply to: Site hacked on Godaddy
I have worked on hacked/malware-infected websites hosted on GoDaddy (as well as on websites hosted on most of the most popular hosting providers), and an infection has never been the fault of GoDaddy.
There may be many reasons why your site is continuously hacked, for example, it may not have been efficiently cleaned after the very first infection.
Hi,
You may try to find all .ico files using external tools (like your hosting panel, an FTP client or a simple PHP script if you are allowed to use shell_exec()) and delete all of them other than favicon.ico.
But note that .ico files can’t be executed if there are no other modifications, like AddHandler/SetHandler (mainly in .htaccess) or inclusion of .ico files in other .php files.
Also, you really need to find and fix the vulnerability.
No matter how secure your account is, there are other accounts in your shared hosting that don’t know that theirs have been compromised by malicious files.
Not true: on properly configured shared hosting all user accounts are separated, and an improperly configured VPS will not be secure.
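The search the reply above describes, as an added example that is not part of the original post: a POSIX shell script that builds a small constructed WordPress-like tree in a temporary directory, lists every .ico file other than favicon.ico, and then checks for the two conditions the post names that would let an .ico file run at all, an AddHandler/SetHandler line in an .htaccess file, or a PHP file that include/require-s an .ico path. All directory names, file contents and planted files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original forum reply. Everything under the
# temporary root is constructed for the demo.

# make_tree ROOT: build a small WordPress-like tree with one legitimate
# favicon.ico, two planted .ico files, an .htaccess that maps .ico to PHP,
# and a PHP file that includes an .ico file.
make_tree() {
  mkdir -p "$1/wp-content/uploads/2023" "$1/wp-includes"
  : > "$1/favicon.ico"                                                    # legitimate
  printf '<?php /* planted */ ?>' > "$1/wp-content/uploads/2023/image.ico" # planted
  printf 'GIF89a' > "$1/wp-includes/settings.ico"                         # planted
  printf 'RewriteEngine On\n' > "$1/.htaccess"                             # benign
  printf 'AddHandler application/x-httpd-php .ico\n' > "$1/wp-content/uploads/.htaccess"
  printf '<?php\n@include_once("wp-includes/settings.ico");\n' > "$1/wp-includes/loader.php"
  printf '<?php echo "hi";\n' > "$1/index.php"
}

# suspicious_ico ROOT: every *.ico that is not favicon.ico, one path per line.
suspicious_ico() {
  find "$1" -type f -name '*.ico' ! -name 'favicon.ico' | sort
}

# handler_abuse ROOT: .htaccess files carrying an AddHandler/SetHandler line.
# Hosts sometimes add a legitimate "AddHandler ... .php" for PHP-version
# selection, so review the hits instead of deleting blindly.
handler_abuse() {
  find "$1" -type f -name '.htaccess' \
    -exec grep -lE '^[[:space:]]*(Add|Set)Handler' {} + | sort
}

# ico_includes ROOT: PHP files that include/require a path ending in .ico.
ico_includes() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE '(include|require)(_once)?[^;]*\.ico' {} + | sort
}

# Usage on the constructed tree.
root="$(mktemp -d)"
make_tree "$root"
echo "== .ico files other than favicon.ico"; suspicious_ico "$root"
echo "== .htaccess files with AddHandler/SetHandler"; handler_abuse "$root"
echo "== PHP files including an .ico"; ico_includes "$root"
rm -rf "$root"
```

Point the three functions at the real document root instead of the constructed one; an .ico hit on its own is only a file to delete, while a hit from the second or third function is the modification that makes such files executable and is the more important thing to remove.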
Forum: Fixing WordPress
In reply to: Facebook like counter has reset itself
This is a paid plugin, it’s easy to find – just ask Google about ‘Really Simple SSL Social’ (I can’t paste a link because the links are quite restricted here).
If you’ve enabled redirection in some way (if your visitors are automatically redirected from http://yoursite to https://yoursite with code 301), Google will eventually “switch” the link juice to the new page, but it will take more time and there may be some fluctuations in SERP and in the traffic.
You may check if redirection works properly on this page:
https://www.redirect-checker.org/
(just put your domain with http:// and you should get a 301 redirection to https://)
A.
Forum: Fixing WordPress
In reply to: Facebook like counter has reset itself
You may fix this by changing (or adding):
<meta property="og:url" content="http://www.mydomain.com" />
or installing a dedicated plugin, like Really Simple SSL Social
BTW:
– after switching to https:// you also need to verify new domains in Google Search Console and send new sitemaps
– if you have been hacked, switching to https:// will not help
A.