richardhertz

these hackers were sneaky, they laid low, so when restoring from back ups, the backup was also infected.

The hosting company I was with (keyword, was), was no help. I needed cpanel PID’s, and they refused to provide them. With all the whm and cpanel compromises, it became clear that the hosting company had serious problems and simply did not care to resolve the issue. After 14 years as a customer, they ended up tossing me off the server and deleted all my accounts.

I’ve now moved to managed wordpress hosting. Security is supposed to be better. We shall soon see as I’m loading up my reselller account to test it.

I’m rebuilding all my client’s websites. Maybe its time for a new look. But, 75 sites is a lot of work to do, for free. Freaking script kiddies and hackers, must have nothing else or now way to make a decent living wherever they are from. That which does not kill me…..moving on…..

I’ve been suffering this hack for 3 months. My host tech are running avscan to find malicious files.

In one of the infected files, I found a line of code that can turn off wordfence, renaming the entire directory effectively turning it off.

I alsi found online markets that sell accounts, sell exploit scripts. They are using wp-load to bypass wordpress security to do remote code execution and install malware and malicious files. They can even turn off 2fa and compromize whm with brute force attacks.

This is the worst I’ve ever seen.

thank you Tuhin. that gives me a little more to go on.

htaccess file keeps getting modified with this line.

<FilesMatch "^(index.php|simple.php|store.php|unlockindex.php|lockindex.php|google(.*)\.html|chosen.php)$">

Index php file gets changes, and robots txt file is modified.

Logs show possible entry via: “GET /wp-includes/app.php

logs show more stuff around

GET /robots.txt, GET /sitemap-index.xml, GET /security.txt, GET /.well-known/security.txt, GET /ads.txt, GET /humans.txt

Simple, store, chosen, unlockindex, lockindex, chosen php scripts are all deleted or cleaned by immunify.

How does this hacker keep getting in? Determined to beat him, but darn, I’s hire him for SEO work if he or she wanted to go legit…..

I keep getting same hack, over, and over. This must be some persistent hacker. I just cant figure out how he keeps getting in. I’ve changed cpanel passwords. Changed whm passwords. Changed admin password to log into admin area of website. Scanned database with Malcare and it says clean. Manually scanned sql dump too, its clean.

Immunify360 is installed and running on the server, and it catches, cleans, and removes infected files.

/

More documentation needed.

Which google api do you need. Could you include video how to set up google, twitter, linked in api.

What about facebook log in? Icon exists but no api credentials included in set up.

How does one display IO system on wordpress site?

How does one register with IO plus?