wfgreg
Forum Replies Created
Wordfence does have Site Cleaning services, and it does sound like your site is having ongoing malware attacks. I would recommend looking at the services I sent:
https://www.wordfence.com/wordfence-site-cleanings/
Be aware, I do work for Wordfence, so the recommendation is coming from an employee.
It does sound like those files may have issues, which may need attention from your contact as well. It depends on what the exact scanner results say – sometimes they just highlight suspicious or unusual files, other times the scanners identify probable malicious content.
Whenever you are performing cleans, we recommend keeping backups of your site in case anything happens.
That’s really strange.
The email you received was a Wordfence email, warning of someone using a login to your WordPress site of a user that doesn’t exist?
The two things that can help you find out what happened are getting the email headers (from the warning email), and getting a look at any Access Logs from the time the email was sent. Your hosting provider can help if you are unfamiliar with how to download them.
There are a couple of possibilities you can find out from this.
One might be phishing (the email providing a link to a form that isn’t your site, but pretends to be a WordPress admin login ‘to check out the problem’).
Email headers from the email could tell you if the email was sent from your website or not.
A second option is that someone used malware to create a user, log in, and perform some actions, then deleted the account. But that is unusual because the actions someone would perform for that would be to leave backdoors, and a new user account is one such backdoor they’d want to leave behind.
If you have access logs for the server from the time of the email (your host may be able to tell you where they are), that could tell you if someone had actually accessed the server.
A third outcome might be a staging site or a cloned site. If you have a staging site, it could be that site that is being logged into (and have the user).
A fourth, rarer possibility is that someone had cloned the site – an exposed backup of your website could be downloaded. Essentially if you have a backup plugin saving copies of your site in a location a visitor can download, sometimes that site is then cloned by someone else (who then administrates that clone).
If they happened to clone your site, including the Wordfence settings and email, you would receive warnings when they log into their copy of your site.
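The reply above suggests pulling the access logs from around the time of the warning email. As an added illustration (not wfgreg's code or anything Wordfence ships), here is a small Python triage script that parses combined-format web server log lines, keeps only the login-related requests (wp-login.php and xmlrpc.php) within a window around the alert time, and groups them by client IP. The log lines, IP addresses and timestamps are constructed for the example; the "302 after POST /wp-login.php" heuristic reflects WordPress redirecting after a successful login, while a failed attempt re-renders the form with a 200.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2024:09:58:12 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2024:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Mar/2024:10:02:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.10 - - [14/Mar/2024:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""

# Constructed alert time: when the Wordfence warning email would have been sent.
ALERT_TIME = datetime(2024, 3, 14, 10, 2, tzinfo=timezone.utc)

# Fields of the combined log format that matter for this triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints through which a WordPress login (or authenticated API call) normally arrives.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop query string
        "status": int(m.group("status")),
    }


def auth_events_near(log_text, alert_time, window=timedelta(minutes=15)):
    """Return login-related requests within +/- window of alert_time, grouped by client IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in AUTH_PATHS:
            continue
        if abs(rec["ts"] - alert_time) > window:
            continue
        by_ip[rec["ip"]].append(rec)
    return dict(by_ip)


def likely_successful_logins(events_by_ip):
    """IPs that POSTed to wp-login.php and got a 302 (WordPress redirects after a successful login)."""
    hits = []
    for ip, recs in events_by_ip.items():
        if any(r["method"] == "POST" and r["path"] == "/wp-login.php" and r["status"] == 302 for r in recs):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    events = auth_events_near(SAMPLE_LOG, ALERT_TIME)
    for ip, recs in events.items():
        for r in recs:
            print(f'{r["ts"].isoformat()} {ip} {r["method"]} {r["path"]} -> {r["status"]}')
    print("likely successful logins from:", likely_successful_logins(events))
```

If the window around the alert shows no request to the login endpoints at all, that points back at the email-header check in the reply (the warning may not have come from this site, or it may concern a staging or cloned copy).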
That sounds unusual. We have seen malware in the past that deliberately conceals maliciously created administrators from the web control panels.
When you have checked which users exist on your website, are you checking via the WordPress administrator panel, or through examining the database?
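The question above is the key one: malware that hides an administrator from the Users screen cannot hide it from the database tables WordPress reads its roles from. As an added example (not wfgreg's code, and not a Wordfence tool), the Python below builds a constructed in-memory copy of the two columns that matter in wp_users and wp_usermeta, lists every account whose `{prefix}capabilities` meta names the administrator role, and reports which of those accounts a panel listing did not show. The same SELECT runs unchanged against a real MySQL database via phpMyAdmin or the mysql client; only the table prefix (`wp_` by default, set by `$table_prefix` in wp-config.php) needs to match the site.

```python
import re
import sqlite3

# Constructed sample data mirroring the wp_users / wp_usermeta columns the check needs.
# The third account stands in for an administrator that a panel listing might not show.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner',       'owner@example.com', '2020-01-01 00:00:00');
        INSERT INTO wp_users VALUES (2, 'editor_jane', 'jane@example.com',  '2021-05-10 00:00:00');
        INSERT INTO wp_users VALUES (3, 'wp_support_', 'x@example.invalid', '2024-03-14 09:59:00');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def db_admins(conn, prefix="wp_"):
    """Return (ID, login, email, registered) for every account whose role meta grants administrator."""
    # Table names cannot be bound as parameters, so whitelist the prefix before interpolating it.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users AS u
        JOIN {prefix}usermeta AS m ON m.user_id = u.ID
        WHERE m.meta_key = ?
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID
    """
    # WordPress stores roles as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
    return conn.execute(sql, (prefix + "capabilities",)).fetchall()


def unlisted_admins(db_rows, panel_logins):
    """Administrators present in the database but absent from the logins the admin panel showed."""
    shown = set(panel_logins)
    return sorted(row[1] for row in db_rows if row[1] not in shown)


if __name__ == "__main__":
    conn = build_sample_db()
    rows = db_admins(conn)
    for row in rows:
        print("DB administrator:", row)
    # Constructed list of what the Users screen displayed for comparison.
    print("not shown in panel:", unlisted_admins(rows, ["owner", "editor_jane"]))
```

Any administrator the database lists that the panel does not is worth treating as part of the infection rather than deleting in isolation, since the reply notes these accounts are typically left behind as a backdoor and the code that hides them will still be present.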
A single infected website can be used to infect all the other websites in the same hosting account unless special protections are in place. Even if the website is the only one on the account, it can be infected and controlled by others until it is cleaned.
I would have your contact help you in cleaning these files.
To protect websites, use up-to-date plugins and themes, good passwords, and avoid installing obscure plugins and scripts. It could be an old plugin or theme.
This may help you protect websites in the future.
https://www.wordfence.com/learn/how-to-harden-wordpress-sites/
wp-config.php
…
The issue type is: Backdoor:PHP/rogueinclude.6167
…
“This is your main configuration file and cannot be deleted. It must be cleaned manually”
This means the file should not be deleted.
If you have someone familiar with how, they can clean the file manually. But do not delete that file.
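To make the "clean it manually" advice concrete, here is an added Python audit (not wfgreg's code, and not how the Wordfence scanner works) that helps whoever is cleaning the file spot what to review. It relies on one fact about a stock wp-config.php: the only include or require statement it contains is `require_once ABSPATH . 'wp-settings.php';`, so any other include/require line is unexpected and deserves a manual look. The sample config text and the extra include line in it are constructed for the example; they are not what the scanner reported for this site.

```python
import re

# Constructed wp-config.php excerpt: the usual tail plus one extra include added for illustration.
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
@include_once('/tmp/.cache/sess_a1b2.php');  // constructed example of an unexpected include
require_once ABSPATH . 'wp-settings.php';
"""

# Matches include/include_once/require/require_once with or without parentheses or a leading @.
INCLUDE_RE = re.compile(
    r'@?\b(include|include_once|require|require_once)\b\s*\(?\s*(?P<target>[^;]+?)\s*\)?\s*;'
)

# The single include a stock wp-config.php is expected to contain.
EXPECTED_TARGET = "ABSPATH . 'wp-settings.php'"


def audit_includes(config_text):
    """Return (line_number, line) for every include/require that is not the standard wp-settings.php one."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        target = m.group("target").strip().replace('"', "'")
        if target == EXPECTED_TARGET:
            continue
        findings.append((lineno, line.strip()))
    return findings


def is_clean(config_text):
    """True when the file contains no include/require beyond the standard one."""
    return not audit_includes(config_text)


if __name__ == "__main__":
    for lineno, line in audit_includes(SAMPLE_WP_CONFIG):
        print(f"review line {lineno}: {line}")
    print("clean:", is_clean(SAMPLE_WP_CONFIG))
```

The audit only flags lines; it does not edit the file. Removing an unexpected include by hand, and then restoring the file's permissions, is the manual clean the scanner message refers to, and a backup taken first (as the earlier reply recommends) lets the change be reversed if the site stops loading.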
These look like malware infections.
These files are important to clean up, as they can often be used to reinfect a website.
The report can be helpful to clean the files, if you have a web developer who knows how to perform this.
We offer site cleaning services if you need assistance with cleaning the site.
https://www.wordfence.com/wordfence-site-cleanings/
Greg