Getting malware attacks despite the Cloudflare protection

Hi,

I have connected my site to Cloudflare CDN but still, I’m getting viral attacks and malware code snippets being injected into sensitive files of the website. Can I get to know the reason why this is happening in the presence of Cloudflare? If this is something not covered under Cloudflare protection, then what use is Cloudflare?

The targeted files include wp-settings.php and functions.php to name a few. I have got an email from my hosting provider saying they have quarantined the malicious files. Please see the attached screenshot.

Upon scanning with Wordfence, this malicious code snippet is showing up:

Looking forward to any solutions and suggestions.
Thanks.

Cloudflare protects you from DDoS mainly, and helps with performance.

I think this should be posted in the WordPress forums, not here. Is A2 self-managed or managed?

If you do not have backend access and they look after it, it sounds like you have bad, insecure plugins, or it’s them that is failing at security.


I’m using self-managed hosting and have access to the backend of my website. I have scanned the site using Wordfence and found these malicious snippets inside the files. Additionally, I have checked all the installed plugins and none of them seems insecure or an open door for hackers. All are running their latest versions.

Okay, well, you have backend access, so there are many things you need to do. Overall, Wordfence is good; besides the bad performance it can bring, security-wise it’s good, but remember it may be missing some random plugin that has a vulnerability.

What distro is the server running? Is it up to date?

Have you locked the server down with firewall rules (SSH, FTP)? Then it should allow Cloudflare only.
Have you (BIG IMPORTANT ONE) set file permissions? Literally hundreds of thousands are hacked with all files being permission 777, publicly writeable.

Example:
sudo find /var/www/html/wordpress -type d -exec chmod 755 {} \;
sudo find /var/www/html/wordpress -type f -exec chmod 644 {} \;

Next, is PHP up to date? FPM etc., on 8.0? We should be moving to 8.1 soon, for those that live on the edge.

Are you running Apache/nginx? There are heaps I can go on about for both of those.

For PHP, have you hardened your php.ini? ← lots to do in this space

Have you disabled all plugins except the most known and essential ones for a while to see if it reoccurs?

Basically, what I am getting at is that there are countless things to do and check; the attacker is achieving remote execution, so you need to go over your security practices one by one.
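The permission scheme and the obfuscated-loader shape discussed in this thread, as an added example that is not code from the thread, Cloudflare or Wordfence: a POSIX shell audit that lists world-writable paths and PHP files calling eval or a decoder, then applies the 755/644 fix. The sample tree, its file contents and the 640 mode for wp-config.php are my own constructed assumptions.

```shell
# Added example, not from this thread or from Cloudflare/Wordfence. Audits a
# WordPress tree for world-writable paths and for PHP files carrying eval/decoder
# calls like the obfuscated snippet Wordfence flagged. Sample files are constructed.

# List world-writable directories and files (octal -002 works on GNU and BSD find).
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 | sort
}

# List PHP files that call eval or a decoder, the usual shape of an injected loader.
# The pipeline ends in sort, so "nothing found" still exits 0.
find_obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(^|[^A-Za-z0-9_])(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' {} + \
        2>/dev/null | sort
}

# Apply the scheme from the reply (755 dirs, 644 files) and, as my own addition,
# tighten wp-config.php to 640 because it holds the database credentials.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 640 "$1/wp-config.php"; fi
}

# Constructed sample tree: a 777 wp-content, a clean theme functions.php, and a
# wp-settings.php with one injected eval(base64_decode(...)) line (decodes to "hello").
build_sample_tree() {
    umask 022
    mkdir -p "$1/wp-content/themes/demo"
    printf '<?php\n$table_prefix = "wp_";\n' > "$1/wp-config.php"
    printf '<?php\nfunction demo_setup() { add_theme_support("title-tag"); }\n' \
        > "$1/wp-content/themes/demo/functions.php"
    printf '<?php\neval(base64_decode("aGVsbG8="));\nrequire ABSPATH . "wp-load.php";\n' \
        > "$1/wp-settings.php"
    chmod 777 "$1/wp-content"
    chmod 666 "$1/wp-settings.php"
}

# Stand-alone run: audit a throwaway tree, fix it, and confirm nothing is left writable.
main() {
    root=$(mktemp -d)
    build_sample_tree "$root"
    echo "world-writable before fix:"; find_world_writable "$root"
    echo "PHP files with loader markers:"; find_obfuscated_php "$root"
    fix_permissions "$root"
    echo "world-writable after fix:"; find_world_writable "$root"
    rm -rf "$root"
}
main
```

Point the three audit functions at a real document root to use them on a live site; the marker grep is a triage aid and will flag legitimate code that happens to call these functions, so review each hit rather than deleting on sight.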

For the PHP file, I’d ask on Stack Overflow, to be honest, or maybe on a security forum like HackerOne too.

DO NOT USE OPENBUGBOUNTY FOR THE LOVE OF GOD.

If your website has some kind of system where users can upload images, profile pictures or files, it may be vulnerable, meaning people can upload PHP shells and then remotely do stuff with your site. I suggest checking your code if you do, or asking people on Stack Overflow.

One or more of your files seems to be backdoored, most likely due to a poor WP setup or using cracked applications.

The snippet of your code that you provided shows obfuscated files; without evaluating its final results, there is no way to determine what it’s doing; as sketchy as it looks, it could be part of a legitimate file. Highly unlikely, but still plausible.

Either way, Cloudflare won’t look after the integrity of your server; it will help by proxying the traffic before it reaches your backend. However, if your server is compromised, there is absolutely nothing that CF can do to help you.
