Multiple Hacks on Website

Hello,

For the last week, my WordPress website has been getting hacked multiple times. Each time, the attack is more severe, and right now I need urgent help to restore the website and also try to fix the root cause.

1st Attack: Around Feb 22nd
The attack redirected my website to a malware site. I accessed the files from the backend and found some corrupted files. Deleted those. Deleted and restored all plugins and the content folder from backup.
Website was restored.

2nd Attack: Around 10 hours ago
As I looked at the files again, the issue looked the same. But this time, even after deleting all files but wp-config and adding new files from the WordPress download, nothing changed. The redirection was still on. So the conclusion was that the database was also hacked. So we did a clean install from scratch and it was restored.

3rd Attack: Around 04 hours ago
Not sure why, but the hacker has found a link to my unpopular, trafficless site. Anyway, this time the issue is more severe. I have deleted all the content and renamed the folder, and yet when I put in the URL (harishmarnad.com) it continues to be hacked.

I have used free Cloudflare protection which points to my HostGator account. If there is no folder there on the hosting provider, the website should not load anything. I am not sure where the redirection could be. If it is not in the website content files and it is not in the database, then where could it be?

I have reached out to the HostGator support team and they are taking their own sweet time to scan and come back. I need to look for alternatives as I have almost run out of ideas.

Can anyone here guide me? Any ideas on how to get to the problem? What can I do next to identify the problem and hopefully fix it? I also need guidance on how to avoid another hack, but that seems to be far away.

Any help will be highly appreciated.

EDIT: I had basic Wordfence on even before the first attack. But since then, we have had iThemes Security (free version) on as well.

EDIT2: After the most recent hack, I was led to think that the website was still hacked even after deleting all the files and folders from the website. It was because of cache. Others have pointed out that the website is not loading.

Has the hosting provider locked your hosting account or changed CHMOD on the www or public_html directory until you fix your issue (virus, malware …) due to SPAM or something else?

True said by your hosting provider. Have you scanned your website? What results did you get?

If using Cloudflare, you can set up Page Rules, Firewall Rules and Security Options.
Moreover, there are even more options to block bad bots and have advanced Firewall Rules (managed rules), which helps a lot if you do not have any, or at least basic, security at your origin/host (for example htaccess rules or, if using WordPress, some security plugin like Wordfence, etc.).

You can enable “Under DDoS Attack!” mode in that case also.

Cloudflare does not offer a service (yet) like anti-virus, malware scanning, etc.
If interested in these tools, try to go with Imunify360, Patchman, KernelCare, Sucuri scan, etc. - but some, or at least all of them, cost some $$ or more just because.

Some free tools like ClamAV can help if on Linux (if HostGator has cPanel?).

Redirection from where to where?

Do you use any nulled plugins or themes? Have you regularly updated your WordPress, themes and/or plugins?

Check for CHMOD permissions, check for rules written in the htaccess file, check for PHP usage at cPanel interface.

Unfortunately, Cloudflare can not assist in hacked websites. While Cloudflare does its best to block common attacks, if your site is inherently vulnerable, you’ll need to find a specialist to clean and patch your site. I recommend you install Wordfence and scan your installation and enable its default protection.


Thanks. I know Cloudflare won't help here. But I wanted to share my plight with someone and get some ideas on what can be done.

Thank you so much for a detailed response. I really appreciate it.


Yes! This is good to see, as my cache is still giving me nightmares with redirection.

> Has the hosting provider locked your hosting account or changed CHMOD on the www or public_html directory until you fix your issue (virus, malware …) due to SPAM or something else?

Not yet! The support person said they are scanning. I will call them and request to lock my hosting account to ensure that the issue doesn't escalate even further.

> True said by your hosting provider. Have you scanned your website? What results did you get?

As we had to restore all files from the backup, nothing much was found on scan. When I get hacked, I cannot get access to the backend (wp-admin) to scan and check. It has to be a complete restore from a full backup.

> If using Cloudflare, you can set up Page Rules, Firewall Rules and Security Options.
> Moreover, there are even more options to block bad bots and have advanced Firewall Rules (managed rules), which helps a lot if you do not have any, or at least basic, security at your origin/host (for example htaccess rules or, if using WordPress, some security plugin like Wordfence, etc.).

I have already installed all the different free versions of the plugins and nothing much happened. I will be going for a paid plugin and see if it helps. Sucuri seems to be the best, but before going for that at $199, I will explore some other paid tools and see if I can talk to the support team when the website gets hacked next time.

> Some free tools like ClamAV can help if on Linux (if HostGator has cPanel?).

HostGator has cPanel; not sure how to use these tools, though.

> Check for CHMOD permissions, check for rules written in the htaccess file, check for PHP usage at cPanel interface.

Will check this and see if anything else needs to be done!

I have a small business where I create websites for individuals. If this is how bad life can be for one website, I am not sure how it will be if I have hundreds of them. Is WordPress this vulnerable? Is it not possible to protect a website from hacks? I know that I have not tried everything yet (like the paid plugins) and only after that will I get the answers.

What do you think? How can there be so many websites out there running with such threats every day?


Well, yes, life has got its ups and downs :smiley:

As far as I contribute to the development and translation team, the Core itself is not so.
True, it has some bugs and security vulnerabilities over time, which are found and are fixed and patched ASAP and released in a newer version of it (just like Windows, Linux, Android, Apple, SolarWinds, Cisco …).

Well, there is basic HTML, but in most cases that is not an option.
A website has a lot of things going on underneath; the web page can be secured, but if the host is compromised, then we are in a bad position, etc.

Plugins, themes, etc. are also vulnerable (wrong directory permissions, access, upload and execution possibilities, etc.). Even the basic stuff.

Cloudflare can help you a lot to minimize possible attacks, bad bots, scanners, secure the connection, etc., and even more so when you use some security plugin for the CMS or security rules at your hosting to provide better protection.

Just like viruses in real life. We have to keep ourselves and our siblings as healthy as we can if we want to have a decent life …

Unfortunately, a lot of people do not even think about it, and mostly, as far as I saw, they do not care at first. They start caring at the exact moment when it happens, but sometimes it's already too late by then.
So either we have to educate ourselves and learn stuff, try and practice, put in some work, or pay some specialist to do the job as it needs to be done, as @sdayman already stated in his reply.

True. Do not hate and eat yourself up just because you do not know all the things now. You can, if you want, learn and apply what is needed when it is necessary.
We all still learn :slight_smile:


Thank you so much again. You are awesome. Your thoughts are so clear and it is very helpful.

I will continue to fight this demon and hope to win. There are no guarantees in life. I will come back if I find the answer.

For now, could you or someone tell me how to find the root cause of the vulnerability if I don't get access to the backend? My only option is to replace and reload the website again. And if I have tried…

  1. Removing unwanted plugins and themes
  2. Got a free security plugin and configured it
  3. Have done most of the hardening measures
  4. Kept WordPress and other components up to date
  5. Changed the passwords and account details…

If I get hacked again with all this, what am I left with as a choice? What else can I do?


WordPress hardening is beyond the scope of this forum. But for back end access:
If your host gives you SSH/Command Line access, and they have WP-CLI.org installed, you can do a lot.


OK. Thanks @sdayman. Will check and try this out.

Well, can you get the backup or zip all files inside the public_html or www directory?
Also, can you dump (export) your database?

Maybe you could also have some script or advertisement running (malware or cryptominer).

If yes, then you can download them and start up your WordPress site even locally on your PC using either XAMPP, MAMP, WAMP or WinNMP (web servers with all the needed tools and services).
Or, if you are capable and know how to manage a Linux distro, you can set up a web server yourself and do the same.

Otherwise, even if you got your website hacked and you pull it from a backup, you would again get a hacked version, right?

  • Remove the wp-admin and wp-includes directories. Get a fresh copy of them and their inner files from a fresh WordPress download from the official WordPress website.

  • Put your website on one of WordPress's default themes.

If you have phpMyAdmin at your hosting provider, do a search over all the tables in your WordPress database for the below values (one by one):

base64_decode
gzinflate
eval
error_reporting
shell_exec

Other useful links:

Hope it would help you at first.
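The phpMyAdmin search above can also be run offline against a database dump (export) pulled from the host, which matters when wp-admin is unreachable. This is an added example, not code from the thread; the dump is a constructed sample, the `\w+\s*\(` rule is my assumption that a suspicious hit is a call, so prose words like "evaluation" are skipped, and hits are leads for review, not proof of compromise.

```python
"""Scan a WordPress SQL dump for the indicator strings listed in the post."""
import re
from typing import Iterable, List, Tuple

# The five values from the post; requiring the call paren avoids matching
# prose such as "evaluation". PHP function names are case-insensitive.
INDICATOR_RE = re.compile(
    r"\b(base64_decode|gzinflate|eval|error_reporting|shell_exec)\s*\(", re.I
)
TABLE_RE = re.compile(r"INSERT INTO `(\w+)`", re.I)

# Constructed sample dump (not a real site): one tainted widget, one tainted post.
SAMPLE_DUMP = """\
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES
(1, 'siteurl', 'https://example.invalid'),
(2, 'blogdescription', 'An evaluation of error reporting'),
(3, 'widget_text', '<script>eval(atob("PLACEHOLDER"))</script>');
INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES
(10, 'Welcome to my site.'),
(11, '<?php error_reporting(0); eval(base64_decode("PLACEHOLDER")); ?>');
"""

Hit = Tuple[str, int, str, str]  # (table, line number, indicator, snippet)


def scan_dump(lines: Iterable[str]) -> List[Hit]:
    """Return one hit per indicator occurrence, tagged with the table it sits in."""
    hits: List[Hit] = []
    table = "?"  # rows before any INSERT statement
    for no, line in enumerate(lines, 1):
        m = TABLE_RE.search(line)
        if m:
            table = m.group(1)
        for ind in INDICATOR_RE.finditer(line):
            start = max(0, ind.start() - 20)
            snippet = line[start:ind.end() + 20].strip()
            hits.append((table, no, ind.group(1).lower(), snippet))
    return hits


def scan_file(path: str) -> List[Hit]:
    """Scan a dump on disk; errors="replace" copes with mixed-encoding rows."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_dump(fh)


if __name__ == "__main__":
    for table, no, ind, snip in scan_dump(SAMPLE_DUMP.splitlines()):
        print(f"{table}:{no} {ind}: {snip}")
```

Run it against a real export with `scan_file("dump.sql")` and review each flagged row in phpMyAdmin before deleting anything, since some legitimate plugins store code-like options.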

I’m going to have to shut this thread down, as it’s moved way beyond Cloudflare services. I hope you can successfully restore your site to a healthy state.
