Please help.. website is hacked
Hi guys, my WordPress site is hacked and I couldn't find where the malicious code is.
I'm able to access the admin dashboard and all inner pages work.
-When I access the main site (logged in), index.php or the root domain is working fine.
-When I access it without being logged-in or incognito the main domain is redirecting to a spam site.
I tried the following but couldn't figure out where the malicious file is.
- Scanned using Wordfence, MalCare - still no good.
- Temporarily changed the wp-config.php database name - still no good, main site still redirects, but the inner pages stopped working (database error).
Checked htaccess
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
ExpiresActive On
ExpiresByType image/jpg "access plus 24 hours"
ExpiresByType image/jpeg "access plus 24 hours"
ExpiresByType image/gif "access plus 24 hours"
ExpiresByType image/png "access plus 24 hours"
ExpiresByType text/css "access plus 24 hours"
ExpiresByType application/pdf "access plus 1 week"
ExpiresByType text/javascript "access plus 24 hours"
ExpiresByType text/html "access plus 2 hours"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 24 hours"
Options -Indexes
Header set X-Endurance-Cache-Level "2"
Header set X-nginx-cache "WordPress"
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Comments
Install a clean WordPress copy, then move the exported content from the old site.
Change the theme, any change? If yes, then there's something in your theme files. Look for .php files that you don't recognize. Or, look for ones that have a new modification date (look in SFTP), those are suspect.
Also check plugins from SFTP. Sometimes legit plugins get replaced with hacked versions and will need to be replaced.
Any user accounts you don't recognize? Delete any users you don't need. Change your password.
Look at the contents of the index.php file and other files in your WP root directory. Anything with recent changes is suspect. Upload a fresh version of WP (same version that your site is running) if you suspect something has injected bad code into your WP files.
Just a few ideas. Lots of ways attackers can get in.
Thank you guys will try to do all your suggestions
Disable plugins one by one
UPDATES:
Under the table WP_OPTIONS my site URL was replaced with an affiliate link from another website. I updated that, but even after changing the URL, my site index is still redirecting to the spam site.
Updated all plugins (Site index is still redirecting to spam site).
I temporarily moved all WordPress files to /test folder (Website stopped working)
I put all files back into the root folder
*Website started working again and it's no longer redirecting to the spam website.
Hmm, how come it started working after I moved the files to a different directory and then put them back again? Did the site URL fix the problem, and maybe the changes didn't reflect immediately due to CACHE?
Are you using Elementor by any chance?
https://arstechnica.com/information-technology/2023/03/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites/
good thing i just use html/css
I dealt with this for a while. All I kept doing was taking the fresh WordPress files, all except wp-content and my config of course, and replacing them. It would fix the problem for a while. I did this up until my host implemented some sort of protection like cp guard or some other thing like that.
Also, I'm not sure this was the root of my problem, but every time I would update Yoast SEO it would do this.
You use it because it’s free, not because it is secure
there are paid css libraries iirc
Pro tip:
Install the Wordfence paid version, do a full scan. The paid versions are the only ones that include zero-day or recent threat protection. Additionally, you could just use a provider that has Imunify360, and that will shield your website from some attacks; also take advantage of Imunify AV.
Wordfence has a paid service that includes their experts cleaning your instance.
Try that.
Download your website archive.
Download the official WordPress archive.
Compare your current version line by line with MELD or Araxis Merge.
100% you will find where the malware code is.
If there are no differences in any files except plugin/theme, then the problem is with the plugin/theme.
What to do in such case?
It is a well-known fact that the code of WordPress plugins/themes smells stinky and is written by students in the meantime while waiting for a bus at the bus station (most plugins).
If you're not familiar with all of that - setup WAF.
https://sucuri.net/website-firewall/
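The archive comparison suggested in the post above can be scripted instead of done by eye. This is an added example, not code from the thread: it hashes every file in the downloaded site copy and in a freshly extracted official WordPress archive of the same version, skipping wp-content and wp-config.php, which always differ. The function names and the two directory arguments are assumptions made for illustration.

```python
import hashlib
import os
import sys

# Paths that legitimately differ from a stock download (site content and config).
SKIP_TOP_DIRS = {"wp-content"}
SKIP_FILES = {"wp-config.php"}

def hash_tree(root):
    """Map each relative file path under root to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            # Prune wp-content only at the top level of the install.
            dirnames[:] = [d for d in dirnames if d not in SKIP_TOP_DIRS]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if rel in SKIP_FILES:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_core(site_root, clean_root):
    """Return (modified, extra, missing) core files of site_root versus clean_root."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    # Same path, different bytes: a core file was edited (e.g. injected code).
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    # Present on the site but not shipped by WordPress: review each one.
    extra = sorted(p for p in site if p not in clean)
    # Shipped by WordPress but gone from the site.
    missing = sorted(p for p in clean if p not in site)
    return modified, extra, missing

if __name__ == "__main__":
    # Usage (paths are placeholders): python compare_core.py ./site-copy ./wordpress-clean
    modified, extra, missing = compare_core(sys.argv[1], sys.argv[2])
    for label, paths in (("MODIFIED", modified), ("EXTRA", extra), ("MISSING", missing)):
        for path in paths:
            print(f"{label}  {path}")
```

A root .htaccess will be listed as EXTRA because the official archive does not ship one; read it by hand, since it is site-specific. Files reported as MODIFIED can then be opened in a diff tool against the clean copy.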
Disable all plugins and unofficial themes, then upgrade or re-install Wordpress. Once everything works fine then enable themes, plugins one by one to check.
Thank you guys my site is back.
This was the cause - https://arstechnica.com/information-technology/2023/03/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites/
Told ya
I would agree with that, go with Imunify360 as it gives you real-time protection and the scanning plus other server protections.
@pandabb I suggest you take a full backup through any plugin like All in one Migration or any other, and then delete your site and install a fresh WordPress.
** if you are facing a redirect issue then the error is from your web hosting provider.
Bastab : )