
WordPress Site - File Randomly Changed

Comments

3 comments

  • rpvw
    Make sure that the WordPress core, every Plug-in and Add-on and every Theme (irrespective of whether they are in use or not) are updated to the latest available versions. Delete any Plug-in, Add-on and Theme that are not being used to reduce your attack surface. Also audit all the Plug-ins, Add-ons and Themes to ensure they are still being actively supported by their developers, and have not been abandoned. Ensure that any additional FTP users have been deleted, or have had their passwords changed as well. If your web host has enabled your access, disable any PHP options (e.g. file_uploads, allow_url_open, etc.) that you don't need. You will have to check what the site and its features need - the two that I listed were meant only as examples, not suggestions! Check your logs for any indication of a 'PUT' method around the time your config.php file was changed. Switch ON ModSecurity if it is available to you. If you are really unsure about whether the method used to change the file has been blocked or not - download the website file-set and also a copy of the WordPress core and all plugins and themes from their source and "diff" them to see if any strange code resides in any file. If all else fails - reinstall WordPress and all the plugins etc. fresh, and reconfigure the site. Disclose the event to your web host, and ask for help in attempting to ascertain the point of access from logs. It is remotely possible that the access originated through another site altogether, and your web host needs to satisfy himself that the rest of his clients are safe as well. Hope this helps.
    0
  • Anupam SG
    In addition to what @rpvw has said, ask your client if he has uploaded any "nulled" modules/plugins. These are usually paid plugins, which people download from a shady site for free, in an effort to save money. And these "free" plugins almost always have the risk of malicious code inserted in them which is used for all sorts of black-hat purposes. The code can be hard to find and is sometimes disguised as an image file, which is executed through some other code located in some other file.
    0
  • cPanelLauren
    Please note that external links are not allowed; if you have a screenshot, please attach it to the thread directly. Please let us know if the advice provided by @rpvw and @Anupam SG helps or if you have any further issues or concerns. Thanks!
    0
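
The "diff" check rpvw describes and the disguised-image case Anupam SG mentions can be combined in one pass. The script below is an added example, not part of any commenter's post: it compares a downloaded copy of the site against a clean tree assembled from fresh WordPress, plugin and theme downloads, and flags image-named files that contain a PHP open tag. The directory layout and the file contents in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp"}
PHP_TAG = b"<?php"  # heuristic marker: an image has no reason to contain it


def audit(site_dir, clean_dir):
    """Compare a downloaded site file-set against a clean reference tree."""
    site, clean = Path(site_dir), Path(clean_dir)
    report = {"modified": [], "added": [], "php_in_image": []}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site).as_posix()
        data = f.read_bytes()
        ref = clean / rel
        if not ref.is_file():
            report["added"].append(rel)         # not shipped by core/plugin/theme
        elif data != ref.read_bytes():
            report["modified"].append(rel)      # differs from the vendor copy
        if f.suffix.lower() in IMAGE_EXT and PHP_TAG in data:
            report["php_in_image"].append(rel)  # image name, PHP content
    return report


def demo():
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        files = {"index.php": b"<?php require 'wp-blog-header.php';\n",
                 "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n"}
        for root in (clean, site):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        # Constructed tampering: one altered core file, one fake image.
        (site / "index.php").write_bytes(files["index.php"] + b"// injected\n")
        uploads = site / "wp-content/uploads"
        uploads.mkdir(parents=True)
        (uploads / "logo.png").write_bytes(b"\x89PNG\r\n<?php /* placeholder */ ?>")
        return audit(site, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site, `wp-config.php` and everything under `wp-content/uploads` will appear under "added" because they are not part of any vendor download, so that list needs manual review rather than blanket deletion.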
