razzc says

My WP site’s PHP files have all had some code added to the first line. I have been sitting cleaning it up and have done most of them. I was wondering if anyone can please let me know if this is all I would have to do or if there is more to it? It has infected the site that just went live a couple of days ago.

I just don’t want to recreate the site.

It’s from some site, turnitupnow.net, if someone knows what I am talking about. I don’t think it would be appropriate to paste the entire nasty code in here but it looks like:

if(!$sessdt_o) and { $sessdt_f = “102”; if(!@headers_sent()) and else { echo “u = “http://turnitupnow.net/?rnd=”.$sessdt_f.substr($ses

It’s a lot longer than this. I have deleted more than half of this poisonous code. Hopefully it’s OK to post it in here.

Thanks everyone in advance.

iamthwee says

If it was me I would have started from fresh, changed all my ftp passwords and wordpress passwords.

Then go through the wp files and lock down the permissions.

If that is not possible you should at LEAST change your ftp password and WP admin passwords.

TylerQuinn says

1. Change all your info: FTP, WP passwords and database passwords.

2. I would delete everything in the directory as you never know if they added a back door (you can get your uploaded content, just make a copy of it and scan it for anything weird.) and then upload a fresh install of the latest WP.

3. Install with all your new DB login info, all you need to do is create the wp-config file manually and it will hook right back up to all of your DB content.

4. Contact your host if you have more than one domain on that hosting account. Just because the WP site is hacked does not mean they came into your data from that site.

5. I would also run a local scan on your computer to make sure there is nothing stealing your PWs.
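A way to scan the saved copy of the uploaded content before putting it back, as an added example that is not part of the original posts. The indicator strings are the two fragments quoted in the first post; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Indicators come from the fragment quoted in the first post.
INDICATORS='sessdt_|turnitupnow\.net'

# Print PHP files whose FIRST line contains an indicator, which is where
# the thread says the code was placed. A miss here does not clear a file.
scan_first_lines() {
  find "$1" -type f -name '*.php' -exec sh -c '
    for f do
      if head -n 1 "$f" | grep -Eq "$0"; then printf "%s\n" "$f"; fi
    done' "$INDICATORS" {} + | sort
}

# Print PHP files sitting inside an uploads directory. Media uploads should
# not contain PHP, so each hit needs a manual look before it is restored.
scan_uploads_php() {
  find "$1" -type f -path '*/uploads/*' -name '*.php' | sort
}

# Constructed sample tree so the example runs offline.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2011" "$d/wp-content/themes/demo"
  printf '%s\n' '<?php /* constructed marker */ $sessdt_f = "102"; ?><?php' \
    'get_header();' > "$d/wp-content/themes/demo/index.php"
  printf '%s\n' '<?php' '// clean file' > "$d/wp-content/themes/demo/functions.php"
  printf '%s\n' '<?php // unexpected script' > "$d/wp-content/uploads/2011/cache.php"
  : > "$d/wp-content/uploads/2011/photo.jpg"
  printf '%s\n' "$d"
}

# Usage: sh scan.sh /path/to/copy-of-site
if [ "$#" -gt 0 ]; then
  echo "Indicator on first line:"; scan_first_lines "$1"
  echo "PHP under uploads:";       scan_uploads_php "$1"
fi
```
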

PixelBuffet says

Unfortunately to make sure it’s secure, you’re going to have to do as Tyler has put above. Anything less and you can’t be sure.

Also once you get the site back up and running, research every plugin you’ve used to see if anyone has reported vulnerabilities.

I had a WP site hacked in a similar way, and it was because they exploited a vulnerability in a plugin. Obviously after re-building, I found another way of solving the problem without that plugin and everything has been fine since.

canimalition says

One thing you shouldn’t forget: BACKUP ;) I do this for all my content that I have using an Internet connection.

FYI: If you have a Twitter account or something, do not CLICK any link if you don’t know where it goes. If you got the link via bit.ly, for example bit.ly/fhrfjf, add a plus (+) after the link, for example bit.ly/fhrfjf+, so you will see the real site behind the short link.

This I got on my Twitter

and adding + after the link, here I got:

This link got more than 5000+ clicks. OMG

That’s information from me to you ALL :)

razzc says

@iamthwee, @TylerQuinn, @PixelBuffet and @canimalition

Thank you all for the support. Like TylerQuinn said – I had to clean everything guys and go back to ground zero. I sus one of the theme authors that I bought a theme from at themeforest. They weren’t very helpful and I had a go at them. I had to give them my admin credentials to help with CSS tweaks. So the moral of the story is: don’t be a moron like me and trust someone you don’t know, and if you do, don’t have a go at them, and if you do both, change your admin credentials straight away.

Thanks again fellows.

razzc says

> If it was me I would have started from fresh, changed all my ftp passwords and wordpress passwords.
>
> Then go through the wp files and lock down the permissions.
>
> If that is not possible you should at LEAST change your ftp password and WP admin passwords.

How do you lock down permissions?

iamthwee says

^^

Well I tend to follow this: http://codex.wordpress.org/Changing_File_Permissions

As a guideline, although you have to test your site to see if some files need different permissions, especially if you’re using a script to write to a folder or dynamically resize an image, e.g. timthumb.

One thing Tyler mentioned which is highly important… Your security is only as good as the machine you’re uploading it from. So if your computer is rife with spyware and viruses, it won’t matter what you do to lock down your website….

Also, something that hasn’t been mentioned: try to avoid uploading/signing on from an unsecured connection. With the rise in popularity of coffee franchises offering free UNSECURED wifi, a lot of people out there are logging on – leaving their logon details open to ‘snoopers’ on the network – unless of course you’re using https, but this is unlikely for WP logons.
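One way to audit and then tighten permissions on a WordPress tree, as an added example that is not part of the original posts. It assumes a baseline of 755 for directories and 644 for files with a tighter mode on wp-config.php; those values, the function names and the sample tree are assumptions to check against the Codex page linked above and your host's setup.

```shell
#!/bin/sh
# Added example. Modes below are an assumed baseline, not taken from the thread.
WPCONFIG_MODE=${WPCONFIG_MODE:-640}   # assumed; some hosts need a different value

# Read-only audit: print files and directories that group or other can write.
audit_writable() {
  find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) | sort
}

# Apply the baseline. Folders a script must write to (uploads, an image
# resizer cache) may need a different mode afterwards, so test the site.
lock_down() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod "$WPCONFIG_MODE" "$1/wp-config.php"
  fi
}

# Constructed sample tree with two deliberately loose entries.
make_perm_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  printf '%s\n' '<?php // constructed config' > "$d/wp-config.php"
  printf '%s\n' '<?php // constructed index'  > "$d/index.php"
  chmod 755 "$d/wp-content"
  chmod 777 "$d/wp-content/uploads"   # loose directory
  chmod 666 "$d/wp-config.php"        # loose file
  chmod 644 "$d/index.php"
  printf '%s\n' "$d"
}

# Usage: sh perms.sh /path/to/wordpress   (audit only; call lock_down yourself)
if [ "$#" -gt 0 ]; then
  audit_writable "$1"
fi
```
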

razzc says

Thanks iamthwee. I think I shouldn’t allow browsers to remember my credentials. I do that simply because it’s easier to log in. Too lazy for my own good.

Thanks for the thoroughness :)
Joost Moderator says

> Thanks iamthwee. I think I shouldn’t allow browsers to remember my credentials. I do that simply because it’s easier to login. Too lazy for my own good. Thanks for the thoroughness :)

I don’t quite understand how this posed a security risk, as nobody had physical access to your machine, right?

EDIT: Never mind, I missed the piece where iamthwee spoke about your machine being compromised ;) Of course then it’s not too great to have the passwords stored in your browser unencrypted (set a master password) – but for WiFi sniffing it doesn’t matter, and it’s even quite a nice prevention against keylogging (as you don’t type your password for the logger to see).
