1

After the second hack, we did all the necessary things written here - https://wordpress.org/support/article/hardening-wordpress/ , https://security.stackexchange.com/a/180925 and we also changed the file permission (wp-config.php to 400). We added WordFence, Limit Login and Bad Robot Black hole plugin to secure the installation.

The hack redirects my site to another site.

We run WP 5.4.1 with the theme https://gracethemes.com/themes/music-wordpress-theme/. All plugins and theme are updated.

How can I prevent future attacks?

Added below in wp-config.php

define('DISALLOW_FILE_EDIT', true);

Added below in htaccess

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from 123.123.123.123

</Files>

<files ~ "^.*\.([Hh][Tt][Aa])">

order allow,deny

deny from all

satisfy all

</files>

<files wp-config.php>

order allow,deny

deny from all

</files>

# Block the include-only files.

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]

</IfModule>
schroeder
  • 125,553
  • 55
  • 289
  • 326
cilapo1541
  • 25
  • 5
  • 1
    Perhaps they left a backdoor, or one of the plugins has a vulnerability. Maybe the credentials of the server are easy to guess or stolen (wp-admin, ftp or mysql)? Many things can go wrong here. Do you have access to the server logs? There you should find some hints about how the attackers got in. – roy.stultiens May 04 '20 at 19:41
  • All passwords are super hard to guess like 345^#!Ad4104# type. Auto gen by WP. When an admin logs in my site, I will get email alert from WordFence which I did not get. But all my plugins are updated. – cilapo1541 May 04 '20 at 19:55
  • Should I use MalCare or Sucuri or WordFence to clean the site? Which is better? – cilapo1541 May 04 '20 at 19:55
  • You say the hacker is redirecting your site to another site. Do you know how they are doing this redirection? – hft May 04 '20 at 19:56
  • @hft No idea. They installed some index.html or index,php file I tink from the last scan by WordFence – cilapo1541 May 04 '20 at 20:09
  • You might want to go with the nuclear option. Wipe server completely and reinstall everything. – hft May 04 '20 at 20:22
  • Malcare just declared that my site is clean. If so, how could they have entered? SITE IS CLEAN Last scan:an hour ago |Scan frequency:1/week No Malware Detected WordPress version is up-to-date – cilapo1541 May 04 '20 at 21:32
  • 2
    If they have a backdoor process listening on your server they can just keep using that same backdoor to get back in and re-hack your site. Just because some little scanner app says it is clean is meaningless since the backdoor malware might employ a process hiding component to make it invisible to the malware scanner. The only way to be sure is to wipe and reinstall. – hft May 04 '20 at 22:30

1 Answers1

3

My WP site just got hacked for the third time even after following WP hardening guidelines

(Emphasis added).

I would suggest that you Nuke It From Orbit.

This would entail completely wiping the infected systems and reinstalling everything from scratch.

As the quote goes: "...It's the only way to be sure."

hft
  • 4,940
  • 17
  • 32