Have a specific reoccuring hack

I believe I have some malicious script that specifically keeps changing user credentials. This type of hack starts with one account and then changes all the others to the same email. (I’m starting to think it usually happens with theme edits) Is this a familiar trend where I can look up some specific code or file to spot this? I’ve done extensive cleaning in the past. It’s gotten much better, it’s slow to completely take over now and only requires a password change early in it’s stage to restore my site.

  • aecnu
    • WP Unicorn

    Greetings Annabelle,

    I am sorry to hear that you are having an issue.

    Good security starts with the host but of course must also be observed by the site owner.

    Is this a familiar trend where I can look up some specific code or file to spot this?

    Usually the thing to look for or at, is file dates. Make a backup which you should download to your computer so you can replace any files that you delete.

    Using an FTP program look through your files at their dates.

    Usually an exploit shows its face by the date not matching. Delete any suspicious files that the date looks like it should not be.

    Make your htaccess file hide your database details by adding this code at the beginning of the htaccess file:

    <files wp-config.php>
    order allow,deny
    deny from all

    Once this is added, change the database user name in your hosting control panel and then put the new password in the wp-config.php file.

    The new password will be protected by the above htaccess coding meant to specifically protect you wp-config.php file.

    Good hunting.

    Thank you for being a WPMU Dev Member!

    Cheers, Joe

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.