How to resolve a hacked website? Webshell wordpress website - wordpress

I think I got hacked...
My WordPress website looked like this yesterday:
and today it looks like this:
I have a backup on the database. I don't know how to handle this now. I run WordPress on a CentOS 7 Apache server.
I have received webshell alerts since yesterday, but first of all I am not really sure what a webshell alert is, and secondly I have no idea how to resolve it.
Some files with webshell alert are:
/alidata/www/phpwind/wp-content/themes/twentyfifteen/genericons/pop-up-cache.php
/alidata/www/phpwind/wp-content/themes/twentyfifteen/genericons/wp-infos.php
/alidata/www/phpwind/wp-content/themes/twentyfifteen/genericons/wp-console.php
/alidata/www/phpwind/license.php
/alidata/www/phpwind/wp-res.php
etc

This could be a list of (some) compromised files. But you really need to import a full file and database backup, and you should also change all passwords and update WordPress, including all plugins, to the latest version. Most likely there was an exploit in WP or in a plugin that enabled an attacker to upload a webshell.
That will be easier than searching for compromised files, because you can forget something.
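The point above about forgetting something, as an added example (not part of the original answer): rather than hunting for individual webshells, hash every file on the site and compare it with a clean copy. It assumes the clean copy holds the same WordPress version, themes and plugins from their original sources; `compare_to_clean`, `build_demo` and the sample trees are constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(site_root, clean_root, skip=("wp-config.php",)):
    """Return (modified, unexpected) relative paths.

    modified:   shipped by the clean copy, but the content differs on the site.
    unexpected: .php file on the site that the clean copy does not ship.
    Paths in skip are site-specific and have to be reviewed by hand.
    """
    site, clean = sha256_tree(site_root), sha256_tree(clean_root)
    modified = sorted(p for p in site
                      if p in clean and site[p] != clean[p] and p not in skip)
    unexpected = sorted(p for p in site
                        if p not in clean and p.endswith(".php") and p not in skip)
    return modified, unexpected

def build_demo(base):
    """Constructed sample trees; the extra file names mirror the alert list."""
    site, clean = Path(base, "site"), Path(base, "clean")
    icons = "wp-content/themes/twentyfifteen/genericons"
    shipped = {"index.php": "<?php // front controller",
               "wp-login.php": "<?php // login",
               icons + "/genericons.css": "/* icon font */"}
    for root in (site, clean):
        for rel, body in shipped.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (site / "index.php").write_text("<?php // front controller + injected line")
    (site / "wp-config.php").write_text("<?php // site-specific settings")
    for extra in ("license.php", "wp-res.php", icons + "/wp-infos.php"):
        (site / extra).write_text("<?php // placeholder body")
    return site, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        modified, unexpected = compare_to_clean(*build_demo(tmp))
        print("modified:  ", modified)
        print("unexpected:", unexpected)
```

For core files alone, WP-CLI's `wp core verify-checksums` runs a comparable check against the official WordPress checksums.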

Have you used any nulled plugin?
If you have, then you are boomed!
It happened to me too!

Related

My wordpress website being hacked with code eval($_SERVER['HTTP_81DB2B3']

I have a problem with my website: I got information from Wordfence about my WordPress website getting hacked,
and found the code eval($_SERVER['HTTP_81DB2B3'], so I removed it, but within a few seconds the code comes back. Someone, please help me.
I had something very similar to this. Go to your cPanel and search for "Cron Jobs" and scroll down to see if there are any malicious cron jobs set up. You might have some that look like eval(gzinflate(base64_decode(.... that are essentially causing this to reoccur. Not a complete fix to this issue, but you'll have to delete those cron jobs to ensure that that line of code doesn't keep reappearing. In addition to that, you'll also need to make sure those cron jobs don't show up again. Use a plugin like Wordfence (suggested above as well) to look for malicious files and, if it helps, replace your home directory (except for wp-content and wp-config) with fresh files.
If your website got hacked, then I guess more than one file was affected by it.
Case 1: If you are able to access the WordPress backend, then I suggest you:
Step 1: Add one plugin called Wordfence Security – Firewall & Malware Scan and scan your website with it.
Step 2: After scanning the site, remove all suspicious code from the site.
Case 2: If you are not able to access the WordPress backend, then you have to update your WordPress manually with the hosting file manager or FTP.
Please note: Please take a backup of your website before making any changes.

How to manually back up wordpress website

I have never used WordPress before. My boss has given me access to a site which was created using WordPress. Then he asked me how I am going to make sure I don't break the site accidentally. I told him I would create a backup on my local computer so that all my changes can be restored if I mess up.
I have the WordPress dashboard up. How do I back up EVERYTHING? I hear there are two separate things I need to back up? Someone please help me.
PS: I don't think he would like me to do this without the use of additional plugins.
There are two separate things:
Your website database. Simply export all the MySQL tables from the database, which is dedicated to your site.
The site files, everything you've got under WordPress folder, /wp-includes, /wp-content, /wp-admin directories and all files.
This should do it all. You can test on your localhost to make sure it's everything that's necessary.
You can backup your WordPress either from your hosting account (preferable) or from your WP dashboard.
You need to back up two things - all the files (the root of your WordPress installation) and the database for your WP installation.
Since you only have access to the dashboard, you have to use a plugin for this.
Two of my favorite free backup plugins are:
BackupWordpress - https://wordpress.org/plugins/backupwordpress/
BackWPup - https://wordpress.org/plugins/backwpup/
They are intuitive and easy to work with, so you shouldn't have issues.
If you go to the dashboard go to "tools" in the left toolbar. Select "export". On the export page you can report that you want to export "all content". This will get you the items that you need from the server.
Then you need to install wordpress to your machine. You can download that from: https://wordpress.org/download/
Once you have that on your machine you also need a local server to run it and test it. I like WAMP, but it partially depends on your operating system. I suggest the following video to get you up to speed on how to get the localhost set up and running: https://www.youtube.com/watch?v=snFzbPm_RUE
Hope this helps!

How to search in files for signs of a code injection

Hi the website of a friend was hacked.
Many files have gotten code injections. His programmer deleted all these.
Now the situation is that the site (WordPress with a shop plugin) is still running really slow sometimes. Sometimes it goes fast.
Now, after searching the web for "troubleshooting code injections", "find code injections" and stuff like that, I have no idea how to troubleshoot the problem, because his programmer has no local backup and changed all files, so I can't look for recently changed files at all.
What would be the way of choice to get the problem?
Possible solution or suggestions:
Use these very famous virus scanning and detecting website
By using the above site you will come to know if the virus still exists or not.
Suggestions:
As you said, you are using WordPress, so it will be very easy to detect the virus. How?
Use the following security plugins for scanning core files.
All In One WP Security & Firewall
Wordfence
Lastly
Hackers or malware live in the following important files of WordPress
Check all theme files, especially
header.php
footer.php
index.php ( mostly infected )
Also do an upgrade of WordPress, so it will make sure that core files are not modified.
thanks
hope it helps
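An added example, not from any of the answers on this page: a scan for the two loader shapes quoted here, `eval($_SERVER['HTTP_...` and `eval(gzinflate(base64_decode(`, usable on PHP files and on crontab text alike. `SIGNS`, `scan_text`, `scan_tree` and the sample inputs are constructed for this illustration, and a clean result covers these two signs only.

```python
import re
import tempfile
from pathlib import Path

# The two loader shapes quoted on this page, tolerant of extra whitespace.
SIGNS = {
    "eval of an HTTP request header":
        re.compile(r"eval\s*\(\s*\$_SERVER\s*\[\s*['\"]HTTP_", re.I),
    "eval of a compressed base64 blob":
        re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I),
}

# Constructed samples: fragments as quoted on the page, payloads left out.
SAMPLE_HEADER_PHP = """<?php
eval($_SERVER['HTTP_81DB2B3']
wp_head();
"""
SAMPLE_CRONTAB = """# constructed crontab listing
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * <command> eval(gzinflate(base64_decode(....
"""

def scan_text(text):
    """Return [(line_number, sign)] for each line that matches a sign."""
    return [(number, sign)
            for number, line in enumerate(text.splitlines(), start=1)
            for sign, pattern in SIGNS.items() if pattern.search(line)]

def scan_tree(root):
    """Scan all .php files below root; map relative path -> hits."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content/themes/twentyfifteen")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(SAMPLE_HEADER_PHP)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        for name, hits in scan_tree(tmp).items():
            print(name, hits)
    # In practice this text would be the output of `crontab -l`.
    print("crontab", scan_text(SAMPLE_CRONTAB))
```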

Two Wordpress Installations on the Exact Same Database?

I'm in the process of setting up a development and live development environment for some basic projects I'm working on. Ideally I want git to push changes from the development server to the live site. However, I want each version to use the exact same database so the posts and content are identical at all times.
Obviously the Site URL is set to only the live site so the development site's links don't work. If I overrode the site url in the wp-config.php file of each and used .gitignore to ignore both wp-config.php files would this be enough for this to work or is there something else I'm missing?
I'm posting in the hope somebody has tried it before me and that might have any answers to problems I encounter now or in the future.
Thanks in advance, Ollie
Make sure you add the .gitignore entry before changing and committing the wp-config.php.
Once you update wp-config.php, it's going to go through and update URLs in the database. Since WordPress is stateless - to say there is no session management, there is no way of tracking if a database has been swapped.
Lastly, WordPress uses a MySQL database, which wouldn't be versioned unless you went through a lot of work to do so. Aside from wp-config.php, there aren't any other stored references of what the site's URLs should be.

Wordpress API works with VPN only?

I've been working on a project on my localhost for some time now, and I've recently tried to put it online. My project works perfectly on my localhost, and I can post new articles to WordPress blogs with no problem.
The problem is, after uploading my project to an online web server (HostGator's Baby Plan), I tried to add a new post to one of my WordPress blogs and I got the following error:
faultCode 500 faultString You are not allowed to do that.
The thing is, I've searched everywhere in the past few days in order to solve this problem and had no luck.
Do you guys think this problem is caused because I'm using a web server and not a VPS? If you have any other solutions, I'll be glad to hear them out.
It might be related to file permissions or something like that.
There is no need to use VPS. I manage my website on a shared server and I've tested WordPress on free hosting services too.
This is probably due to incorrect permissions either on the file structure or the MySQL DB user or something like that. Take a look at this article on the WP codex about file permissions.
Big services like HostGator usually have an "auto-install" feature for common software like WordPress (via Softaculous or something similar). I don't know how you migrated your site from your local version to the server, but it may be worth installing a fresh WordPress instance through HostGator and then simply loading in the wp-content folder and your development database on top of that.
