My Wordpress blog keeps getting hacked


I need some help - my Wordpress blog keeps getting hacked.

Hackers are accessing my index.php file in the website root (not the template files) and inserting this script (malware)

<script type=“text/javascript” src=“http://<snip/>:8080/Newsgroup.js”></script><script type=“text/javascript” src=“http://<snip/>:8080/Newsgroup.js”></script>

I have upgraded wordpress, upgraded all the plugins, deleted inactive plugins, changed my admin username, installed suPHP on my server & configured my blog to use it and I made some changes to php.ini to restrict scripts from doing things they’re not supposed to…

But the line of code keeps coming back into my index.php… its really affecting my organic search traffic…

Any ideas? I’m stumped… :injured:

Avast anti virus have a mac version. I use avast on my windows machine, and have previously used their mac version. You can use it free for a month I believe.

It may also be that the hackers have left a backdoor script on your server, or it may be a vulnerability in wordpress, or if your on a shared sever, it may not be your site at all that they are using to get in, but are then attacking your site from the compromised site due to insecure file permissions.

You can’t rely on datetime stamps as the hackers are using backdoor shell scripts that provide them with the ability to “touch” the files with a certain date and therefore make all the files the same datetime or to set them to a specific datetime.

You undoubtedly have a backdoor shell script on your site. This gives the hackers remote control of your site without needing any passwords, or leaving any clues in log files other than the access.log which many people don’t look at anyway.

Some strings you can look for in .php files are:


Sorry I can’t be more specific, but those are the most common strings we find in the hacker’s backdoors.

The typical scenario is that the hackers gain access to a website via stolen FTP password, then place various backdoors on the site to provide them with access even after the FTP password has been changed. They also frequently change file and folder permissions to 777 which are another area very few people check - until after they’ve been hacked.

how bout your plugins? the plugin directory is the favorite place to hide files and scripts.

i would get new plugins as well. look through the server in any directory for suspicious files and folders, as these kind of things can embed itself to existing filkes, and disguise itself as images or scripts etc… being on a mac doesnt mean you are secure. there are viruses ,worms and rootkits for mac as well as windows, there are also cross platform viruses and other things to take into consideration.

I would first clean up and have a look at all files and folders on my server, then replace it with new ones, and not a backup with some embedded malicious code - then i would have a look at my puter and clean it up as well.

I’ve been hacking Donncha’s Exploit Scanner plugin recently.

It comes with an array of the Core file hashes, which it can check against to determine if any have changed. If any have changed it then searches them for some of the common “hack strings” (i.e. WeWatch’s list). It also searches the database.

IMHO an excellent strategy, but it doesn’t go far enough for my needs. So my hacks add a CRON, email notification, automatic replacement of the hacked file, inclusion of all blog files in addition to Core files, and checking for extra or missing files.

Once I’m done testing I plan to send it on to Donncha, whether or not he’ll want to use any of it.

But you could try the plugin as it is now. Every step you take to improve security can only help.

Are you with a reliable host? I strongly suggest you contact them and tell them a bout the problem.

in your config.php file update all of your keys

Please everyone, don’t recommend FTP. It is evil. Please use SFTP, it is secure and if your host won’t set this up, find a new host.

If you have problems setting it up, I have some tutorials, so PM me. I am new to this forum and don’t want to start putting links to my stuff yet:)

It is free and contains several videos on setting up your website securely.

I got hacked again. FML.

Can anyone recommend a good virus/malware scanner for Mac? Freeware or paid software.

Have you checked the last modification time of the altered file against http and ftp logs? What’s the chmod value for the altered file?

You should also change your FTP password and check your local computer for malware. If you have FTP logs, check if index.php was uploaded by FTP.

So far so good, haven’t been compromised again

Thanks for everyones input

You might want to scan your server for malware (eg backdoor) scripts too.

Before you update the index.php, take a note of it’s last modified date.

Perhaps you can use this to track an IP address from the servers access log.

Never know - the hacker could be stupid enough to use a direct IP you could track from

Also, you may want to check your ISP hosting control panel. Change that PW and check to see if there are any scheduled CRON jobs. If they had access to the CP a CRON job could be updating your file CHMODs


PS: Mac’s are just as vurnable to viruses and malware as PCs are. It’s just that PC’s being the dominant % of the market get more attention from the virus writers and media. Check yer Mac just in case.

I have now changed my FTP password as well - thanks.

I have a Macbook so the chance of a Malware/Virus issue is unlikely, right?

Will do a complete reinstall of WP 3.0

Thanks for the advice

Very true. In most cases of ‘code injection’ a stolen FTP password gathered through spyware/malware is the cause.

When you say “upgraded” do you mean a complete uninstall/reinstall or the one-click auto? If the latter try a complete reinstall.

And DON’t forget to backup your database first, check the entries, then restore to a good backup if it was contaminated.

Also, check and double check your folder/file permission settings.

If you haven’t talked to your host, it might be a good idea to do so, it could be coming from your “group”.

I would like to recommend you, refer following URL to secure wordpress sites.

And if still you face problem than ask your hosting provider to virus scan your hosting account content.