Need Help

[studio6x]

Hello my website as been hacked I have a plugin called wordfence I created htacess login only by my ip but they still manage to put a malware script on the header theme.

Any ideas

 

[reptille]

if you have any backups revert to them before they hacked in

 

[caftpx10]

Is your WordPress installation the latest?
What plugins are enabled in your installation (include the version of them if possible)?
Was the password complex enough (web host account, FTP [if additional users are set], WordPress login)?

Even if a backup could be restored, it can quickly end up in the same state if the method of entry is not sorted out.

 

[studio6x]

Is your WordPress installation the latest?
What plugins are enabled in your installation (include the version of them if possible)?
Was the password complex enough (web host account, FTP [if additional users are set], WordPress login)?

Even if a backup could be restored, it can quickly end up in the same state if the method of entry is not sorted out.

I have very larges passwords for wp login and ftp login and I forgot to metion I have 7 websites on that server all of them had the same malware script all wordpress with the latest 4.5.2 update only the joomla website was not attacked.

 

[caftpx10]

Alrighty. Sounds like the entry might be to do with WP.
What plugins do you have installed on all your WP installations and which versions are they on? Perhaps one is vulnerable.

 

[studio6x]

Alrighty. Sounds like the entry might be to do with WP.
What plugins do you have installed on all your WP installations and which versions are they on? Perhaps one is vulnerable.

all plugins are up to date and worpress as well I even changed the theme they still managed to put the same script again on the header php file yesterday

do you think maybe is the hosting server

 

[essellar]

Okay, they're the latest versions. That means nothing, really. You were asked (by somebody who wants to help and just may have some knowledge, or even just some more advanced Google-fu) which plugins you're running. The latest version of something with a known vulnerability just means that you're using the most up-to-date vulnerability.

 

[studio6x]

the plugins that im using are
Askimet
Aspexi Facebook Like Box,
Coming Soon Page & Maintenance Mode by SeedProd
Hello Dolly
Jetpack
LayerSlider WP
Wordfence Security
W3 Total Cache
WordPress Importer
Shortcodes Ultimate
Revolution Slider
MOJO Marketplace

 

[caftpx10]

It looks like Revolution Slider (2.4.1) could be allowing this according to the exploit EDB-ID 35385 (Google it, not linking to the site with the details just in case).
'Hello Dolly' looks to have some dodgy history so that might also need looking at.

 

[studio6x]

do you think they may have access to the ftp details because all wordpress websites that are on the hosting im using all of theme were attacked only the joomla website was not attacked

 

[essellar]

It's easier to look for an installation of WordPress (or whatever) with an exploit than it is to try to brute-force FTP logins. With an exploit available, you just need to fetch a bunch of web pages looking for a particular string or two of text; you don't much care which site(s) have the exploit as long as you can get your malicious code out there somehow, to as many places as you can. A script kiddie can hit a few thousand sites in a day with a bot they found online. With the FTP thing, it means throwing some resources at a particular site/server; if you happen to stumble across an easy login, great, but unless you have a particular site you want to deface it's usually more trouble than it's worth to take that approach. Changing your password might be a good idea, but it's far less likely that FTP was their way in.