My websites on a WordPress service provider keep getting hacked

cipangohill

3:48 pm on Dec 21, 2020 (gmt 0)

5+ Year Member



I'm having this big problem. I have 3 Ubuntu VPS boxes with [a WordPress service provider] and a dozen websites on each, and the problem affects all of them. All are WordPress.
What happens is, I keep cleaning the sites and they get re-injected with malicious files. I wonder how they regain access.
I have some newly built sites on clean installations that also got infected, so I suspect the infections bleed from one site to the next. [This WordPress service provider] puts all the website folders under the same www-data user, so scripts that want to go between folders aren't blocked by permissions.
All I could do to slow this down was to make root the owner of the sites as I clean them. I put all WP files, plus the themes and plugins folders under root. Everything else in WP-Content stays under www-data. This seems to stop the reinfection of these sites, but then they need to have permissions changed every time I update something.
I do not see new WordPress users. I haven't changed user passwords or database passwords lately, I admit.
Could database injections be the cause for reinfection?
Today I had hardly finished cleaning a site when some files were already reinfected. This is consuming increasingly more of my time, and I don't see a solution.

[edited by: phranque at 9:08 pm (utc) on Dec 22, 2020]
[edit reason] hosting specifics [/edit]
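
The ownership split described in the post above (core, themes and plugins owned by root, the rest of wp-content left to www-data) can be audited per site with a short script. This is an added example, not part of the original post; the function names, the www-data default and the /var/www path are assumptions.

```bash
#!/usr/bin/env bash
# Added example (constructed, not from the thread): audit the ownership split
# described in the first post. Assumes a stock WordPress layout and that the
# web server runs as www-data; all function names are hypothetical.

# List everything the web user still owns in places the scheme hands to root:
# WordPress core (all of the site root except wp-content), themes and plugins.
audit_wp_ownership() {
    local root="${1:?site root required}" web_user="${2:-www-data}" d
    root="${root%/}"   # drop a trailing slash so the -path test matches
    find "$root" -path "$root/wp-content" -prune -o -user "$web_user" -print
    for d in themes plugins; do
        if [ -d "$root/wp-content/$d" ]; then
            find "$root/wp-content/$d" -user "$web_user" -print
        fi
    done
}

# List PHP files changed in the last N minutes in the part of wp-content that
# stays writable by the web user (everything except themes and plugins).
recent_php_in_writable() {
    local root="${1:?site root required}" minutes="${2:-1440}"
    root="${root%/}"
    find "$root/wp-content" \
        \( -path "$root/wp-content/themes" -o -path "$root/wp-content/plugins" \) -prune \
        -o -type f -name '*.php' -mmin "-$minutes" -print
}

# Run both checks over every site on the box, since all sites share one user.
# Usage: audit_all /var/www/*   (the path is an assumption; adjust to your layout)
audit_all() {
    local site
    for site in "$@"; do
        [ -f "$site/wp-config.php" ] || continue   # skip non-WordPress folders
        echo "== $site: code paths owned by the web user"
        audit_wp_ownership "$site"
        echo "== $site: PHP changed in the last 24h in writable wp-content"
        recent_php_in_writable "$site" 1440
    done
}
```

Empty output from the first check means the web user owns nothing in the paths the post puts under root; anything the second check lists is worth reading by hand before the next cleanup.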

phranque

9:11 pm on Dec 22, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Welcome to WebmasterWorld [webmasterworld.com], cipangohill!

I would suggest asking these questions in the support forum for your WP service supplier.

JorgeV

9:52 pm on Dec 22, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Hello,

When you proceed with a clean install, do you use a robust password?

phranque

10:00 pm on Dec 22, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



When you proceed with a clean install, do you use a robust password?

I haven't changed user passwords or database passwords lately, I admit.

tangor

12:36 am on Dec 23, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Where are you obtaining your data to "clean up" ... are you using a backup? Is that backup clean? The one COMMON source for all you've described is YOU. Perhaps the malicious is in your backup?

These kinds of things are a nightmare to clean up.

MEANWHILE, change all passwords for ANYTHING you use that connects to the site(s).

cipangohill

5:42 am on Dec 23, 2020 (gmt 0)

5+ Year Member



Thanks all for the responses. Turns out this VPS may be compromised. I started moving the sites to a new VPS one by one, and once cleaned, they appear to stay clean (hope I'm not speaking too early).

I use GOTMLS, WP Cerber and Wordfence for scanning. Each is useful in its own right. GOTMLS and Wordfence scan the files one by one, WP Cerber uses checksums on the WP files, theme and plugins. One of the sites also had an SQL injection that GOTMLS detected.