If you have gone to the trouble of removing viruses and tampering from your WordPress site, but are immediately reinfected (tampering due to hijacking), here are the causes and remedies.
0 Reasons why you are immediately reinfected even after disinfection of viruses and malware
After a hacker tampering with WordPress, you may be reinfected immediately after examining your files and cleaning up the files notified by the server company to get rid of the tampering.
There are four main reasons for this.
1 The site has been hijacked, allowing hackers to log in as administrators
2 The site is still vulnerable.
3 A backdoor has not been removed to allow the hacker to deface the site.
4 Another WordPress site on the server is infected, and other sites are being defaced via that WordPress site.
We will introduce measures to prevent reinfection for these reasons as much as possible.
1 Change the password of the user with administrative privileges
If a hacker has already obtained your password and has access to the WordPress administration screen, he or she can easily tamper with your files from the administration screen.
If you have had WordPress tampering removed, change the passwords of all users with administrative privileges.
If possible, we recommend that you use a strong password that is automatically generated by WordPress.
2. Set the folder and file write permissions to disabled.
Since hackers can remotely tamper with files, it is quite effective to connect to the server with FTP software and make everything except the wp-content/uploads folder (the folder where images and other files are uploaded) un-writable.
Using software such as FileZilla, uncheck write permissions and change permissions on folders and files.
3 Let’s detect backdoors
A backdoor is a back door that allows a hacker to easily rewrite a site’s program. While harmless in themselves, backdoors are very dangerous to leave behind because they can generate tampering files on a site in any way they choose.
For example, the following code is a backdoor
eval($_POST["mycode"]);
In many cases, hackers obfuscate and hide the code to prevent this backdoor from being discovered.
Example of obfuscated code
${"G\x4cO\x42\x41L\x53"}["\x64\x7aa\x77h\x78\x78\x5f\x5f\x5f\x6c_\x62y\x62t\x63o\x68h\x6dx\x67y\x64\x62\x65q\x61q"]
Backdoors can be detected for free with the WordPress Doctor Malware Scanner. We hope you will use it.
4 Update your vulnerable plugins and themes!
Vulnerabilities in the program’s code may allow hackers to send code to your server to assist them in defacing your site or other activities similar to the backdoor mentioned above.
The easiest way to eliminate vulnerabilities would be to update WordPress itself, themes, and plugins to the latest versions.
You can use the WordPress Doctor security scanner to check for vulnerabilities in the plugins and themes on your site, and we recommend that you update your plugins and themes immediately if there are any high-risk vulnerabilities.
WordPress Vulnerability Assessment Security Scanner
5 Suppress brute force attacks to avoid losing administrator privileges
The most common method used by hackers to steal administrator privileges is a brute force attack.
A list of tens of thousands of passwords is used to find the passwords by mechanically logging in to the site repeatedly.
The WordPress Doctor Malware Scanner developed by WordPress Doctor has a function to suppress brute force attacks, so you can greatly improve your security by enabling it.
6 Detect and block hacker tampering in real time!
WordPress Doctor Malware Scanner is the world’s first WordPress security plugin to block hacking before malware infection.
Once hackers discover a vulnerability, they may immediately try to deface your site again, even after you have eliminated the malware by embedding a backdoor or other means. This feature allows you to capture the moment a hacker sends malware code, block it, and log it, including its IP.
The hacker’s IP can also be completely blocked with the IP blocking function to prevent the hacker from accessing the site.
This feature can be enabled by subscribing to the latest malware patterns.
7 Check for other websites on your server that have been tampered with!
If you have multiple sites on your server, even if you clean the site directory for a particular WordPress site, other WordPress sites in other folders may have been tampered with as well, causing the tampering to skip over that folder.
You can use websites such as Sucuri Site Check to check for other sites on your server that may be infected.
https://sitecheck.sucuri.net/
This site checks from the outside and is not as accurate.
Please use the WordPress Doctor Malware Scanner to check other sites on the same server for malware from the inside.