2

I have a website built with WordPress. Unfortunately, somebody has hacked it several times, deleted my AdSense code and put in his own AdSense code.

I tried many security techniques: changed the database name, did some things to prevent anybody from editing files through the admin panel, etc.

But this guy got in and put his AdSense code in again yesterday. Because of this, I couldn't make any money yesterday; Google AdSense doesn't appear immediately, it takes more than 12 hours.

He only changes 2 files: header.php (a template file of the theme) and ads.txt (in the main directory).

How can I renew these 2 files (replace old ones with backup ones) every 30 minutes automatically?

Thank you!

  • 19
    While the context itself is an information security problem, your solution of periodically replacing files on the server is not. This is just some cron job or scripting or whatever your specific system offers, i.e. __off-topic__. But as already said in an answer, your attempted solution is a bad idea in the first place, since it only (badly) addresses the symptoms and not the cause. And it also addresses only the symptoms you are actually aware of. There might be much deeper problems with your compromised system. – Steffen Ullrich Apr 03 '21 at 08:45
  • 7
    Basically, you propose to relock your door after each break-in... – Aganju Apr 03 '21 at 22:58
  • 1
    The question asked here would be better placed on [Server Fault](https://serverfault.com/). But the *real* question is [how to stop the attacker from tampering with the site to begin with](https://security.stackexchange.com/q/24007/244958). – Brian Drake Apr 04 '21 at 11:01
  • Have you tried looking at the logs to see which user they are using to log in and make the changes? How about you then delete that user or update its password, and any other details which may allow them access? – SacredGeometry Apr 04 '21 at 14:58
  • For the time being you could make that whole directory editable only by a certain user ... also, if you are on *nix, make sure root wasn't compromised. – SacredGeometry Apr 04 '21 at 14:59

1 Answer

34

Reverting the changes every 30 minutes is not a solution. You absolutely need to find out the root cause and stop this from happening by removing the vulnerability or the persistence. This may include monitoring the logs and other forensics, but a fresh installation of WordPress (or, in the worst case, of the entire server) might also be required.

Esa Jokinen
  • 12
    +1. OP, in addition to the potential causes mentioned above, you may be using a WordPress plugin that has a known vulnerability. See https://patchstack.com/database/ – mti2935 Apr 03 '21 at 10:27
  • 21
    I keep hitting my head against the door frame. Where can I get an automatic aspirin dispenser? – Barmar Apr 03 '21 at 22:14
  • Maybe change the password too? – Aganju Apr 03 '21 at 23:00
  • Maybe your attacker is using a `cron` job to replace the key files, or some e-mail trigger? Say, for example, if you're on *cPanel*, something to check is the mail filters: a filter can be established that responds to some key e-mail trigger and then performs some function via the CLI. Check `find /home/user/ -name filter -ls` to see if any filters have been installed unexpectedly. While you're at it, check *cPanel > Track Delivery* to see if strange e-mails are hitting your server and being processed by a pipe. (There would be equivalents on other hosting systems.) – brynk Apr 04 '21 at 09:41
  • 2
    The attacker may be using `cron` jobs or mail filters, but they may also be doing any number of other things. [Nuke it from orbit!](https://security.stackexchange.com/questions/24195/how-do-you-explain-the-necessity-of-nuke-it-from-orbit-to-management-and-users) – Brian Drake Apr 04 '21 at 10:58
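The answer and its comments point at forensics rather than a periodic revert: you want to know *which* files are changing, *when*, and whether anything new has been dropped, because that is what leads you to the entry point or the persistence. The script below is an added example, not code from the question, the answer or any of the commenters. It takes a SHA-256 baseline of a WordPress document root from a known-good copy and then reports modified, missing and newly appeared files; `wp-content/uploads` is excluded because it changes legitimately. Every path, theme name and file in it is constructed for the demo, and the assumed layout (`public_html/`, a theme at `wp-content/themes/mytheme/`) is an assumption, not something the thread states. The baseline should live outside the document root, ideally where the web server user cannot write, and the check can then be run from cron or by hand.

```shell
#!/bin/sh
# Added example, not code from the original post: a hash-based integrity
# check for a WordPress document root. Rather than blindly re-copying
# header.php and ads.txt every 30 minutes, take a baseline once from a
# known-good tree, then run the check to learn WHICH files changed and
# whether anything new was dropped. Every path and file below is constructed.
set -u
export LC_ALL=C   # sort and comm must agree on collation

# build_baseline DOCROOT BASELINE
# BASELINE must be an absolute path outside DOCROOT, ideally somewhere the
# web server user cannot write. wp-content/uploads is skipped because it
# changes legitimately; the rest of a WordPress tree should stay static.
build_baseline() {
    docroot=$1 baseline=$2
    ( cd "$docroot" && find . -type f ! -path './wp-content/uploads/*' -print0 \
        | sort -z | xargs -0 -r sha256sum ) > "$baseline"
}

# check_integrity DOCROOT BASELINE
# Prints one "MODIFIED <file>", "MISSING  <file>" or "NEW      <file>"
# line per finding. Returns 0 if the tree matches the baseline, 1 otherwise.
check_integrity() {
    docroot=$1 baseline=$2 found=0
    # sha256sum -c prints "<file>: FAILED" for changed files and
    # "<file>: FAILED open or read" for files that have disappeared.
    failures=$( cd "$docroot" && sha256sum -c --quiet "$baseline" 2>/dev/null ) || true
    while IFS= read -r line; do
        file=${line%%: FAILED*}
        case $line in
            *'FAILED open or read') printf 'MISSING  %s\n' "$file" ;;
            *'FAILED')              printf 'MODIFIED %s\n' "$file" ;;
            *) continue ;;
        esac
        found=1
    done <<EOF
$failures
EOF
    # Files the baseline never saw (dropped web shells, "plugins" nobody
    # installed). sha256sum -c only checks files listed in the baseline.
    ( cd "$docroot" && find . -type f ! -path './wp-content/uploads/*' ) | sort > "$baseline.now"
    cut -c67- "$baseline" | sort > "$baseline.known"   # 64 hex chars + 2 spaces, then the path
    new=$(comm -13 "$baseline.known" "$baseline.now")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW      /'
        found=1
    fi
    rm -f "$baseline.now" "$baseline.known"
    return "$found"
}

# demo_tamper: end-to-end run on a throwaway tree. Baselines it, then
# simulates what the question describes (header.php and ads.txt rewritten
# with someone else's AdSense id), plus a dropped PHP file, a deleted file
# and a legitimate upload. Prints the report; the upload must not appear.
demo_tamper() {
    work=$(mktemp -d)
    docroot=$work/public_html
    mkdir -p "$docroot/wp-content/themes/mytheme" \
             "$docroot/wp-content/plugins" "$docroot/wp-content/uploads"
    printf '<?php /* constructed header */ ?><script data-ad-client="ca-pub-OWNER"></script>\n' \
        > "$docroot/wp-content/themes/mytheme/header.php"
    printf 'google.com, pub-OWNER, DIRECT, f08c47fec0942fa0\n' > "$docroot/ads.txt"
    printf 'constructed readme\n' > "$docroot/readme.html"

    build_baseline "$docroot" "$work/baseline.sha256"

    # --- simulated compromise (constructed) ---
    printf '<?php /* constructed header */ ?><script data-ad-client="ca-pub-ATTACKER"></script>\n' \
        > "$docroot/wp-content/themes/mytheme/header.php"
    printf 'google.com, pub-ATTACKER, DIRECT, f08c47fec0942fa0\n' > "$docroot/ads.txt"
    printf '<?php /* constructed web-shell stand-in */ ?>\n' > "$docroot/wp-content/plugins/.cache.php"
    rm "$docroot/readme.html"
    printf 'new photo, a legitimate change\n' > "$docroot/wp-content/uploads/photo.jpg"

    if check_integrity "$docroot" "$work/baseline.sha256"; then
        echo CLEAN
    fi
    rm -rf "$work"
}

demo_tamper
```

The report names the two files from the question as MODIFIED, the deleted file as MISSING and the dropped `.cache.php` as NEW, while the changed upload is not reported. In practice you would run `build_baseline` once against a clean install and `check_integrity` from cron, keeping the output (with timestamps) so the modification times can be lined up against the web server and authentication logs; a file that keeps changing while no admin was logged in points at a vulnerable plugin or a separate persistence mechanism such as the cron jobs and mail filters mentioned above.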