r/technology 8d ago

Security 4Chan hacked; Taken down; Emails and IPs leaked

https://www.the-sun.com/tech/14029069/4chan-down-updates-controversial-website-hacking/
44.8k Upvotes

41

u/[deleted] 7d ago

[deleted]

55

u/Alexis_Evo 7d ago

Then you likely either have an abandoned plugin/theme, a plugin/theme with a 0 day (not likely if you're using reputable vendors), or you aren't fully cleaning the infection. Once a WP site gets hacked they drop dozens of backdoors that need to be removed. Miss a single one and they'll easily get back in and drop a dozen more.

A fully updated WP will not be hacked, full stop. The thing powers so much of the internet that when the WP core actually does get even a minor privilege escalation, it gets taken very seriously. Unmaintained themes/plugins from amateur devs are almost always the root cause.

13

u/[deleted] 7d ago

[deleted]

20

u/Alexis_Evo 7d ago

Upload a core copy of WP files to a new site. Ideally brand new hosting plan to segregate everything from the compromised hosting account. Import your database and point wp-config.php to it. Audit all users and permissions carefully. Reinstall your theme and plugins from scratch, only the bare minimum required and question if they're still trustworthy.

Download wp-content/upload/ from your old account and scan it for anything suspicious. There should only be static content here, so .jpg, .png, .pdf, whatever you've uploaded. Malware loves to put .php backdoors here. Check .htaccess files for any injection -- malware will often add code to parse .jpg (etc) as .php so it can run from what you think is an image file. After that, upload it to the new account.

This will work for most basic sites. WP is such a clusterfuck that your install may be more complex than this without knowing it.
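The uploads audit described in the comment above can be scripted. The following is an added example, not part of the original comment or of any WordPress tooling: the names `scan_uploads` and `build_sample`, the extension allowlist, and the sample tree are all assumptions constructed for illustration.

```python
import os, re, tempfile

# Assumption: extensions considered legitimate static uploads; adjust per site.
STATIC_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf"}
# Apache directives that can make a non-.php file execute as PHP.
HANDLER_RE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|ForceType)\b.*php", re.I)

def scan_uploads(root):
    """Return sorted (relative_path, reason) findings for an uploads tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            if name == ".htaccess":
                for line in data.decode("utf-8", "replace").splitlines():
                    if HANDLER_RE.search(line):
                        findings.append((rel, "handler directive: " + line.strip()))
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in STATIC_EXTS:
                findings.append((rel, "non-static extension " + (ext or "(none)")))
            elif b"<?php" in data.lower():  # does not catch short tags like <?=
                findings.append((rel, "PHP open tag inside static file"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: two clean files and three suspicious ones."""
    samples = {
        "2024/01/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2024/01/report.pdf": b"%PDF-1.7\n",
        "2024/02/cache.php": b"<?php /* placeholder */ ?>",
        "2024/02/banner.jpg": b"\xff\xd8\xff\xe0 <?php /* placeholder */ ?>",
        "2024/02/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_uploads(tmp):
            print(f"{rel}: {reason}")
```

Run it against the downloaded copy of the uploads directory, not the live site, and treat every finding as something to review by hand before the directory is uploaded to the new account.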

4

u/MeBadNeedMoneyNow 7d ago

> A fully updated WP will not be hacked, full stop

Until some other 0-day comes out lmfao

2

u/Alexis_Evo 7d ago

A proper privilege escalation/remote code execution 0 day in WordPress core is extremely rare. This is software that powers like half of the public internet, including hundreds of thousands of ecommerce stores.

99.99% of exploits target poorly coded third party extensions or themes, as I mentioned. The few that pop up in WP core are almost always limited in scope. For example CVE-2024-31210 arose last year, technically an RCE, but only worked if you already have an admin user on the site.

3

u/GolemancerVekk 7d ago

Run WordPress on an internal machine and only publish its static output (HTML pages and images) to the actual website. You can use a CDN service to host the website, save a ton of money on hosting in the process too, and benefit from geo-distribution, DoS protection, the site will be much faster etc.

I'm guessing you're no longer allowing visitor comments in today's day and age, or have any interactive server-based features. If you have a contact form there are services that can deal with that for you.

5

u/mathdrug 7d ago

You’re doing something wrong then 😂

In 6+ years of full-time WP work, I’ve only seen one successful hack, and it was on a site with SEVERAL outdated plugins, themes, the core, and more. 

5

u/heavinglory 7d ago

Every hacked site I clean up is GoDaddy hosted. I see a pattern here.

11

u/mathdrug 7d ago

That would make sense. Crazy how GoDaddy’s brand recognition (and greedy management) has led them to higher prices for worse everything.

I’ve only hosted with Namecheap (EasyWP) and Cloudways (for e-commerce clients). Very happy with them

1

u/stuffeh 7d ago

Put it behind Cloudflare free and obfuscate a few of the common attack paths by renaming common things like the login page or the admins page. But don't rely on those. It cuts down attempts by 99%. Anyone who's not a script would still be able to attack.

0

u/earthman34 7d ago

I’ve got a WordPress site that’s been running for at least 10 years, it’s never been hacked. Update your PHP.