Recently I got my website compromised so I cleaned it and enforce security. Among other things I've installed wordfence plugin that now scans everything in my worpdress installation, searched for the correct file permissions, etc...

The problem is that I've found in a scan that many files (theme/functions.php and another files inside wp-includes) were modified AGAIN...so definetely I'm doing something wrong.

Please anybody can give a complete guide to secure files in order no to be modified by attackers again?

Recently I got my website compromised so I cleaned it and enforce security. Among other things I've installed wordfence plugin that now scans everything in my worpdress installation, searched for the correct file permissions, etc...

The problem is that I've found in a scan that many files (theme/functions.php and another files inside wp-includes) were modified AGAIN...so definetely I'm doing something wrong.

Please anybody can give a complete guide to secure files in order no to be modified by attackers again?

• security

• 3 Installing Wordfence won't help you. It's just a plugin - if there's a vulnerability on your site and malware can inject some code (modify files) then it can also modify Wordfence. Also scanning with Wordfence doesn't make much sense - if you think some files are infected, then you shouldn't trust any plugin... You have to clean and secure your site properly - plugins won't help. If the problem occurs more than once, then it's a good idea to find some professional help. – Krzysiek Dróżdż Commented Sep 10, 2019 at 8:42

2 Answers 2

If you have SSH access and WP-CLI is installed you can try running wp core verify-checksums to see if any Core files have been modified.

If things are changing without your knowledge, then your site is compromised. That can be fixed, with some effort. Generally:

• change all credentials (host, ftp, wp admin), using strong passwords
• reinstall WP from the admin,updates screen
• check for any admin users that aren't supposed to be there. Don't just delete them, but change their 'role' to the lowest value.
• check all files (look inside) for bad code. Use an editor that wraps long lines, so the bad code is not hiding.
• reinstall all plugins from original sources (not via add plugin, but download the files locally, unzip, then FTP to the proper folder)
• look for any files with a date other than today (after you have re-uploaded all themes/plugins again).
• look for any funny folders or double-extension file names. Look inside those folders for files that aren't supposed to be there.

The above is not in a specific order. I use my process described here: https://securitydawg/recovering-from-a-hacked-wordpress-site/ . It has worked to 'de-hack' a WP site. Takes some work, but it can be done.