site hacked, host wants two "compromised" files replaced

URL to the page in question: www.merrillsmarauderspd.org
  • #29217
    Sheila Fredrickson
    Participant

    Howdy!

    I am a volunteer for a very small organization. Recently I upgraded the several-years-old HTML website to WordPress with the Forward theme. It looks great.

    The password on the original site was not complicated enough, and I should have changed it immediately. To make a long story short, after completing the work on the new site, the WordPress site went live about two weeks ago. Last weekend, a Google search showed the words “This site may be hacked.” Google Webmaster Tools said it was clean; Sucuri Site Check said it was compromised with SEO spammy code. I couldn’t find anything on the pages myself, so I asked our host to check it thoroughly.

    Here’s what they said …

    A scan of your account found following infected or malicious files:

    /wp-includes/functions.wp-date.php
    /wp-includes/class.wp-date.php

    They suggest that I either replace these scripts with clean copies, or delete the entire site and upload a clean copy.

    I would assume I could unZIP the theme file, find these two files and just upload them via FTP, but I could be wrong.

    Is there a better way to do this, and is it really necessary to replace the entire site? I sure hope not.

    The host is iPage, not one of my favorites. You get what you pay for, but I’m not at liberty to change the host. They have also recommended something called SiteLock. (Sounds very similar to Sucuri, but about half as much.) Anyone know anything about it?

    Thanks for any help!

    Sheila

    #29219
    Bill Robbins
    Moderator

    Sheila,

    So sorry to hear about that. Those two files that have been modified are part of the WordPress core. You may be able to fix them by reinstalling the current version of WordPress, or by making an update if one is available.

    To do that go to the Updates screen in your WordPress dashboard. At the top of this screen there will either be a notification of an available update or a button to re-install the current version. Go with the update if it’s offered, otherwise reinstall the current one.

    That should take care of those files and hopefully fix things. Keep an eye on it because sometimes these hacks are programmed to reinstall themselves if deleted.

    If I can help out, let me know.

    Thanks,
    Bill

    #29222
    Sheila Fredrickson
    Participant

    Thanks, Bill.

    I updated to 4.2.1. I didn’t realize there was another update available already. Seems like I just saw an update a few days ago.

    As quick as I finished the update, I ran a BackupBuddy full backup. Don’t know if it will help, but it couldn’t hurt. I’ve never tried to restore one of these.

    What is the best way to know if a core file is modified? Use one of the monitoring services?

    Sheila

    #29227
    Bill Robbins
    Moderator

    Your memory is good. There was a security issue discovered this morning and so a new version to fix the issue was pushed out this afternoon. Hopefully that will fix the previously modified files.

    For monitoring you’ll probably want to go with a service. I host with WP Engine myself in part because they scan sites for hacking attempts and will fix them if ever there is one. VaultPress from Automattic also provides security monitoring as part of their backup service. There are most likely many others too out there.

    If I can help out with anything, just let me know.

    Thanks,
    Bill

  • The topic ‘site hacked, host wants two "compromised" files replaced’ is closed to new replies.