Title: backdoor script Last modified: June 16, 2017 --- # backdoor script * Resolved [verityr](https://wordpress.org/support/users/verityr/) * (@verityr) * [8 years, 11 months ago](https://wordpress.org/support/topic/backdoor-script/) * For months now, someone has been uploading a backdoor script named “temp1-1.php” to my core files. I have 3 different security plugins running, including yours, and none of them have alerted me that this script is being uploaded; it’s my host that has been alerting me if I don’t catch it first. At least your plugin allows me to delete the script effortlessly. When I went to delete the script this morning, I noticed that in the Audit Logs I noticed an orange dot on the line with the time and User authentication succeeded, and my I.P. address. I was asleep during that time. Your plugin caught something fishy going on, but how? And with my I.P. address? What did your plugin suspect that it should show the orange warning dot next to it? I’ve been trying to stop this person from doing this for months, but to no avail. Viewing 3 replies - 1 through 3 (of 3 total) * [Gabriel Carrivale](https://wordpress.org/support/users/delreyagency/) * (@delreyagency) * [8 years, 11 months ago](https://wordpress.org/support/topic/backdoor-script/#post-9235213) * You need to check logs and stats into your cPanel or server control panel. There you will find more useful information. * Find any strange url that your visitors are accessing. Pay attention to the top URLs. There for sure you will find the method that they are using. * Example: [http://yoursite.com/admin-ajax?action=function&method=create&user_login=blabla&user_pass=blabla&role=blabla](http://yoursite.com/admin-ajax?action=function&method=create&user_login=blabla&user_pass=blabla&role=blabla) * Thread Starter [verityr](https://wordpress.org/support/users/verityr/) * (@verityr) * [8 years, 11 months ago](https://wordpress.org/support/topic/backdoor-script/#post-9237431) * Thank you very much for this information. * [yorman](https://wordpress.org/support/users/yorman/) * (@yorman) * [8 years, 10 months ago](https://wordpress.org/support/topic/backdoor-script/#post-9320963) * [@verityr](https://wordpress.org/support/users/verityr/) — You opened a different ticket here [1] asking a similar question. I hope you have found the security hole in your website that is allowing people to upload malicious code into your web server. Please consider to install a firewall in front of your website to protect it against reinfections and future attacks, there are many options in the market, if you are interested in a premium service take a look at the features offered by the Sucuri Firewall [2]. * [1] [https://wordpress.org/support/topic/malware-keeps-being-uploaded-to-my-core-files/](https://wordpress.org/support/topic/malware-keeps-being-uploaded-to-my-core-files/) [ 2] [https://sucuri.net/website-firewall/](https://sucuri.net/website-firewall/) Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘backdoor script’ is closed to new replies. * ![](https://ps.w.org/sucuri-scanner/assets/icon-256x256.png?rev=2875755) * [Sucuri Security - Auditing, Malware Scanner and Security Hardening](https://wordpress.org/plugins/sucuri-scanner/) * [Frequently Asked Questions](https://wordpress.org/plugins/sucuri-scanner/#faq) * [Support Threads](https://wordpress.org/support/plugin/sucuri-scanner/) * [Active Topics](https://wordpress.org/support/plugin/sucuri-scanner/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/sucuri-scanner/unresolved/) * [Reviews](https://wordpress.org/support/plugin/sucuri-scanner/reviews/) * 3 replies * 3 participants * Last reply from: [yorman](https://wordpress.org/support/users/yorman/) * Last activity: [8 years, 10 months ago](https://wordpress.org/support/topic/backdoor-script/#post-9320963) * Status: resolved