Title: Determining IP from hack
Last modified: November 4, 2022

---

# Determining IP from hack

 *  Resolved [beantown123](https://wordpress.org/support/users/beantown123/)
 * (@beantown123)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/determining-ip-from-hack/)
 * I’ve been investigating a hack on my site and trying to figure out where it’s
   coming from. When I view my logs of File Changes on that specific day, it lists
   677 Added, 7 Removed, 29 Changed. I can see the two files that were hacked/changed
   but I'm trying to figure out the IP of the person who changed them. I see at the
   top of the page it lists one remote IP under Raw details but that can’t be the
   IP associated with all of the changes since some were plugin updates, etc. Is
   there anywhere I can view the specific IP for one changed file in particular?
    -  This topic was modified 3 years, 7 months ago by [beantown123](https://wordpress.org/support/users/beantown123/).

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/determining-ip-from-hack/#post-16167912)
 * Hi [@beantown123](https://wordpress.org/support/users/beantown123/),
 * I’m afraid the info you are looking for is not included in the details logged
   for a **File Change** scan.
 * +++++ To prevent any confusion, I’m not iThemes +++++
 *  Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/)
 * (@shanedelierrr)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/determining-ip-from-hack/#post-16180466)
 * Hi [@beantown123](https://wordpress.org/support/users/beantown123/), thanks for
   reaching out, and apologies for the delay. As mentioned by [@nlpro](https://wordpress.org/support/users/nlpro/),
   there is no way to determine the specific IP address responsible for the file
   change inside the File Change Raw Details. The IP address in the log is the IP
   that caused the scheduled scan to run, typically when a visitor triggers WP Cron
   (you can see this in the URL field). I recommend contacting a malware removal
   service or hosting provider to determine the malware entry point to prevent it
   from occurring again. I hope this answers your question.
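
As the replies explain, the IP in the File Change log only identifies the visitor whose request triggered WP Cron. The sketch below is an added example, not code from the thread or the plugin: it assumes you can get the web server access log (Apache/nginx "combined" format) from your host and know the changed file's modification time, and it lists the requests near that time while skipping `wp-cron.php` hits. The log lines, IPs and timestamp are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (combined format); not from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Apr/2019:10:14:02 +0000] "GET /wp-cron.php?doing_wp_cron=1554372842.1 HTTP/1.1" 200 0 "-" "WordPress/5.1"
203.0.113.45 - - [04/Apr/2019:10:14:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/7.58.0"
192.0.2.10 - - [04/Apr/2019:10:15:30 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Apr/2019:12:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed change time. In practice, take it from the changed file, e.g.
# datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc). An intruder can
# reset mtime, so treat the result as a lead, not proof.
CHANGED_AT = datetime(2019, 4, 4, 10, 15, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def candidates(log_text, changed_at, window=timedelta(minutes=5)):
    """Requests within `window` of the change, excluding WP Cron triggers."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"].startswith("/wp-cron.php"):
            continue  # this is the request the scan log attributes the run to
        if abs(rec["ts"] - changed_at) <= window:
            hits.append(rec)
    # State-changing POST requests first, then by time.
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["ts"]))

if __name__ == "__main__":
    for r in candidates(SAMPLE_LOG, CHANGED_AT):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

If the change was made over FTP/SFTP or through the hosting control panel rather than HTTP, the access log will show nothing; those services keep their own logs.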


The topic ‘Determining IP from hack’ is closed to new replies.

 * [Kadence Security – Password, Two Factor Authentication, and Brute Force Protection](https://wordpress.org/plugins/better-wp-security/)

 * 2 replies
 * 3 participants
 * Last reply from: [chandelierrr](https://wordpress.org/support/users/shanedelierrr/)
 * Last activity: [3 years, 7 months ago](https://wordpress.org/support/topic/determining-ip-from-hack/#post-16180466)
 * Status: resolved