Title: Malicious file upload php attacks
Last modified: January 19, 2018

---

# Malicious file upload php attacks

 *  Resolved [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/)
 * Hello,
 * Yesterday I saw in Wordfence that I had 17 malicious file upload php attacks,
   all attacks going to my wp-content plugins. I am worried about seeing such a
   large number of attacks, what does it mean and how can these happen? Here is
   one example:
   wp-content/plugins/sharexy/ajaxresponder.php or
   wp-content/plugins/codecanyon-157782-video-gallery-wordpress-plugin-w-youtube-vimeo-/upload.php
   I am worried if my site is being hacked.
 * Can you please help and advise me? Just before I had 6 alerts regarding plugins,
   but these issues are resolved; I contacted the owners, who did updates. I only
   have one that is not up to date and needs to be replaced. I am frightened by
   seeing all these attacks and hope you will be able to advise me.
   Thank you very much

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [wfyann](https://wordpress.org/support/users/wfyann/)
 * (@wfyann)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9883521)
 * Hi [@fleurette](https://wordpress.org/support/users/fleurette/),
 * Please follow the steps outlined in our [site cleaning guide](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/).
 *  Thread Starter [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9885871)
 * Thank you very much! I had some alerts from September, but since then not anymore.
   As Wordfence regularly scans my site, if it does not report new issues, then 
   everything is safe again?
    Thank you again!
 *  [wfyann](https://wordpress.org/support/users/wfyann/)
 * (@wfyann)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9886523)
 * [@fleurette](https://wordpress.org/support/users/fleurette/),
 * If you’ve taken actions to remediate the reported vulnerabilities/issues then
   your site should be safe.
   But I still strongly advise following the site cleaning guide.
 *  Thread Starter [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9887156)
 * Hello again,
 * Thank you for your reply. I am afraid I am not a website developer and don’t
   have the technical knowledge to recognize if there are malicious files; I would
   be afraid of doing something wrong. I have never done anything like this before,
   and don’t feel comfortable deleting directories. What could I do?
   I am replacing the unsafe plugins with up to date ones and deleting the old
   plugins. Thank you for your kind assistance in this matter!
 *  [wfyann](https://wordpress.org/support/users/wfyann/)
 * (@wfyann)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9891619)
 * Hi [@fleurette](https://wordpress.org/support/users/fleurette/),
 * What I recommend is to make a backup of your site (**files + database**) before
   deleting any directory; that way you can always roll back if anything seems to
   have gone wrong.
 * Replacing/removing unsafe plugins and making sure the remaining ones are up-to-
   date is most definitely a smart move!
 *  Thread Starter [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9904252)
 * Hello again,
 * thank you, I am doing backups regularly and now removed the plugins Wordfence
   pointed out to me. I could not see anything unusual uploaded in wp-content, so
   I hope, as Wordfence blocked the attacks that everything is fine. I saw in live-
   traffic that these attacks keep happening from countries all over the world.
 * I am still unsure about a setting in Wordfence: How should we treat Google crawlers –
   what option is best to use? I read the article about it but still am not sure
   whether to set it to verified Google crawlers have unlimited access or treat
   Google like any crawler. Would you be able to advise me?
 * Also, I had – if anyone’s request exceeds…set to 60 per minute, your article
   mentions 240, what is best to do?
 * The rule – how long is an IP blocked when it breaks a rule, what is the best
   setting for it? I often block IPs from Russia permanently as I noticed they
   keep coming back if I don’t. Is it advisable to set this to a longer time, i.e.
   10 days?
 * Can the web firewall be optimized without premium?
 * Thank you very kindly for your assistance!
   kind regards, Fleurette
 *  Thread Starter [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9914631)
 * Hello,
 * I would like to ask one more thing regarding the attacks on my website. Recently
   I noticed in Wordfence that almost daily I am receiving malicious file upload
   attacks from bots all over the world. I did not notice these before, and still
   feel alarmed. Is that a recent change in Wordfence, or is there anything I should
   do? I am concerned about these attacks. Wordfence scan showed no more alerts,
   but it still shows ongoing attacks like these: Vietnam Hanoi, Vietnam was blocked
   by firewall for Malicious File Upload (PHP)
   Can you please help me? Thank you very much, Fleurette
 *  Thread Starter [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-9941094)
 * Hello again,
 * I checked diagnostics in Wordfence and saw a red alert regarding connecting to
   Wordfence servers. There is a long error message in “connecting back to this
   site”.
   How do I fix this, and what is the issue? This is what it says at the
   beginning of the message: test back to this server failed! Response was: 403
   Forbidden<br />
 * I also would like to inquire, what does the response code 200 mean?
   Thank you very much! Fleurette
 *  [wfyann](https://wordpress.org/support/users/wfyann/)
 * (@wfyann)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-10013562)
 * Hi [@fleurette](https://wordpress.org/support/users/fleurette/),
 * Sorry about the delayed response.
 * In order to launch scans Wordfence needs the server to connect to itself; in 
   your case it seems it isn’t allowed to do so. I suggest you reach out to your
   hosting provider so they can look into the reason why this is happening.
 * The response code “200” means OK: the request was successful.
 *  Thread Starter [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-10014077)
 * Hello again,
 * thank you so very much. It is strange I do have a green hook next to it yet it
   shows the red alert again:
    wp_remote_post() test back to this server failed!
   Response was: 403 Forbidden<br /> ..and much more. I will try to ask my hosting
   provider about it, thank you so much. Does that mean Wordfence is not able to
   scan my site at all?
 * Thank you so very much for your support, I truly appreciate it.
 * kind regards, Fleurette
 *  [wfyann](https://wordpress.org/support/users/wfyann/)
 * (@wfyann)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-10028328)
 * Hi [@fleurette](https://wordpress.org/support/users/fleurette/),
 * Could you please share a [screenshot](https://www.wordfence.com/help/advanced/troubleshooting/#how-to-take-a-screenshot)
   of that page – make sure to hide any sensitive info (IP addresses, paths, …).
 * The 403 itself could be caused by blocking access to “_wp-admin/_” with “_.htaccess_”.
   Is that the case?
 *  Thread Starter [fleurette](https://wordpress.org/support/users/fleurette/)
 * (@fleurette)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-10030433)
 * Hello again,
 * I am so very thankful for your reply. Yes, that may well be, I never thought
   that it would affect Wordfence. Nevertheless, I think the scans still happened
   as Wordfence made me aware of risk issues with outdated plugins.
 * I contacted my host provider who found that a file indeed had been uploaded, 
   and they said they now took care of the situation. It seems my site may really
   have been compromised, sadly. But they said they took care of it all.
 * I do thank you so much again for your kind support and assistance, I am really
   grateful.
 * Thank you again for everything!
    Fleurette
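
The thread turns on the difference between upload attempts the firewall blocked and one that actually landed a file, and on what a 200 response means. As an added example (not from the thread or from Wordfence), this Python function triages web-server access-log lines for direct POSTs to plugin PHP files by response status; the log lines and IP addresses are constructed, and treating 403 as "blocked" is an assumption about how the server logs firewall blocks.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A request aimed straight at a PHP file inside a plugin directory.
PLUGIN_PHP_RE = re.compile(
    r'^/wp-content/plugins/(?P<plugin>[^/]+)/(?:.*/)?[^/?]+\.php(?:\?|$)'
)

def bucket_for(status):
    """Map an HTTP status to a triage bucket (403 = blocked is an assumption)."""
    if status in (401, 403):
        return "blocked"          # firewall or server refused the request
    if status in (404, 410):
        return "not_installed"    # probe for a plugin that is not present
    if 200 <= status < 300:
        return "reached_script"   # the PHP file ran: check the file system
    return "other"

def triage(lines):
    """Group direct POSTs to plugin PHP files by outcome."""
    result = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = PLUGIN_PHP_RE.match(m["path"])
        if p:
            status = int(m["status"])
            result[bucket_for(status)].append((m["ip"], p["plugin"], status))
    return dict(result)

# Constructed sample lines (documentation IP ranges; paths as quoted in the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jan/2018:10:01:02 +0000] "POST /wp-content/plugins/sharexy/ajaxresponder.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Jan/2018:10:05:40 +0000] "POST /wp-content/plugins/codecanyon-157782-video-gallery-wordpress-plugin-w-youtube-vimeo-/upload.php HTTP/1.1" 404 210 "-" "python-requests"',
    '192.0.2.50 - - [18/Jan/2018:10:09:11 +0000] "POST /wp-content/plugins/sharexy/ajaxresponder.php HTTP/1.1" 200 17 "-" "curl/7.58"',
    '192.0.2.9 - - [18/Jan/2018:10:10:00 +0000] "GET /wp-content/plugins/sharexy/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [18/Jan/2018:10:10:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(bucket, hits)
```

A hit in `reached_script` is not proof of compromise, only that the plugin file executed; those are the entries to follow up with a file-system check or the hosting provider.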

The topic ‘Malicious file upload php attacks’ is closed to new replies.

 * 12 replies
 * 2 participants
 * Last reply from: [fleurette](https://wordpress.org/support/users/fleurette/)
 * Last activity: [8 years, 3 months ago](https://wordpress.org/support/topic/malicious-file-upload-php-attackes/#post-10030433)
 * Status: resolved