• Resolved thomaswebdesigns

    (@thomaswebdesigns)


    Hello,

    We are getting multiple websites hacked, with a trumpweiss user created and a plugin named hellos installed, along with filemanager and advanced file manager plugins. If we clean a site, it gets hacked again and again, even if we replace core WP files. It is happening for at least 20-25 websites. Do you have any information about this hack?


Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @thomaswebdesigns, sorry to hear that.

    We always recommend that you make a full backup of your site before making any changes.

    Wordfence is an endpoint firewall that runs after PHP loads, so an external area of attack could have been used. Databases, hosting control panels, and FTP can all be accessed without loading the site with Wordfence protection. That sounds increasingly possible when you’ve completely cleared multiple sites (I’m assuming on the same hosting platform?) and started again. Try to protect all admin accounts (including those for WordPress) with long complex passwords and 2FA wherever it’s available.

    We advise you to update your passwords for your hosting control panel, FTP, existing WordPress admin users, and database if somebody has gained access to modify any files. Make sure to do this.

    I will provide our site cleaning instructions for you below, which may be useful to check:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful. We provide a site cleaning service should you need further assistance, as do other companies.

    Many thanks,
    Peter.

    Hi,

    Yes — we’ve been seeing the exact same pattern across multiple sites recently (especially the trumpweiss user + file manager plugins like “hellos”, WP File Manager, etc.).

    From what we’ve found, this usually means the site still has persistent access somewhere, so even after cleanup it gets reinfected.

    A few key things to check that are commonly missed:

    • Check Users in wp-admin AND directly in the wp_users table (attackers often add users via the database)
    • Review wp_usermeta for any accounts with admin privileges
    • Completely remove any file manager–type plugins (these are heavily abused)
    • Run a full scan with Wordfence Security and make sure “scan outside WordPress installation” is enabled
    • Check for malicious files outside public_html or in writable directories
    • Reset all passwords (WP, FTP, DB, hosting panel)
    • Ensure WAF/ModSecurity is enabled on the server

    In most reinfection cases we’ve handled, the cause was either:

    • leftover backdoors outside the WP install, or
    • a hidden admin user in the database

    I put together a more complete checklist here if it helps:
    https://www.hostking.co.za/wordpress-malware-cleanup

    Hope that helps — this one’s been hitting quite a few sites lately.
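
The wp_users / wp_usermeta check from the list above can be done with a single query. This is an added example, not part of either reply and not Wordfence's own tooling. It assumes the default `wp_` table prefix and a hypothetical allowlist of known admin logins; the sample rows are constructed, and SQLite stands in for MySQL so the script runs offline.

```python
import sqlite3

# Assumption: default "wp_" table prefix. The same SELECT runs on MySQL/MariaDB;
# sqlite3 is used here only so the example runs offline.
ADMIN_QUERY = """
SELECT m.user_id, u.user_login, u.user_registered
FROM wp_usermeta AS m
LEFT JOIN wp_users AS u ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator";b:1%'
ORDER BY m.user_id
"""

def audit_admins(conn, expected_logins):
    """Return (user_id, login, registered, reason) for every admin row to review."""
    findings = []
    for user_id, login, registered in conn.execute(ADMIN_QUERY):
        if login is None:
            reason = "capabilities row with no matching wp_users row"
        elif login not in expected_logins:
            reason = "administrator not on the expected list"
        else:
            continue
        findings.append((user_id, login, registered, reason))
    return findings

def build_sample_db():
    """Constructed sample rows; dates and IDs are made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
            (1, 'siteowner', '2021-03-04 10:00:00'),
            (2, 'editor1', '2022-06-01 09:30:00'),
            (57, 'trumpweiss', '2025-01-15 02:11:00');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (57, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (99, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    for row in audit_admins(build_sample_db(), expected_logins={"siteowner"}):
        print(row)
```

Because the query reads the tables directly, it also lists accounts that something on the site hides from the wp-admin Users screen.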
