This is a case of general security. At a minimum do the following steps:
- Delete the file you found in wp-admin
- Delete the htaccess file
- Download the official wordpress from wordpress.org and upload it to your server, overwriting anything it finds. If possible delete the wp-admin and wp-includes folders and any files starting with wp- in the root folder.
- Do the same for any plugins or themes, use local backups if they aren't from the repository
- Set up the correct permissions for your folders very important
- Move wp-config.php one folder up from your index.php if possible
- Do the same for any other WordPress installs on that server, if one is compromised, they're all compromised, and you need to keep them all up to date
- Check for Timthumb, if you're using it consider using the WordPress APIs instead, and if you won't, then make sure you're using the very latest version.
- Run your active themes through the WordPress theme check plugin, fix as many of the warnings and deprecated notices as is possible
- Check your plugins for security breaches. Some people use plugins that are by design gaping security holes, e.g. embedding PHP code in posts
- Perform appropriate checks on any non-WordPress software installed.
If you have backups, remember that simply restoring them will not make everything fine, as you're still open tot he same attack. You need to close the hole that let the malware in.
For good measure you should also:
- Use FTP or shell to change the file system, and do manual wordpress/plugin updates, only the wp-content/uploads folder should be writable
- Change the first admin user to a normal user and use a different admin account, and change the user name
- Use any database prefix other than
wp_ - Use the WordPress upload mechanisms and WordPress filesystem API instead of reinventing the wheel when writing uploaders or writing/reading files using the native PHP file APIs
- Disable the use of
evalin php.ini - Always keep WordPress up to date and avoid deprecated APIs
https://wordpress.stackexchange.com/questions/46972/malware-on-site/46980
Sunday, January 20, 2019
