One day, I went to check the website traffic statistics. It seemed unusual that there had been no visitors for 24 hours. In my web browser, I saw a pure white page. I tested another application on the same server, a forum using XenForo, and it worked fine. I guessed someone was hacking my website.
First, I checked the log on the server and there was an abnormal request from “anonymousfox.co”. Next, I checked the error log and saw an error that named a strange program, which is not common on the WordPress platform:
Cannot redeclare smrequest_uri()
I also found many 404 and 500 errors. Then I found this code declared on the homepage; the attacker wanted to bring traffic to their website:
@set_time_limit(3600);
@ignore_user_abort(1);
$xmlname = 'mapssOM_ENEBAM2.xml';
$dt = 0;
$sitemap_file = 'sitemap';
$mapnum = 2000;
I immediately performed a database backup and downloaded a clean copy from the official WordPress website. Install Wordfence and scan for malicious code that an attacker may have left on your website.
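One way to use the clean copy mentioned above, as an added example that is not part of the original post: it flags PHP files that differ from the official download, unknown files in the core directories, and files containing the strings quoted from this infection. The function names and the tiny sample trees are constructed for illustration, and it assumes the clean copy is the same WordPress version as the site.

```python
import re
import tempfile
from pathlib import Path

# Markers copied from the error log and injected code quoted in this post.
MARKERS = {
    "smrequest_uri": re.compile(rb"smrequest_uri\s*\("),
    "mapssOM_ENEBAM2.xml": re.compile(rb"mapssOM_ENEBAM2\.xml"),
    "ignore_user_abort": re.compile(rb"@ignore_user_abort\s*\(\s*1\s*\)"),
}

def audit(site_root, clean_root):
    """Map each suspicious PHP file (path relative to site_root) to its reasons."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    findings = {}
    for path in sorted(site_root.rglob("*.php")):
        rel = path.relative_to(site_root)
        clean, data, reasons = clean_root / rel, path.read_bytes(), []
        if clean.is_file():
            if data != clean.read_bytes():
                reasons.append("differs from clean copy")
        elif rel.parts[0] in ("wp-admin", "wp-includes"):
            # Core directories should hold nothing the official release lacks.
            reasons.append("not in clean copy")
        reasons += [f"marker: {name}" for name, rx in MARKERS.items() if rx.search(data)]
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def demo():
    """Run audit() on two tiny constructed trees (not real WordPress files)."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        core = "<?php require __DIR__ . '/wp-blog-header.php';\n"
        files = {
            clean / "index.php": core,
            clean / "wp-includes/version.php": "<?php $wp_version = 'x';\n",
            site / "index.php": "<?php @ignore_user_abort(1);\n$xmlname = 'mapssOM_ENEBAM2.xml';\n" + core,
            site / "wp-includes/version.php": "<?php $wp_version = 'x';\n",
            site / "wp-includes/cache-x.php": "<?php function smrequest_uri() {}\n",
            site / "wp-content/themes/t/functions.php": "<?php // theme code\n",
        }
        for path, body in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return audit(site, clean)

if __name__ == "__main__":
    print(demo())
```

Bundled themes and plugins under wp-content that were updated after the release will also show as differing, so review those by hand.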
How to get premium Wordfence?
Step 1: Install the free Wordfence plugin from https://wordpress.org/plugins/wordfence/
Step 2: After installing, DO NOT ACTIVATE the plugin.
Step 3: Open the file wp-content/plugins/wordfence/lib/wordfenceClass.php.
Find the following code (lines 2043-2047):
$updateCountries = false;
if (!WFWAF_SUBDIRECTORY_INSTALL && $waf = wfWAF::getInstance()) {
$homeurl = wfUtils::wpHomeURL();
$siteurl = wfUtils::wpSiteURL();
Step 4: Add the following after this block:
wfConfig::set('isPaid', 1);
wfConfig::set('keyType', wfAPI::KEY_TYPE_PAID_CURRENT);
wfConfig::set('premiumNextRenew', time()+31536000);
Step 5: Save and activate the plugin. You now have a premium license for 365 days without limit.
Final thought: never install nulled plugins or themes from unknown sources.