Is WordOps safe to use?
Can I restore the latest versions of my websites?
Do you use any additional tools to protect your server?

I have been using WordOps for more than 8 years, and this is the first time I have been hacked.

I am using Ubuntu 24.04 LTS and regularly update it using aptitude safe-upgrade. However, all three of my websites were suddenly hacked. So at this moment, wrong information is shown on my domain.

I can still access my previous user ID and root account using su without any issues. I have already changed the user ID password since the hacking incident.

Here are the details of the affected directories:

/var/www/xxx1.com
Files created by the hacker: about.php, hplfuns.php
A backup folder was also created by the hacker.

/var/www/xxx2.com
File created by the hacker: hplfuns.php
A backup folder was also created by the hacker.

/var/www/xxx3.com
A backup folder was created by the hacker.

Thank you so much.

    • Mmarty

    The majority of 'hacked' WordPress sites are due to flaws in plugins/themes (also look out for plugins that are no longer supported - no update available does not mean current). Weak or reused passwords are the next most common issue. All WordPress sites get slammed all day long by automated tools looking for known flaws (Cloudflare can help block bad traffic) - and trying to guess logins. WordOps has some protection built in against various common attacks.

    Also consider what other externally accessible applications may be on the server (e.g. you mentioned before using Mautic, which had a bunch of high severity security fixes last year).

    Have a close look at your log files and you may be able to figure out what's happened.

    But also bear in mind cleaning up this kind of problem is rarely as easy as deleting a couple of obvious files. There's usually more hiding elsewhere and/or malicious code hidden in real WordPress files. So consider hiring an expert to look at this. Unless you determine and fix the cause, the server is probably still vulnerable and therefore likely to get compromised again.

    • corus9

      honggian hplfuns.php

      That's from the compromised plugin.

      Search Google for hplfuns.php and you will find lots of websites with these files.

      Remove the plugins folder and download each plugin from the WP directory again.
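
One way to start the log review suggested in the first reply, as an added example that is not part of the thread: it finds every client that got a successful response from the file names the original poster reported, and lists the successful POSTs that client made beforehand, which are candidates for the request that wrote the file. The log layout (client IP first, then `[timestamp]`, then the quoted request and status), the sample lines and the `example-plugin` path are assumptions constructed for illustration.

```python
import re

# File names the original poster reported as attacker-created.
SUSPECT_FILES = {"hplfuns.php", "about.php"}

# Assumed layout: client IP first, then [timestamp], then "METHOD path PROTO" status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?\[(?P<time>[^\]]+)\].*?'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def trace_suspect_files(lines, suspects=SUSPECT_FILES):
    """For each client that got a 2xx from a suspect file, list those hits and
    the successful POSTs the same client made before its first hit."""
    report, posts_so_far = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        e = m.groupdict()
        ok = e["status"].startswith("2")
        # Compare on the file name only, ignoring directory and query string.
        name = e["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if name in suspects and ok:
            rec = report.setdefault(e["ip"], {
                "hits": [],
                # Snapshot of POSTs seen from this IP before its first hit.
                "earlier_posts": list(posts_so_far.get(e["ip"], [])),
            })
            rec["hits"].append((e["time"], e["method"], e["path"]))
        elif e["method"] == "POST" and ok:
            posts_so_far.setdefault(e["ip"], []).append((e["time"], e["path"]))
    return report

# Constructed sample lines (documentation IP ranges, placeholder plugin path).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2025:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:08:02:40 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "curl/8.5.0"',
    '203.0.113.5 - - [10/Mar/2025:08:02:44 +0000] "GET /hplfuns.php HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '203.0.113.5 - - [10/Mar/2025:08:03:02 +0000] "POST /hplfuns.php?a=1 HTTP/1.1" 200 845 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Mar/2025:08:05:00 +0000] "GET /about.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rec in trace_suspect_files(SAMPLE_LOG).items():
        print(ip, "requested suspect files:", rec["hits"])
        print("  earlier successful POSTs from this client:", rec["earlier_posts"])
```

The same-client correlation is only a starting point: the request that wrote the file may have come from a different address, so the timestamps of the first hits are also worth comparing against all POSTs in that window.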
