#Update on #whackingWPYII2, the #fakeplugin invading #wordpress #wp

Have to say I was a *little* premature on declaring success. I’ve got a couple of updates to my previous post about this pernicious WordPress hack (Disinfecting for WPYII2 – the #fakeplugin invading WP and how to kill it #wpyii2 #killwpyii2).

  1. Do get rid of all the excess .htaccess files. If they keep reappearing in directories where they aren’t necessary, (a) delete the code and insert some harmless text, e.g. #boil your head wpyii2#, to stop them affecting the function of your website, and (b) you’ve definitely missed some of the fake app’s php files; see (2) below.
  2. Fake php files are hidden in a variety of directories where you may not be familiar with what *should* be there. Obvious vector directories are in the plugins – particularly the ones everyone has. Akismet is an obvious one to examine. File names include a series of numerals, as well as the following that I’ve seen: index2.php, content.php, radio.php. The latter, non-numeral files tend to be c. 4.41kb in size and will have a last-modified date later than the files alongside which they sit. As previously mentioned, wp-admin is also often used, particularly /wp-admin/css/colors/.
  3. Some recommendations for those of you that can’t upgrade to the latest (greatest) version of WP – which you should absolutely do if you haven’t a very VERY good reason not to.
    1. Use a fully configurable firewall app such as WordFence – this has a bunch of very useful features straight out of the can. But it is subscription-based, so you might want to implement plugins like the following instead, or as well:
    2. Login No Captcha reCAPTCHA (Google) by Robert Peake and Contributors – this will stop hackers getting into the admin area by force – or at least it has so far.
    3. WP Force SSL by WebFactory Ltd if you have SSL – which you should by now.
    4. BBQ Pro (as recommended in the last post) by Jeff Starr 
    5. Make sure you have `define( 'DISALLOW_FILE_EDIT', true );` in your config file, and that this file is linked in to your WP install’s directory rather than hosted there.
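
The indicators from item 2 (numeric or listed file names, a size around 4.41kb, a modification date later than the neighbouring files, PHP under /wp-admin/css/) can be checked mechanically. This is an added example, not code from the original post: it assumes `root` is the WordPress install directory, and the size window, the one-day threshold, the treatment of any PHP under wp-admin/css/ as suspect, the function names and the sample tree are all constructed for illustration.

```python
import os
import re
import statistics
import tempfile
from pathlib import Path

KNOWN_NAMES = {"index2.php", "content.php", "radio.php"}  # names listed in the post
NUMERIC_NAME = re.compile(r"^\d+\.php$")  # "a series of numerals"
SIZE_RANGE = (4300, 4700)  # assumption: byte window around "c. 4.41kb"
MTIME_SLACK = 86400  # assumption: "later" = over a day past the directory median

def scan(root):
    """Return {relative path: [indicators]} for PHP files worth a manual look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        stats = {f: os.lstat(os.path.join(dirpath, f)) for f in files}
        median = statistics.median(s.st_mtime for s in stats.values()) if stats else 0
        for name, st in stats.items():
            if not name.lower().endswith(".php"):
                continue
            rel = Path(dirpath, name).relative_to(root).as_posix()
            checks = {
                "numeric-name": bool(NUMERIC_NAME.match(name)),
                "php-in-css-dir": rel.startswith("wp-admin/css/"),  # assumption: core ships no PHP here
                "known-name": name.lower() in KNOWN_NAMES,
                "size-match": SIZE_RANGE[0] <= st.st_size <= SIZE_RANGE[1],
                "newer-than-siblings": st.st_mtime > median + MTIME_SLACK,
            }
            hits = [k for k, v in checks.items() if v]
            # A listed name alone is weak (clean themes ship content.php): require 2+ hits.
            if checks["numeric-name"] or checks["php-in-css-dir"] or len(hits) >= 2:
                findings[rel] = hits
    return findings

def build_sample(root):  # constructed demo tree: two clean files, two planted ones
    old, new = 1_600_000_000, 1_602_592_000  # 30 days apart
    tree = {"wp-content/plugins/akismet/akismet.php": (2500, old),
            "wp-content/plugins/akismet/radio.php": (4515, new),
            "wp-content/themes/demo/content.php": (800, old),
            "wp-admin/css/colors/48213.php": (700, new)}
    for rel, (size, mtime) in tree.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b" " * size)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Anything it reports still needs opening and reading before deletion; the modification-time check stops helping once most files in a directory have been touched at the same time, for example after a plugin update.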

I am happy to report all websites are now clear and functioning perfectly, even the ones on deprecated versions of WP, plugins and themes.

X