February 11, 2014 at 8:08 am #162584 mario_rdz_jaramillo Participant
Every morning (around 7:35am [UTC−06:00]), several files from the **wp-includes directory**, plugins directory and the theme stylesheet get removed by some unknown dude or script.
This has been going on for the last five days or so; it started by just deleting the stylesheet, then it went to the WordPress core files.
After the second time it happened, I changed passwords for FTP, cPanel, WordPress Administrator, and installed some plugins that were recommended in several articles regarding WordPress security (Sucuri [free version], BruteProtect, Bulletproof Security, Better-wp Security and wordpress file monitor plus).
Did most of what those plugins recommended, like modifying .htaccess files, moving WordPress to its own folder (it was in the root) and many other procedures. Also replaced all the WordPress files (except the wp-content folder) from a fresh copy.
None of that worked. Many files were removed again this morning. Since I know now at what time that happens, I was monitoring the FTP activity and cPanel said no one was there.
Any thoughts? I’m desperate!

February 11, 2014 at 8:17 am #162589 chrisburton Participant
Have you tried disabling all plugins to see if that is the cause?

February 11, 2014 at 8:28 am #162595 mario_rdz_jaramillo Participant
No, actually I didn’t. I’ll try it, though I’m not going to know if it works or not until tomorrow morning.
Right now I have installed the following plugins: qTranslate, advanced-custom-fields, debug-bar, debug-bar-cron, better-wp-security, bruteprotect, bulletproof-security, login-logo, password-protected, sucuri-scanner, wordpress-file-monitor-plus and no-category-base.
*Italics are not active.
I had like 5 or 4 unused plugins and after the first time it happened, I removed them all and reinstalled only the used ones (removed Duplicator, MailChimp for WordPress, and a couple more I can’t recall).

February 11, 2014 at 8:42 am #162599 __ Participant
Have you actually checked your server to make sure there are no unwanted files there? Adding security patches won’t do any good if the attacker already has their own kit on your system.
Actually wipe everything and then re-install. Check any folders accessible to you (even below your site root). Inform your host about the attack.
> After the second time it happened, I changed passwords for FTP, cPanel, WordPress Administrator,
Good things. Did you change the DB credentials too? If you have registered users, you need to inform them, and should also force them to pick new passwords.
> installed some plugins that were recommended in several articles regarding WordPress security
This sounds good, but you need to understand what these plugins do or have a reliable recommendation as to their veracity and quality. No offense to WP, but there are tons of WP articles and most of them are crap. Plus, the “crap” ones tend to have better SEO placement. Unless you read it from someone you know and trust, doing something based on information from “several articles” could do more harm than good.
Disclaimer: I’m telling you to find a well-qualified WP guy, but I’m not that guy.

February 11, 2014 at 10:06 am #162608 TheDoc Member
Disable all plugins and change both your WordPress and FTP passwords.
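
The advice earlier in this thread to check the server for unwanted files can be done by hashing the site tree right after a clean install and comparing it with the tree after the next incident. This is an added example, not code from any poster in the thread; the demo directory names are constructed, and the rule that the uploads folder should hold no PHP files is an assumption.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Report what was removed, added or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "removed": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def php_in_uploads(paths, prefix="wp-content/uploads/"):
    """Assumption: uploads holds media only, so PHP files there need review."""
    return sorted(p for p in paths
                  if p.startswith(prefix) and p.lower().endswith((".php", ".phtml")))

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed tree standing in for a site root; all names are made up."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-includes/version.php", b"<?php // core\n")
        _write(root, "wp-content/themes/mytheme/style.css", b"body{}\n")
        baseline = snapshot(root)  # taken right after a clean install
        os.remove(os.path.join(root, "wp-content/themes/mytheme/style.css"))
        _write(root, "wp-includes/version.php", b"<?php // changed\n")
        _write(root, "wp-content/uploads/2014/02/cache.php", b"<?php\n")
        report = compare(baseline, snapshot(root))
    return report, php_in_uploads(report["added"])

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server account cannot write to, so whatever is altering the site cannot also alter the record it is compared against.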