Caterina187

When a "Bank of America Online Banking" page is available on my WordPress site, is it hacked with a phishing scam?

@Caterina187

Posted in: #Phishing #Security #Wordpress

We just got a note from CloudFlare that we got reported for phishing. The link they provided was (domain name removed):

/wp-content/plugins/scure-bank/fea7b6cabec2fd724dd2d1b4ca7e898d/thankyou.php


The page that it shows is:

Anyone know what is going on here? How do I fix this problem?


3 Comments


@Murray155

I think your plugin scure-bank has a backdoor for hackers, and they found it easy to hack the site.

I would recommend the following things that you should do now:


Take backup of your database if you did not do this already.
Take backup of all files of your site. It means all files, plugin files and everything.
Delete now all files from server as you have already taken backup.
Install fresh and latest version of Wordpress now, You can download latest Wordpress version from here: Latest Wordpress Release
Now check all theme files one by one from backup and remove malware code or malicious code if you find.
Make sure that your code it written in standard way if you have created any custom template. Code should be secure against SQL injection, URL injection, XSS etc.
If you have backup of files before the site was hacked, then you can compare file code easily one by one.
Once you clear all things about code then upload your this theme to server.
Now, check for latest version of all plugins you have installed. If any require update then please update it.
If you made any custom plugin then again make sure that code is standard and there is no backdoor.
Activate all plugins once you update all to latest version.
Change username & password of your wp-login. I request that use complicated password and different user name (not like "Admin")
Change all password related to FTP & Cpanel.
Set permission 755 for all Wordpress folders and 644 for all files:

755 – owner can do anything with the file or directory, and other users can read and execute it but not alter it.

644 - owner can modify file and everyone can read file
Disable all files and directory listing for users, You can achieve this by .Htaccess file.


The above is enough to get your site running again with starting-level security. There are many more things that can be done to secure a WordPress site.

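One way to script the permission reset and the directory-listing step from the list above, as an added example that is not part of the answer: it assumes a POSIX `find`/`chmod` and an Apache front end, since `Options -Indexes` is an Apache directive and does nothing under nginx.

```shell
#!/bin/sh
# Added example: bring a freshly reinstalled WordPress tree to the
# 755 (directories) / 644 (files) baseline and turn off directory listing.
# Assumes Apache honours .htaccess for the document root given as $1.

harden_wp_tree() {
  root="$1"
  # Directories: owner rwx, everyone else rx
  find "$root" -type d -exec chmod 755 {} +
  # Files: owner rw, everyone else read-only (no execute bit anywhere)
  find "$root" -type f -exec chmod 644 {} +
  # Apache: refuse to render a listing for folders without an index file
  printf 'Options -Indexes\n' > "$root/.htaccess"
  chmod 644 "$root/.htaccess"
}

# Print every path that drifts from the baseline; empty output means clean.
# Useful as a periodic check, since a reinfected kit often arrives 777.
audit_wp_tree() {
  root="$1"
  find "$root" -type d ! -perm 755 -o -type f ! -perm 644
}
```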

@Angela700

I'm looking at the URL tail alone...

/wp-content/plugins/scure-bank/fea7b6cabec2fd724dd2d1b4ca7e898d/thankyou.php

and it seems that banking scripts were probably installed in the scure-bank folder.

ClosetNoc has good suggestions, but first I'd suggest downloading any content you believe is good from the server to your computer to keep as backup so that when you do a whole website restoration, you can upload any important content back that may have disappeared during the restoration process.

If you can, download all the server logs and see what logs show entries related to any portion of the URL you mentioned. Then take note of the IP address and block it, or better yet, block the group the IP address is in. The group can be found by doing a whois search on the IP. At least that way, the restoration process can be done a little easier and maybe faster.

Once everything is restored, take Closetnoc's advice and set completely new passwords.

If you use a MySQL database server, try to set it up so that connections can only be made from the same server instead of from the outside world. See the skip-networking setting. It can be applied in the configuration file.
dev.mysql.com/doc/refman/5.0/en/server-options.html#option_mysqld_skip-networking

Also, use only the least amount of outbound ports required for everything to function properly before the phishing attack. Definitely keep port 80 open as it is standard for websites.

As for other ports, if you assign new numbers instead of standard numbers and you have client software that can connect with new port numbers, then that's all the better since it gives hackers a much harder time.

And for secure shell access (if you have it), try to make it a two-step login procedure for root access (meaning guest has to login to another account first in order to access root).

And lastly, make sure you're using a good secure network, not one that hackers can sniff data from.

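As an added example (not part of the answer above), this shell snippet does the log review the answer suggests: it pulls the client IPs that requested the reported plugin path out of a combined-format access log and ranks them by request count. The log lines are constructed for illustration and use documentation address ranges.

```shell
#!/bin/sh
# Added example: find which clients touched the reported phishing path in an
# Apache/nginx "combined" access log. Field 7 of such a line is the request
# path; the prefix below is the plugin folder from the CloudFlare report.

PHISH_PATH='/wp-content/plugins/scure-bank/'

# Print "count ip" for every client whose request path starts with
# $PHISH_PATH, busiest first. $1 is the access log file.
phish_hits() {
  awk -v p="$PHISH_PATH" 'index($7, p) == 1 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Constructed sample log (RFC 5737 addresses, made-up timestamps)
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Mar/2017:10:01:02 +0000] "GET /wp-content/plugins/scure-bank/fea7b6cabec2fd724dd2d1b4ca7e898d/thankyou.php HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2017:10:02:45 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:10:03:11 +0000] "GET /wp-content/plugins/scure-bank/fea7b6cabec2fd724dd2d1b4ca7e898d/thankyou.php HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2017:10:04:00 +0000] "GET /wp-content/plugins/scure-bank/fea7b6cabec2fd724dd2d1b4ca7e898d/thankyou.php HTTP/1.1" 200 1423 "-" "curl/7.52"
EOF
}
```

The earliest hit in the same log is usually the one worth tracing back, since the victims of the phishing mail arrive after the kit was uploaded, not before.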

@Jamie184

WordPress is the single most hacked software on the planet and has been for a long time. It is not that the WordPress programmers are doing poor work, quite the opposite. With so many plug-ins and themes, WordPress, even with vulnerabilities within its own code in the past, remains the most vulnerable software available.

It becomes imperative that all WordPress site owners maintain their site with the latest code and ensure that any plug-in and theme are secure and free from vulnerabilities. It is not always possible to know what vulnerabilities exist for all code, but vigilance must be maintained daily for WordPress installs.

To answer your question:

Update all software including WordPress and service software including e-mail, FTP, DNS, and Bind, as well as plug-ins and themes on your site.

Ensure that all software does not contain vulnerabilities. You can use the CERT NVD site to look for any known vulnerabilities. web.nvd.nist.gov/view/vuln/search?execution=e2s1

Reset all username passwords, no exceptions. It is possible that an existing account can be used to regain access.

Review all usernames to ensure that new usernames have not been created.

Perform a ClamAV anti-virus scan on your entire set of hard drives, including for rootkits. There are viruses that will make a safe WordPress site vulnerable again.

Restore your site database and site files from backups. It is possible that backdoor pages have been created. You may have to remove suspect files or all files prior to restoration. This may be a tricky process. I would check the WordPress site for information. wordpress.org/

Review your site pages for anything that does not belong and remove any page you are not sure of.

I am not a WP expert, however, this outline should help you get started and ensure that you are safe again.
