How to remove malware and malicious

The above image is the screenshot of my websites, I added about 16 sites on Hestia Control Panel. I received an email from someone who was able to tell me my password and the person was asking me to pay him $600. I did not pay attention to that person. Now I cannot log in to my WordPress dashboard. The two images are the screenshot from when I tried to log in.
Please what can I do to solve this issue?

First of all block all external connections to this server except from your own IP, and then try to figure out what happened.

It is highly likely that this person who hacked you will launch illegal activities from your sites/domains, and the first reaction of your service provider upon abuse report will be to suspend all your services. Or worse.

Unfortunately, to hire a security expert who will tell you how the hacker got in, clean up and secure your sites will cost you much more then $600.

I’m not telling you you should pay this criminal. I’m always against that. First you have to do is to block him.



I would also not pay, better stick to a backup. If it was one wordpress domain only, you want probaly to check the related plugins.

1 Like

1st thing is 1st,
Im also just a free user of HESTIACP since its predecessor since 2016
HESTIA has no issue on this matter.

As i managing 20 of my wordpress client sites inside my server (Note- im the only person managing all sites. My clients has only FTP access. I engage with them as NO PANEL ACCESS via SSH/WEB…
This is the main thing to keep in safer state. Im facing these issues & have custom scripts to search & amend the affected files (~70% guaranteed)

Back to your case,
I can bet you, there is/are hacked plugins installed inside your WP site.
For you to confirm it, just open up your Htaccess/index.php files from subfolders & you could see encrypted text on top.
They can amend htaccess/index.php files. So your site’s index files will error/redirect to other sites.
Im doing this WP-cleaning task for my other clients too BUT not free. :slight_smile:

Nothing really. Only backups, and wait for a new hack.

I do not believe in “super-hacking-skills-that-used-to-hack-entire-infrastructure”.

I guess things very simple and stupid.

For example:

  • premium nulled themes/plugins (very common thing)
  • any plugin/theme/hook/php code/snippet taken from internet, instead of official wordpress repository
  • using outdated plugin(s) / theme or using very new/unpopular ones with few users who installed the plugin
  • using same password everywhere & on wordpress website too
  • using short, simple password for wordpress too
  • keeping open and on default location your wp-login page
  • using very simple/stupid passwords for wordpress connection to database
  • doing/using some php code on your website with what you’re not familiar but used to improve your website functions/features like custom input fields, forms, etc.
  • modifying default configs of apache, nginx, etc that lead to security hole

What can be done?

  1. take backups from server somehow
  2. re-install entire OS on the server with changed password via your provider control panel.
    There are no ways or reasons to keep potentially compromised operation system anymore if you do not know what happened or do not have a guess why that happened.
  3. on your local computer turn off internet, and try to setup your website locally with laragon / openserver or wampp to see how it works.
  4. open chrome dev tools and check for sources
  5. go to plugins directory and themes directory → remove everything from there
  6. download clean copy archive of wordpress from official website
  7. compare folders of clean wordpress & your wordpress, file by file. Check differences, for sure you will find affected files, etc. Fix all of them, make identical to wordpress ones. Tools that can be used like: Meld, Araxis Merge, etc
  8. with wp cli you can try to clean your db, repair, check other stuff
  9. when wordpress files are clean, install any popular plugin to clean your wordpress for dirt of unused plugins
  10. now 1 by 1 return back your plugins via official repo
  11. now 1 by 1 return your theme or custom changes
  12. setup new hestiaCP cp with good password / etc
  13. setup cloudflare or sucuri WAF / firewall ([FEATURE] modsecurity or other waf · Issue #1859 · hestiacp/hestiacp · GitHub) how to install modsecurity correctly? - Vesta Control Panel - Forum Clarification on nginx/apache mod security? (sorry for wrong pointing)
  14. goaccess / or any other access.log analyzer to track what is going on with your access logs and time to time check that, to find out common patterns of attacks
  15. optionally you can setup with cloudflare cloudflare only in to your website, while all others requests to your website will be from cloudflare network only. I.e. hacker wont be able directly hack your website because of cloudflare WAF, etc (hard to explain why, for sure very small chances are still there, but still it’s much better than nothing)
  16. Lynis - Security auditing tool for Linux, macOS, and Unix-based systems - CISOfy to audit your system (./lynis audit system), will show common problems. This is just a tool, on default setup of hestiaCP everything ± great. But there is always room for improvements.

As you see - all of that require a lot of time, efforts, analysis, etc.
No fast or easy solutions.

1 Like

Haha… This is NOT ’ very simple ’

I have seen hacking reductions by adding fail2ban rules with xmlrpc and other vulnerable files.

7g firewall in Nginx has been a game changer.

I also set read only permissions to PHP files and I am testing to intercept db queries to make WordPress database read only.

I have a script that overwrites all themes, plugins and WP Core with the same version numner but just downloaded from source repository.

1 Like
  • ONLY BEST WAY is monitor/follow/find spam strings/ NULLIFY them via bash scripts.

  • Thats why, in our server, we manage everything for our cstmrs. No SSH/PANEL access to them. Only FTP.

  • You are perfect. If all your theme/plugins are purchased, all will be good. You may replace the orgnl files by schedule . But not all of us. To be honest, as long as we are Deve guys, we people always rely on free stuffs. So struggling to with malicious scrips.

  • But there is a challenge updated plugins, updates will be overwritten to previous orgnl version. :slight_smile:

  • DB queries READ ONLY - Also wont help. If we have Wordfence or any other WP firewalls, it need to write logs inside DB for to act against attackers.

  • setting PHP files to READ ONLY will not help. We tried. Well written malware scripts are running as root. Because it is already inside the server.

99% of all the hacks via Wordpress comes via plugins. I have seen a lot of crappy ones even paid themes/plugins…


7g firewall + fail2ban

1 Like

My setup at home

I run hesitacp from home, i have a asus router with 2-way ips (ai protect they call it), with the pennies been stretched these days i had to bring everything on my home network to give me more money to play with.

Hestiacp is on a vlan.

I also have regional black lists in the firewall for india, russia, china etc that i am not interested in for my sites ( india, russia and china where the most recorded hacking attempts in the past for my server).

I check my 2way ips and hestiacp firewall for repeate hacking attemps from ip addresses and block them, i know some isp’s dont give static ip addresses still but alot more do.

I am looking into crowdsec as it supports wordpress.

I also use cloudflare dns service as that blocks known malicious sites etc.

I run my server from proxmox as i say at home and i have several backups clean install, each hestia update etc along with weekly backups that backup to my nas that is isolated from the internet.
Makes restoring so much easier.

I guess taking some of these like blocking region’s etc with some of the above advise would help you when your back up and running.

I would also block ssh and services that you dont want users to access would be a great idea and not to use standard ports.

On my phone so sorry for spelling mistakes.

ei @ereddadigitals

Did you discover the entry way that was used to hack your server? All the recommendations given here are very good but, for me, the most important is to find out exactly what happened.

Is there any tutorial on installing 7g firewall with Hestiacp?

Just checked my firewall and i have alot of attempts on mail and ssh and i mean alot even though i only use hestia to host my own websites.

I also see alot of port scans through my ids/ips

Currently over the past month i am getting about 25 port scans and 50 ish attemts on ssh and mail a day, theres alot of people with alot of apare time on there hands out there.