Sites giving 504 Timeout All of a sudden

I had suspended the user and the site. But now when I am trying to remove the suspension, it still says the site is suspended. Why is that? @Raphael @falzo

No idea, check the logfiles maybe? You most likely don’t want to reenable that page as it was anyway.
Rather deploy a new user and rebuild your page step by step as @mehargags already mentioned.

It will lead you nowhere, if you don’t find what was causing the breach, it will simply happen again…

This will not help and is not needed. You need to clean your WordPress site… not the whole server.

Your site was inside an isolated user, and access of scripts / malicious items is still jailed to the user’s directory.
Resurrect your site from clean new updated WP-Core, plugins, theme and you should be good.
Scan your uploads folder for any scripts that might be malicious before copying to newly created site.

Restoring any files other than media in /uploads can lead to getting hacked/infected again very soon.

which tool do you recommend to scan the wp-content files? Can I scan from the SSH commands?

I’m sorry, but this is not related to Hestia itself. Please try to spin up some Google searches about malware scan for WordPress, probably Wordfence and maldect is also an option.

find . -type f -name '*.php'
Delete if you find any. You will need to go inside and browse through to see if you can get any other scripts that catch your eye.

There are many tools like Wordfence and other WP integrity checker tools that you can use… it is out of scope to discuss them here. Good luck

Thanks.

What does this command do? I ran this command and it output all the .php files. Do I need to delete all files ending with .php?

Where are you running this command?
It should be run inside wp-content/uploads and ideally should not show any .php files.

Yes, but I think this command only finds files that are ending with .php extension.

Often the malware is injected in a file which does not look like a php or any other programming file.
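
An added example, not part of any post in this thread: a read-only shell function that extends the `find` check above to also flag files in wp-content/uploads that contain a PHP opening tag under a non-PHP name. The function name `scan_uploads` and its output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only scan of a WordPress uploads
# directory for PHP, by file name and by content. Nothing is deleted.
# Output: one "REASON<TAB>PATH" line per hit, where REASON is
#   name    - the extension is one commonly mapped to the PHP handler
#   content - the file contains a "<?php" opening tag, whatever it is called
# Assumes GNU or BSD find/grep; paths containing newlines are not handled.
# Usage after sourcing this file: scan_uploads wp-content/uploads

scan_uploads() (
    dir=$1
    tab=$(printf '\t')
    if [ ! -d "$dir" ]; then
        echo "scan_uploads: not a directory: $dir" >&2
        exit 2
    fi
    {
        # By name, case-insensitive: .php, .php5/.php7, .phtml, .phar
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print |
            sed "s/^/name${tab}/"
        # By content: -a reads binary files as text so a tag embedded in an
        # image is still seen; -F matches the literal string; -i because the
        # opening tag is case-insensitive; -l prints only the file name.
        find "$dir" -type f -exec grep -laiF '<?php' {} + |
            sed "s/^/content${tab}/"
    } | LC_ALL=C sort -t "$tab" -k2
)
```

Every hit needs a manual look before the file is copied to the rebuilt site. The content check only matches the full `<?php` tag, so short open tags and anything stored in the database are outside its scope.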

This is another case of the benefits of mod_sec. 😉
Time to close this thread, seeing as it’s a WP issue?

Is mod_sec part of Hestia?

You could do with better powers of search/research. 😉
Look around.

mod_sec is an Apache module, so it’s just an apt-get install away and a custom vhost template that makes use of it.

I searched in the forum about mod_sec and I got the impression that it’s not very easy to get it working with Hestia. Especially for someone like me who does not know more than a few linux commands.

You are probably referring to this thread, the discussion there was about enabling modsecurity modules in nginx.

So if we don’t integrate it in nginx, and only install it using the apt-get install as you said, will it function OK?

I only have 1 wp site on the server and don’t plan to add any other site, just in case if it matters.

@attiqfsd Please keep us posted about the hack you suffered, particularly if there are any signs of “systemic involvement” (i.e. any malware files outside of the WP user’s home dir).

@kpv I am not sure about that. I only had 1 WP site and 1 user in the VPS. I have already reinstalled the system and cleaned the hack (I hope)

The malware was in a lot of plugins and themes. I had to grab fresh copies of all of them from the source. After that, I ran a search in the database and removed the malicious code.

Lastly, I ran Wordfence scan and it did not find anything so I really hope I cleaned it 100%

Thanks for the update. It is important to understand how the hack happened (e.g. through a wp plugin, or password, or system hack etc) and fix it, otherwise another hack will happen sooner or later.

https://wordpress.org/plugins/sucuri-scanner/ does a good job of comparing core files (enable Sucuri > Settings > WordPress Integrity Diff Utility) and finding non-WordPress files in the core folders.