y2asafemeds
Posted September 23

I am trying to login from https://y2ameds.com/wp-admin/ Not able to login. Receiving this message.

Forbidden
You don't have permission to access this resource.

wolstech
Posted September 23

All of your permissions are jacked up (files need to be 644, a bunch of things are 444 or even 044 which makes no sense), there's 2 suspicious PHP files in the docroot (ipdi5.php and xynz1.php), and your index.php has been replaced with malware.

You got hacked...very common for WP, and it only took like 2 days for it to happen. Delete the entire site and rebuild it.
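
A read-only check for the two signs described in the post above (file modes other than 644, and PHP files in the docroot that WordPress core does not ship), added here as an example; it is not part of the thread or HelioHost's tooling. The function name `audit_docroot`, its output format and the use of GNU `stat` on a Linux host are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress docroot.
# Assumes GNU coreutils (stat -c) and that files should be 644, as the post states.

# Top-level PHP files shipped by WordPress core, plus wp-config.php,
# which is created at install time.
WP_ROOT_PHP="index.php wp-activate.php wp-blog-header.php wp-comments-post.php
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

# audit_docroot DIR: print one finding per line, change nothing.
#   PERM <octal mode> <path>   regular file whose mode is not 644
#   PHP <path>                 top-level .php file that core does not ship
audit_docroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }

    # Any regular file whose mode differs from 644 (the thread saw 444 and 044).
    find "$docroot" -type f ! -perm 644 -exec stat -c 'PERM %a %n' {} +

    # Flatten the core list to " a b c " so names can be matched as whole words.
    core=" $(echo $WP_ROOT_PHP) "

    # PHP files directly in the docroot whose names are not in the core list.
    for f in "$docroot"/*.php; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$core" in
            *" $name "*) ;;
            *) echo "PHP $f" ;;
        esac
    done
    return 0
}
```

A name check cannot tell that a core file such as index.php has been replaced; that needs a content comparison, for example `wp core verify-checksums` from WP-CLI.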

wolstech
Posted September 23 (edited)

I've added a deny from all to .htaccess to block the entire y2ameds.com site until you can clean it up. If this happens a second time, it's likely that one of the extensions or themes you used had a backdoor in it.

EDIT: Your logs are full of hacking attempts too. All that traffic from the 172.68.0.0/14 range of IPs are hackers attempting to get into your site. If you rebuild your site, I'd recommend you block that entire range.

Edited September 23 by wolstech

y2asafemeds (Author)
Posted September 25

Thank you for guiding me. I will clean up my site and block the traffic from the IP address that you mentioned. I will rebuild the site again.

@wolstech But my account is again suspended. Kindly unsuspend it, so that I can do the steps that you have told me.

Thanks & Regards

wolstech
Posted September 25

It would be best if we just reset the account to delete everything so you can start over. There's no way of knowing what the hackers did.

Do you want me to reset your account? If not, I'll delete the WP install and its content manually for you before I unsuspend it. Please let me know how you want to proceed.

y2asafemeds (Author)
Posted September 26

Please reset the account. It is easier. I will try installing everything again. If the problem persists even after taking all the measures, then I will use another script.

Regards

wolstech
Posted September 26

The account has been reset. Please look for an email to finish setting up a replacement account.

I would suggest blocking this IP range in .htaccess once you set the new account up before doing anything: 172.68.0.0/14

This range is where the attack came from.

y2asafemeds (Author)
Posted September 26

Thanks for resetting the account. Also, I have blocked the IP address you have mentioned in Cloudflare's firewall.

I have recreated my account and installed WordPress. But now, I am not able to login into the admin page of WordPress.

www.y2ameds.com/wp-admin

Receiving the following message.

Not Found
The requested URL was not found on this server.

Please look into it.

Regards

y2asafemeds (Author)
Posted September 26

It's working now. Might be a delay in install. Thanks. Please don't do anything regarding that.

Regards

wolstech
Posted September 26

A domain can take up to 2 hours to work properly after you finish resetting your account. 404 errors are normal during that time.

Please let us know if you need anything else.

y2asafemeds (Author)
Posted September 28

My account is suspended again. I have blocked the IP address mentioned by you. I only tried to install and edit the site yesterday.

Seems like HelioHost is not for my theme, or maybe some hackers are already into my theme through some back door. I installed the plugins and other things that were mentioned in the blog to reduce load.

Thanks for your time and efforts.

Regards

wolstech
Posted September 28

It's high load again, and it's due to the software you're running. WordPress is notorious for high load, especially if certain plug-ins are installed (Wordfence, WooCommerce, and Elementor being the big three common offenders). WordPress is an issue often enough that it has its own page on our wiki: https://wiki.helionet.org/misc/wordpress It's basically the number one cause of load suspensions.

For what you want to do, a VPS would be the best choice since removing extensions is not going to be a feasible solution. And it looks like you're using 2 of the 3 biggest offenders. VPS is a little bit more challenging to administer since it comes with SSH access to a command line instead of a UI (although we can install a control panel like Hestia if preferred), but it has no load limits.

If you want to try reducing your load, let me know and I can unsuspend you. You're not hacked this time, it's just the software was too heavy.