Hi, so I have two websites running pre-1.9.6.1 on ICDsoft hosting. Both have been flagged for malicious activity. It just seems strange that both these sites had this happen. I am wondering if this is a cause of the security issue? Here is the email I received for one:
Here are web server log entries that show malicious activity:
188.166.179.135 - - [14/Feb/2024:10:18:04 -0500] "POST /ahoqmcro.php HTTP/1.0" 200 4920 "http://ballengeestudio.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.183" 0 0 "on:TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256" 12278 281046 192.252.154.24 www.ballengeestudio.com proxy:unix:/home/ballengee/.config/php-fpm/.sockets/php-fpm-uPFjLRzgMafPNB9ASnRbArtET.sock|fcgi://worker - 188.166.179.135
We strongly recommend that you follow these steps in order to secure and upgrade WordPress:
- Save the wp-config.php file, your images, and your personal files one by one (not the folder as it may contain unwanted files).
- Make sure that there is no malicious code in the saved wp-config.php file.
- Wipe out the entire folder where WordPress is installed.
- Upload a new clean full package of the latest WordPress version.
- Re-upload your wp-config.php file and images.
- Re-install the latest versions of your plugins and themes.
- Change the passwords for all WordPress admin users. Please use passwords that are hard to guess.
- Change the hosting Control Panel password and all MySQL passwords.
So far I can get into the back end with the password they sent; it looks fine, so I have exported the templates to rebuild.
Seems like a lot of work to do. I wonder if I can just update Bricks and I’m good to go?
Any thoughts greatly appreciated!
Jim
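For anyone triaging entries like the one the host quoted above, here is an added example (my own, not code from this thread, from Bricks or from ICDsoft) that parses combined-format web server lines and flags requests to PHP files sitting directly in the web root, rating a POST that gets a 200 higher than a probe that gets a 404. The sample lines, IP addresses and domain are constructed, and the allowlist of WordPress root-level entry points is an assumption.

```python
import re

# Constructed sample lines (not from the thread) in the same layout as the
# entry the host quoted: combined-log fields followed by the host's extras.
SAMPLE_LOG = """\
198.51.100.23 - - [14/Feb/2024:10:18:04 -0500] "POST /ahoqmcro.php HTTP/1.0" 200 4920 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 0 0 "on:TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256" 12278 281046
203.0.113.5 - - [14/Feb/2024:10:20:11 -0500] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [14/Feb/2024:10:21:30 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "http://example.com/wp-admin/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [14/Feb/2024:10:22:02 -0500] "POST /zqxwvrtp.php HTTP/1.0" 404 210 "-" "curl/8.0.1"
"""

# Standard combined-log prefix; any extra fields after the user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# PHP files WordPress legitimately serves straight from the web root (assumed list).
KNOWN_ROOT_PHP = {
    "/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
    "/wp-comments-post.php", "/wp-signup.php", "/wp-activate.php",
    "/wp-trackback.php", "/wp-links-opml.php", "/wp-mail.php",
}

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Severity for a request to a PHP file dropped directly into the web root."""
    path = entry["path"].split("?", 1)[0]
    if not path.lower().endswith(".php") or path.count("/") != 1:
        return None  # not PHP, or lives in a subdirectory (out of scope here)
    if path in KNOWN_ROOT_PHP:
        return None  # a normal WordPress entry point
    if entry["method"] == "POST" and entry["status"] == "200":
        return "high"  # unknown root-level PHP file answering POSTs: likely a live web shell
    return "medium"  # a probe, or a dropped file that has since been removed

def scan(log_text):
    """Scan log text and return one (severity, ip, method, path, status) tuple per hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (sev := classify(entry)):
            hits.append((sev, entry["ip"], entry["method"], entry["path"], entry["status"]))
    return hits
```

Run `scan()` over the full access log for the period the host flagged; every "high" hit names a file that should not exist in a clean WordPress root and a source address worth correlating with other requests.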