Finding PHP files in uploads

Been dealing with a persistent hack thing on a few sites I manage. I think I keep getting closer to a full solution when things happen. Here are a few steps I’ve taken to try and get this sorted.

1. Install iThemes Security

Specifically turn on the System Tweaks in iThemes Security (not the Pro version). Turn on all the settings.

I’ve also made iThemes Security notify me of all the file changes everywhere so I can track things down.

This does mean I get notified when people upload images, but I’ve found other files there as well.

2. Find PHP files in uploads

There shouldn’t be any of these at all. Using SSH and a terminal on my server, I was able to search it for all instances of PHP files in the uploads directory easily.

find . -name "*.php"

. means the current directory, so make sure you’re in the directory you want to search (the uploads directory) before running it.

-name "*.php" tells it to return files whose names end in .php. Change the pattern for whatever you’re looking for.

I also would search for "*.ico" files since many hackers try to get them in as well.

find . -name "*.ico"
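
An added example, not from the original post: a shell function that combines the two searches above, matches extensions case-insensitively, and checks whether each .ico file contains a PHP open tag. The function name, the extra extensions and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list files under an uploads tree that should not be there.
# Prints one "REASON<TAB>PATH" line per finding.
scan_uploads() {
    dir="${1:-.}"

    # PHP by extension. -iname is case-insensitive, so shell.PHP is caught,
    # which -name "*.php" would miss. The extra extensions are an assumption:
    # some server configurations also run them through the PHP handler.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) \
        -exec printf 'php-extension\t%s\n' {} +

    # .ico files: report each one, and say whether it contains a PHP open tag.
    # A genuine icon is binary image data and has no reason to contain one.
    find "$dir" -type f -iname '*.ico' -exec sh -c '
        for f in "$@"; do
            if LC_ALL=C grep -qiF "<?php" -- "$f"; then
                printf "ico-with-php\t%s\n" "$f"
            else
                printf "ico-file\t%s\n" "$f"
            fi
        done' sh {} +
}

# Constructed sample tree (not real data) to show the output.
demo=$(mktemp -d)
mkdir -p "$demo/2018/02"
printf 'GIF89a' > "$demo/2018/02/photo.gif"
printf '<?php echo 1;' > "$demo/2018/02/cache.PHP"
printf '\000\000\001\000<?php echo 1;' > "$demo/2018/favicon_x.ico"
printf '\000\000\001\000' > "$demo/2018/site.ico"
scan_uploads "$demo"
rm -rf "$demo"
```

Call it as scan_uploads wp-content/uploads from the site root; any line it prints is a file to inspect before deleting.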

Hopefully we’ve got things under control now.

Written on February 5, 2018