Update performed without me doing it.

  • Unknown's avatar

    Hello,

    I received an email from Wordfence informing me that JSON files from the TwentyTwentyFive theme had been modified and that some old system files had not been updated during the update.

    So, I logged into the admin panel and, without having to enter my credentials, I was prompted to update the database, as if I had just performed an update.

    I then connected to the server via SSH to check for files that had been modified in the last 30 days. I noticed modifications in the TwentyTwentyFive theme files. I extended the search period to 60 days and saw that system files had also been modified during that time. Expanding the search to one year, I found that files had been regularly modified throughout the year, even though I had not performed any manual updates and had disabled automatic updates.

    Now, I know what you’re going to say: updates should be done regularly. I am aware of that. I have my reasons for not doing so. Please do not bring up this topic, as my goal is to fix the issue I am currently facing.

    I checked other sites I manage, and none of them have had system files modified over the past year.

    I believe hackers might be exploiting the update system to carry out their actions.

    I have backups from 30 days ago, so restoring a backup that I could confidently call clean is not an option. The TwentyTwentyFive theme was modified on 02/23/2025, and I have backups from the 21st and 22nd.

    Have you ever encountered a similar issue? How can I restore a clean installation?

    Thanks in advance.

  • Unknown's avatar

    Hey, the fact that your other sites are fine makes me think this one might’ve been targeted or had a vulnerability exposed, but first make sure it’s you who has access to the site, or only the people you authorize. You can check that in your dashboard under Users; if you notice someone or something you’re unfamiliar with, you should remove it and change your dashboard password too.

    Anywho, since your backups from February 21st and 22nd are from before the theme changes on the 23rd, you’ve got a decent shot at restoring a clean version. Here’s what I’d do:

    1. Restore the Backup: Grab the February 22nd backup (it’s the closest clean one). Test it on a local setup or staging site first to make sure it’s good—no funky behavior or weird files.
    2. Compare Files: Use SSH or a file comparison tool (like diff) to check the restored files against the modified ones. Look for anything odd in /wp-content/themes/twentytwentyfive/ or core files like wp-includes/. Hackers often hide stuff in places like functions.php or random .php files.
    3. Clean Install Option: If you’re paranoid about lingering issues, download a fresh WordPress install (same version as your backup) from wordpress.org. Swap out the wp-content folder and wp-config.php from your backup, then upload it to the server. This ensures no tampered core files sneak through.
    4. Lock It Down: I can’t stress this enough, because the database update prompt without logging in is a red flag; it could mean someone’s already in, and I’d bet they exploited something in the theme or an outdated plugin. Since you’re skipping updates (no judgment!), it’s possible an old flaw got hit. So what you should do after restoring is change all passwords, like I said in the beginning (admin, database, SSH), and check for rogue admin users in Users – All Users. Maybe toss in a security plugin like Wordfence to scan for leftovers.

    Let me know how it goes.
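    A shell version of the checks described in this reply (the recently-modified search from the first post and the backup-versus-live comparison from steps 2 and 3), added here as an example and not part of the thread or of WordPress itself. It assumes a POSIX shell with `find`, `diff -r`, `cp -R` and `mktemp -d`; the reference tree, live tree and file names it builds (`zz-constructed-extra.php`, the tampered `style.css`, the removed `readme.html`) are constructed samples, not real WordPress content. `compare_trees` reports changed, extra and missing files relative to a known-good tree, which is the check you would run against a fresh download of the same version or a backup taken before the suspicious date.

    ```shell
    #!/bin/sh
    # Added example: list files modified in the last N days, then compare a
    # live WordPress tree against a known-good reference tree.

    # recently_modified DIR DAYS: regular files under DIR changed in the last DAYS days.
    # Note: mtimes can be reset by whoever wrote the file, so this is only a first
    # pass; compare_trees below checks content and does not depend on timestamps.
    recently_modified() {
        find "$1" -type f -mtime "-$2" | sort
    }

    # compare_trees REF LIVE: one line per anomaly, relative to the tree root:
    #   "changed <path>"  content differs from the reference
    #   "extra <path>"    present only in the live tree (where dropped files land)
    #   "missing <path>"  present only in the reference tree
    compare_trees() {
        ref="$1"; live="$2"
        diff -rq "$ref" "$live" 2>/dev/null | while IFS= read -r line; do
            case "$line" in
                "Files "*" differ")
                    # "Files REF/x and LIVE/x differ"
                    p=${line#Files "$ref"/}
                    p=${p%% and *}
                    printf 'changed %s\n' "$p"
                    ;;
                "Only in $live: "*|"Only in $live/"*)
                    # "Only in LIVE[/dir]: name"
                    d=${line#Only in "$live"}; d=${d#/}; d=${d%%:*}
                    n=${line#*: }
                    if [ -n "$d" ]; then printf 'extra %s/%s\n' "$d" "$n"; else printf 'extra %s\n' "$n"; fi
                    ;;
                "Only in $ref: "*|"Only in $ref/"*)
                    d=${line#Only in "$ref"}; d=${d#/}; d=${d%%:*}
                    n=${line#*: }
                    if [ -n "$d" ]; then printf 'missing %s/%s\n' "$d" "$n"; else printf 'missing %s\n' "$n"; fi
                    ;;
            esac
        done
    }

    # build_fixture BASE: constructed reference and live trees for a dry run.
    build_fixture() {
        base="$1"
        mkdir -p "$base/ref/wp-includes" "$base/ref/wp-content/themes/twentytwentyfive"
        printf '<?php // constructed sample\n' > "$base/ref/index.php"
        printf 'constructed readme\n' > "$base/ref/readme.html"
        printf '<?php $wp_version = "x.y"; // constructed\n' > "$base/ref/wp-includes/version.php"
        printf '/* Theme Name: Twenty Twenty-Five */\n' > "$base/ref/wp-content/themes/twentytwentyfive/style.css"
        cp -R "$base/ref" "$base/live"
        # Simulate what an investigation might find: a tampered theme file, a
        # file that exists only on the live side, and a file that was removed.
        printf '/* Theme Name: Twenty Twenty-Five */\n/* constructed tampering */\n' \
            > "$base/live/wp-content/themes/twentytwentyfive/style.css"
        printf '<?php // constructed extra file\n' > "$base/live/wp-includes/zz-constructed-extra.php"
        rm "$base/live/readme.html"
    }

    # demo: build the fixture in a temp dir, run the comparison, clean up.
    demo() {
        tmp=$(mktemp -d)
        build_fixture "$tmp"
        compare_trees "$tmp/ref" "$tmp/live"
        rm -rf "$tmp"
    }

    # Usage on a real host (paths are placeholders):
    #   recently_modified /var/www/html 30
    #   compare_trees /path/to/fresh-wordpress /var/www/html
    demo
    ```

    Run it as-is and it prints the three anomaly lines for the constructed trees. Against a real site, diff the live tree against a fresh download of the same WordPress version, and expect `wp-config.php`, `wp-content/uploads` and any plugins you installed yourself to show up as "extra"; anything "changed" under `wp-admin` or `wp-includes`, or a `.php` file reported as "extra" inside `uploads` or a theme directory, is what needs a closer look before you trust the install.
    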

  • Unknown's avatar

    Thank you for your message. I chose the method from point 4, which is the safest. I also changed the FTP, database, and all user account passwords. I used SaltShaker to change the password hashing keys. I deleted the default themes that Wordfence flagged as having modified files, even though the files were JSON. I also uninstalled Wordfence (enabling the options to remove its tables upon uninstallation) because Wordfence generates a file at the root (auto_prepend file). I also performed a strict Wordfence scan to ensure nothing was left.

    A huge thank you for your help!
