Hi.

Where exactly in the code does this appear? I don't think this is a hack. Hacking does not look like that. There is no sense in this. Most likely, they simply copied the content from the WP website and did not clean its code before inserting to Joomla editor. Especially it happens if the content was copied from the WP page made through Elementor

Hi Pavel

WP-Content appears as a ordner in Joomla.....and I never used Worpress.....all those Joomla I migrated from Joomla 3 to 4....and I don't know Elementor .....hmm....it happens also in a new Joomla4 installation...a few days later.....and I use always helix ultimate...the newest version...

It is strange to have this problem in different websites. Even I delete this ordner.....a few days later it happens again....changed the password...it doesn't help....

appears as a ordner in Joomla.....

I don't understand this your description. A correctly asked question is 50% of success to obtain the correct answer.

and I never used Worpress

I'm not saying that you are using WP. I say that you could copy content from another site that uses WP and add by this action the garbage code to the Joomla editor

in the joomla administration there is an ordner called wp-content ... i will send you a picture as soon as i have this problem again

its a folder in joomla.. sorry for my english

hmm... they told me its not a server problem...

so i need to ssk in a joomla forum

this is a hack something similar happen to me a year ago..

how did you fix it?

Hi there,

I appreciate you reaching out. I sincerely apologize for this oversight. I have checked files and folders. But, there is no code of WordPress related.

-Thanks

yes, i fixed it yesterday.., but i am afraid it happens again in a few day, like before

I found something in Joomla-Forum....they told me to add this code to the .htaccess-datei:

<Files wp-login.php> Order Deny,Allow Deny from all </Files>

I will see, if this helps....

Maggie, If I may....

Spam/hackers bots scan random websites and they make php requests, they do not check what CMS is .. just do they job. It's like a thief who walks around and grabs handles.

On my Joomla firewall logs I had a lot of WP request even 2-3 years ago.

Nothing to worry by now, you have to just lock them via htaccess rules and lock IP one by one.

p.s.

If you are using WordPress CMS somewhere there are methods to hide login URL etc..

<German Text at the bottom>

If these folders always re-appear, you might have a more serious problem. As i don't have details about your server it is hard to say, where the problem exactly lies, but it could be that the Administrator account is compromised, that has access to all the client sites.

The "Hacks" usually consist of an uploaded PHP File, that then downloads an actual payload. The payload has no easy readable code inside, either base64-encoded or a mixture of hex and dezimal values. For WP it would be for example the ini.php. Mostly these exploits are used to control the server and/or to send a ton of spam over it. Check the mail queue of the server in question. If you get a ton of bounces and potentially a mail queue with thousands of mails in it, the server is definitely compromised. In that case each site needs to be checked. There are also many other logfiles available, that can help to identify the problem. This is a very good example, why virtual servers should be running in a jail, so if one gets compromised, the others are safe unless they can be as easily compromised.

Hi, wenn die Ordner immer wieder auftauchen, könntest du ein etwas größeres Problem haben. Da ich aber keine Details über den Server habe, ist es schwer hier etwas genaueres zu sagen. Der Account des Admins könnte kompromitiert sein, der auch Zugriff auf alle Client Home Ordner hat.

Die "Hacks" arbeiten in der Regel so, dass eine Datei auf den Server geladen werden kann, die dann wiederrum einen File Drop runterladen und ihn im System verankern. Das kann auch so gemacht werden, dass man auf der eigentlichen Seite nichts sieht. Schau dir mal die E-Mail Queue der Kunden an. Wenn du tausende Mails in der Queue hast, ist das schonmal ein sicheres Zeichen, dass der Server zum Spammen genutzt wird. Auf dem Server gibt es auch jede Menge Log-Dateien, die weitere Infos beinhalten können. Das ist ein Paradebeispiel, warum man Kundenseiten immer in einer Jail laufen lassen sollte. Somit können andere Seiten nicht "befallen" werden, wenn eine Seite kompromitiert wird. Das Bereinigen eines Servers kann eine recht aufwendige Sache sein, die auch einiges an Zeit in Anspruch nimmt. Der Server muss im Grunde genommen eine recht lange Zeit überwacht werden und evtl. bestimmte Netze blockiert werden. Persönlich filter ich Netzverkehr von bestimmten Ländern raus. Niemand aus China hat zum Beispiel etwas auf meinem Server zu suchen. Und falls es doch mal jemand geben sollte, dann hat er halt Pech gehabt. 99,99999999% vom Traffic sind aber halt nur Angriffe und da habe ich keinen Bock drauf, also werden alle APNIC Netze blockiert.

Wenn du Hilfe benötigst, finden wir sicherlich eine Lösung in Kontakt zu geraten.

Tom

Hallo Thomas

Vielen Dank für Deine ausführliche Information. Ich werde Deinen Beschrieb meinem Provider zustellen und hoffe, mit ihm dieses Problem stoppen zu können.

Vielen lieben Dank.

Gruss Maggie

The problem of website security is a very complex one, and it's getting more challenging every year. Sometimes the problem is a poorly secured server, sometimes the website CMS or installed extensions .... there are many windows through which a potential GOOD hacker can get in.

Yes Paul, as Thomas wrote, its very complex... I have to be careful not to lose the fun with it....

Now I hope with this order in the htaccess-datei:

<Files wp-login.php> Order Deny,Allow Deny from all </Files>

it will be fixed....I will see.....