PHP code injection and file permissions change

Admittedly I’m a newb when it comes to linux systems so I’m not going to supply much information initially, but hopefully someone can point me in the right direction. Someone is changing the file permissions and injecting code into my index.php file. The site in question runs Wordpress, but they’ve modified other index.php files in other folders in the past (not WP related). From what I can tell, it’s just this one file and they add an include to redirect to their site.

I’ve adjusted permissions and changed passwords all to no avail. I set permissions to -rwx-r-x— but they change it to -rw-r–r--.

They aren’t logging in via SSH or FTP as I have those ports blocked, only port 80 is open in this server. The few plugins I use for this WP install are reputable and updated. Where can I go to start looking? The couple of logs I’ve found don’t appear to give me any meaningful information.

I just set this server up so it’s a fresh install of Ubuntu 16.04, Virtualmin was installed using the install.sh --minimal script.

Thank you for the help!

hi griffgj,

well with wp it could be anything really, I mean any other plugin or even badly coded theme (reply to the post, or perhaps search bar or even some functions build into theme - or plugin). Check your theme files, all plugins and disable plugins your really don’t need to use. Also have look at suspicious files within wp dir, you may have backdoor already placed there - perhaps some php shell. Also if possible disable the comments on your site, it would save you very much hassle to delete or remove spam or useless comments. If you still want comments on a site use something like 3th party commenting system or set wp to approve every comment on your site manually.