My site's index.php gets attacked twice a day & index.php is changed automatically with unreadable code.

One of my sites is hacked twice a day; it seems like some malware or bot attack is being done. It has been almost a month now that I have been facing this issue daily. This site is actually a XenForo CMS, but the index.php is changed to a WordPress index.php with some unreadable code. I have attached them below. I have to replace index.php every day to make it work. Please help me address this issue. I have changed the passwords for root, DigitalOcean and also the CMS admin, but the issue is the same. Thanks.

Original index.php Hacked index.php



This sounds like a vulnerability in your CMS rather than a server vulnerability.

What I could suggest is checking your access logs and finding out what request is used to insert this malicious code into the index.php file.

What you could do is first check the time that the index.php file was modified (you can use ls -lah index.php to check that), and then in your access log, look for this specific time period.

Once you have the request that is responsible for the problem, you will be able to tell which part of your CMS is being exploited and patch it.

I am not very familiar with XenForo itself but I would recommend making sure that you do the following:

  • Make sure that you are running the latest version of XenForo so that it includes all of the latest security patches
  • Update all of the plugins and themes that you have for XenForo
  • Remove all of the themes and plugins that you are not using

Let me know how it goes. Regards, Bobby
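
The log correlation described in the answer above, as an added example that is not part of the original answer: it takes the modification time of index.php and lists the access-log requests logged around it, write-capable methods first. It assumes the common/combined log format; the function names, sample paths, addresses and times are constructed for illustration.

```python
import os
import re
import sys
from datetime import datetime, timedelta, timezone

# Timestamp, method and path of a common/combined log format line.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def file_modified_at(path):
    """Modification time of the file (what ls -l shows) as an aware datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(log_lines, modified_at, window_seconds=60):
    """Return (method, path, timestamp) for requests logged within
    window_seconds of modified_at, write-capable methods first, then
    closest in time. Servers differ on whether they log the start or
    the end of a request, so both sides of the change are searched."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not in the expected format
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp
        if abs(ts - modified_at) <= window:
            hits.append((m["method"], m["path"], ts))
    hits.sort(key=lambda h: (h[0] not in WRITE_METHODS, abs(h[2] - modified_at)))
    return hits

# Constructed sample data: addresses, paths and times are made up.
SAMPLE_MTIME = datetime(2024, 3, 5, 2, 14, 7, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2024:02:13:58 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [05/Mar/2024:02:14:06 +0000] "POST /example/upload.php HTTP/1.1" 200 31',
    '203.0.113.7 - - [05/Mar/2024:01:02:03 +0000] "POST /login/login HTTP/1.1" 303 0',
    'truncated or malformed line',
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py /path/to/index.php /path/to/access.log
        mtime = file_modified_at(sys.argv[1])
        with open(sys.argv[2], errors="replace") as fh:
            lines = fh.readlines()
    else:
        mtime, lines = SAMPLE_MTIME, SAMPLE_LOG
    for method, path, ts in requests_near(lines, mtime):
        print(ts.isoformat(), method, path)
```

The modification time can be reset by whoever wrote the file, so compare it with the change time that `stat index.php` reports before trusting the window.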