I have numerous sites with different hosting companies, about 5 of the sites hosted with one company have been hacked. It is no big deal but I am trying to get to the bottom of how they got in.
None of the sites has the same FTP & Password combination
None of the sites have the same WordPress admin logins
The WordPress admin logins are not default
The passwords are strong and generated by a security system
There is no common code, plugin or theme (e.g. Timthumb)
The hack encodes all the PHP files a bit like IonCube, it clickjacks users on the front end once a day, so laods normally on refresh.
The backend is all messaged up although you can still login.
Looking at the backups there are some random PHP files in the root, they tend to have two words separated by an underscore e.g. Random_plate.php the files is encoded itself, I suspect it is called by something.
Anyone recognise the hack and what caused it?