Were you hacked at one point in the past? And, if so, did you clean up the vector they used, or just the symptoms of the attack? If you didn’t clean up the vector they used, they still have a door wide open, and no amount of hardening will protect you.
If the above is true, remain calm and carefully follow this guide.
Thread Starter
RBX
(@rbx)
I have only a faint idea of what you mean by vector.
I followed the guide, and have already once tried replacing my whole installation with a ~ 2 week old backup, and have changed salts since then, and have done a lot of other things suggested by iThemes Security plugin.
Since I didn’t scan my database then, only removed what seemed out of place, I tried scanning for any injected code using this mentioned here:
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
and didn’t find anything.
The first time I was hacked, the hackers had uploaded a file named ws.php with obfuscated code. I let the file be there, made it empty and read only.
I have also tried removing insert/update access to wp_users table using phpmyadmin but didn’t succeed. I will now look into OSSEC, and will also scan my system using a good antivirus, though I’m quite sure my system is clean.
If you did follow everything in the guide, then I’d have to suggest that the vulnerability could be with your hosting provider and the server configuration.
You might also want to consider hiring a specialist like https://sucuri.net who have great standing in the community.
Thread Starter
RBX
(@rbx)
What do you think about exec() ability? I once enabled it to use EWWW image optimizer. Does it, or any other similar feature pose a risk?
Any feature can pose a risk if someone gains access to your server or hosting account, and yes exec() could be used in an attack, but the fact that it’s also used by EWWW (as well as a few thousand other plugins) would suggest that it’s not directly your problem. 😉
Thread Starter
RBX
(@rbx)
Can one vulnerable site on a server cause other sites to be hacked?
We have several sites on the same server, and these days I ensure proper security on new sites right from the start to avoid the possibility of malware creeping into backups.
My sites are still getting hacked, and all of them get hacked around the same time. I have enabled file change detection on several of them, and no changes seem to be made to files. Just all usernames are renamed to admin and passwords probably to admin123.
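The symptom described in the post above (logins renamed and passwords reset while file change detection reports nothing) can be checked for directly in the users tables. The queries below are an added example, not part of the original thread; they assume MySQL or MariaDB and the default wp_ table prefix, and they only read data.

```sql
-- Added example (not from the thread). Assumes the default wp_ prefix.

-- 1. Logins that occur more than once. WordPress enforces unique logins in
--    PHP, not in the table schema, so duplicates mean rows were written
--    to the database without going through WordPress.
SELECT user_login,
       COUNT(*)                     AS accounts,
       GROUP_CONCAT(ID ORDER BY ID) AS user_ids
FROM wp_users
GROUP BY user_login
HAVING COUNT(*) > 1;

-- 2. Password hashes that are shared by several accounts, or stored as a
--    bare 32-character hex string (the legacy unsalted MD5 format).
--    Hashes written by WordPress itself are salted per account, so any
--    row returned here is worth reviewing and resetting.
SELECT ID, user_login, user_email, user_registered,
       CHAR_LENGTH(user_pass) AS hash_length
FROM wp_users
WHERE user_pass REGEXP '^[0-9a-fA-F]{32}$'
   OR user_pass IN (SELECT user_pass
                    FROM wp_users
                    GROUP BY user_pass
                    HAVING COUNT(*) > 1);

-- 3. Every account that holds the administrator role, newest first, to
--    compare against the administrators you expect on this site.
--    Roles are stored serialized in wp_usermeta under <prefix>capabilities.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;
```

Running the same three queries on each site that shares the server, right after an incident, shows whether every database was changed in the same way.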
Moderator
t-p
(@t-p)
Can one vulnerable site on a server cause other sites to be hacked?
Websites live in a complex ecosystem of interconnected nodes around the internet.
https://blog.sucuri.net/2015/05/website-security-how-do-websites-get-hacked.html
My sites are still getting hacked.
Make sure that you carefully follow this guide completely. If you stop after removing the symptom, you’ll miss the vector, and the hack will just continue.
When you’re done, you may want to implement some (if not all) of the recommended security measures.