I really think it is a backdoor or something similar, or a MySQL injection; either way, the hacker can read the wp_postmeta data in the database.
I resolved the problem with the openssl_encrypt / openssl_decrypt functions and an add_action hook on save_post:
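// Loads encrypt_decrypt(). The included file holds the encryption key, so it must stay out of
// the database and should not be readable by anyone but the web server user.
// NOTE(review): wp-admin is a WordPress core directory; a location owned by the theme or plugin
// is presumably safer against core updates - confirm before deploying.
require __DIR__ . '/../../../wp-admin/encrypt-decrypt.php';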
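/**
 * Encrypts the post's download link when the post is saved.
 *
 * Runs on save_post for posts of type 'post'. If the 'wpcf-post-download-url' meta value still
 * starts with "http" it is treated as plaintext and replaced with the output of
 * encrypt_decrypt( 'encrypt', ... ). Any other value is left as it is (presumably it was
 * encrypted by an earlier save). 'wpcf-post-key' is then set to 1 so the shortcode knows the
 * stored value has to be decrypted.
 *
 * @param int $post_id ID of the post being saved.
 * @return void
 */
function update_my_post( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }

    // The original passed an undefined $postID here, so the check never saw the post being saved.
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }

    if ( get_post_type( $post_id ) !== 'post' ) {
        return;
    }

    $download_url = get_post_meta( $post_id, 'wpcf-post-download-url', true );

    /* Encrypt the link only while it is still plaintext. */
    if ( is_string( $download_url ) && strncmp( $download_url, 'http', 4 ) === 0 ) {
        $encrypted = encrypt_decrypt( 'encrypt', $download_url );

        // A failed encryption must not overwrite the stored link with an empty value.
        if ( ! is_string( $encrypted ) || $encrypted === '' ) {
            return;
        }

        /* Write the encrypted link to postmeta. */
        update_post_meta( $post_id, 'wpcf-post-download-url', $encrypted );
    }

    update_post_meta( $post_id, 'wpcf-post-key', 1 );
}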
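// Priority 20: the callback reads the link back with get_post_meta(), so it presumably has to
// run after whatever stores the field - confirm. The hook is registered for 2 arguments although
// update_my_post() declares only $post_id; the extra argument is ignored.
add_action( 'save_post', 'update_my_post', 20, 2 );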
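/**
 * Shortcode callback for [wpv_link]: returns the download link of the current post.
 *
 * The post ID is taken from the [wpv-post-id] shortcode. The stored value is decrypted only
 * when 'wpcf-post-key' is 1 and the visitor is logged in and is not an administrator; every
 * other visitor gets the stored value unchanged, i.e. the ciphertext once the post was saved.
 * NOTE(review): administrators therefore receive the ciphertext as well - confirm this is the
 * intended behaviour.
 *
 * @param array|string $attr Shortcode attributes (unused).
 * @return string The link, the stored value, or '' when decryption fails.
 */
function wpv_get_link( $attr ) {
    $id           = do_shortcode( '[wpv-post-id]' );
    $download_url = get_post_meta( $id, 'wpcf-post-download-url', true );
    $post_key     = get_post_meta( $id, 'wpcf-post-key', true );

    /* If the link is stored encrypted, decrypt it for logged-in non-administrators. */
    if ( (string) $post_key === '1' && is_user_logged_in() && ! current_user_can( 'administrator' ) ) {
        $decrypted = encrypt_decrypt( 'decrypt', $download_url );

        // encrypt_decrypt() returns false on failure; a shortcode callback should return a string.
        $download_url = is_string( $decrypted ) ? $decrypted : '';
    }

    return $download_url;
}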
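// Registers [wpv_link]; the returned link is inserted wherever the shortcode is used.
add_shortcode( 'wpv_link', 'wpv_get_link' );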
/*encrypt-decrypt.php */
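/**
 * Encrypts or decrypts a string with AES-256-CBC using a key and IV derived from fixed secrets.
 *
 * The stored format is kept as the post defines it, so values that are already in the
 * database stay readable. Known weaknesses of this format, to be fixed together with a
 * migration of the stored values:
 *  - The IV is constant, so encryption is deterministic: equal links give equal ciphertexts.
 *    A random IV per value (random_bytes(), stored next to the ciphertext) avoids this.
 *  - There is no integrity check; anyone able to write to the database can alter the
 *    ciphertext unnoticed. An authenticated mode or an HMAC over IV and ciphertext is needed.
 *  - hash( 'sha256', ... ) returns 64 hex characters, and OpenSSL uses only as many bytes as
 *    the cipher needs, so the effective key is 32 hex characters rather than 32 random bytes.
 *  - The secrets are literals in this file; 'Secret Key' / 'Secret IV' are placeholders and
 *    must be replaced with long random values kept outside the database and outside
 *    version control.
 *
 * @param string $action 'encrypt' or 'decrypt'.
 * @param string $string Plaintext to encrypt, or a value produced by the 'encrypt' action.
 * @return string|false  Result, or false on an unknown action or an OpenSSL failure.
 */
function encrypt_decrypt( $action, $string ) {
    $output         = false;
    $encrypt_method = 'AES-256-CBC';
    $secret_key     = 'Secret Key';
    $secret_iv      = 'Secret IV';

    /* Derive key material from the secrets. */
    $key = hash( 'sha256', $secret_key );
    // AES-256-CBC expects a 16-byte IV.
    $iv = substr( hash( 'sha256', $secret_iv ), 0, 16 );

    if ( $action === 'encrypt' ) {
        // With options = 0 the result is already base64; the second encoding below is kept
        // only because existing stored values use it.
        $cipher_text = openssl_encrypt( $string, $encrypt_method, $key, 0, $iv );

        // The original encoded a failed result too, turning false into '' and hiding the error.
        if ( $cipher_text !== false ) {
            $output = base64_encode( $cipher_text );
        }
    } elseif ( $action === 'decrypt' ) {
        $output = openssl_decrypt( base64_decode( $string ), $encrypt_method, $key, 0, $iv );
    }

    return $output;
}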