The hack is in a WP core file! Can't blame it on updates - always updated.
- This is a nice way to call me a liar - I posted to be helpful and with much detail.
To fill in some detail: we (myself and another person) started to build the website http://www.alabamahabitat.org in October and posted it live on February 19th; during that time we worked on the site several times a week. (Prior to that I had 2 other WordPress-based sites, http://www.alabamarestore.com and http://www.alabamahabitat.org/greenteam; both have been live for some time and not hacked.) So while not on the site every day, we were on one of them frequently enough to see updates and push them through; it is, after all, a 5-10 second process. In that time there have been 3.5, 3.5.1 and 3.5.2, not many. And there are at most 3-5 plug-ins on any of the sites (and several of them, but not all, are the same).
The other sites have allowed users to register and comment. The hacked site has never allowed users to register and comment, and there have only been 3 persons ever to log in and post and only 4 accounts total.
- - -
All the security advice on the web is outdated for the current round of attacks.
Where exactly have you been looking and what have you been reading?
Every single link on this page and many others - from searching the db for key terms (never found) to files in plug-in folders (never there). The other points - your stuff is outdated (not) and user error.
So fine I will take the user error - perhaps there was something. BUT the point is everything listed as "this is it" - are not it. I listed the compromised files - are they in any of the links?
I gave specific file names - are these names or locations mentioned in any of the referenced articles? No. So my assertion that the web-based advice is out of date is true. Does this mean there is only one kind of hack out there? No.
Do hacks change and improve over time? Yes. Do you update your 'virus' protection regularly? Yes.
And yes, this is a ding on the WordPress core files. Several security scanners readily identify that the core WP file wp-includes/general-template.php has been altered. If there is no reason for any person or plug-in to alter this file, why is it not a 'protected' file?
To just push all the issues back on the users is not a winning strategy - one that Microsoft recently gave up on, deciding that, yes, virus and malware protection is something the OS should handle, not be left to a third party.
So if the most common hacks rely on standardized wp_ table prefixes, why is this not randomized (or user selected) for new installations? This should be easy.
Why leave user #1? Why admin as a default user?
Why have default WordPress database table prefix?
Why have wp-content, wp-includes, wp-admin always with the same name?
Why keep the urls for WordPress dashboard including login and admin as the same default?
The more of these that are variables chosen at install, the more secure the site is from cut-and-paste hackers, viruses, worms and trojans, especially the older ones.
Of course you can't make everything a variable - but if plugins like Better WP Security can, why are at least some of these not baked into WP directly? (Or is this just security theater, to make users feel better, like they have done something, when they haven't?)
For that matter... the Famous 5 Minute Install gives the barest lip service to security, and then only "For maximum security, use two different sets of 4-6 random characters. Then the password field has a 'Random' button that generates an 8-character password. You may also add more characters to the password for maximum security."
Which very much gives you the impression that WP is much more secure than it really is. Why not start the installation with a suggestion / some information about security? Best practices for a WP install are...
So while I was attempting to (1) let another user know their site is compromised, (2) point out that it was a different hack than mine, and (3) note that the 'clear your hack' advice referenced and found did not address my particular hack - I was called out as a liar. Nice.
If someone here wants a copy of our database and wants to look at it for hacked code, for the benefit of our site and the world in general (as this appears to be a different attack than those prior), ask away.
I mention the urls and log-ins because, since I have enabled Wordfence's 'lock out unknown users on the first attempt' option, over the last 4 days there have been three attempts from Chinese IPs to log in or post with unknown usernames including 'admin.' Sounds like a WP issue? Everyone knows where the 'door' to the website is found.
So I am attempting to post helpful information. Perhaps not always worded the best - it has been a 'learning' experience - in the hope that someone else can resolve this more recent hack with less than 48 hours of digging and frustration.
And for all the suggestions that I "read the resources listed above" - let me ask: did you read my post?
Let me restate #6:
6. When not hacked, the wp-includes/general-template.php file is ~76 kb; when hacked it is ~177 kb.
- The content of the hack is an enormous stack of encrypted code. Perhaps there is more - but the file with the code manually deleted in cPanel and the file restored from the WP installation files are the same... so I think that is all the 'bad' code for that file. Does that help?
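As an added example (not code from this thread or from WordPress itself), the following Python script does what point #6 describes in a repeatable way: it hashes every file of a live install against an unmodified copy of the same WordPress release and reports altered core files with their before/after sizes, plus any file under wp-includes or wp-admin that the release never shipped. The two directory trees it runs on are constructed in a temp directory; point it at a real release archive and a real docroot to use it for triage.

```python
"""Compare a live WordPress tree against a pristine copy of the same release.
Added example, not from the forum thread; sample trees are constructed below."""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_trees(pristine, live, watched=("wp-includes", "wp-admin")):
    """Return files whose hash differs from the release (with sizes), files in
    core directories that the release never shipped, and shipped files that are
    missing. wp-content is skipped for 'unexpected' since plugins live there."""
    result = {"modified": [], "unexpected": [], "missing": []}
    pristine_files = {p.relative_to(pristine) for p in pristine.rglob("*") if p.is_file()}
    live_files = {p.relative_to(live) for p in live.rglob("*") if p.is_file()}
    for rel in sorted(pristine_files & live_files):
        if sha256_of(pristine / rel) != sha256_of(live / rel):
            result["modified"].append(
                (rel.as_posix(), (pristine / rel).stat().st_size, (live / rel).stat().st_size))
    for rel in sorted(live_files - pristine_files):
        if len(rel.parts) == 1 or rel.parts[0] in watched:   # top level or core dir
            result["unexpected"].append(rel.as_posix())
    result["missing"] = [rel.as_posix() for rel in sorted(pristine_files - live_files)]
    return result

def build_sample(root):
    """Constructed sample: a tiny 'release' and a live copy in which
    general-template.php has grown and an unshipped file sits in wp-includes."""
    pristine, live = root / "pristine", root / "live"
    for base in (pristine, live):
        (base / "wp-includes").mkdir(parents=True)
        (base / "wp-includes" / "general-template.php").write_text("<?php\n// clean core file\n")
        (base / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
    (live / "wp-includes" / "general-template.php").write_text(
        "<?php\n// clean core file\n" + "// constructed filler standing in for injected code\n" * 40)
    (live / "wp-includes" / "extra.php").write_text("<?php\n// constructed, not shipped\n")
    return pristine, live

def run_demo():
    """Build the constructed trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        return compare_trees(*build_sample(Path(tmp)))

if __name__ == "__main__":
    report = run_demo()
    for rel, before, after in report["modified"]:
        print(f"MODIFIED   {rel}: {before} -> {after} bytes")
    for rel in report["unexpected"]:
        print(f"UNEXPECTED {rel}")
```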