Title: Sites keep getting hacked–executable upload
Last modified: August 20, 2016

---

# Sites keep getting hacked–executable upload

 *  [mikejulian](https://wordpress.org/support/users/forkvoid/)
 * (@forkvoid)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/)
 * Hi folks,
 * I’m somewhat responsible for a multitude of WP installs on many different servers
   (some of which I don’t directly administer).
 * Each of these installs ranges from 100% up-to-date to slightly out-of-date (no
   more than a couple of point releases behind). Some have lots of plugins, others
   have only the two default ones. In one case, a bone-stock, unused install was even
   involved.
 * On June 2nd, a rash of compromises hit a server I directly manage. I’ve got it
   all cleaned up, but I need to figure out how to prevent this.
 * As far as I can tell, a zip file is getting uploaded either to the plugin folder
   or the upload folder. Somehow, this zip file is getting unpacked, resulting in
   a PHP file. This file is an uploader script, so from there, they have total control
   over the account.
 * What I don’t get is how in the world they are able to upload this file to begin
   with?
 * Server is cPanel-run, with up-to-date LAMP stack. SuPHP is active on all accounts,
   and they are all jailshelled. Permissions are set according to the WP hardening
   guide (755 directories, 644 files). I can verify all of this was already set 
   prior to the attack.

Viewing 6 replies - 1 through 6 (of 6 total)

 *  [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/#post-2793750)
 * Any coincidences, like the same plugin installed in each?
 * Same theme installed in each?
 * It seems unlikely it’s a WP core file issue, and more likely something you’ve
   similarly installed in all of your sites being compromised.
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/#post-2793768)
 * This is how the timthumb hack is sometimes done. Do you use any theme or plugin
   that uses the timthumb script?
 *  Thread Starter [mikejulian](https://wordpress.org/support/users/forkvoid/)
 * (@forkvoid)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/#post-2793866)
 * Thanks for the responses, guys.
 * The Hack Repair Guy: All of them have the twentyten theme installed, but none
   have it active. All of them have akismet and Hello Dolly. They diverge from there
   as to what they’re using. Those are the only common things.
 * MickeyRoush: I’ve been doing a ton of research into the timthumb problem. Not
   all of the sites hacked had any form of timthumb anywhere (I searched via command
   line, grep’ing for the string inside files that identifies a timthumb script).
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/#post-2793870)
 * @forkvoid
 * The timthumb script may have been renamed. You’ll have to verify per theme/plugin.
   I’ve seen the timthumb script go by the following:
 * > timthumb.php
   > thumb.php
   > resizer.php
   > crop.php
   > cropper.php
 * And there are probably more.
 * To protect your uploads directory, you really need to use something at the server
   level, like only allowing image files via .htaccess.
 * Something like this:

   ```apache
   Order Allow,Deny
   <FilesMatch "^[^.]+\.([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff])$">
   Allow from all
   </FilesMatch>
   ```
   
 * Note that this is only part of what you can do; you need to disable the PHP engine
   within directories that do not need any PHP execution. But the above is a start.
 * I create an .htaccess file for every plugin or theme that I use.
 * Here is an example for Akismet:

   ```apache
   Order Allow,Deny
   <FilesMatch "^akismet\.(css|gif|js)$">
   Allow from all
   </FilesMatch>
   ```
   
 * I believe every plugin should come with some form of .htaccess within like the
   one above that I use for Akismet. There are a small few that do.
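The original post describes a zip dropped into the uploads or plugin folder that ends up as a PHP file, and the reply above recommends a deny-by-default .htaccess for the uploads tree plus switching the PHP engine off there. The following script is an added example, not code from the thread or from WordPress: it audits a directory tree for files with server-side script extensions (the thing that should never exist under `wp-content/uploads`) and writes an .htaccess that serves only images and refuses PHP execution. It assumes Apache 2.2-style `Order`/`Allow`/`Deny` directives (the syntax used in the thread) and the `mod_php` `php_flag engine off` switch; on a suPHP host, where `php_flag` in .htaccess is ignored, the `SetHandler default-handler` block is the part that does the work. Directory layout and file names in the self-check are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): find script files under a WordPress
# uploads tree and drop a deny-by-default .htaccess into it.

# Print, sorted, every regular file under $1 whose extension marks it as a
# server-side script. An uploads tree should yield nothing here.
find_scripts() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \
       -o -iname '*.phar' -o -iname '*.cgi' -o -iname '*.pl' \) 2>/dev/null | sort
}

# Number of such files (0 is the healthy answer).
count_scripts() {
  find_scripts "$1" | wc -l | tr -d ' '
}

# Write an .htaccess into directory $1 that (1) serves only image files,
# (2) turns the PHP engine off under mod_php, and (3) maps script
# extensions to Apache's default-handler so suPHP/CGI setups never execute them.
# (?i) makes the PCRE match case-insensitive, which replaces the [Jj][Pp]...
# character classes used in the thread.
write_uploads_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# Deny everything by default, then allow only image files to be served
Order Deny,Allow
Deny from all
<FilesMatch "(?i)\.(jpe?g|png|gif)$">
  Allow from all
</FilesMatch>

# No PHP execution anywhere in this tree (mod_php)
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

# Even if a script slips in, serve it as a plain file, never execute it
<FilesMatch "(?i)\.(php|phtml|php[3-7]|phar|cgi|pl)$">
  SetHandler default-handler
  Order Allow,Deny
  Deny from all
</FilesMatch>
EOF
}

# Self-check on a constructed tree (no real site data involved).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/uploads/2011/06"
  : > "$tmp/uploads/2011/06/photo.jpg"
  : > "$tmp/uploads/2011/06/dropped.php"
  : > "$tmp/uploads/readme.txt"
  echo "script files found under uploads:"
  find_scripts "$tmp/uploads"
  write_uploads_htaccess "$tmp/uploads"
  echo "wrote $tmp/uploads/.htaccess; $(count_scripts "$tmp/uploads") script file(s) remain"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run `sh audit_uploads.sh --demo` to see the constructed check, or call `find_scripts /path/to/wp-content/uploads` from cron and alert on any output; the count is the metric to watch over time, and a non-zero value after the .htaccess is in place still means something wrote where it should not have been able to.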
 *  [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/#post-2793871)
 * Try the “Timthumb vulnerability scanner” plugin next. It’s the poor man’s malware
   scanner, and may help ID some back door scripts or old timthumb installations
   as well.
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/#post-2793873)
 * The new WordFence plugin has a built-in scanner. And the author is very experienced
   with the timthumb script. He was one of the first to actually provide security
   updates on his own.
 * [http://wordpress.org/extend/plugins/wordfence/](http://wordpress.org/extend/plugins/wordfence/)

The topic ‘Sites keep getting hacked–executable upload’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 3 participants
 * Last reply from: [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * Last activity: [13 years, 11 months ago](https://wordpress.org/support/topic/sites-keep-getting-hacked-executable-upload/#post-2793873)
 * Status: not resolved