I added the following triggers.
DELIMITER /
-- Reject any update to the rows with option_id 1 and 2
CREATE TRIGGER trg_update_wp_options BEFORE UPDATE ON wp_options
FOR EACH ROW
IF (NEW.option_id IN (1,2)) THEN
  SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Cannot update locked record';
END IF;
/
-- Reject post updates whose new content contains a <script ...> tag
CREATE TRIGGER trg_update_wp_posts BEFORE UPDATE ON wp_posts
FOR EACH ROW
IF (NEW.post_content LIKE '%<script%>%') THEN
  SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Script not allowed in post';
END IF;
/
DELIMITER ;
Just need to see if anything appears in error.log.
Not sure if this is significant, but I’ve detected a user wordpressssadmin (wordpressssadmin@test.com) role=None. Now removed.
Also we’ve been having quite a few login attempts using real admin usernames. Even though I’ve changed them, the new names are appearing in the failed attempts list. “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API” is ticked, and the IDs don’t appear in any posts or pages that I can see. Which makes me suspect something is acting from the inside?
Hey @ahall41,
Wordfence protects against a vast variety of attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is hard to say. Some plugins contain vulnerabilities that are so bad that Wordfence can’t protect against them. The same goes for servers.
It does sound like the site is compromised. I’d suggest updating all passwords including WordPress, sFTP, hosting control panel, and database.
You can use the guide below to further comb the site. But if the issue or any other oddities return I’d suggest reaching out to a professional hack repair service to have the site cleaned and patched.
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Thanks,
Gerroald
Thanks for the reply. I suspect we may have been hacked before we installed Wordfence … all the plugins we have now seem to be respectable. The spurious user has been removed – only 3 have access to create/update posts. All we can do is wait and see (except I think I should also add a trigger to prevent creating posts with <script> tags).
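The insert-side trigger mentioned in the last post, as an added example that is not part of the original thread and not Wordfence's own code. It assumes MySQL, the default `wp_` table prefix and a hypothetical trigger name `trg_insert_wp_posts`, and it adds a read-only query for rows that already contain a script tag, since triggers only stop future writes.

```sql
-- Added example. Assumptions: MySQL, default wp_ table prefix,
-- hypothetical trigger name trg_insert_wp_posts.

DELIMITER /

-- WordPress writes new posts and post revisions as INSERTs into wp_posts,
-- so a BEFORE UPDATE trigger alone does not see them.
CREATE TRIGGER trg_insert_wp_posts BEFORE INSERT ON wp_posts
FOR EACH ROW
BEGIN
  -- LOWER() keeps the match case-insensitive even if the column
  -- uses a case-sensitive or binary collation.
  IF LOWER(NEW.post_content) LIKE '%<script%>%' THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Script not allowed in post';
  END IF;
END
/

DELIMITER ;

-- Triggers only block future writes. This read-only query lists rows that
-- already match the same pattern, newest first, including revisions.
SELECT ID,
       post_type,
       post_status,
       post_author,
       post_modified,
       LEFT(post_title, 60) AS title_start
FROM wp_posts
WHERE LOWER(post_content) LIKE '%<script%>%'
ORDER BY post_modified DESC;

-- Confirm which triggers are now attached to wp_posts.
SHOW TRIGGERS LIKE 'wp_posts';
```

Both triggers also reject legitimate content that embeds a script tag, so review any hits from the audit query before enabling them on a site that uses such embeds.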