
I could not find any similar error after searching the web and struggling with the problem for around two weeks.

One of the WordPress sites I'm managing keeps getting hacked. There has been no damage so far and I verified the integrity of the WordPress core files. I performed pretty much every hardening for WordPress I found, including directory protection of the wp-admin directory. Nevertheless, after a day, I find that all my users in the database have the username m4shell and their passwords are changed.

Has anyone experienced a similar problem?

Configuration of the server:

  • WordPress: 5.3
  • PHP: 7.3.11
  • SSL: yes
  • Forced SSL: yes
  • Two-factor authentication activated (2FAS Light)
  • Theme: DIVI v4.0.7 (purchased)
  • Other plugins:
      • Child Theme Configurator
      • Disable XML-RPC
      • Enhanced Media Library
      • GDPR Cookie Consent Banner
      • Loginizer
      • Post Types Order
      • Shortcodes Ultimate
      • Sucuri Security - Auditing, Malware Scanner and Hardening
      • Theme Authenticity Checker (TAC)
      • Ultimate Posts Widget

All plugins are up to date. I have never installed any pirated plugins or themes. Passwords are generated by the pwSafe password manager (25 characters, mixed). There are no users except me and a second user, which my girlfriend uses to upload pictures.

If anyone has an idea what this is or what I could further do, please help, I'm really stuck.

  • I would suggest you contact a professional in this case. If you can't locate where the compromise happened, then just restoring the server back to where it was will not help. (Full disclosure: I am an information security professional working in Austria. I'm saying this not to generate more customers for my employer, but because it's solid advice.) –  Dec 03 '19 at 19:54
  • Have you searched all your PHP files for "m4shell"? One of your PHP files will likely have a script that changes usernames to that and a password hash of "103286836c1b86b2ba7805c8cbee02a6" – schroeder Dec 03 '19 at 20:10
  • Always pay attention to when the last update for a plugin was. For example, take a look at this one, "Disable XML-RPC": the last update was 8 months ago. It wouldn't be the first time that a plugin which you thought was up to date has been unmaintained. – Mirsad Dec 03 '19 at 20:21
  • Thanks for your tips. I added and removed the website. @Anders you're right. – Vincenz Mössenböck Dec 03 '19 at 20:24
  • You had included the URL and I removed it. – schroeder Dec 03 '19 at 20:44
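The search schroeder suggests in the comments, written out as an added triage script (this is not code from the original post or from any of the listed plugins). It greps every PHP file under a webroot for the two indicators quoted in the thread, the username m4shell and the hash string, and separately lists PHP files modified within the last few days, since a planted backdoor is usually newer than the surrounding core files. The webroot it scans is a small directory tree the script builds itself, with one clean file and one constructed sample payload that rewrites wp_users the way the question describes; the path, file names and payload are all assumptions made for the demo. Point scan_webroot and recent_php at the real document root to use it on the live site.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: triage a WordPress webroot for the
# string the attacker writes into wp_users, and for recently modified PHP files.
set -euo pipefail

# Indicators taken from the thread: the username "m4shell" and the password
# hash string quoted in the comments.
IOC_USER='m4shell'
IOC_HASH='103286836c1b86b2ba7805c8cbee02a6'

# Print the path of every PHP file under $1 that contains either indicator.
# Exit status is 0 when at least one file matched, 1 when nothing matched.
scan_webroot() {
    local root="$1"
    grep -rIl --include='*.php' -e "$IOC_USER" -e "$IOC_HASH" "$root"
}

# Print every PHP file under $1 whose mtime is within the last $2 days.
# Caveat: mtime can be reset by the attacker with touch, so an empty list
# does not prove the tree is clean; the grep above does not depend on it.
recent_php() {
    local root="$1" days="$2"
    find "$root" -type f -name '*.php' -mtime "-$days" -print
}

# Build a constructed webroot so the script runs offline (assumed layout):
# one clean core-like file and one file carrying a "rename every user" payload
# modelled on the symptom described in the question.
make_demo_root() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads/2019/12" "$root/wp-includes"
    printf '<?php\n// clean core-like file (constructed)\nfunction wp_demo() { return 1; }\n' \
        > "$root/wp-includes/demo.php"
    cat > "$root/wp-content/uploads/2019/12/class-cache.php" <<'EOF'
<?php
// constructed sample payload, not taken from any real compromise
global $wpdb;
$wpdb->query("UPDATE {$wpdb->users} SET user_login='m4shell', user_pass='103286836c1b86b2ba7805c8cbee02a6'");
EOF
    echo "$root"
}

demo_root="$(make_demo_root)"
echo "Files matching indicators under $demo_root:"
scan_webroot "$demo_root" || echo "(none)"
echo "PHP files modified in the last 7 days:"
recent_php "$demo_root" 7
rm -rf "$demo_root"
```

On the real server, run scan_webroot against the document root and also against any directory the web user can write to outside it (the uploads directory is in the tree here because it is the usual drop point, but cron entries and /tmp are worth the same grep). Pair the file search with a direct look at the database, for example SELECT ID, user_login, user_email FROM wp_users; plus the same query against any second table prefix the attacker may have created, since a payload that runs from a database trigger or a scheduled wp_cron event will not show up in the PHP tree at all.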
