Blocking Unauthorized Users and Link Injection Cleanup

[Vigor Daily]

New Pro user here, great plugin by the way.

Prior to getting the plugin we had a Pharma hack on a little server that had around 10 sites, some of which were locked down very well and some had older WP installs due to their reliance on older plugins.

We are not sure of the entry point, but they were able to inject an admin user across ALL domains (probably not through WP) and inject outbound links into even the most secure and up to date sites.

1. My intention to prevent against this in the future was to use DBM to select ‘File Size’ on the users table (most of these sites do not accept subscribers) and try to slow it down that way, but since I’m sure the attack is automated they will likely gain access and inject code between scans.  What is the best way to use the plugin to block new users and/or stop them from injecting code?
2. If we do have a cart system that regularly adds subscriber users, is there a way to block just new unauthorized Admins or Editors, or just receive alerts for those roles?
3. If a user does add links, for instance, to some pages, is there a BEST way to use the plugin to help remove that code? Rather than searching for it and removing it manually?
4. Can you recommend any other settings to help protect against this type of attack without being constantly bombarded by alerts?

[AITpro Admin]

You want to make 100% sure that you have found all the hacker files and code throughout your entire hosting account or the hack will return again.  Take a look at this forum topic for help info about cleaning up a hacked hosting account/websites:  https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

The BPS Pro Database Monitor feature is not very user friendly and is pending additional work to make it user friendly.  Currently DBM is only good for a general heads up check since if you want to the exact change that occurred in your database you have to jump through some hoops and use the DB Diff Tool.  DBM development is currently on the back burner due to higher priority tasks taking precedence.  Once we get all top priority tasks completed will start DBM development again.

1. Make sure that your hosting account is 100% clean of all hacker code and files.  If files are being used to inject links then once you are sure your hosting account is clean of all hacker files then AutoRestore|Quarantine will quarantine any new hacker files if the hackers try to upload them to your hosting account.  If the injected links are coming from your database then you also need to make sure your databases are 100% clean.  Overall BPS Pro already has security features that will block any new hacking attempts/methods, but once again you need to be 100% sure that your hosting account is cleaned up.  If you have a plugin or theme installed that is exploitable and that is the entry point for the hacker then the hack may return again.  There is a limitation with all security plugins and that is if something is seen as the “normal” functionality of a plugin or theme, such as a plugin or theme upload form then security plugins will not interfere with that is seen as “normal” functionality in another plugin or theme, otherwise security plugins would break all other plugins and themes.  With that said, BPS Pro does block external attacks/exploits before they be used against an exploitable plugin with the BPS Pro Plugin Firewall.  Unfortunately, any feature in a plugin or theme that is frontend accessible to all users cannot be fully protected by any security plugins for the simple reason that the “normal” functionality of that feature would be broken.  So once you are sure everything is cleaned up in this hosting account and if the hack returns you will need to look at any frontend forms in plugins or themes that are exploitable.  Example:  A plugin or theme upload form that is not properly secured or has a coding mistake that makes it exploitable.  Most likely just cleaning up the hosting account will be enough.

2. Subscribers do not have sufficient permissions to do anything that could hack your site so there is no reason to limit/restrict or block them on the fronted or on the backend after login.  With that said, let’s say there is a coding mistake in a plugin or theme that allows Subscribers to do something they should not allowed to be able to do in the backend.  Since that coding mistake cannot be detected or prevented by any security plugins then that coding mistake would need to be found, the plugin or theme author notifed and fixed by the plugin or theme author.

3. Instead of worrying about things that occur “after the fact” such as link injections.  You instead need to get the hosting account 100% clean to remove the source of the hack and returning hack.  Once the hosting account is 100% clean then you should no longer see any new link injections.  The link injections are “after the fact” and not the origin or source of the hack.

4. See #1, #2 and #3.  I think you get the general idea – you need a 100% clean hosting account, make backups of everything and then if the hack returns you need to find the entry point.  Most likely just cleaning up the entire hosting account will take care of the problem and the hack will not return again.

[Author]

Posts