Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
There are websites that distribute themes and plugins for free or at a discounted price, and that do so without the authors' permission. These themes and plugins often have code that the vendors insert in for them to make money once the theme is up and running on a website. So, that is one possibility.
Have you seen the hardening WordPress article on Codex?
Isn’t it a coincidence though that all of the older sites aren’t compromised? I’ve done a lot of those steps, just changed passwords to FTP and user a week or so ago after the first attack. I only use themes that I find in the WordPress repository. And not all the sites use the same ones.
Just thought I’d mention it.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
What do you mean by they aren’t compromised, that they don’t have the symptom of the hack? Like the spam in those websites?
I’m going to use the term “hacked” even though “attacked” etc. is likely the right term, just for ease of typing etc.
But yes, that is what I’m saying.
I have 20 sites on one server. Every one of those updated to WordPress 4.3 was attacked, yet not one of the missed ones (that I hadn’t updated yet) was touched. At all.
So I was wondering if it was possible that there was a vulnerability that exists in 4.3, that wasn’t in the previous version. They seem to have added some files, but mainly they get to:
wp-blog-header.php
wp-includes/nav-menu.php
wp-includes/js/jquery/jquery.js
wp-includes/js/comment-reply.min.js
wp-includes/js/jquery/jquery-migrate.min.js
and the header.php file in the theme.
I don’t know if that helps or not.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
I’m sure that is the case. And there is a hole in my particular hosting that is allowing this to happen. I’m plugging away at cleaning up the sites, changing passwords again etc.
Thanks.