TL,DR: I exempted admin-ajax.php from AUTHentication and the scan logs now show without a problem. I think the firewall setup alert also improved.
I went ahead and started over with fresh install of wordpress (6.2.2). I had an older backup and also I made a zip backup copy ofwp-content/uploads + wp-config.php folder prior to just nuking everything. I did do a wordfence scan prior to this, but most people will likely be so locked out/frustrated due to the hacker penetration that they are better off just starting over with fresh WP, lock down WP, then upload their backup content/databases/re-add plugins one-by-one as needed.
Innerplanet webhost reset cPanel password after they unsuspended the account (suspended due to the sudden surge in spam email + fake netflix phishing page from account). Their live support was pretty helpful; good to have a shared host where you can still chat with someone and support tickets are answered by humans. They actually reinstated account access fast. Changed name and password of wp database user in cPanel and updated that in wp-config.php, along with new salt keys.
cPanel access: webhost sent new email with reset password. They disable cPanel ‘forget password’ function; you must contact support manually to regain access.
cPanel email management: reset all email passwords.
cPanel acronis backup (download older backups; had host support restore backups and assist in generating backup zips from older backups)
cPanel File Manager: zip wp-config + wp-content/uploads folder; move files around in GUI.
SFTP FileZilla: download large files quicker and with resume capability / upload backups quicker vs cPanel
Putty SSH: delete large folders faster than SFTP or cPanel alone. Move all the content you want to delete in the public_html folder into a single folder _deleteme. then navigate to the _deleteme folder and use use SSH rmdir command rm -rf to delete that folder. use this command with caution. SSH rm-rf command is much quicker and less errors than cPanel or SFTP, but use caution not to delete the wrong folder.
cPanel phpMyAdmin: Removed all xxxx_user database entries of hacker usernames; reset valid username passwords (or clear password).
Interestingly enough, another plugin I used a while back (wp-reset or something like that) made backup database; I was able to look at the backup tables and compare to find out more precisely the parts of the database that were infected….mainly it will be user and comments tables if they are enabled).
==============================================
Upload latest version of wordpress (or last stable version for you). Or you can install fresh copy using your web host / cPanel installer. Softaculous Apps Installer or something similar. Softaculous has an advanced option that allows you to setup cron job backup every x days. And after y backups, it will auto-delete the oldest backup. (The webhost also has a separate auto-backup + manual snapshots can be requested via cPanel backup / acronis backup)
Lock down WP. There are numerous articles for this, including WP’s official hardening WP article. I want to be as pragmatic and effective as possible, using the least amount of plugins. So I did the following:
Password protected wp-login.php and /wp-admin/ folder. Here is sample code [assume Apache 2.4x, 2.2 has some different syntax]:
# New root settings require ErrorDocument be explicitly stated
ErrorDocument 401 default
# harden wp-login.php to prevent public access.
<Files wp-login.php>
AuthUserFile "/path-outside-public_html-folder/public-home/.htpasswd"
AuthType Basic
AuthName "Restricted area"
Require valid-user
</Files>
# New root settings require ErrorDocument be explicitly stated
ErrorDocument 401 default
# protect wp-admin folder by requiring password
# exempt admin-ajax.php
SetEnvIf Request_URI "admin-ajax\.php" exempt
AuthType Basic
AuthName "Restricted area"
AuthUserFile "/path-outside-public_html-folder/public-home/wp-admin/passwd"
<RequireAny>
Require env exempt
Require valid-user
</RequireAny>
*Use this site to generate .htpasswd username/password salted combos.
And ignore this silly 2014 Wordfence article about not doing that. Even the comments concurred that you simply allow admin-ajax.php to bypass AUTH, which will allow plugins that require this module to still work.
Password protect these pages takes care of about 70% of the attack vector. The other 30% come from other “doors” like xmlrpc.php and rest-api.
Disable file editing. Even if hacker gains access to the admin portal, it cannot edit any plugins. Open wp-config.php and add this line define('DISALLOW_FILE_EDIT', true); like this:
/* Add any custom values between this line and the "stop editing" line. */
#remove PHP editing inside WP admin panel
define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy publishing. */
Lock wp-config.php There are several ways to do this. Primarily through .htaccess and setting correct file permissions.
# Harden wp-config.php to prevent public access. Also Set CHMOD to 400/440
<files wp-config.php>
<RequireAny>
Require all denied
</RequireAny>
</files>
File permissions: use cPanel File Manager, SFTP, or SSH and set wp-config.php file permission to 400 or 440. This means that the user (you) or the User and the Group (other site members) have read only permissions. The World (public) has ZERO access to do anything, and even other users cannot edit it. If you need to edit wp-config.php, you would first need to edit the file permissions to 600. But this file is rarely edited once you make the initial lockdown settings.
An additional layer of protection would be to move the vital config settings to another php file above the public_html folder. And then include this php code into the main wp-config file. This is an extra step so that if attacker somehow does obtain the wp-config file, they wouldn’t have the important stuff. Now that I think about it again, this extra step is likely overkill, IF you have already blocked wp-config.php via .htaccess and with 400/440 file permissions set.
Secure xmlrpc.php Again, edit .htaccess in the same folder the file is located in. In this case, I restricted it by IP, but you can deny access to all if you want to.
# limit xmlrpc.php access
<Files xmlrpc.php>
<RequireAny>
Require ip 123.45.678
</RequireAny>
</Files>
Use strong passwords. That’s really more of a given. And of course separate password for Auth Basic vs wp-login page vs cPanel/webhost login. Suggest to use a password manager like BitWarden or 1Password to save all these passwords in one place.
Limit Login attempts, hide wp-login.php I havent done this yet. But it is already handled with AUTH protection on wp-login/wp-admin. So hackers can’t brute force doors they can’t even reach. cPanel login does have brute force protection, which is quite strict. As does SSH/SFTP login. Again, use a password manager.
At this point you have installed WP and locked most of it down. Now you can install plugins one-by-one. Start with Wordfence and/or a security plugin that can scan your files and detect changes. WF is good because it can scan files and tell you if they have been injected with trojan. Then continue with 1-2 other security plugins that do specific things to secure wp that you don’t want to do itself. If the plugin isn’t doing something specific, and necessary for your site….then you dont NEED it.
WordFence Security
Disable REST API
Website File Changes Monitor
Simple History
Do a scan with WordFence and see where your site stands. Then activate the security plugins one-by-one.
Think about which website content plugins you absolutely need. For me, it is
Elementor (free + Pro versions),
OoohBoi Steroids for Elementor [i might not even need this now]
Tripetto form builder
and probably about 3-5 other plugins to facilitate taking orders and/or customer engagement.
Edit wp-config as needed to reconnect to old wp database credentials and use SFTP to upload wp-content/uploads. After unzipping, do another WordFence + File Changes Monitor scan. Note any discrepancies. For me, uploads folder had some infected files caught by WordFence, which were promptly deleted.
Now you are ready to activate all needed content plugins and then do another WordFence + File Changes Monitor scan. So that you can get the changes documented.
Automatic updates for WP and plugins are disabled. Why? The same reason why I don’t auto-update most software on my computer, including the Windows OS. Functionality breaks. I don’t auto-update the radiator in my car either. As long as its original purpose is being served, you keep using it in its original state until it becomes necessary to upgrade.
I only make sensible changes to any software as the need arises. I’ve had windows VPS running for years without any updates or reboots. VM was paused and switched to another node if there was any major hardware changes needed. In that context, the public access was very limited. And the only entry points are properly sealed off.
I didn’t realize originally an errant WP plugin could do so much admin-level damage; otherwise I would have taken steps. But in any case, my security protocols needed an upgrade anyways, so I am better off for the “lesson” the security breach taught me.
—————————————————————————-
Honestly, as I mentioned before I want to rely on plugin for security as least as possible for my security. In fact, if a threat already has made it to WordPress login, then the security has already failed in many regards. So the firewall (hardware/software) should be at the server level or even before the server (like a CDN or other service that can properly filter traffic).
Also, plugin must be very specific about how it is doing what it does. It should not be mystical. But it should make sense the steps were manually implemented, but the plugin automates the steps to make it more efficient. The plugin that was the root cause of the problem….I ultimately wasn’t even using it. It was active, but I wasn’t using any of its features.
