Security Issues with Self-Hosted WordPress Sites
-
Hi there,
I am reaching out to you because, for the past few months, I have been experiencing issues with my self-hosted web server and my WordPress sites.
I am using the latest versions of Debian, Nginx, and PHP 8.2 with FPM. To manage my various sites, I use ISPConfig, which was installed using the automatic setup and installation script available at https://get.ispconfig.org.
For several weeks now, all the WordPress sites hosted on my server have been repeatedly hacked using the same method:
• Numerous different IP addresses send GET and then POST requests to various WordPress PHP files (wp-cron, wp-load);
• Randomly named PHP files, such as “bdb7871b1c3c28ad1a33ea14cc307cd1.php”, are created at the root of the websites, and multiple POST requests are sent to these files;
• These PHP files are subsequently deleted;
• Certain WordPress PHP files are modified to insert malicious code (often different files each time – in plugins or themes);
• Administrator accounts, posts, and comments are created.
In my wp-config.php file, the constant define('DISALLOW_FILE_EDIT', true); is correctly set. Passwords are systematically changed to complex ones, and administrator usernames are also modified.
I use the “Wordfence” and “Malcare” plugins to protect these websites. The infections are always detected retrospectively by the paid version of “Malcare” after the site has already been hacked. Malcare is able to identify the modified files and restore them to their original state by removing the malicious code.
These issues have persisted for several months, and I have not been able to eliminate them.
Although “Malcare” disinfects the sites each time, they get reinfected a few days or even hours later, always through the same process.
I suspect a misconfiguration in Nginx or PHP that allows malicious code execution. I have attached the Nginx vhost configuration for one of my sites (they are all identical):
Do you have any ideas on how to resolve this issue, or any suggestions that could help me troubleshoot it…
Regards,
-
What’s happening?
Basically, hackers are finding a way to upload malicious files to your WordPress sites, then running those files directly through your web server. They’re using that access to edit your plugins, themes, and even your WordPress user accounts. It’s a common type of attack, but it’s happening over and over because the underlying hole is still open.
Why does this keep happening?
There are a few possible reasons, and they’re probably working together to make life miserable:
- Nginx is too open.
Your Nginx config is probably letting PHP files (like these weird random files you keep seeing) run from places they shouldn’t be allowed to.
- File permissions are too loose.
The folders where WordPress stores images and files (/wp-content/uploads) might allow uploading and running PHP files, which is a bad combo.
- Something (a plugin, theme, or even WordPress itself) got hacked months ago, and the backdoor is still there.
Even if you clean up, the hacker’s backdoor might be re-creating itself.
- Your server setup (ISPConfig automatic install) is “one-size-fits-all”, not hardened for WordPress security.
It’s convenient, but also leaves some common doors open unless you manually lock them.
What you need to do (the fixes)
Here’s how to actually stop this for good, not just clean up after the fact:
1. Stop PHP files running where they shouldn’t
2. Lock down your main config files
Make sure your wp-config.php and other critical files are not writable by anyone but root. Same goes for the Nginx config files.
3. Tighten up Nginx’s PHP rules
This is important — right now, Nginx is probably saying “any PHP file can run anywhere.” Instead, it should only run PHP files from approved places (like the main WordPress files).
4. Block dangerous PHP functions in PHP itself
In your php.ini, disable functions that hackers love to abuse.
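The four fixes above, gathered into one set of shell helpers. This is an added example, not code from the original thread, from ISPConfig, nginx or WordPress. The docroot layout (/var/www/example.com/web), the ISPConfig per-site group name (client1), the pool override mechanism and the "nginx Directives" field are assumptions about a stock ISPConfig install; the list of WordPress core top-level PHP files is WordPress 6.x's. The two find_* functions are the check to run before and after every Malcare clean: a PHP file under uploads, or a root-level PHP file outside the core list (such as the 32-hex-character name in the post), is a dropped shell or dropper.

```shell
#!/bin/sh
# Added example (not from the original thread, ISPConfig, nginx or WordPress):
# checks and hardening helpers for a WordPress docroot behind nginx + PHP-FPM.
# Everything is a function; nothing on the box changes until you call one.
# Assumptions: docroot like /var/www/example.com/web, ISPConfig site group
# like client1, PHP-FPM pool accepts php_admin_value lines.
set -eu

# Step 1 check: WordPress never stores PHP under wp-content/uploads, so any hit
# here (including .phtml/.phar/.php7-style variants) is attacker-dropped.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -regextype posix-extended \
        -iregex '.*\.(php|phtml|phar|php[0-9])$' 2>/dev/null | sort
}

# Step 3 check: only WordPress core's own top-level files belong at the docroot.
# A random name like bdb7871b1c3c28ad1a33ea14cc307cd1.php is not one of them.
WP_ROOT_PHP='index.php wp-activate.php wp-blog-header.php wp-comments-post.php
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php'

is_wp_root_file() {
    for n in $WP_ROOT_PHP; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

find_unexpected_root_php() {
    for f in "$1"/*.php; do
        [ -e "$f" ] || continue
        is_wp_root_file "$(basename "$f")" || echo "$f"
    done
}

# Steps 1 and 3: nginx rules. With ISPConfig, paste into the site's
# "nginx Directives" field (assumption); the generated vhost gets overwritten.
nginx_wp_hardening() {
    cat <<'EOF'
# No PHP execution under uploads. The ^~ prefix stops the server-level
# "location ~ \.php$" regex from claiming these URIs, wherever it sits,
# and the nested regex also catches /uploads/photo.jpg/x.php path-info tricks.
location ^~ /wp-content/uploads/ {
    location ~* \.(php|phtml|phar|php[0-9])$ { return 403; }
}
# Only WordPress core entry points may run PHP at the docroot; a dropped
# random-name .php gets 403. Regex locations match in order, so this must
# appear before the vhost's generic "location ~ \.php$".
location ~ ^/(?!(index|wp-login|wp-cron|xmlrpc|wp-comments-post|wp-signup|wp-activate|wp-trackback|wp-links-opml|wp-mail)\.php$)[^/]+\.php$ {
    return 403;
}
# Dot-files (.git, .env, .user.ini) stay hidden; ACME challenges still work.
location ~ /\.(?!well-known/) { deny all; }
EOF
}

# Step 2: wp-config.php owned by root, readable by the site's PHP-FPM group,
# writable by nobody but root. ISPConfig runs each site as webN:clientN
# (assumption), so pass that group.
lock_down_wp_config() {
    chown root:"$2" "$1/wp-config.php"
    chmod 0640 "$1/wp-config.php"
}

# Step 4: pool-level override. php_admin_value cannot be undone by ini_set()
# from PHP code, unlike a plain php.ini value. eval is a language construct and
# cannot be disabled this way; base64_decode stays because WordPress uses it.
php_fpm_disable_functions_line() {
    printf 'php_admin_value[disable_functions] = %s\n' \
        'exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl'
}
```

Typical use: `find_php_in_uploads /var/www/example.com/web` and `find_unexpected_root_php /var/www/example.com/web` on each site; `nginx_wp_hardening` to print the rules, then `nginx -t && systemctl reload nginx`; `lock_down_wp_config /var/www/example.com/web client1`; and the `php_fpm_disable_functions_line` output appended to that site's pool file (or its ISPConfig custom php.ini field in plain ini form) followed by a PHP-FPM reload. Two caveats: the root-level allowlist is a regex location and only wins if nginx evaluates it before the generic PHP location, so confirm with `curl -I https://example.com/notreal.php` and expect 403; and independently check that the vhost's PHP location has `try_files $uri =404;` or the pool sets `cgi.fix_pathinfo=0`, otherwise a request like `/wp-content/themes/x/image.jpg/shell.php` can still reach PHP-FPM outside the uploads block. Backup or caching plugins that shell out will break under the disable_functions list; test them after the change.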