Debian Wheezy + Wordpress + NginX + ISPConfig 3 file permissions

Discussion in 'Installation/Configuration' started by vhacker11, Jan 18, 2015.

  1. vhacker11

    vhacker11 Member

    Hi All,
    I have a VPS with 4GB RAM and I host only one wordpress site on it. Since its installation my site has been hacked too many times.
    I just scan it with maldet and remove the injected code again and again. But as you know this is a tedious job and I have come to a conclusion that this is due to lack of/ incorrect file permissions.
    I have gone through but I don't understand the line
    "all files should be writable only by your user account" and "intended to be writable by your user account and the web server process."

    Could someone please explain what a user account and a web server process are? I assume that a user account means the client account that we create from the ISPC UI, the one that starts with the name web1, web2, ..., webn and belongs to the group client1, client2, ..., clientn. I also assume web server process means the www-data account.
    Are my assumptions right?

    In addition, I have installed wordpress from APS installer of ISPC. So I think the permissions should be set correctly by the installer, but I guess it is not the case.

    Guys please help.
    Thanks in advance.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The hacks that you encountered do not happen due to wrong file permissions; they happen because your WordPress install contains a vulnerable plugin or is not up to date. Or your cleaning attempts missed a file; maldetect is good, but it does not always find all hacked files.

    The files and folders inside the web folder are owned by the user that runs PHP; in the case of an ISPConfig installation, this is the web[ID] user, e.g. web1 for the first site, web2 for the second site, etc.
  3. vhacker11

    vhacker11 Member

    Hi Till,
    Thanks for replying.
    I even scanned with wp-scan and corrected as many errors as possible.
    My wp-login is protected by .htaccess.
    Could you recommend some other tools to find all the infected files on the domain, so that they can be cleaned? Also, I am a bit reluctant to update the plugins as that might break my code. What do you recommend?

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Find the exact timestamps when a file was hacked and then check the access log of the website to see which request the hacked file upload might belong to. If your blog does not have that much traffic, it might be possible to identify the hacked scripts this way.
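
The timestamp-to-access-log correlation described in the last reply, as an added example that is not part of the original thread. It assumes nginx's default "combined" log format; the sample log lines, addresses, plugin path and timestamp are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def file_change_time(path):
    """ctime (inode change) of a file as UTC; unlike mtime it cannot be reset with touch."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)

def requests_near(log_lines, changed_at, window_seconds=5):
    """Return parsed requests within +/- window of changed_at, POST/PUT first."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - changed_at) <= window:
            hits.append({"time": when, "addr": m["addr"], "method": m["method"],
                         "uri": m["uri"], "status": int(m["status"])})
    # Uploads arrive as POST/PUT, so sort those ahead of ordinary page views.
    hits.sort(key=lambda h: (h["method"] not in ("POST", "PUT"), h["time"]))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical plugin path).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jan/2015:03:14:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Jan/2015:03:14:05 +0100] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "curl/7.38"',
    '198.51.100.7 - - [18/Jan/2015:03:20:00 +0100] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Constructed timestamp standing in for file_change_time() of an infected file.
    changed = datetime(2015, 1, 18, 2, 14, 6, tzinfo=timezone.utc)
    for hit in requests_near(SAMPLE_LOG, changed):
        print(hit["time"].isoformat(), hit["addr"], hit["method"], hit["uri"], hit["status"])
```

On a real site, pass the output of `file_change_time()` for each file maldet flagged and feed in the lines of that site's access log; widen `window_seconds` if the server clock and log timestamps drift.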
