Mutiple wordpress accounts hacked on 1 server

C

CraftyPanda

Well-Known Member
Nov 15, 2012
94
2
58
cPanel Access Level
Root Administrator
Hi,

This morning we have had mutiple wordpress accounts hack on 1 of out servers.

Amoung other things, the hacker changed the username of all affect accounts to Ridiz.

every account has either shell access disabled or jailed. the server itself can only be accessed via SSH from the office.

So the only thing i can think of is somekind of wordpress vunrability. All accounts use different plugins etc.

Can anyone advise if they have seen anything like this before? I have opened a ticket, but they are yet to respond and for some reason it wont let me expedite it.

Thank you
 
Last edited by a moderator:
A

adeyjones

Well-Known Member
Apr 26, 2019
75
11
8
Merseyside, UK
cPanel Access Level
Root Administrator
I have seen similar hacks but unfortunately it is not a cPanel/WHM issue and I doubt they'd support the resolution of it, as the issue is with the websites themselves and not the hosting software, however they may assist to just get your access back in to WHM, the previous hacks i've seen haven't gone as far as locking out of the server itself.

Regarding the sites, Was your database the default wp_ prefix? Was your admin username the default 'admin'? Did you have any security plugin installed such as Wordfence or All in One security? Any additional rules in .htaccess? And did you keep core WP and all plugins up to date to latest versions?
 
C

CraftyPanda

Well-Known Member
Nov 15, 2012
94
2
58
cPanel Access Level
Root Administrator
Hi Adeyjones,

Thank you for the reply.

Some of the sites do appear to have the default prefix, but others affected did not. They were not default admin username. All sites have wordfence installed.

None of the sites were on the latest version of WP, but only 1 or 2 core versions behind.

Ill see what cPanel support say. I understand that wordpress is not their area. I just want them to help me confirm the server itself hadnt been compromised. I think its not likely though as not all accounts on the server where individually hacked.

Not had something like this happen for quite a few years!
 
F

fmosse

Well-Known Member
Jan 6, 2002
68
1
308
Hi!
InWHM > Service Configuration > Apache > "Global Configuration", search for "Symlink" and check "Symlink Protection" is disabled. It should be "enabled"
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
A ModSecurity to disable for Wordpress Security 8
WebHostPro Is there a WordPress outdated plugin, theme, and version checker? Security 1
E SOLVED Received email "WordPress Updates Digest" Updates were not installed Security 6
upsforum mutiple ssl on single account Security 1
S mutiple SSL sites under one dedicated IP - how ? Security 3
Similar threads
ModSecurity to disable for Wordpress
Is there a WordPress outdated plugin, theme, and version checker?
SOLVED Received email "WordPress Updates Digest" Updates were not installed
mutiple ssl on single account
mutiple SSL sites under one dedicated IP - how ?
Top Bottom