Multiple WordPress accounts hacked on 1 server

CraftyPanda (Well-Known Member, joined Nov 15, 2012, cPanel Access Level: Root Administrator)
Hi,

This morning we have had multiple WordPress accounts hacked on 1 of our servers.

Among other things, the hacker changed the username of all affected accounts to Ridiz.

Every account has either shell access disabled or jailed. The server itself can only be accessed via SSH from the office.

So the only thing I can think of is some kind of WordPress vulnerability. All accounts use different plugins etc.

Can anyone advise if they have seen anything like this before? I have opened a ticket, but they are yet to respond and for some reason it won't let me expedite it.

Thank you

adeyjones (Well-Known Member, joined Apr 26, 2019, Merseyside, UK, cPanel Access Level: Root Administrator)
I have seen similar hacks but unfortunately it is not a cPanel/WHM issue and I doubt they'd support the resolution of it, as the issue is with the websites themselves and not the hosting software; however, they may assist to just get your access back in to WHM. The previous hacks I've seen haven't gone as far as locking out of the server itself.

Regarding the sites, was your database the default wp_ prefix? Was your admin username the default 'admin'? Did you have any security plugin installed such as Wordfence or All In One Security? Any additional rules in .htaccess? And did you keep core WP and all plugins up to date to the latest versions?
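The questions above (default `wp_` table prefix, out-of-date core) are things an administrator can check across every account on a shared server before the sites are cleaned up. The script below is an added example, not code from this thread or from cPanel; it assumes the usual cPanel layout of `/home/<account>/public_html` as each site's document root, reads `$table_prefix` from `wp-config.php` and `$wp_version` from `wp-includes/version.php`, and flags installs that still use the default prefix or lag behind a reference version you pass in. The `demo()` function builds two constructed installs in a temporary directory so the audit can be run offline; the version strings and account names in it are made up for illustration.

```python
"""Audit WordPress installs on a cPanel-style server for default table
prefix and out-of-date core. Added example; paths, account names and
version numbers in demo() are constructed, not taken from the thread."""
import re
import tempfile
from pathlib import Path
from typing import Optional

# Matches lines such as:  $table_prefix = 'wp_';
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
# Matches lines such as:  $wp_version = '5.2.1';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)


def parse_table_prefix(config_text: str) -> Optional[str]:
    """Return the table prefix declared in wp-config.php, or None."""
    m = PREFIX_RE.search(config_text)
    return m.group(1) if m else None


def parse_wp_version(version_text: str) -> Optional[str]:
    """Return the core version declared in wp-includes/version.php, or None."""
    m = VERSION_RE.search(version_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_install(root: Path, reference_version: str) -> dict:
    """Inspect one document root and list the issues found."""
    findings = {"root": str(root), "issues": []}
    config = root / "wp-config.php"
    if not config.is_file():
        findings["issues"].append("no wp-config.php")
        return findings
    prefix = parse_table_prefix(config.read_text(errors="replace"))
    findings["prefix"] = prefix
    if prefix == "wp_":
        findings["issues"].append("default table prefix wp_")
    version_file = root / "wp-includes" / "version.php"
    if version_file.is_file():
        version = parse_wp_version(version_file.read_text(errors="replace"))
        findings["version"] = version
        if version is None or version_tuple(version) < version_tuple(reference_version):
            findings["issues"].append(f"core {version} behind {reference_version}")
    else:
        findings["issues"].append("no wp-includes/version.php")
    return findings


def audit_server(homes: Path, reference_version: str) -> list:
    """Audit every <account>/public_html under the given home directory.

    Assumes the cPanel layout /home/<account>/public_html."""
    roots = sorted(p for p in homes.glob("*/public_html") if p.is_dir())
    return [audit_install(root, reference_version) for root in roots]


def build_sample_server(base: Path) -> Path:
    """Create two constructed installs under base/home for the demo."""
    samples = {"siteone": ("wp_", "5.2.1"), "sitetwo": ("x9q_", "5.3.0")}
    for account, (prefix, version) in samples.items():
        root = base / "home" / account / "public_html"
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-config.php").write_text(
            "<?php\n$table_prefix = '%s';\ndefine('WP_DEBUG', false);\n" % prefix)
        (root / "wp-includes" / "version.php").write_text(
            "<?php\n$wp_version = '%s';\n" % version)
    return base / "home"


def demo() -> list:
    """Run the audit against the constructed sample server."""
    with tempfile.TemporaryDirectory() as tmp:
        homes = build_sample_server(Path(tmp))
        return audit_server(homes, reference_version="5.3.0")


if __name__ == "__main__":
    for result in demo():
        print(result["root"], "->", result["issues"] or "ok")
```

On a real server, call `audit_server(Path("/home"), "<current WordPress release>")` as root; the reference version is something you look up, not something the script knows.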
 

CraftyPanda (Well-Known Member, joined Nov 15, 2012, cPanel Access Level: Root Administrator)
Hi Adeyjones,

Thank you for the reply.

Some of the sites do appear to have the default prefix, but others affected did not. They were not the default admin username. All sites have Wordfence installed.

None of the sites were on the latest version of WP, but only 1 or 2 core versions behind.

I'll see what cPanel support say. I understand that WordPress is not their area. I just want them to help me confirm the server itself hadn't been compromised. I think it's not likely though, as not all accounts on the server were individually hacked.

Not had something like this happen for quite a few years!
fmosse (Well-Known Member, joined Jan 6, 2002)
Hi!
In WHM > Service Configuration > Apache > "Global Configuration", search for "Symlink" and check whether "Symlink Protection" is disabled. It should be "enabled".