Easy Engine Install keeps being Hacked

Hello rtCamp,

We have a few sites running on Easy Engine which keep being compromised. Where should we look to further secure these sites?

They are --wpfc sites. We do have some site wide redirects, perhaps they allow php injection?

Such as:

rewrite /sites/all/files/(.*)$ /wp-content/uploads/download-manager-files/files/$1 permanent;

Would that allow script to upload and be executed?

Logs also show activity on theme editing:

BYPASS [14/Dec/2014:13:00:30 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 18559 "http://www.trc.qld.gov.au/wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

An update,

It appears an Oauth vulnerability in W3TC was used. We are thinking our rewrites as above allowed a vector to be uploaded and executed to install a compromised facebook Oauth Plugin and gain access to WP admin.

Any other thoughts?

Hi, @TRC

Nginx rewrite directive doesn’t allow execution of code.

There may be vulnaribilty in your WordPress theme or a plugin.

You may try http://sitecheck.sucuri.net/ to scan your site

Hello @TRC

I hope your query is resolved. I am closing this support topic for now.

Feel free to create a new support topic if you have any queries further. :slight_smile: