We were (are?) hacked by the famous "Pharma Hack", which we are fairly certain is a hole in WordPress. The hackers are only able to read and write files for the one user on this one domain. This domain uses static HTML files and only a single directory for PHP/WordPress:
/ many different folders, with plain HTML files
# WordPress is installed here
Now, these hackers are able to write to locations like
What they are doing is cloning existing pages in
index.html # where this file will have a single line of PHP inserted at the top; it executes a base64-encoded string which, when decoded, looks like "include /var/lib/Dovecot/control/thisDomain/boc
This "boc" file (and others) are copies of, e.g. /public_html/flowers/index.html
with links to online pharmacies for Cialis and Viagra.
Google crawls our site... the line causes the "boc" file to be inserted on top of the flowers/index.html...
Later if you search "Mydomain Flowers" in Google you will see cached pages with the Pharma links.
NOW: we are undertaking steps to harden security and upgrade everything. But I want to prevent future attacks.
I need one thing today:
How do I prevent the execution in any file on the server that is outside of
/blog # WordPress is here; PHP needs to execute
index.html # is here... even if a PHP script is added to the page, I don't want it to be executable.
What do we do?
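As a cleanup aid for the injection described in this post, the following added example (not part of the original post) walks a document root, skips the one directory where PHP is expected, and reports static pages that contain a PHP open tag, decoding any `base64_decode()` literal so the hidden include path is visible. The function names, the `blog` directory default and the sample files are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Any "<?" that is not an XML declaration: covers "<?php", "<?=" and short tags.
PHP_TAG = re.compile(rb"<\?(?!xml)", re.I)
# Quoted base64 literal passed to base64_decode(), as in the injected line.
B64_CALL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
STATIC_EXT = {".html", ".htm"}

def scan(docroot, php_dir="blog"):
    """Return findings for static pages outside php_dir that contain PHP."""
    root = Path(docroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in STATIC_EXT:
            continue
        rel = path.relative_to(root)
        if rel.parts[0] == php_dir:  # the one place PHP is expected
            continue
        data = path.read_bytes()
        if not PHP_TAG.search(data):
            continue
        decoded = []
        for m in B64_CALL.finditer(data):
            try:
                decoded.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
            except ValueError:  # bad padding or non-base64 content
                decoded.append("<undecodable>")
        findings.append({"file": rel.as_posix(), "decoded": decoded})
    return findings

def demo():
    """Build a constructed doc root with one clean and one injected page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("flowers", "trees", "blog"):
            (root / d).mkdir()
        payload = base64.b64encode(b"include '/tmp/constructed/boc';").decode()
        (root / "flowers/index.html").write_text(
            f"<?php eval(base64_decode('{payload}')); ?>\n<html>flowers</html>")
        (root / "trees/index.html").write_text("<html>trees</html>")
        (root / "blog/index.html").write_text("<?php echo 1; ?>")
        return scan(root)

if __name__ == "__main__":
    for f in demo():
        print(f["file"], f["decoded"])
```

A clean result only means no static page currently carries a PHP tag; the dropped include targets outside the web root still have to be found and removed separately.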