C4talyst

Wow, thanks! I will check this out.

No way to use wp_rewrite within the plugin?

This plugin has become pretty important for our operations, and one I’d certainly buy.

Hey Matt, about 20 of my sites got hit with this a couple days ago, along with the ‘backup’ user being installed in all our WP sites across all the mysql db’s.

Could this have been the culprit?

https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html

Also, how would a few outdated cores and plugins on other sites explain the files showing up on brand-new 4.3.1 sites running no plugins?

I don’t think the server was rooted through any of these attacks. Are you saying there are past WP or plugin exploits that allowed database users to be added to other sites?

It’s generally pretty obvious to tell when a server has been rooted, especially if the attackers are using it for anything (usually spam).

In the case of this attack, these sites all received the uploaded file I mentioned, and the added user (and nothing else) on the morning of October 10. I think these sites were all hit individually using an automated tool.

“Traversing” the database makes no sense…the attackers would be limited to using the one account they had access to, if they could read wp-config.php.

My server. I’ve been through the logs but I’m not running mod_security so the information is limited. I’m just now starting to go through all the sites. Several were running older WP versions and have some outdated plugins however, a few were running WP 4.3.1 with only a handful of up-to-date plugins in place. It looks like in each case, an admin user named ‘backup’ was also added.

Tara, I mentioned that guide in my post. I posted here mainly due to concerns that this may be a new exploit within a plugin or the WP core.

Derp…nevermind. Always found after I make the post…

It turns out our feed id’s in the wp_postmeta table didn’t match between the sites. Once this was fixed, we were good to go. Many thanks to the author, Charles, for emailing us back with this tip.

Wouldn’t work for everyone’s needs, but did in my case.

add_filter( 'rpwe_default_query_arguments', 'dw_news_post_types' );
function dw_news_post_types( $args ) {
    $args['post_type'] = array('post','news'); // Changing the number of posts to show.
    return $args;
}

Any chance this will be implemented in the future? Dying for this feature.

I ended up disabling the plugin to do my imports. Not ideal…but worked.

This sucks…posting to track in case someone discovers a new method for disabling wpautop.

Ok, read the other post linked to from here and fixed my issue by using [js][/js].