@Stew
When it comes to WordPress, the majority of breaches are the result of:
- WordPress not being updated, or;
- Plugins not being updated, or;
- Themes not being updated
…
The first step I would take is to make sure WordPress is updated to the latest release – then do the same for all plugins and themes. That should, at the very least, patch any known issues.
If after the above is done, you’re still seeing someone break through, then I would recommend taking a close look at directory and file permissions. All directories should have a chmod of 755 and all files a chmod of 644.
If any files or directories are using a chmod of 777, that’s an issue as that allows for global read, write, and execute (i.e. if anyone can get a file in one of those directories, they could do exactly what the attacker is doing now – upload a file, execute it, download content, and perform any allowed commands using PHP’s built-in system() function, or one of many others).
You can quickly change directory and file permissions by using something like:
find /path/to/wordpress -type d -exec chmod 0755 {} \;
and
find /path/to/wordpress -type f -exec chmod 0644 {} \;
Where /path/to/wordpress is the direct path to your WordPress installation (i.e. where index.php is).
Note, this won’t stop that script from changing permissions, so ideally, I would stop Apache, which will prevent script execution since the website will no longer be available due to the web server being down – then clean up instances of that script, then run the commands above to change file and directory permissions, and then restart Apache to bring the site back up.
…
If it turns out that everything is updated (WordPress, plugins, and themes) and changing permissions did not help after a clean-up, then there may be a bigger issue, but the above will get you started.
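The permission check and fix described in the reply above, collected into a small POSIX shell script as an added example (this is not code from the original post or from WordPress). It assumes the WordPress root is passed as the first argument; the script name fix-wp-perms.sh is hypothetical. It first lists anything world-writable (the 777-style entries the reply warns about), then applies 755 to directories and 644 to files, and finally reports how many world-writable entries remain, so the result can be verified rather than assumed.

```shell
#!/bin/sh
# Added example, not part of the original reply. Assumes a WordPress
# install root is given as $1 (hypothetical path such as /var/www/html).
set -eu

# Print every file or directory under the root that is world-writable
# (the "other" write bit, octal 0002, is set). A 777 entry matches here.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Count world-writable entries under the root; 0 means nothing is exposed.
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | wc -l | tr -d ' '
}

# Apply the permissions recommended in the reply: 755 for directories,
# 644 for files. Uses '+' instead of '\;' so chmod is invoked in batches.
fix_wp_permissions() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Count files that are not exactly 644 or directories not exactly 755,
# so a caller can confirm the fix took effect everywhere.
count_nonstandard() {
    { find "$1" -type f ! -perm 0644 -print; find "$1" -type d ! -perm 0755 -print; } | wc -l | tr -d ' '
}

# Usage: sh fix-wp-perms.sh /path/to/wordpress (stop the web server first,
# remove the malicious script, run this, then start the web server again).
if [ "$#" -ge 1 ]; then
    wp_root="$1"
    echo "World-writable entries before fix:"
    list_world_writable "$wp_root"
    fix_wp_permissions "$wp_root"
    echo "World-writable entries after fix: $(count_world_writable "$wp_root")"
    echo "Entries not matching 755/644 after fix: $(count_nonstandard "$wp_root")"
fi
```

Run it only after Apache is stopped and the attacker's script has been removed, as the reply advises; otherwise the script can simply reset the permissions again. Because ownership is untouched, files stay owned by whichever user the web server or deploy process created them as, which is what the 755/644 recommendation assumes.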