
Trace how malware was uploaded to server

Posted: 18 Mar 2021, 11:48
by imadsani
Hello,

I've been struggling with this for a while now. I have WordPress sites where everything is up to date, but attackers are still able to upload files to the server. One such person has been trying to upload a backdoor since 1am in the morning. I can see 5 files with the same name quarantined.

Is it possible to identify how these files were uploaded?

I'm starting to lose my mind here. I even put up Cloudflare to see if that would help, but the files are still being uploaded.

Any help would be greatly appreciated, thank you.

Re: Trace how malware was uploaded to server

Posted: 26 Mar 2021, 19:55
by sahostking
Do you use modsecurity?

If not, consider installing the OWASP rules or the Comodo WAF ruleset, both of which are free.

Usually they upload via an outdated plugin or some flaw in one.

If not that, then if you have no ModSecurity, your server is vulnerable.

Best to have Firewall + ModSecurity + CXS + ClamAV with unofficial signatures added. Then you should be fine.

Note: if using CSF, LF_CXS can be used to block the IP for a certain period of time. You could then search the access logs of the domain in question for that IP to see what plugin was used to upload the files.
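Searching the domain's access log for the blocked IP, as the reply above suggests, as an added example that is not from the thread: the script assumes Apache combined log format (what cPanel writes to /home/USER/access-logs/DOMAIN) and runs against a constructed sample log; the IP addresses, plugin name and file paths in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: pick out the requests one IP made in a
# domain's Apache access log (on cPanel: /home/USER/access-logs/DOMAIN) and list
# the endpoints it POSTed to, so the plugin or upload handler that received the
# file can be matched against the quarantine timestamp.

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [18/Mar/2021:01:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1812 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2021:01:02:19 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2021:01:03:00 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2021:01:04:45 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2021:01:05:02 +0000] "GET /wp-content/uploads/2021/03/quarantined-file.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"'

# Write the sample log to a temp file and print its path.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Every request in log $1 made by IP $2, in log order (combined format: field 1 is the client IP).
requests_from_ip() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# Distinct URIs that IP $2 POSTed to in log $1, as "count uri", most frequent first.
# Field 6 is the quoted method ("POST), field 7 the request URI.
post_targets_for_ip() {
    awk -v ip="$2" '$1 == ip && $6 == "\"POST" { print $7 }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# First endpoint under /wp-content/plugins/ that IP $2 POSTed to in log $1:
# the plugin code path to review, update or remove. Prints nothing if none.
first_plugin_post() {
    awk -v ip="$2" '$1 == ip && $6 == "\"POST" && $7 ~ /^\/wp-content\/plugins\// { print $7; exit }' "$1"
}

# Demo run against the constructed log; on a real server substitute the domain's
# access log path and the IP that CXS/CSF blocked.
LOG=$(write_sample_log)
echo "Requests from 203.0.113.5:"
requests_from_ip "$LOG" 203.0.113.5
echo "POST targets:"
post_targets_for_ip "$LOG" 203.0.113.5
echo "Plugin endpoint to review: $(first_plugin_post "$LOG" 203.0.113.5)"
rm -f "$LOG"
```

Rotated logs (access-logs/DOMAIN-Mar-2021.gz and similar) can be fed through `zcat` into a temp file first, since the functions take a plain file path.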