This article contains instructions for users of shared servers as well as VPS servers, with or without shell access. Please do read the instructions twice before you break anything.
Shell Procedures:
1. Scan the account using ClamAV (the path below is where cPanel installs it): /usr/local/cpanel/3rdparty/bin/clamscan -ir /home/*/public_html/
[Install this free antivirus if your server does not have one by referring to: https://www.clamav.net/documents/installing-clamav#rhel ]
2. Find files that are PHP and were changed in the last 30 to 60 days (quote the pattern so the shell passes it to find instead of expanding it; '*.php*' also catches names like .php.bak or .php5):
find /home/username/public_html/ -name '*.php*' -mtime -60
Run again, without the PHP filter:
find /home/username/public_html/ -mtime -30
3. Block PHP execution in wp-includes by adding these rules to the .htaccess in the site root (the [S=3] rule skips the next three rules for any request outside wp-includes):
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
4. Search for all .htaccess files on your account and inspect each one with cat to look for unwanted code:
find /home/username/public_html/ -name '*.htaccess*'
5. Find PHP files in your uploads directory (there should be none):
find /home/PATH-To-UPLOAD/uploads/ -name '*.php*'
6. Secure the UPLOAD directory so nothing stored there can be executed as PHP:
Add an .htaccess:
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
On Apache 2.4 the equivalent directive is "Require all denied". The <Files *.php> pattern matches only names ending in .php, not .phtml or .php.bak, so keep running the check from step 5.
7. Go to phpMyAdmin for the database of the hacked WordPress, check the wp_users table and remove any/all unknown/unwanted users. Repair the database tables, change the admin password, log into WordPress and update any/all plugins and themes. Remove any/all unwanted plugins and themes.
8. Find all executable files in your WordPress install (run from the site root):
find . -executable -type f
9. Fix file and directory permissions (run from the site root):
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
10. Block all access to xmlrpc.php except from localhost (Apache 2.4 syntax):
<Files xmlrpc.php>
Require ip 127.0.0.1
</Files>
You can also use mod_security rules to prevent brute-force login attempts, or a WordPress plugin that stops brute force, for each install.
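The find and chmod steps above (2, 4, 5, 8 and 9) as a single triage script. This is an added example, not part of the original article: the patterns are quoted so the shell hands them to find unexpanded, and each check is a function whose output can be counted. It assumes GNU or BSD find and that SITE_ROOT is the WordPress document root (for example /home/username/public_html).

```shell
#!/bin/sh
# Added example (not from the original article): the find-based checks from
# steps 2, 4, 5, 8 and 9 as functions. Assumes GNU or BSD find; SITE_ROOT is
# the WordPress document root, e.g. /home/username/public_html.

# Step 2: PHP files (including .php.bak, .php5 ...) modified in the last DAYS days.
recent_php() {              # usage: recent_php SITE_ROOT DAYS
    find "$1" -type f -name '*.php*' -mtime "-$2"
}

# Step 4: every .htaccess under the site, so each can be reviewed with cat.
list_htaccess() {           # usage: list_htaccess SITE_ROOT
    find "$1" -type f -name '*.htaccess*'
}

# Step 5: PHP files inside wp-content/uploads, where none belong.
php_in_uploads() {          # usage: php_in_uploads SITE_ROOT
    find "$1/wp-content/uploads" -type f -name '*.php*'
}

# Step 8: regular files with the owner execute bit set.
executable_files() {        # usage: executable_files SITE_ROOT
    find "$1" -type f -perm -u+x
}

# Step 9: reset files to 644 and directories to 755, in place.
fix_permissions() {         # usage: fix_permissions SITE_ROOT
    find "$1" -type f -exec chmod 644 {} \;
    find "$1" -type d -exec chmod 755 {} \;
}

# Line counts so a wrapper script can act on the findings.
count_lines()          { wc -l | tr -d ' '; }
count_recent_php()     { recent_php "$1" "$2" | count_lines; }
count_htaccess()       { list_htaccess "$1"   | count_lines; }
count_php_in_uploads() { php_in_uploads "$1"  | count_lines; }
count_executables()    { executable_files "$1" | count_lines; }

# Stand-alone run: read-only triage of the site root given on the command line.
if [ -n "$1" ]; then
    echo "PHP files changed in the last 60 days:"; recent_php "$1" 60
    echo ".htaccess files:";                       list_htaccess "$1"
    echo "PHP under uploads:";                     php_in_uploads "$1"
    echo "Executable files:";                      executable_files "$1"
fi
```

Run it as `sh triage.sh /home/username/public_html` to list findings without changing anything; call fix_permissions separately once you have reviewed the output, since it rewrites every file and directory mode under the root.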