I installed the latest version of WordPress on Ubuntu 16.04 with nginx. But some days after installation I see some unknown file in the root directory, like alias99.php. How can I prevent/block this? I already added

location ~ /\. {
    deny all;
}

location ~ ^/wp-content/uploads/.*\.php$ {
    deny all;
}

location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

in the conf file. How can I ensure the security level? Thank you.

  • @deagh I feel it's not a duplicate of that question, because it doesn't go into the stupidity of the default Wordpress setup where it's writable to itself. And beyond that, it teaches one nothing about PHP website hosting security (where reinstalling servers is like overkill). – Halfgaar Sep 09 '18 at 13:07
  • The advice in the compromised server is still valid. Once you have an unknown file injected into your web site, you can no longer be sure what files the server contains. Therefore reinstallation is the only secure way to get rid of the compromise. After that, one should harden the system. – Tero Kilkanen Sep 09 '18 at 15:15

1 Answer

To find out more about that file:

  • run stat on it. Does it have a ctime of just now? In other words, was it really just put there?
  • cat the file. Can you post it in your question?

To continue on the security of WordPress, I personally feel that webapps should not be able to write to themselves. In other words, your files, and probably the dir they're located in, are owned by www-data. Yeah, it's convenient for WordPress' auto-update feature, but it's really just a bad idea. The fact that WordPress recommends this approach is beyond me.

What you should do instead is change the Unix owner of all the files to some dedicated user, and use wp-cli as that user to upgrade WordPress.

Having said all this, if this is a new Wordpress and it's already compromised, you may be dealing with something outside Wordpress.

Halfgaar
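The checks from the answer above as a small audit script. This is an added example, not part of the original post; the docroot path, the use of www-data as the web server account and the wpadmin owner account are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: the docroot path,
# www-data as the web server account, wpadmin as the dedicated owner.

# List PHP files whose ctime (inode change time) is within the last N days.
# Unlike mtime, ctime cannot be back-dated with touch; ls -c prints it.
recent_php() {
    find "$1" -type f -name '*.php' -ctime "-$2" -exec ls -ldc {} +
}

# List everything under the docroot that the given account could modify:
# entries it owns, plus world-writable ones (symlinks skipped, they are
# always mode 777). $2 may be a user name or a numeric uid.
web_writable() {
    find "$1" ! -type l \( -user "$2" -o -perm -0002 \) -print | sort
}

# Usage: sh wp-audit.sh /var/www/html www-data
if [ "$#" -ge 2 ]; then
    echo "== PHP files changed in the last 7 days =="
    recent_php "$1" 7
    echo "== Writable by $2 (ideally only wp-content/uploads) =="
    web_writable "$1" "$2"
fi

# Once the tree is known clean, the ownership change the answer describes
# would look like this (run as root; wpadmin is a hypothetical account):
#   chown -R wpadmin:wpadmin /var/www/html
#   sudo -u wpadmin wp core update --path=/var/www/html
# Assumption beyond the answer: if media uploads through the dashboard are
# needed, only the uploads directory goes back to the web server account:
#   chown -R www-data /var/www/html/wp-content/uploads
```

Anything `web_writable` reports outside the uploads directory is a place where a compromised PHP process could drop a file such as alias99.php.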