dream11
  1. So in your case the login details were on a third-party server, but does that mean in your case the login URL was still xxx.com/wp-login.php? Maybe access to the login URL is a must for the bug to take effect, even if the way they manage to join bypasses that real login data.
  2. Did any of the people hacked have the default /wp-admin or login.php changed so they can't be accessed? Or did you all, like me, have the default URL setting for login access? Wondering if this bug also affects WordPress installs that had this feature obfuscated for better security.
  3. I see. Well, I can't use another CMS right now because the plugin I use to connect to another company is not available for a lot of platforms. Well, it is, but the rest are payment platforms: Shopify, BigCommerce, Big Cartel, Ecwid... blablabla. Anyway, thanks for the response.
  4. I have been trying WordPress on Tommy, but usually I feel like the server is pretty slow to respond, usually even more so when something has to be modified in the database. Sometimes it takes like minutes to respond, until it finally writes the changes. The page doesn't load especially fast either. I wiped all the content and made a fresh install with a lightweight theme. I use a very, very simplistic website, but it still loads considerably slowly, since other sites I loaded with plain HTML usually load quite well. Might it be a database-related problem? Maybe there is some bottleneck or so, but it's for sure the connection to the DB fails eventually, like 30 to 60 seconds.
  5. Google and YouTuber tutorials are your best friend.
  6. I downloaded the obfuscated shell file and Avira started to scream. Is it not possible to install some antivirus on the server so PHP file shells can't be hosted? That might help?
  7. I just found cPanel also accepts 2FA. I know that would not have helped a lot if someone succeeds in installing a PHP shell over a WordPress bug, but would enabling it have helped to avoid a cPanel password change? Or even access to other websites on the same host, like they did? I found the LeafMailer also inside a second website I have in my account, and it's not made with WordPress. Just wondering if the way they used to change the cPanel password might have been done in such a way that 2FA would have made no difference.
  8. But does that explain the fact they were able to change cPanel passwords? If they can compromise any clean, up-to-date WP, then it looks like it makes no sense restoring any backup or just making a site again on WP until someone identifies the actual bug.
  9. I fail to understand how a compromised WP account can be "extended" to other WP accounts. Might it be related to a Softaculous issue? I did use it to install WP, and I remember that over Softaculous it's possible to access wp-admin in a single click. Don't know if there might be any correlation. Same server... and lots of updated WP accounts... they all must have something in common.
  10. Has the culprit been identified already? We know it's not a plugin, we all were up to date on WP, and we all got the cPanel pass compromised too. I don't want to start over from zero if I can't identify the culprit. A server issue? Two 0-days that allowed them first to access WP and then escalate to cPanel?
  11. Mine are those, but not all are enabled anyway, just installed, and as far as I see, we don't share a single one right now.
  12. My cPanel pass was not the same one used on the WordPress admin.
  13. How can they change the cPanel password with a WordPress bug? Is that possible?
  14. What do you mean by nuke? Delete all content from public_html? I ended up changing the nameservers to avoid access from the URL, but it might take some time to update... Need to know what the bug was. I mean, maybe a plugin we all have in common? I started to deactivate most plugins I have. How to know the compromised plugin, if that's the problem? Might it be a WordPress zero-day? I am so puzzled.
  15. He is even playing with my WP! He changed the slogan, OMG...