Help! Malicious Account Activity

Status
Not open for further replies.

vekou

Hi! I recently received an email notification from Google Webmasters Tools that someone was verified as a new owner of a directory of my website. When I logged in to cPanel's File Manager, a new folder was created with PHP scripts with .htaccess which allows verification of the site to Google.

My site is WordPress and I want to know how it was possible for the user to upload and create a file in my www directory. I want to know if it was due to a WordPress/WordPress plugin that caused the security breach, or was it something else.

I'm using the latest WordPress 4.4, and here are the plugins I'm using:
  • Akismet
  • All In One SEO Pack
  • Customize Admin
  • Disqus Comment System
  • Exec-PHP
  • Google XML Sitemaps
  • Hello Dolly
  • Prism Highlight
  • SyntaxHighlighter Evolved
  • Theme Check
  • TinyMCE Advanced
  • W3 Total Cache
  • WP Smush
  • Yet Another Related Posts Plugin
The underlined ones are the active plugins I am using, the rest are deactivated and their folders are renamed in wp-content to prevent directly executing scripts.
 

caftpx10

I would compile a list of plug-ins that either upload/edit files or allow server-side code execution.
What I would also do is change the password on both WordPress and X10 just in case the password was figured out.

I would say Exec-PHP, though I can't seem to find any vulnerability reports for it.
Would Exec-PHP allow users/guests to execute PHP in their posts?
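
The triage suggested in the post above (listing plugins that write or upload files or execute code), as an added example that is not part of the original thread. It scans every entry under a plugins directory, including deactivated or renamed folders; the function names, the pattern list and the sample plugin tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".inc"}
# Heuristic call patterns; an assumption of this example, not a complete list.
PATTERNS = {
    "file-write": re.compile(r"\b(move_uploaded_file|file_put_contents|fwrite|fputs)\s*\("),
    "code-exec": re.compile(r"\b(eval|assert|create_function|exec|system|shell_exec|passthru|popen|proc_open)\s*\("),
}

def php_files(entry):
    """PHP sources of one plugin: a single file (e.g. hello.php) or a folder."""
    found = [entry] if entry.is_file() else sorted(entry.rglob("*"))
    return [f for f in found if f.is_file() and f.suffix.lower() in PHP_EXT]

def scan_plugins(plugins_dir):
    """Return {plugin: {category: [(file, line_no), ...]}}, active or not."""
    report = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        hits = {}
        for php in php_files(entry):
            lines = php.read_text(encoding="utf-8", errors="replace").splitlines()
            for no, line in enumerate(lines, 1):
                if line.lstrip().startswith(("//", "#", "*", "/*")):
                    continue  # skip comment lines to cut false positives
                for category, rx in PATTERNS.items():
                    if rx.search(line):
                        hits.setdefault(category, []).append((php.name, no))
        if hits:
            report[entry.name] = hits
    return report

def build_sample(root):
    """Constructed plugin tree for the demo; none of this is real plugin code."""
    files = {
        "sample-runner/runner.php": "<?php\n// eval() is used below\neval($body);\n",
        "sample-upload.disabled/up.php": "<?php\nmove_uploaded_file($tmp, $dest);\n",
        "sample-clean/clean.php": "<?php\necho curl_exec($ch);\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_plugins(tmp))
```

A hit only means the plugin contains such a call and deserves a closer read; it does not show that the plugin is vulnerable or was the entry point.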
 

vekou

I don't think so, it executes the PHP code in the post, but other than that, I don't know. But to be sure, I disabled it and removed the directory of the plugin.
 