Question: One of my sites was hacked

carlsson

Basic Pleskian
Server operating system version: Ubuntu 20.04.6 LTS
Plesk version and microupdate number: Plesk Obsidian 18.0.74
As the title says, one of my sites (belonging to a client) was hacked.
Backup is restored, WP accounts, FTP accounts and the database account now have new passwords. I found some suspicious files on the site as well (I still have them if someone wants to look) which are now removed. I have also blacklisted the IP that was adding files yesterday. Everything seems fine, but I'm afraid there are more files on the site that I can't find at the moment.
Is there anything else I should do?

We are in the process of rebuilding the site but that will not be ready until January. I am thinking about locking the site somehow – Lock everything except login from Plesk. Is that doable?
 
Did you find out how the suspicious files were uploaded? It might be a software vulnerability, so changing passwords would not be sufficient.
 
Is there anything else I should do?
I would recommend running at least a virus/malware scanner to see whether there are any infected files left. Imunify does a pretty solid job, but others might be useful too.

As a more general preventive measure, I can highly recommend tightening security by disabling PHP functions that can lead to root access or can cause disruptive behavior. However, depending on which PHP functions you choose to disable, site functionality can be impacted if it relies on a function you've disabled.

These are the PHP functions I have disabled on my shared hosting servers.
Code:
exec,shell_exec,pcntl_exec,system,passthru,proc_open,popen,parse_ini_file

Keeping these PHP functions available, especially exec and shell_exec, will inevitably lead to security problems when hosting popular CMSes like WordPress.
 
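The two replies above recommend (a) scanning for leftover malicious files and (b) disabling dangerous PHP functions while watching for site code that depends on them. The script below is an added example written for this thread; it is not code from the original posters, from Plesk or from Imunify. It assumes a standard wp-content layout and a reference file (for example the restored backup archive) whose modification time marks the last known-good state. The sample document root it builds is constructed for the demo and is not a real site.

```shell
#!/bin/sh
# Added example for the replies above (not from the original thread, Plesk or Imunify):
# a quick post-compromise triage of a WordPress document root, plus an audit of
# where the site's own PHP code calls functions you intend to put in disable_functions.
# Assumptions: standard wp-content layout; an optional reference file whose mtime marks
# the last known-good state (e.g. the restored backup archive).

# List files that deserve a manual look, one path per line:
#   1. PHP code under wp-content/uploads (WordPress stores media there, never code)
#   2. files carrying common obfuscated-backdoor markers
#   3. files modified after the reference file, if one is given
# The pipeline ends in sort, so the function exits 0 even when nothing is found.
scan_docroot() {
    docroot=$1
    ref=${2:-}
    {
        find "$docroot/wp-content/uploads" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
        grep -rlE 'eval\(base64_decode\(|gzinflate\(base64_decode\(|eval\(gzuncompress\(|eval\(str_rot13\(' \
            "$docroot" 2>/dev/null
        [ -n "$ref" ] && find "$docroot" -type f -newer "$ref" 2>/dev/null
    } | sort -u
}

# Before adding a function to disable_functions, find where the site's code calls it,
# so the impact on legitimate plugins and themes is known up front.
# $2 is the comma-separated list in the same format as the php.ini directive.
# Matches bare calls such as exec( or shell_exec (, but not $obj->exec(, Foo::exec( or $exec(.
disabled_function_uses() {
    docroot=$1
    pattern=$(printf '%s' "$2" | tr ',' '|')
    grep -rnE --include='*.php' "(^|[^A-Za-z0-9_>:\$])($pattern)[[:space:]]*\(" "$docroot" 2>/dev/null || true
}

# Build a constructed sample docroot (not a real site) so both checks can be exercised
# offline. Prints the path of the sample directory.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024/11" "$d/wp-content/themes/demo" \
             "$d/wp-content/plugins/backup-tool"
    # Legitimate files, timestamped before the known-good mark
    printf '<?php define("DB_NAME", "wp");\n' > "$d/wp-config.php"
    printf '<?php echo get_header();\n' > "$d/wp-content/themes/demo/index.php"
    printf 'not php\n' > "$d/wp-content/uploads/2024/11/photo.jpg"
    # A legitimate (constructed) plugin that shells out: line 3 is a real shell_exec call,
    # line 4 is a method call and must not be reported
    printf '<?php\n// constructed plugin that shells out\n$out = shell_exec("tar czf /tmp/site.tgz .");\n$obj->exec("not a built-in call");\n' \
        > "$d/wp-content/plugins/backup-tool/backup.php"
    touch -t 202401010000 "$d/wp-config.php" "$d/wp-content/themes/demo/index.php" \
        "$d/wp-content/uploads/2024/11/photo.jpg" "$d/wp-content/plugins/backup-tool/backup.php"
    # Reference file: mtime of the last known-good state
    touch -t 202406010000 "$d/.known_good"
    # Constructed suspicious files with fresh mtimes: a PHP dropper in uploads (no
    # obfuscation signature, so rules 1 and 3 must catch it) and an obfuscated
    # backdoor in a theme file (caught by rules 2 and 3)
    printf '<?php @eval($_POST["c"]);\n' > "$d/wp-content/uploads/2024/11/wp-cache.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' > "$d/wp-content/themes/demo/functions.php"
    echo "$d"
}

# Real use on the server, e.g.:
#   sh wp-triage.sh /var/www/vhosts/example.com/httpdocs /root/backups/site.tar
#   sh wp-triage.sh /var/www/vhosts/example.com/httpdocs '' exec,shell_exec,system
if [ $# -ge 1 ]; then
    echo "== files to review =="
    scan_docroot "$1" "${2:-}"
    echo "== calls to functions you intend to disable =="
    disabled_function_uses "$1" "${3:-exec,shell_exec,pcntl_exec,system,passthru,proc_open,popen,parse_ini_file}"
fi
```

The point of the three rules together is that a signature grep alone is not enough: the constructed `wp-cache.php` dropper contains nothing a simple pattern list recognises and is only caught because PHP has no business living under uploads and because it is newer than the restored backup. The second function is the check to run before touching disable_functions: every hit is a plugin or theme that will break (or silently fail) once that function is disabled, so it is the list to review with the client before the change goes live.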