Nothing is worse than a hacked website. Mitigating it is difficult because the entry point is hard to pin down. In this case the entry point was an old user account, set up for a former employee, that ended up in the hands of a spammer. It must have had a weak, easily brute-forced password.
The first clue was that this user had hundreds of posts, whereas the admin only had 60 or so, so the user stood out. All of its posts, apart from the ones it made years ago, were spam.
Fortunately the user's role was "Editor", so it had no access to administrative functionality.
Steps to mitigate the hack:
- From the WP Engine side the user and all associated posts were deleted
- Core WordPress, every plugin and theme were updated to the latest version
- All older or inactive plugins were removed
- All inactive themes were removed
- Revolution Slider, a constant nuisance, was removed and replaced with a static image placeholder; it will be replaced with LayerSlider
- All other users' passwords were updated
- The associated IPs were banned server side (Austria was the origin)
- The "Loginizer" plugin was installed with only the admin IP whitelisted, and any brute force or failed attempts will be logged and sent to me via email
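Two of the checks above can be automated. The following is an added example, not code from the original post or from WP Engine or Loginizer: the first function reproduces the triage heuristic used here (an account whose post count dwarfs every other author and whose posting resumed after a long dormant gap is a likely hijacked account), and the second scans web-server access log lines for repeated failed logins from one IP, the pattern a server-side ban or a Loginizer-style lockout is meant to stop. The post rows, log lines and IP addresses are all constructed for the example; it relies on the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
"""Added example (not from the original post): defender-side checks that
correspond to the triage and mitigation steps described above.

All data here is constructed: the post rows stand in for wp_posts, the log
lines use the common Apache/nginx combined format, and the IPs come from
the documentation address ranges.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (author, post_date) pairs. The dormant account posts a
# handful of times in 2014, then hundreds of times on one day in 2019.
SAMPLE_POSTS = (
    [("admin", datetime(2015, 3, 1))] * 60
    + [("old_employee", datetime(2014, 6, 1))] * 5
    + [("old_employee", datetime(2019, 9, 20))] * 300
)


def find_anomalous_authors(posts, ratio=3.0, dormant_days=365):
    """Return authors whose post count exceeds `ratio` times the largest count
    of any other author AND whose posting resumed after a gap longer than
    `dormant_days`. Both signals together match the hijacked-account pattern."""
    counts = Counter(author for author, _ in posts)
    dates = defaultdict(list)
    for author, when in posts:
        dates[author].append(when)
    flagged = []
    for author, n in counts.items():
        others = max((c for a, c in counts.items() if a != author), default=0)
        ds = sorted(dates[author])
        gaps = [(later - earlier).days for earlier, later in zip(ds, ds[1:])]
        if n > ratio * others and gaps and max(gaps) > dormant_days:
            flagged.append(author)
    return flagged


# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip, sec, method, path, status):
    """Build one constructed access-log line."""
    return (f'{ip} - - [20/Sep/2019:10:01:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3512')


# Constructed log: one IP hammers the login form, one tries twice, one logs in.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(8)]
    + [_line("192.0.2.9", s, "POST", "/wp-login.php", 200) for s in range(2)]
    + [_line("198.51.100.4", 20, "GET", "/about/", 200),
       _line("198.51.100.4", 30, "POST", "/wp-login.php", 302)]
)


def brute_force_candidates(log_text, threshold=5):
    """Count failed login attempts per IP (POST to wp-login.php answered with
    200, i.e. the form was re-rendered) and return IPs at or above `threshold`.
    A 302 means the login succeeded and is not counted as a failure."""
    failed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            failed[m["ip"]] += 1
    return {ip: n for ip, n in failed.items() if n >= threshold}


if __name__ == "__main__":
    print("suspicious authors:", find_anomalous_authors(SAMPLE_POSTS))
    print("brute-force candidates:", brute_force_candidates(SAMPLE_LOG))
```

Run against a real site, the first function would be fed `post_author` and `post_date` columns from `wp_posts`, and the second the raw access log; the IPs it returns are the candidates to review before banning, since a legitimate user who mistyped a password a few times will also show up if the threshold is set too low.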