We host a WordPress site that has more than once been hacked. To my surprise, somehow the entire site was deleted earlier today. I did not think that was possible. We restored the site, tweaked WordFence, adding a list of IP ranges to block 90% of overseas attacking IPs, and updated WordPress. We deleted unused plugins and made sure all was well. It lasted 8 hours before it was hacked again. One .php file in the root did not look right and indicates how they did it. It contained the following line:
$fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
There was a previous comment a few years ago where the server admin created a file with the following at /etc/php.d/myconf.php
expose_php = Off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
session.cookie_httponly = 1
Can you confirm this is a new file and that, if it is placed in this location and Apache is then rebooted, it would stop the fsockopen attack? Are there any other suggestions on how to protect this server, and the other several Virtualmin servers we have? Do you think it would break any sites? Suggestions welcome. This is pretty scary and it got by WordFence without any problems at all.
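As an added example (not part of the original post and not code from WordFence or Virtualmin): the Python sketch below parses the disable_functions line quoted above and lists which socket-opening PHP functions it leaves callable, then scans a web root for PHP files that open udp:// sockets like the one found. The function names, the SOCKET_FUNCS set and the embedded ini sample are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# PHP built-ins that can open outbound network sockets (assumed watch list).
SOCKET_FUNCS = {"fsockopen", "pfsockopen", "stream_socket_client", "socket_create"}

# Constructed sample: the three directives quoted in the post.
POSTED_INI = """\
expose_php = Off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
session.cookie_httponly = 1
"""

# Matches a call such as fsockopen("udp://$host", ...), as in the dropped file.
UDP_CALL = re.compile(r"""\b(?:p?fsockopen|stream_socket_client)\s*\(\s*["']udp://""", re.I)


def disabled_functions(ini_text):
    """Return the names in the last disable_functions directive (simplified parse)."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]  # drop ini comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            raw = value.strip().strip('"')
            names = {n.strip().lower() for n in raw.split(",") if n.strip()}
    return names


def socket_funcs_still_enabled(ini_text):
    """Socket-capable functions that the ini text leaves callable."""
    return sorted(SOCKET_FUNCS - disabled_functions(ini_text))


def find_udp_socket_calls(root):
    """Return (path, line_no, line) for PHP files under root opening udp:// sockets."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if UDP_CALL.search(line):
                hits.append((str(path), no, line.strip()))
    return hits


if __name__ == "__main__":
    print("still enabled:", socket_funcs_still_enabled(POSTED_INI))
    for hit in find_udp_socket_calls("."):
        print("%s:%d: %s" % hit)
```

Run against the directives as posted, the first check reports fsockopen among the functions still callable, because the disable_functions list does not name it.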