Shared server. Multiple WordPress installations. All hacked with malware that changes all themes to open a random ad-based site.
Changed cPanel password, WP passwords, clean installed all WP sites. Malware comes back within a week to all of them or at least 50% of them.
Tried all manner of security plugins and htaccess rules. Server logs, that I could access, showed nothing too suspicious. No logins aside from me.
Finally tried 2 factor and everything stopped. There were quite a few attempted logins using for the first few days but all stopped due to 2 factor. Banned the IPs and of course they tried again with the right user name but the 2 factor stopped them.
I’m trying to figure out how they kept getting in so easily even after clean installs, new passwords and even lockouts after 3 bad passwords.
2 Factor stopped them. I can only think it was brute force but the 3 attempts and you're out should have stopped that. The only other thing I can think of is that it was server malware, but again, the 2 factor wouldn’t have mattered then.
Anyone else have ideas on how they were able to get in before 2 factor given the above?