Hi -- I have set up many WO sites since discovering this wonderful package. On at least 2 and likely 3 (i killed before looking too hard) very shortly after setting up the sites I was notified by Digital Ocean of Abuse charges..
In each case, the site had been basically hijacked. In the first case the malware was operating as a host in multisite DDOS robot. In the second case (this week) the site became a crypto-mining operation.
1) I installed WO and as the first step I updated all packages then created the site with --wpredis --php74 -le provided user and pass. (on a Ubuntu 20.4 plain box)
2) Next installed the security stack and all elements installed correctly
3) allowed 80, 442 and ssh on UFW, checked fail2ban and ngxblocker for operation.. all good.
4) Logged into WP and imported, using file upload, a theme that I have which is a template for all sites associated with my client -- that theme is a child theme that i created and then kept the template. It installed and I checked it out and it appeared normal.
Lastly I decided not install anything else until I got some other projects fully developed and expected to get back to it later this week.
Yesterday, I got the Abuse Complaint from Digital Ocean. I go in and look around in the root WP directory (and nothing strange in the default var/www/html (which leads me to believe this is a WP install situation) and boom a shit ton of directories and files and /wp-include/ loaded with malware .. I check the clamav logs and nothing -- I then downloaded one of my go-to scanners NinjaScanner (which I have licenses) and it dug up dozens of files for which 1/3rd of which could not be quarantined... I then turned off the site and today I rebuilt it -- without spending adequate time with the log files because I need to get this running.
This happened before and I made a comment here in the forum where I thought, and so did others, that it was the result of the theme that I downloaded from WP themes that caused the problem .. In this case, nearly everything I did in the above install list I did to that site. On a third machine I was notified by DO that it too was running ddos and I destroyed that droplet because it was just a spun up test box .. also a WO install, but really I do not remember the steps taken to create it because I needed to test some python code against a wp database and that is all that was for ..
I do not know how the extensive setup of the crypto miner was possible without files from the install containing malware. Can anyone think of a way this could happen? Clearly it was an inside job and if that is the case is it the default wordpress download ?
Thank you for Wordops it is very powerful and streamlining. Let me know if you have any ideas about these hijackings.