delete admin users automatically in turdpress

So, Turdpress (aka wordpress) randomly gets hacker users added to the list of admin users.

This sucks.

Hence it is called Turdpress.

To fix: 

Make a folder, something like /scripts/

mkdir /scripts

inside there make two shell scripts, call them delete.sh and run_sql.sh

set up a user, e.g. john, to automatically run mysql as root without authentication (obviously put a strong password on that user). 

mysql_config_editor set --host=localhost --user=john --password

mysql_config_editor set --host=localhost --user=root --password


Script: run_sql.sh

#!/bin/sh
if [ -z "`cat $1 | grep -i drop `" ] ; then
su - john -c mysql < $1
else
echo "Dont like that sql, bye"
fi


Script: delete.sh

#!/bin/sh
for i in cat list.txt ; do (
echo $i
 cat delete.sql | sed -e s/xxx/$i/g > /tmp/delete-$i.sql 
 sh run_sql.sh /tmp/delete-$i.sql
 rm /tmp/delete-$i.sql
) ; done

Now make the basic SQL commands to run. In this SQL, leave the xxx in place but replace #1, #2, etc., with the ID numbers of your admin users stored in wp_users.


SQL file delete.sql:

use xxx
delete from xxx.wp_users where ID not in (1,#1,#2,...);

The script replaces xxx with the name/s of all your wordpress site databases.

Now make a list of your wordpress sites:

echo "show databases" | mysql -u root -p > list.txt

This will create a list of databases. Edit the list and remove those which are not wordpress.


List of databases list.txt:

wp_database1 
wp_site2
wp_site3 
wp_database2 


Lastly

run crontab -e and add a cron job so the script runs daily. This will effectively delete all unidentified users in all wordpress databases. The below syntax runs at 6:01 pm every day.

1 18 * * * /scripts/delete.sh




Popular posts from this blog

enabling web interface updates over FTP or directly

Wordpress can be updated on the command line or the graphical side in the web browser. But in order to do that you need write permission on the server as the user www-data (the webs server), or, ftp access to upload files from wordpress.org to the server you are hosted at. Hence, you can either set the website to be owned by the webserver (and risk that vulnerabilities to the webserver affect your website), or you can enable FTP. The default is to let the webserver (www-data) have write permission: chown -R www-data:www-data /var/www/wordpress/ chmod -R 775 /var/www/wordpress/ To enable FTP, create a user specifically for the purpose on the server's FTP service and give them ownership of the wordpress folder. Put the following code into the wp-config.php file define( 'FS_METHOD', 'direct' ); define( 'FTP_BASE', 'www.myserver.com/www/wordpress' ); define( 'FTP_CONTENT_DIR', ' www.myserver.com /www/wordpress/wp-content/' ); define( 
Read more

changing php version

Wordpress might be fussy about which version of php it wants. Let's say it wants php7.1 specifically. Type the following commands: sudo add-apt-repository ppa:ondrej/php sudo apt-get update sudo apt-get install php7.1 sudo apt-get install php7.1-cli php7.1-common php7.1-json php7.1-opcache php7.1-mysql php7.1-mbstring php7.1-mcrypt php7.1-zip php7.1-fpm sudo a2dismod php7.2 sudo a2enmod php7.1 sudo service apache2 restart
Read more

commandline wordfence (wf-cli)

There is a commandline version of the wordfence plugin. You can use this to automate or script scanning your websites for malware. The output is just files which seem to be malware. You can then pass that list to the RM (remove) command. This is what I did. mkdir /scripts cd /scripts apt install python3.10 git clone https://github.com/wordfence/wordfence-cli sudo python /scripts/wordfence-cli/main.py scan /var/www/html/ I then took that list of files and gave them to the "rm" command. When it runs for the first time it will ask you to provide a "key" to it. You get that from wordfence's website.   https://www.wordfence.com/help/api-key/
Read more