We recently faced a spam injection attack on our website, because of which our Google indexing has been hit. We are investigating how all this could have happened even though we had all the popular plugins recommended for safety installed in our setup. HMWP is one of the plugins we installed for this reason. On going through the table wp_hmwp_ms_intrusions used by HMWP, we found that PHP code was saved as is, i.e. unescaped. We are sharing the table with you along with an email for your review. If the PHP “eval” code is saved as is in the DB, then it’s possible that when it’s called anywhere, either to display the intrusions or for any other purpose, it gets executed and the code gets infected or other intended actions are taken. E.g. in the 4th row itself we see the value “@ eval (base64_decode($_POST[z0]));”
There are numerous other rows with code similar in nature. As per our team, such code should either be escaped or not saved at all. Moreover, if HMWP was able to detect this as an intrusion, why wasn’t it able to stop the execution and prevent this from happening?
Any insights from you will help us understand what went wrong and how we can prevent this from happening in the future.
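The worry above, a PHP payload sitting unescaped in wp_hmwp_ms_intrusions, is worth separating into two distinct risks. A string in a database column is inert: it runs only if some code passes it to eval(), and a plugin that logs intrusions has no reason to do that. The real risk of storing raw payloads is stored XSS when the log is rendered in an admin page without HTML escaping. The following triage script is an added example, not HMWP code, that scans exported rows for webshell dropper patterns, decodes any base64 literals so an analyst can see what an eval(base64_decode('...')) would have executed, and shows the escaping a display path needs. The column names and all rows except the 4th value quoted in the post are constructed assumptions.

```python
import base64
import binascii
import html
import re

# Constructed sample rows shaped like an export of wp_hmwp_ms_intrusions.
# Column names are an assumption; only the 4th value is quoted from the thread.
SAMPLE_ROWS = [
    {"id": 1, "ip": "203.0.113.10", "value": "/?s=<script>alert(1)</script>"},
    {"id": 2, "ip": "203.0.113.11", "value": "/wp-login.php?action=register"},
    {"id": 3, "ip": "198.51.100.7", "value": "/xmlrpc.php"},
    {"id": 4, "ip": "198.51.100.7", "value": "@ eval (base64_decode($_POST[z0]));"},
    {"id": 5, "ip": "192.0.2.23", "value": "eval(base64_decode('cGhwaW5mbygpOw=='));"},
]

# Patterns typical of PHP webshell droppers. Matching is done on the stored
# string only; nothing here executes the payload.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode"),
    (re.compile(r"\bassert\s*\("), "assert"),
    (re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"), "request superglobal"),
    (re.compile(r"\b(?:system|shell_exec|passthru|exec)\s*\("), "command exec"),
    (re.compile(r"<script\b", re.IGNORECASE), "inline script"),
]

# Quoted base64 literal of at least 8 characters with optional padding.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{8,}={0,2})['\"]")


def classify(value: str) -> list[str]:
    """Return the names of all webshell patterns found in one stored value."""
    return [name for pattern, name in SUSPICIOUS if pattern.search(value)]


def decode_base64_literals(value: str) -> list[str]:
    """Decode quoted base64 literals that yield printable text, so an analyst
    can read what a stored eval(base64_decode('...')) would have run."""
    decoded = []
    for literal in B64_LITERAL.findall(value):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if text.isprintable():
            decoded.append(text)
    return decoded


def render_for_display(value: str) -> str:
    """HTML-escape a stored value before placing it in an admin page, the same
    job htmlspecialchars() does in PHP. This prevents stored XSS; it is not
    what stops PHP execution, since a DB string never runs unless code
    passes it to eval()."""
    return html.escape(value, quote=True)


def triage(rows):
    """Produce one triage record per row that matches at least one pattern."""
    findings = []
    for row in rows:
        tags = classify(row["value"])
        if not tags:
            continue
        findings.append({
            "id": row["id"],
            "ip": row["ip"],
            "tags": tags,
            "decoded": decode_base64_literals(row["value"]),
            "display": render_for_display(row["value"]),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding["id"], finding["ip"], ", ".join(finding["tags"]),
              finding["decoded"], finding["display"])
```

Run against a real export, the tags tell you which rows are dropper attempts versus ordinary probes, and the decoded column shows the second-stage code when the attacker embedded it as a literal. Row 4 from the post decodes to nothing because its payload arrives at runtime in $_POST[z0]; finding that row in the intrusion log means the request was seen, and whether it ran depends on whether a file on disk actually contained that eval, which is the thing to check next.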
Hi, thanks for contacting us. Regarding the “eval” code, I’ve notified our dev team. They’ll check this further. I’ll get back to you on this. Please also post here a screenshot of the wp_hmwp_ms_intrusions table with the rows showing the eval code.
Regarding HMWP detecting the intrusion, it depends on what kind of attack your site faced. It also depends on the Block threshold value set in HMWP.