Wordpress Site hacked, need urgent help to recover

@poly1

If they hacker was able to do this much damage, the first thing I will recommend you is to setup a new server and move everything there after a tight checkup. (Better download new php files for WP and Forum from source and ditch all the old ones).
With such hack, you never know which other file may have a backdoor on your serve now.

Also as George suggested, you may want to add few functions in the "disable" list.
This is what I have

Code:

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open

 

@eva2000 Curious why these aren't disabled by default? I'm guessing most off-the-shelf PHP apps don't use these functions because too much risk they'll be installed on a locked-down system and be barraged by support requests from less-tech-savvy customers. So seems like the safer default might be to turn these off and then a user can open them back up if he/she really needs?

 

That makes sense.

I'd vote to keep the more open version as default, and just add a note to the PHP guide at the bottom about "If you want to increase security, try adding this.... warning, may break some app, for example for Xenforo friendly rewrites, see this guide [nginx]"

It's great that it's listed on the Nginx guide, but the guide I would have expected this to be listed on was the PHP guide: PHP PHP-FPM - Centmin Mod - Menu based Nginx installer for CentOS servers

And yeah, the people who are likely to care about this in the first place are the folks who read the guides/forums in depth. Otherwise folks just want it to work and worry about hardening stuff later when they get hacked

 

I just using wordpress,
What function do I need to disable?

 

Go with the one I listed above. I am am running WP only servers and have not seen any issue.

 

What about this list Mask, got it from managed hosting company:

Code:

pcntl_alarm
pcntl_fork
pcntl_waitpid
pcntl_wait
pcntl_wifexited
pcntl_wifstopped
pcntl_wifsignaled
pcntl_wexitstatus
pcntl_wtermsig
pcntl_wstopsig
pcntl_signal
pcntl_signal_dispatch
pcntl_get_last_error
pcntl_strerror
pcntl_sigprocmask
pcntl_sigwaitinfo
pcntl_sigtimedwait
pcntl_exec
pcntl_getpriority
pcntl_setpriority
php_uname
getmyuid getmypid
passthru
leak
listen
diskfreespace
link
ignore_user_abord
shell_exec
dl
exec
system
highlight_file
source
show_source
fpaththru
virtual
posix_ctermid
posix_getcwd
posix_getegid
posix_geteuid
posix_getgid
posix_getgrgid posix_getgrnam
posix_getgroups
posix_getlogin
posix_getpgid
posix_getpgrp
posix_getpid
posix
_getppid
posix_getpwnam
posix_getpwuid
posix_getrlimit
posix_getsid
posix_getuid
posix_isatty
posix_kill
posix_mkfifo
posix_setegid
posix_seteuid posix_setgid
posix_setpgid
posix_setsid
posix_setuid
posix_times
posix_ttyname
posix_uname
proc_open
proc_close
proc_get_status
proc_nice
proc_terminate
phpinfo

 

trxerz
My version was "minimal recommended", you can add as many as you want to. The one you posted above seems to be too strict and some plugins might end up giving issues.
For a lot more tight security that the minimal list, I would go with

Code:

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, pcntl_exec

Anything more is a bit too much. But you can add as many as you want to.