Several wordpress sites were hacked, not detected by modsec

Hello, I got several wordpress sites were hacked by the same way. Hacker uploaded the same file wp-uso.php to wp-content/uploads directory, then using wp-uso.php to upload other files to other directories.

The wp-uso.php is a common FilesMan shell script. I am wondering whether modsec can block this file upload or not. Thanks for any advice.

<?php
$auth_pass = "4fdfa01285ca94522d390d7b79faa0";
$color = "#df5";
$default_action = 'FilesMan';

other code are encrypted....

Hello,

Can you make log analysis and find vulnerable script?

Sorry, I don’t know what kind of log you want to see.

Hi,

You should analyze access logs and if you install our rules on modsecurity that as well.
Please grep requests to wp-uso.php and also grep .htaccess log lines (since mostly the
file manages modifies that also)
Also it will be helpful to check for parameters that contain long strings of seemingly random characters
(i.e. base64 encoded strings).

Whenever you send relevant information we are happy to help u in this case.

Hello, I’ve decoded the hack file, it’s the same WSO web shell script but it was base64 encoded. I remember modsec was able to block the clear txt version. How can I block the encoded version? Thank you for any advice.

I also have following php disable_function:

show_source, system, shell_exec, passthru, exec, popen, proc_open