I have some WordPress websites running on IIS. Last year one website was hacked. Somehow they managed to put PHP files in the content/uploads folder. Then they spammed my mail server until it crashed.
I've since then prohibited PHP files in the content/uploads folder of WordPress.
This morning I received a message that a website which was in Google Webmaster Tools got a new owner. I then inspected the website and found that some files were added by someone. I don't know how until now. I've run the restore on that website, so it's working again. However, I'm unable to find out what it was.
My security is troubling, I think. The website contains the usual WordPress files. The rights which I set are probably wrong, but I don't know how to set them without breaking the updating of WordPress, themes, plugins, etc.
I just put IUSR rights on the whole website. The rights are: read, write, execute.
I've looked into application identities, but I'm not sure if that prevents modification of the files within WordPress.
What I would like to have is internet users viewing the site via IUSR (with only read rights), but the WordPress admin working via an alternative user which has almost all rights, because otherwise I'm unable to update themes, plugins or WordPress itself.
Is it possible to do that?
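As an added example (not part of the original post), the NTFS side of the split described above: IUSR limited to read/execute on the whole site, a separate Windows account given Modify for core, theme and plugin updates, and write for IUSR confined to wp-content\uploads so media uploads still work. The site path C:\inetpub\wwwroot\example, the admin account wpadmin and the assumption that PHP requests run under IUSR are hypothetical; adjust them to the real server. Run from an elevated PowerShell prompt.

```powershell
# Added example, not the poster's own configuration.
# Assumptions (hypothetical): the site lives in C:\inetpub\wwwroot\example,
# a local account named wpadmin is used for WordPress updates, and web
# requests (FastCGI/PHP) execute with the IUSR token.

$SiteRoot  = 'C:\inetpub\wwwroot\example'          # assumed site path
$AdminUser = "$env:COMPUTERNAME\wpadmin"            # assumed update account
$Uploads   = Join-Path $SiteRoot 'wp-content\uploads'

# 1. Detach the site root from the ACL inherited from wwwroot (copying the
#    current entries) so the rules set below are the complete set for this tree.
icacls $SiteRoot /inheritance:d

# 2. Wipe explicit entries below the root so every file and folder simply
#    inherits from the root again. This undoes the blanket IUSR grant from the post.
icacls "$SiteRoot\*" /reset /T /C /Q

# 3. IUSR: read and execute only, inherited by subfolders (CI) and files (OI).
#    ':r' replaces any explicit rights IUSR already had on the root.
icacls $SiteRoot /grant:r 'IUSR:(OI)(CI)RX'

# 4. The separate admin account gets Modify on the whole tree; that is enough
#    for WordPress, theme and plugin updates that run under this identity.
icacls $SiteRoot /grant:r "${AdminUser}:(OI)(CI)M"

# 5. Uploads: IUSR may write here and only here. NTFS write rights do not stop
#    IIS from handing a .php file in this folder to FastCGI, so PHP execution in
#    wp-content\uploads still has to be blocked on the IIS side, as the post did.
icacls $Uploads /grant:r 'IUSR:(OI)(CI)(RX,W)'

# Check: does any ACE for the account grant a write-capable right on the path?
# Matches simple rights W/M/F, generic GW/GA and the specific write rights.
function Test-CanWrite {
    param([string]$Path, [string]$Account)
    $aces = icacls $Path 2>&1 | Where-Object { $_ -match [regex]::Escape($Account) }
    $writeRight = '\((?:[^)]*,)?(W|M|F|GW|GA|WD|AD|WA|WEA|D|DC)(?:,[^)]*)?\)'
    @($aces | Where-Object { $_ -match $writeRight }).Count -gt 0
}

# Expected after the steps above: IUSR cannot write to the root, can write to uploads.
"IUSR write on site root: $(Test-CanWrite -Path $SiteRoot -Account 'IUSR')"
"IUSR write on uploads:   $(Test-CanWrite -Path $Uploads -Account 'IUSR')"
"wpadmin write on root:   $(Test-CanWrite -Path $SiteRoot -Account $AdminUser)"
```

Two things to verify on the real server before trusting the result: run `icacls` on the root afterwards and confirm no group copied from wwwroot (for example BUILTIN\Users) still grants more than RX, and confirm on the IIS side which identity actually serves wp-admin requests, because the NTFS split only helps if updates really run as the admin account rather than as IUSR.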