Hi, I just want to share my story here to warn you guys and let you secure your infrastructure (if you haven't noticed this problem already).

On 12 September, one of my clients' WordPress sites was hacked through the 0-day in wp-file(fail)-manager (CVE-2020-25213). The attacker was able to upload a .php file and take control of the website.

The worst part came on 21 September, when the attacker was able to read the other wp-config.php files. The reason was that, by default, APS sets the WordPress wp-config.php to 744 instead of 440, so the attacker was able to read it and inject a backdoor into all my WordPress websites through the hacked websites, directly into the database. I noticed that the attacker used one shell user to launch 2 commands (find and pwd).

Unfortunately, I didn't have enough backup retention to go back to before the hack, so all the WordPress sites are infected (even if I remove the backdoor) and potentially hackable.

350 000 users of wp-file-manager are potentially exposed, and it is worse if they are using ISPConfig with a WordPress installed through the APS installer.

I have warned the support and I'm going to make a check with schaal it.

Stay safe!
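An audit for the permission problem described in the post, as an added example that is not part of the original post or of ISPConfig: it walks a web root, lists every wp-config.php whose mode lets "other" users read it, notes whether the wp-file-manager plugin directory sits beside it, and can tighten the mode to the 440 the post names. The function names and the `clientN/web` sample tree are constructed for illustration; in real use, point `audit_wp_configs` at your own web root.

```python
import os
import stat
import tempfile

SAFE_MODE = 0o440  # the mode the post says wp-config.php should have

def audit_wp_configs(root):
    """Return sorted (path, mode, plugin_present) for wp-config.php files readable by 'other'."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "wp-config.php" not in filenames:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore symlinks and special files
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IROTH:  # any other local user (or another site's PHP) can read it
            plugin_dir = os.path.join(dirpath, "wp-content", "plugins", "wp-file-manager")
            findings.append((path, mode, os.path.isdir(plugin_dir)))
    return sorted(findings)

def tighten(findings, mode=SAFE_MODE):
    """chmod every reported file to `mode`; returns how many files were changed."""
    for path, _old_mode, _plugin in findings:
        os.chmod(path, mode)
    return len(findings)

def build_sample_tree(base):
    """Constructed sample: three sites, two of them with an over-permissive wp-config.php."""
    layout = {"client1/web": (0o744, True),
              "client2/web": (0o440, False),
              "client3/web": (0o644, False)}
    for rel, (mode, with_plugin) in layout.items():
        site = os.path.join(base, *rel.split("/"))
        os.makedirs(site)
        if with_plugin:
            os.makedirs(os.path.join(site, "wp-content", "plugins", "wp-file-manager"))
        cfg = os.path.join(site, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(cfg, mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, mode, plugin in audit_wp_configs(build_sample_tree(tmp)):
            print(f"{oct(mode)} {path} wp-file-manager={'yes' if plugin else 'no'}")
```

After tightening to 440, the file's owner or group must still include the account PHP runs as for that site, otherwise WordPress itself can no longer read its configuration.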