I think as long as PDF upload is blocked the hack can't just be repeated as easily. Even with the source code leaked, you need to have a way to actually inject your code to the server somehow. Correct me if I'm wrong, but with the remaining file types (JPG, PNG, GIF, WEBM, MP4) there is no way to do that. The other way would be to use security holes in the server itself (operating system, whatever software they use for the web server, PHP, ...) but if they update it all there shouldn't be an obvious gaping hole there.
They might have also gone through the code in the meantime. The anons on Soyjak's /tech/ board were already fixing the "OpenYotsuba" code for free.
The chain of this hack was essentially that some boards permitted PDF upload. This was done with an ancient (circa 2012) version of the Ghostscript library. This library was so old you could upload garbage that wasn't actually a PDF but was actually PostScript commands as arbitrary code. From there, the hacker found a binary that gave them a path to root.
Now, in terms of fixing the exact hack that was used to own the site, identify the mods/jans, etc., yes, removing the ability to remove PDFs prevents this exact hack from being repeated. Reinstalling the OS on new servers would likely prevent the secondary issue (a binary with bad file permissions/ownership giving a path to root [administrator on *NIX operating systems]).
The problem is that the public and potentially bad actors now have access to the site source code, which is, by all accounts I've read, pretty trash in quality (hardcoding of credentials being just one of many sins). If they update the backend like PHP version, MySQL version, OS version, etc. it may not matter if they forget to update another library - like whatever image library resizes images and generates their thumbnails. Or if all the backend software is good but there's a bad piece of coding in the site's custom Yotsuba imageboard software that allows, say, SQL injection.
People on 4chan are extremely creative for better and worse. People used to post embedded RARs/Zip archives within images, for fun/better (pirated ebooks) and worse (CSAM). Embedded sound files. I used to be annoyed I couldn't repost the same reaction image if someone else had posted it, so I had a BAT file on my desktop that would just append a garbage abcde on the end of my JPG/PNG/etc. file and the site software would then accept it because it technically had a different file hash, even though the actual image data was the same (they probably patched this circa 2014/2015 to remove garbage that wasn't within the image headers).
They may also accept help from the Soyjak types to do code improvement. The risk there is both in competency (how good are your volunteers, do they miss something) and trust (do you have a bad actor either deliberately not fixing something or trying to introduce an innocuous looking change that's actually a vulnerability).
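An added example, not part of the posts above and not the site's code: a server-side check for the appended-data behaviour described in the thread, limited to PNG. It walks the chunk list to the IEND chunk, reports any bytes after it, and hashes only the image portion so a file with garbage appended gets the same duplicate key as the original. The function names and the constructed 1x1 sample image are assumptions made for illustration.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def split_png(blob: bytes) -> tuple[bytes, bytes]:
    """Return (image_bytes, trailing_bytes); raise ValueError if malformed."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(blob[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            raise ValueError("bad chunk CRC")
        pos = end
        if ctype == b"IEND":
            # Everything past IEND is outside the image: padding, an
            # appended archive, or hash-changing garbage.
            return blob[:pos], blob[pos:]
    raise ValueError("no IEND chunk")

def dedupe_key(blob: bytes) -> str:
    """SHA-256 over the image portion only, ignoring trailing bytes."""
    image, _trailing = split_png(blob)
    return hashlib.sha256(image).hexdigest()
```

An upload handler can reject or strip a non-empty trailing portion before storing the file. Data hidden inside ancillary chunks is not covered by this check; re-encoding the image is the stricter option.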