I have a few WP sites which experience this as well. I use Wordfence (free version seems adequate enough). I did wonder if there's a list somewhere (dark web?) of possible sites and usernames, because I see the same (invalid) usernames being tried. I've got Wordfence set to max security, so IPs are blocked for 2 months.
I don't pay much attention to the IPs or their locations because I figure they're most likely being disguised anyway, but I sleep better knowing that the perps don't get much of a chance to get in.
-
I occasionally look at web server logs and they're always full of attempts to break in to all kinds of things, not just WordPress. Usually it's coming from some random IP address and probing numerous possibly-vulnerable URLs for a few minutes (which may or may not include /wp-admin or whatever it is, depending on what the bot is trying to achieve) after which they move on. Most servers I look at tend to get probed this way at least two or three times a day.
So it's probably not targeted at all, there are just millions of these things literally testing every IP address on the Internet for a way in, and your plugin reports the ones that try the endpoints it recognises.
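The distinction drawn in the post above, between generic probing and the WordPress-specific attempts a plugin reports, shown as an added example that is not part of the original thread. The log lines are constructed (documentation IP ranges), and the thresholds and label names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2024:03:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2024:03:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2024:03:10:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Nov/2024:04:00:10 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.23 - - [21/Nov/2024:04:00:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.23 - - [21/Nov/2024:04:00:12 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.23 - - [21/Nov/2024:04:02:40 +0000] "GET /admin/login.jsp HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.50 - - [21/Nov/2024:09:15:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
WP_AUTH = ("/wp-login.php", "/xmlrpc.php")  # endpoints a WP login-security plugin watches

def summarize(log_text):
    """Group requests by client IP and label each client's behaviour."""
    per_ip = defaultdict(lambda: {"wp_auth_posts": 0, "not_found": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, ts, method, path, status = m.groups()
        rec = per_ip[ip]
        rec["times"].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        path = path.split("?", 1)[0]
        if method == "POST" and path in WP_AUTH:
            rec["wp_auth_posts"] += 1
        if status == "404":
            rec["not_found"].add(path)
    report = {}
    for ip, rec in per_ip.items():
        if rec["wp_auth_posts"] >= 3:        # assumed threshold
            label = "wp-login-guessing"      # what the plugin reports
        elif len(rec["not_found"]) >= 3:     # assumed threshold
            label = "generic-probe"          # never reaches WordPress, so the plugin is silent
        else:
            label = "normal"
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        report[ip] = (label, span)
    return report

if __name__ == "__main__":
    for ip, (label, span) in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} {label:18} active {span:.0f}s")
```
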
-
Originally posted by ladymuck:
I currently use iThemes Security which does IP blocking, restricts admin connections by IP, rejects any connection where the username "admin" is used, enforces MFA on admin accounts, etc.
Is wordfence basically the same?
-
I currently use iThemes Security which does IP blocking, restricts admin connections by IP, rejects any connection where the username "admin" is used, enforces MFA on admin accounts, etc.
Is wordfence basically the same?
-
Originally posted by ladymuck:
So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?
* Some people would be using this as a foothold to get further (as per my previous post).
* Some people would deface the front end, e.g. to promote their political agenda or just as graffiti ("Dave woz 'ere").
* Some people would fill the blog posts with links to their own site, hoping to improve their Google ranking.
* Some people would use it to host dodgy content (e.g. porn or selling Viagra pills).
* Some people would join the machine to a botnet, or even use it as a C&C (command and control) server for an existing botnet so that any traces would lead to you rather than them.
-
What you are experiencing is fairly standard.
You would have the same level of interest, in my experience, with any of the other popular CMS systems.
Install the Wordfence plugin on each site.
-
Originally posted by ladymuck:
So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?
Wordfence is your friend.
-
So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?
-
I think that Lance is right about someone running an IP scan to discover the site.
As for why they'd bother, this could be used to gain an initial foothold. As a penetration tester, my approach might go something like this:
a) Log into WordPress with admin credentials.
b) Install a reverse shell.
c) Check the config file for WordPress database credentials.
d) Log into the (MySQL?) database using those credentials.
e) Install a UDF function in the database to get a new shell (hopefully on a different machine).
So, pivot from one machine to another. Meanwhile, look for any interesting files along the way (e.g. credentials that could be reused).
-
Originally posted by ladymuck:
I have three websites, all using wordpress. Two have no content (pending me putting some effort in) and one is mostly dormant so I guess they represent a nice target.
My security plug in reports on attempts to access the sites and I can wake up to hundreds of reports per site of failed attempts to log in.
One site is fairly new and attempts were being made on it within 24 hours of it going live.
I'd love to know how a bot / human found that site so quickly! It's not like any of my domain names are linked to anything interesting or in the public eye.
I know I can't stop it from happening but I can't help but be interested in why someone wants to hack a crappy website that only they know exists? What would they do with it if they did get in? Just fill it with nasty pr0n?
If I used something other than wordpress, would I have less hacking interest?
Could well be a simple IP scan of known WP hosters.
-
People hacking wordpress sites
I have three websites, all using wordpress. Two have no content (pending me putting some effort in) and one is mostly dormant so I guess they represent a nice target.
My security plug in reports on attempts to access the sites and I can wake up to hundreds of reports per site of failed attempts to log in.
One site is fairly new and attempts were being made on it within 24 hours of it going live.
I'd love to know how a bot / human found that site so quickly! It's not like any of my domain names are linked to anything interesting or in the public eye.
I know I can't stop it from happening but I can't help but be interested in why someone wants to hack a crappy website that only they know exists? What would they do with it if they did get in? Just fill it with nasty pr0n?
If I used something other than wordpress, would I have less hacking interest?