Previously on "People hacking wordpress sites"

  • HoofHearted
    replied
    I have a few WP sites which experience this as well. I use Wordfence (free version seems adequate enough). I did wonder if there's a list somewhere (dark web?) of possible sites and usernames, because I see the same (invalid) usernames being tried. I've got Wordfence set to max security, so IPs are blocked for 2 months.

    I don't pay much attention to the IPs or their locations because I figure they're most likely being disguised anyway, but I sleep better knowing that the perps don't get much of a chance to get in.

  • NickFitz
    replied
    I occasionally look at web server logs and they're always full of attempts to break in to all kinds of things, not just WordPress. Usually it's coming from some random IP address and probing numerous possibly-vulnerable URLs for a few minutes (which may or may not include /wp-admin or whatever it is, depending on what the bot is trying to achieve) after which they move on. Most servers I look at tend to get probed this way at least two or three times a day.

    So it's probably not targeted at all, there are just millions of these things literally testing every IP address on the Internet for a way in, and your plugin reports the ones that try the endpoints it recognises.

    Leave a comment:
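Added example, not part of any post in this thread: a short Python pass over a web server access log that separates the two patterns described above, bots sweeping several possibly-vulnerable URLs within a few minutes and repeated failed WordPress logins. The sample log lines, the watch-list of paths and the function names are constructed for illustration, and treating a 200 response to a login POST as a failure is a heuristic that assumes default WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in "combined" log format; IPs are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:03:14:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:03:15:10 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:04:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1630 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:04:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1630 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:09:30:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumed watch-list of commonly probed paths; extend it for your own stack.
PROBE_RE = re.compile(r'^/(wp-login\.php|xmlrpc\.php|wp-admin|\.env|\.git/|phpmyadmin)', re.I)

def parse(log_text):
    """Yield (ip, time, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path.split("?")[0], int(status)

def find_scanners(log_text, window=timedelta(minutes=5), min_paths=3):
    """IPs that requested >= min_paths distinct watched paths inside one window."""
    hits = defaultdict(list)
    for ip, when, _method, path, _status in parse(log_text):
        if PROBE_RE.match(path):
            hits[ip].append((when, path))
    scanners = {}
    for ip, events in hits.items():
        for start, _ in events:
            seen = {p for t, p in events if start <= t <= start + window}
            if len(seen) >= min_paths:
                scanners[ip] = sorted(seen)
                break
    return scanners

def failed_logins(log_text):
    """Count POSTs to wp-login.php answered 200 (a successful login redirects with 302)."""
    counts = defaultdict(int)
    for ip, _when, method, path, status in parse(log_text):
        if method == "POST" and path == "/wp-login.php" and status == 200:
            counts[ip] += 1
    return dict(counts)
```

On the sample, the first address is reported as a multi-path scanner and the second as a login guesser; the 302 from the third is a normal successful login and is not counted.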


  • Chris Bryce
    replied
    Originally posted by ladymuck
    I currently use iThemes Security which does IP blocking, restricts admin connections by IP, rejects any connection where the username "admin" is used, enforces MFA on admin accounts, etc.

    Is wordfence basically the same?
    Maybe, as I dunno about iThemes. Wordfence certainly does all of that and warns about out of date/deprecated plugins and also has a real-time "bad actor" database.

  • ladymuck
    replied
    I currently use iThemes Security which does IP blocking, restricts admin connections by IP, rejects any connection where the username "admin" is used, enforces MFA on admin accounts, etc.

    Is wordfence basically the same?

  • hobnob
    replied
    Originally posted by ladymuck
    So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?
    The motivations will vary depending on the attacker.
    * Some people would be using this as a foothold to get further (as per my previous post).
    * Some people would deface the front end, e.g. to promote their political agenda or just as graffiti ("Dave woz 'ere").
    * Some people would fill the blog posts with links to their own site, hoping to improve their Google ranking.
    * Some people would use it to host dodgy content (e.g. porn or selling Viagra pills).
    * Some people would join the machine to a botnet, or even use it as a C&C (command and control) server for an existing botnet so that any traces would lead to you rather than them.

  • courtg9000
    replied
    What you are experiencing is fairly standard.
    You would have the same level of interest in my experience with any of the other popular CMS systems.
    Install the Wordfence plugin on each site.

  • Chris Bryce
    replied
    Originally posted by ladymuck
    So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?
    Depending on the level of the perp running the bot it could be either.

    Wordfence is your friend.

  • ladymuck
    replied
    So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?

  • hobnob
    replied
    I think that Lance is right about someone running an IP scan to discover the site.

    As for why they'd bother, this could be used to gain an initial foothold. As a penetration tester, my approach might go something like this:
    a) Log into WordPress with admin credentials.
    b) Install a reverse shell.
    c) Check the config file for WordPress database credentials.
    d) Log into the (MySQL?) database using those credentials.
    e) Install a UDF function in the database to get a new shell (hopefully on a different machine).

    So, pivot from one machine to another. Meanwhile, look for any interesting files along the way (e.g. credentials that could be reused).

  • ladymuck
    replied
    Hosting is on Mythic Beasts

  • Lance
    replied
    Originally posted by ladymuck
    I have three websites, all using wordpress. Two have no content (pending me putting some effort in) and one is mostly dormant so I guess they represent a nice target.

    My security plug in reports on attempts to access the sites and I can wake up to hundreds of reports per site of failed attempts to log in.

    One site is fairly new and attempts were being made on it within 24 hours of it going live.

    I'd love to know how a bot / human found that site so quickly! It's not like any of my domain names are linked to anything interesting or in the public eye.

    I know I can't stop it from happening but I can't help but be interested in why someone wants to hack a crappy website that only they know exists? What would they do with it if they did get in? Just fill it with nasty pr0n?

    If I used something other than wordpress, would I have less hacking interest?
    Where's it hosted?
    Could well be a simple IP scan of known WP hosters.

  • ladymuck
    started a topic People hacking wordpress sites

    I have three websites, all using wordpress. Two have no content (pending me putting some effort in) and one is mostly dormant so I guess they represent a nice target.

    My security plug in reports on attempts to access the sites and I can wake up to hundreds of reports per site of failed attempts to log in.

    One site is fairly new and attempts were being made on it within 24 hours of it going live.

    I'd love to know how a bot / human found that site so quickly! It's not like any of my domain names are linked to anything interesting or in the public eye.

    I know I can't stop it from happening but I can't help but be interested in why someone wants to hack a crappy website that only they know exists? What would they do with it if they did get in? Just fill it with nasty pr0n?

    If I used something other than wordpress, would I have less hacking interest?
