
People hacking WordPress sites


    I have three websites, all using WordPress. Two have no content (pending me putting some effort in) and one is mostly dormant so I guess they represent a nice target.

    My security plug-in reports on attempts to access the sites and I can wake up to hundreds of reports per site of failed attempts to log in.

    One site is fairly new and attempts were being made on it within 24 hours of it going live.

    I'd love to know how a bot / human found that site so quickly! It's not like any of my domain names are linked to anything interesting or in the public eye.

    I know I can't stop it from happening but I can't help but be interested in why someone wants to hack a crappy website that only they know exists? What would they do with it if they did get in? Just fill it with nasty pr0n?

    If I used something other than WordPress, would I have less hacking interest?

    #2
    Originally posted by ladymuck
    I have three websites, all using WordPress. Two have no content (pending me putting some effort in) and one is mostly dormant so I guess they represent a nice target.

    My security plug-in reports on attempts to access the sites and I can wake up to hundreds of reports per site of failed attempts to log in.

    One site is fairly new and attempts were being made on it within 24 hours of it going live.

    I'd love to know how a bot / human found that site so quickly! It's not like any of my domain names are linked to anything interesting or in the public eye.

    I know I can't stop it from happening but I can't help but be interested in why someone wants to hack a crappy website that only they know exists? What would they do with it if they did get in? Just fill it with nasty pr0n?

    If I used something other than WordPress, would I have less hacking interest?
    Where's it hosted?
    Could well be a simple IP scan of known WP hosters.
    See You Next Tuesday



      #3
      Hosting is on Mythic Beasts



        #4
        I think that Lance is right about someone running an IP scan to discover the site.

        As for why they'd bother, this could be used to gain an initial foothold. As a penetration tester, my approach might go something like this:
        a) Log into WordPress with admin credentials.
        b) Install a reverse shell.
        c) Check the config file for WordPress database credentials.
        d) Log into the (MySQL?) database using those credentials.
        e) Install a UDF function in the database to get a new shell (hopefully on a different machine).

        So, pivot from one machine to another. Meanwhile, look for any interesting files along the way (e.g. credentials that could be reused).



          #5
          So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?



            #6
            Originally posted by ladymuck
            So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?
            Depending on the level of the perp running the bot it could be either.

            Wordfence is your friend.

            Chief Executive, FCSA
            - Former CEO OF IPSE
            - LtdCo Contractor for 20 odd years before that
            - Former Chair of IPSE nee PCG



              #7
              What you are experiencing is fairly standard.
              You would have the same level of interest, in my experience, with any of the other popular CMS systems.
              Install the Wordfence plugin on each site.
              Former IPSE member
              My Website



                #8
                Originally posted by ladymuck
                So it's more about poking around in the hope of finding something juicy rather than have fun with the front end?
                The motivations will vary depending on the attacker.
                * Some people would be using this as a foothold to get further (as per my previous post).
                * Some people would deface the front end, e.g. to promote their political agenda or just as graffiti ("Dave woz 'ere").
                * Some people would fill the blog posts with links to their own site, hoping to improve their Google ranking.
                * Some people would use it to host dodgy content (e.g. porn or selling Viagra pills).
                * Some people would join the machine to a botnet, or even use it as a C&C (command and control) server for an existing botnet so that any traces would lead to you rather than them.



                  #9
                  I currently use iThemes Security which does IP blocking, restricts admin connections by IP, rejects any connection where the username "admin" is used, enforces MFA on admin accounts, etc.

                  Is Wordfence basically the same?



                    #10
                    Originally posted by ladymuck
                    I currently use iThemes Security which does IP blocking, restricts admin connections by IP, rejects any connection where the username "admin" is used, enforces MFA on admin accounts, etc.

                    Is Wordfence basically the same?
                    Maybe, as I dunno about iThemes. Wordfence certainly does all of that and warns about out of date/deprecated plugins and also has a real-time "bad actor" database.
                    Chief Executive, FCSA
                    - Former CEO OF IPSE
                    - LtdCo Contractor for 20 odd years before that
                    - Former Chair of IPSE nee PCG
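
The failed log-in reports and IP blocking discussed in this thread can be cross-checked against the web server's own access log. The following is an added example, not code from any poster or from either plug-in: it tallies `wp-login.php` POSTs per client IP and lists addresses worth blocking. The log lines are constructed, and the 200/302 status convention is an assumption about a stock WordPress install at the site root.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not real traffic;
# the addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:08:30:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:08:30:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:08:30:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarise_logins(log_text):
    """Return (failed, succeeded) Counters of wp-login.php POSTs keyed by client IP."""
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Skip unparseable lines, page views (GET) and every other URL.
        if not m or m["method"] != "POST" or m["path"] != "/wp-login.php":
            continue
        # Assumption: stock WordPress answers a rejected password with 200
        # (the form is shown again) and an accepted one with a 302 redirect.
        if m["status"] == "200":
            failed[m["ip"]] += 1
        elif m["status"] == "302":
            succeeded[m["ip"]] += 1
    return failed, succeeded

def block_candidates(log_text, threshold=3):
    """IPs with at least `threshold` failed POSTs and no successful log-in."""
    failed, succeeded = summarise_logins(log_text)
    return sorted(ip for ip, n in failed.items()
                  if n >= threshold and ip not in succeeded)

if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG))
```

An address that eventually logs in successfully is left out of the block list so that an owner who mistyped a password is not locked out; a success that follows a long run of failures from an unfamiliar address deserves a manual look instead.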
