Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all! We have been experiencing an issue on site where threads have been missing the latest postings. The platform host Vanilla are working on this issue. A workaround that has been used by some is to navigate back from 1 to 10+ pages to re-sync the thread and this will then show the latest posts. Thanks, Mike.
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Wordpress hacked

  • 05-01-2021 3:18pm
    #1
    Registered Users Posts: 155 ✭✭


    I know WP sites are hacked on a regular basis but this one surprised me.

    The site was just a draft for the client to take a look. It was on a brand new domain and hidden from search engines. It was up there 2 months when I logged back in I found it was hacked! I had 2 new administrator friends from Russia!

    It was Wordpress 5.5 and there were a few plugins requiring minor updates. It seems really unlucky as there are WP sites live for years and well out of date that have survived.

    My query is how I was hacked? The 2 new administrators indicates brute force on WP admin. However there were also files added to the wordpress core (wp-includes etc). This was flagged by the free version of wordfence. Is this something that is doable as a WP administrator? I suppose it is if they install a plugin to upload certain files and move them to different locations on the install? If it more likely that they got access to an FTP account or got access to the clients hosting?

    As mentioned brand new domain and hidden from search engines how was the site most likely found?

    I had a membership plugin with a sign in form on the page footer. Is that an issue, should the login be on an untracked page? You are still going to need login links dotted around the page of your site so which bots will sniff out so that's probably not an issue.

    Before putting a site live I always put a paid version of wordfence and set it up for brute force. This was just a draft for a client to see, I was a little shocked that it was hammered so quickly!

    Thoughts appreciated


Comments

  • Registered Users, Registered Users 2 Posts: 6,529 ✭✭✭daymobrew


    I've often wondered the same "how" myself.
    On one site I manage I added .htaccess rules to wp-includes and wp-content to prohibit execution of .php files. This means they must be include() by WordPress.

    On one site someone changes the wp_users table to set each username and password field to the same value. I just reset it and the passwords. The admin username is not 'admin' and the admin password is random and stored in LastPass.

    With all that it still happens every few months. I delete the wp-admin, wp-includes, root dir and upload from a local copy of WordPress. I've deleted and reinstalled each plugin and theme but it still happens.

    As only the db is accessed, I wonder if they get in via ftp and run a sql command (from another account perhaps) and leave.


  • Registered Users, Registered Users 2 Posts: 6,207 ✭✭✭Talisman


    With shared hosting you always run the risk of the web hosts system being exploited.


  • Registered Users, Registered Users 2 Posts: 6,529 ✭✭✭daymobrew


    Talisman wrote: »
    With shared hosting you always run the risk of the web hosts system being exploited.
    I thought that even shared hosting had virtualisation that kept accounts separate.


  • Registered Users, Registered Users 2 Posts: 6,207 ✭✭✭Talisman


    I haven't had need to deal with a hosting company for a few years but the last time I did my client's ftp account had access to over 40 other websites on the same server. The account couldn't be used to write files to the other webroot folders but it could certainly read the contents of them - we discovered this when an attempt to backup the website via ftp went awry.


  • Registered Users, Registered Users 2 Posts: 11,987 ✭✭✭✭Giblet


    A lot of the time it's the install files or configure files still being accessible to the public. eg: http://ip/install.php


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,335 ✭✭✭nullObjects


    One of the plugins could have phoned home to check for an update and revealed where it was hosted?
    I'd be surprised though, even if it wasn't a popular plugin


  • Registered Users, Registered Users 2 Posts: 6,529 ✭✭✭daymobrew


    Giblet wrote: »
    A lot of the time it's the install files or configure files still being accessible to the public. eg: http://ip/install.php
    Although WordPress install files are accessible, it is not an issue as they only run if the database is not configured.


  • Registered Users, Registered Users 2 Posts: 609 ✭✭✭jumbone


    Your brand new domain is irrelevant if the site was accessible by IP address.

    Every ipv4 ip address has its http://xxx.xxx.xxx.xxx/wp-admin.php tested multiple times a day


  • Registered Users, Registered Users 2 Posts: 249 ✭✭SixtaWalthers


    You can get the access of your WP site again via hosting panel. Go there and change the admin logins of your WP site. In my opinion, it is not easy to hack WP site especially when you change siteurl.com/wp-admin to siteurl.com/specificlongkeyword. However, I don't what exactly happened in your case.


  • Registered Users, Registered Users 2 Posts: 36,169 ✭✭✭✭ED E


    This impacted wordpress
    https://threatpost.com/rce-bug-php-scripting-framework/162773/

    And this
    This Week in WordPress we have more than 5 million WordPress sites in critical danger
    thanks to their use of the popular plug-in called “Contact Form 7.” The trouble arises from a lack
    of sufficient filename sanitization in the plug-in's file upload filter.

    Worpress is digital gonorrhea.


  • Advertisement
  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    My query is how I was hacked? The 2 new administrators indicates brute force on WP admin. However there were also files added to the wordpress core (wp-includes etc). This was flagged by the free version of wordfence. Is this something that is doable as a WP administrator? I suppose it is if they install a plugin to upload certain files and move them to different locations on the install? If it more likely that they got access to an FTP account or got access to the clients hosting?

    That doesn't necessarily sound like brute force to me. Did you look at the logs? What do they show? If you need help analyzing them I'd be happy to take a look.

    There are two Crosss Site Scripting vulnerabilities(XSS) in 5.5. One of them is a stored XSS, they could have inserted code to add administrators when the code is executed by an admin.

    As for how they 'found' you, if you are on a shared platform, those systems are scanned regularly by various threat actors.


Advertisement