
WordPress hacked

  • 05-01-2021 3:18pm
    #1
    Registered Users Posts: 155 ✭✭


    I know WP sites are hacked on a regular basis but this one surprised me.

    The site was just a draft for the client to take a look at. It was on a brand new domain and hidden from search engines. It was up there 2 months; when I logged back in I found it was hacked! I had 2 new administrator friends from Russia!

    It was WordPress 5.5 and there were a few plugins requiring minor updates. It seems really unlucky, as there are WP sites live for years and well out of date that have survived.

    My query is how was I hacked? The 2 new administrators indicate brute force on WP admin. However, there were also files added to the WordPress core (wp-includes etc.). This was flagged by the free version of Wordfence. Is this something that is doable as a WP administrator? I suppose it is if they install a plugin to upload certain files and move them to different locations on the install? Is it more likely that they got access to an FTP account or got access to the client's hosting?

    As mentioned, the domain was brand new and hidden from search engines, so how was the site most likely found?

    I had a membership plugin with a sign-in form in the page footer. Is that an issue? Should the login be on an untracked page? You are still going to need login links dotted around the pages of your site, which bots will sniff out, so that's probably not an issue.

    Before putting a site live I always put a paid version of Wordfence on and set it up for brute force. This was just a draft for a client to see; I was a little shocked that it was hammered so quickly!

    Thoughts appreciated.


Comments

  • Registered Users Posts: 6,494 ✭✭✭daymobrew


    I've often wondered the same "how" myself.
    On one site I manage I added .htaccess rules to wp-includes and wp-content to prohibit execution of .php files. This means they must be include()d by WordPress.

    On one site someone changed the wp_users table to set each username and password field to the same value. I just reset it and the passwords. The admin username is not 'admin' and the admin password is random and stored in LastPass.

    With all that, it still happens every few months. I delete wp-admin, wp-includes and the root dir and upload them from a local copy of WordPress. I've deleted and reinstalled each plugin and theme, but it still happens.

    As only the db is accessed, I wonder if they get in via FTP and run an SQL command (from another account perhaps) and leave.
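
The per-directory rules daymobrew describes, written out as an added example (not the poster's own files): an Apache 2.4 .htaccess placed in wp-includes/ and in wp-content/uploads/ that refuses direct HTTP requests for .php files while leaving them loadable through include() from WordPress's own index.php. It assumes Apache 2.4 with AllowOverride permitting FileInfo/AuthConfig in those directories; the directory choices are assumptions about a standard single-site install.

```apache
# wp-includes/.htaccess  (added example; assumes Apache 2.4, AllowOverride enabled)
#
# A file dropped here by an attacker (e.g. a renamed web shell) only does damage
# if it can be requested over HTTP. Denying direct requests for *.php does not
# stop WordPress itself, because include() runs inside the already-executing
# index.php process and never goes through the web server's URL handling.
<IfModule mod_authz_core.c>
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 equivalent, kept for servers that still lack mod_authz_core.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

# ---------------------------------------------------------------------------
# wp-content/uploads/.htaccess  (added example; same assumptions as above)
#
# The uploads tree is the directory WordPress lets the web process write to,
# so it is the usual landing spot for dropped files. Nothing here should ever
# be executed as PHP; only static media belongs in it.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php|phtml|php[3-7])$">
        Require all denied
    </FilesMatch>
</IfModule>
# Also stop the directory from being browsed, so filenames are not enumerable.
Options -Indexes
```

Apply the deny rule to wp-content/uploads rather than all of wp-content: some plugins and themes expose their own .php endpoints for direct requests, and a blanket deny on wp-content breaks them, whereas nothing legitimate is requested directly from uploads. After adding the files, confirm the rule works by requesting a harmless test .php file you placed there yourself and checking for a 403 in the access log.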


  • Registered Users Posts: 6,028 ✭✭✭Talisman


    With shared hosting you always run the risk of the web host's system being exploited.


  • Registered Users Posts: 6,494 ✭✭✭daymobrew


    Talisman wrote: »
    With shared hosting you always run the risk of the web host's system being exploited.
    I thought that even shared hosting had virtualisation that kept accounts separate.


  • Registered Users Posts: 6,028 ✭✭✭Talisman


    I haven't had need to deal with a hosting company for a few years, but the last time I did my client's FTP account had access to over 40 other websites on the same server. The account couldn't be used to write files to the other webroot folders, but it could certainly read the contents of them - we discovered this when an attempt to back up the website via FTP went awry.


  • Registered Users Posts: 11,977 ✭✭✭✭Giblet


    A lot of the time it's the install files or configure files still being accessible to the public, e.g. http://ip/install.php


  • Registered Users Posts: 1,298 ✭✭✭nullObjects


    One of the plugins could have phoned home to check for an update and revealed where it was hosted?
    I'd be surprised though, even if it wasn't a popular plugin.


  • Registered Users Posts: 6,494 ✭✭✭daymobrew


    Giblet wrote: »
    A lot of the time it's the install files or configure files still being accessible to the public, e.g. http://ip/install.php
    Although WordPress install files are accessible, it is not an issue as they only run if the database is not configured.


  • Registered Users Posts: 609 ✭✭✭jumbone


    Your brand new domain is irrelevant if the site was accessible by IP address.

    Every IPv4 address has its http://xxx.xxx.xxx.xxx/wp-admin.php tested multiple times a day.


  • Registered Users Posts: 249 ✭✭SixtaWalthers


    You can get access to your WP site again via the hosting panel. Go there and change the admin logins of your WP site. In my opinion, it is not easy to hack a WP site, especially when you change siteurl.com/wp-admin to siteurl.com/specificlongkeyword. However, I don't know what exactly happened in your case.


  • Registered Users Posts: 36,166 ✭✭✭✭ED E


    This impacted WordPress:
    https://threatpost.com/rce-bug-php-scripting-framework/162773/

    And this:
    This Week in WordPress we have more than 5 million WordPress sites in critical danger thanks to their use of the popular plug-in called “Contact Form 7.” The trouble arises from a lack of sufficient filename sanitization in the plug-in's file upload filter.

    WordPress is digital gonorrhea.


  • Posts: 11,614 [Deleted User]


    My query is how was I hacked? The 2 new administrators indicate brute force on WP admin. However, there were also files added to the WordPress core (wp-includes etc.). This was flagged by the free version of Wordfence. Is this something that is doable as a WP administrator? I suppose it is if they install a plugin to upload certain files and move them to different locations on the install? Is it more likely that they got access to an FTP account or got access to the client's hosting?

    That doesn't necessarily sound like brute force to me. Did you look at the logs? What do they show? If you need help analyzing them I'd be happy to take a look.

    There are two Cross-Site Scripting (XSS) vulnerabilities in 5.5. One of them is a stored XSS; they could have inserted code to add administrators when the code is executed by an admin.

    As for how they 'found' you, if you are on a shared platform, those systems are scanned regularly by various threat actors.

