
Forum Moderators: rogerd & travelin cat


Attempted hack

     
4:56 pm on Feb 5, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts: 3114
votes: 2


Yesterday someone tried to get into a client's WordPress install using my username. Better WP Security blocked them, but they somehow had my username, which I NEVER give to anyone. This particular one was 12 characters long with numerals, capital letters and lowercase letters. They got the info correct, but the last two letters were lowercase instead of uppercase.

The IP said they were in South Korea. Any idea how this could happen?
5:04 pm on Feb 5, 2014 (gmt 0)

New User

10+ Year Member

joined:Nov 1, 2005
posts: 27
votes: 0


Scary stuff.

I use the Login Page Rename plugin, so they'd need to know the name of /wp-login.php to get there.

These hackers are unbelievably amazing sometimes.
6:32 pm on Feb 5, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Likely via another site on the same server but just in case - any outdated plugins or themes on the site?
8:58 pm on Feb 5, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts: 3114
votes: 2


Nope. Everything is up to date.
9:23 pm on Feb 5, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


The most likely reason is if code is out of date (how old is the theme and how much customization was done?). Other than this, if your plugins & core are up to date, then they came in another way. Not through WordPress.
10:08 pm on Feb 5, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts: 3114
votes: 2


The theme is new and updated regularly. I made a child theme that has a lot of css customizing, but nothing else.
12:42 am on Feb 6, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Another thought. Did you access the site from a public WiFi at any point in the past month or so?
1:45 am on Feb 6, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts: 3114
votes: 2


Nope. I never use public wifi.
12:59 pm on Feb 6, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


How strong is your salt?

Passwords are hashed before being put into the database so I strongly suspect someone either had access to your passwords or got to your database through another route.

Does your client access the site via FTP? Have they given access to anyone else for any reason? Does the site have any plugins from new or sketchy authors?
4:50 pm on Feb 6, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 2, 2006
posts:2112
votes: 2


Any idea how this could happen?


It happened to me in the past that my "hand picked" admin user name was used like in your case.
It turned out that the picture gallery plugin would make my user name available whenever I would upload a photo into the gallery. The user name itself would not be published to be seen via a browser online, but it would be available within the HTML code.

I figured it out by searching the database for the user name to see where it was actually showing up. That helped.
6:39 pm on Feb 6, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts: 3114
votes: 2


Lorax, I'm the only one that has FTP access and the plugins are all tried and true ones like Yoast SEO and Better WP Security (which blocked the attack).

smallcompany, there is no gallery, but I will go through all of the page's source code to see if I can find something.
6:52 pm on Feb 6, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts: 3114
votes: 2


I found it! This was in the initial post's source code I made for the client: <p class="meta-info"> By <a href="http://example.com/author/username/" title="Posts by company name" rel="author">

Any idea how to remove the meta info?
7:26 pm on Feb 6, 2014 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts: 3114
votes: 2


My theme had a setting to remove the author data, so now it's gone. Phew. What a pain in the butt.
2:31 am on Feb 7, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Glad you got it sorted!
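
An added example, not part of the thread: one way to repeat the check described in the posts above on a saved copy of a page, listing every place a login name shows up in the rendered HTML (author archive links, attribute values, visible text), compared case-insensitively. The login, the sample markup and the names `LoginLeakFinder` and `audit_page` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoginLeakFinder(HTMLParser):
    """Record every place a login name appears in rendered HTML."""
    def __init__(self, login):
        super().__init__(convert_charrefs=True)
        self.login = login.lower()  # compare case-insensitively
        self.findings = []          # (kind, tag, detail) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""     # attributes without a value parse as None
            if name == "href":
                # Author archive links look like /author/<slug>/, as in the thread.
                parts = [p for p in urlparse(value).path.split("/") if p]
                if "author" in parts[:-1]:
                    slug = parts[parts.index("author") + 1]
                    kind = "author-link" if slug.lower() == self.login else "other-author-link"
                    self.findings.append((kind, tag, slug))
                    continue
            if self.login in value.lower():
                self.findings.append(("attribute", tag, f"{name}={value}"))

    def handle_data(self, data):
        if self.login in data.lower():
            self.findings.append(("text", "", data.strip()))


def audit_page(html, login):
    finder = LoginLeakFinder(login)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: markup modelled on the thread's snippet; login and classes are made up.
SAMPLE_LOGIN = "Xk7pQ2mvR9AB"
SAMPLE_HTML = """
<p class="meta-info"> By <a href="http://example.com/author/xk7pq2mvr9ab/"
   title="Posts by company name" rel="author">Company Name</a></p>
<li class="comment comment-author-xk7pq2mvr9ab">Thanks for reading</li>
<a href="http://example.com/author/editor/">Editor</a>
"""

if __name__ == "__main__":
    for kind, tag, detail in audit_page(SAMPLE_HTML, SAMPLE_LOGIN):
        print(f"{kind:18} <{tag}> {detail}")
```

Any `author-link`, `attribute` or `text` finding means the login is readable in the page source; `other-author-link` lists other account slugs the same page exposes.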
 
