• A few days ago I logged in to a WordPress site I’m managing due to issues reported by the site owner. All logged in, I was met by a message saying something along the lines of WordFence being inactive because of wordfence.php missing. So, I checked my installed plugins, and WordFence was not even visible there.

    Having a feeling something was very wrong, I looked around the admin area only to find two new admin accounts, with random names, had been registered. I reinstalled WordFence to run a scan (first having to manually remove the WordFence folder from wp-content/plugins, because WordPress complained that the folder already existed when installing). Running the scan, it found a bunch of possibly malicious files and themes and the two new admin accounts, and I manually found unknown plugin folders in the plugin directory.

    In a panicky rush to un-compromise the site I deleted all the suspicious files and the two admin accounts, and a plugin whose name showed in the file paths of a lot of the suspicious files.

    Afterwards, trying to find traces of the intrusion (and regretting I was so fast to delete the files), I can see in the WordFence login log database table that one of the aforementioned admin accounts had a successful login the same day all the suspicious files were created.

    Now to what I'm wondering about. Is it actually possible to deactivate the WordFence firewall by deleting wordfence.php through a vulnerability in a plugin or theme? I checked with the hosting provider, and they could not see any SFTP logins to the server in their log a few days prior to and after the attack. How can such an attack have happened? The scan stated that the two new admin accounts had been created outside WordPress. What does that mean?

    Installed plugins and themes during attack:

    • Akismet (deactivated)
    • Hello Dolly (deactivated)
    • SVG Support
    • Polylang
    • WordFence (status unknown)
    • Custom Theme* (active)
    • Twenty Twenty-One

    * Very basic; no input — no comment sections or search capabilities.

    I’m no website security expert, so I’m trying to learn how this attack could have happened so that I can protect my websites better going forward. Any help appreciated.

    Note: Wondering why WordFence did not alert me by email during the attack, I discovered afterwards that the mail sending capabilities of the WordPress installation were not set up properly. Also, 2FA was not in use during the attack.
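An added triage script for the "created outside WordPress" question above; it is not part of this thread and not Wordfence code. The point it illustrates: an administrator is nothing more than a row in wp_users plus a serialized capabilities row in wp_usermeta, so anyone with database access (phpMyAdmin, a cPanel file manager with the wp-config.php credentials, a SQL injection in a plugin) can create one without a single request passing through WordPress's user registration. The script lists every account holding the administrator capability straight from those two tables, then lists the files under wp-content whose modification time falls within a window around each account's registration time, which is the timeline the original poster reconstructed by hand. The 48-hour window, the script name and the output format are choices made here; it assumes WP-CLI (`wp eval-file triage.php` from the site root).

```php
<?php
/**
 * triage.php: post-compromise timeline for a WordPress site.
 * Hypothetical helper written for this thread; run with:  wp eval-file triage.php
 * Assumptions: WP-CLI is available, so $wpdb, ABSPATH and WP_CONTENT_DIR are defined.
 */

$window_seconds = 48 * 3600;   // assumption: look +/- 48 h around each admin's user_registered

// The administrator role lives in wp_usermeta as a serialized array under
// "<table prefix>capabilities". A row inserted here directly (plus one in
// wp_users) is a working admin account that never touched WordPress code.
$cap_key = $wpdb->prefix . 'capabilities';
$admins  = $wpdb->get_results( $wpdb->prepare(
    "SELECT u.ID, u.user_login, u.user_email, u.user_registered
       FROM {$wpdb->users} u
       JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
      WHERE m.meta_key = %s AND m.meta_value LIKE %s",
    $cap_key,
    '%' . $wpdb->esc_like( 'administrator' ) . '%'
) );

// Collect modification times under wp-content once (plugins, themes, uploads,
// mu-plugins all live here, which is where the poster found the unknown folders).
$files = array();
$iter  = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( WP_CONTENT_DIR, FilesystemIterator::SKIP_DOTS )
);
foreach ( $iter as $info ) {
    $files[ $info->getPathname() ] = $info->getMTime();
}

foreach ( $admins as $a ) {
    // user_registered is stored in UTC by WordPress.
    $registered = strtotime( $a->user_registered . ' UTC' );
    WP_CLI::log( sprintf( 'admin #%d %s <%s> registered %s UTC',
        $a->ID, $a->user_login, $a->user_email, $a->user_registered ) );

    $hits = array_filter( $files, function ( $mtime ) use ( $registered, $window_seconds ) {
        return abs( $mtime - $registered ) <= $window_seconds;
    } );
    asort( $hits );   // oldest first, so the sequence of writes is readable
    foreach ( $hits as $path => $mtime ) {
        WP_CLI::log( sprintf( '  %s  %s',
            gmdate( 'Y-m-d H:i:s', $mtime ), str_replace( ABSPATH, '', $path ) ) );
    }
}
```

Read the output for admins whose registration time does not match any legitimate onboarding and for files written in the hours around it. Modification times are easy for an attacker to reset, so treat them as a lead rather than proof, and copy the listing out before deleting anything, which is exactly the step the original poster regretted skipping.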

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @joaka2316, sorry to see you had a problem like this.

    It’s probably more common to have seen a removal of Wordfence or some of its files in a case like this, where somebody actually created an admin account to log into your site. In that sort of case, rather than an automated attack or external probe for plugin vulnerabilities, Wordfence could be seen as an inconvenience for achieving whatever they wanted to do on your site, as it may block certain actions etc.

    Having said this, admin accounts could have been created in a number of ways beginning with an outdated plugin with a known vulnerability. Also, insecure/exposed hosting/cPanel credentials (as these often provide access to the database or a file manager), database admin accounts, or the password of a WordPress administrator becoming known without 2FA enabled could be possibilities, but I can only speculate.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    I can’t suggest that any now resolved vulnerabilities with other plugins (or one plugin in particular) were responsible for what happened here, but if you did have any unupdated version numbers installed, we do have records of historical vulnerabilities for your installed plugins if you search Wordfence Intelligence for the plugin name(s).

    I will provide our site cleaning instructions for you below even though you’ve already gone some way to dealing with this, just in case any steps you haven’t tried can still assist you: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    XML-RPC requests are one of the most common brute force/credential stuffing attack methods so we always recommend using long unique passwords along with 2FA for all of your administrative accounts.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to fully clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless, if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks and I hope that helps you out,
    Peter.

    Thread Starter joaka2316

    (@joaka2316)

    Thank you for your response. I understand it’s possible for you to only speculate about how an attack could have been carried out.

    What I don’t understand though, is how the single file wordfence.php could be removed without accessing the server itself. If an admin account was created somehow and managed to log in, wouldn’t it have been possible to just deactivate the plugin itself through the admin area?

    So that’s my core concern and question I guess. If wordfence.php can be deleted through a vulnerability somewhere, resulting in the firewall being deactivated, how can I ever rely on the firewall protecting the site? Could it actually be that the file was deleted through a plugin or theme, or am I missing something that I should really inquire my hosting provider about?
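To the question in the last post (can a single file be deleted through a plugin or theme, with no server login at all?): yes, and the usual mechanism is a plugin or theme handler that passes request input to `unlink()`. The block below is a hypothetical AJAX handler written for this thread to show that shape of bug beside its corrected form; it is not taken from any plugin named in the discussion and is not Wordfence code. The action names, the `delete_posts` capability and the "uploads" directory are choices made here.

```php
<?php
/**
 * Hypothetical "remove an upload" AJAX handler, shown vulnerable and hardened.
 * Written for this thread as an illustration; not code from any listed plugin.
 */

// --- vulnerable: the path is built from request input and reaches unlink() ---
// wp_ajax_nopriv_ makes it reachable with no account at all; a logged-in
// subscriber would reach it through wp_ajax_ just the same.
add_action( 'wp_ajax_nopriv_demo_remove_upload', 'demo_remove_upload_vulnerable' );
add_action( 'wp_ajax_demo_remove_upload',        'demo_remove_upload_vulnerable' );
function demo_remove_upload_vulnerable() {
    $upload = wp_upload_dir();
    // A POST to admin-ajax.php with action=demo_remove_upload and
    // file=../plugins/wordfence/wordfence.php resolves to
    // wp-content/uploads/../plugins/wordfence/wordfence.php and is deleted.
    // Nothing in this code path is a WordPress login or an SFTP session, so
    // neither the host's SFTP log nor wfLogins records anything.
    $target = $upload['basedir'] . '/' . $_POST['file'];
    if ( file_exists( $target ) ) {
        unlink( $target );
    }
    wp_send_json_success();
}

// --- hardened: authenticated, authorized, CSRF-checked, confined to uploads/ ---
add_action( 'wp_ajax_demo_remove_upload_safe', 'demo_remove_upload_safe' );
function demo_remove_upload_safe() {
    // assumption: delete_posts stands in for whatever capability the feature needs
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_remove_upload' );   // dies on a missing or bad nonce

    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] );
    // basename() drops any directory component; sanitize_file_name() strips
    // the characters WordPress refuses in file names.
    $name   = sanitize_file_name( basename( wp_unslash( $_POST['file'] ?? '' ) ) );
    $target = realpath( $base . '/' . $name );

    // realpath() resolves "..", symlinks and a non-existent file (false).
    // Anything that does not land strictly inside uploads/ is refused
    // before unlink() is ever reached.
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    unlink( $target );
    wp_send_json_success();
}
```

The contrast answers the "how can I rely on the firewall" worry in a narrow sense: a firewall that is itself loaded as a plugin file can only inspect requests while that file exists, so the defence against this class of bug is not the firewall but keeping plugins and themes updated (arbitrary-file-deletion bugs of exactly this shape are a recurring entry in the Wordfence Intelligence records Peter points to) and, on the hosting side, running PHP as a user that cannot write to the plugin directory in the first place. The `realpath()` plus prefix check is the part to carry into your own code: it refuses traversal in the resolved path rather than trying to filter `..` out of the raw string.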

  • The topic ‘wordfence.php removed during website attack?’ is closed to new replies.