• I run a subscription site and we import users to gain access. It looks like this morning someone registered (spam bot) even though we have registration turned off. I tried using the URLs that I see in the access log but they don’t seem to work unless I’m logged in. I then look at the time the user was registered and see this in the access log accordingly:

    117.194.102.3 - - [07/Oct/2011:10:45:10 -0500] "POST /newrrpc/wp-admin/user-new.php HTTP/1.1" 302 - "https://mysite.com/newrrpc/wp-admin/user-new.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

    It looks to me like they used POST params to bypass the security and allow themselves to register. All other requests from them are GET except for a few of them where they try to use wp-admin/user-new.php.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    That shouldn’t be possible. That’s got checks to make sure you’re logged in first.

    Thread Starter jostster

    (@jostster)

    Well, it has to be possible. I have users_can_register set to 0. Maybe they used another page or something to do it?

    Thread Starter jostster

    (@jostster)

    I will filter the logs by this IP and post them here
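
The filtering the thread starter describes, as an added example that is not part of the original thread: parse a combined-format access log, pull every request from one IP, and list every POST to a wp-admin page. The first POST line in the sample is the entry quoted above; the other sample lines, the second IP, and the helper names are constructed for this example.

```python
"""Filter an Apache/nginx combined-format access log for the activity
described in the thread: all requests from one IP, and all POSTs to
wp-admin pages (which should only be reachable with a valid admin session).
Added example; not code from the forum thread or from WordPress."""
import re
from collections import defaultdict

# Constructed sample log. The third line is the entry quoted in the thread;
# the other lines (and the second IP, 203.0.113.9) are invented for the example.
SAMPLE_LOG = """\
117.194.102.3 - - [07/Oct/2011:10:44:58 -0500] "GET /newrrpc/wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
117.194.102.3 - - [07/Oct/2011:10:45:03 -0500] "GET /newrrpc/wp-admin/user-new.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
117.194.102.3 - - [07/Oct/2011:10:45:10 -0500] "POST /newrrpc/wp-admin/user-new.php HTTP/1.1" 302 - "https://mysite.com/newrrpc/wp-admin/user-new.php" "Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
203.0.113.9 - - [07/Oct/2011:10:46:00 -0500] "GET /newrrpc/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
117.194.102.3 - - [07/Oct/2011:10:47:21 -0500] "POST /newrrpc/wp-admin/user-new.php HTTP/1.1" 302 - "https://mysite.com/newrrpc/wp-admin/user-new.php" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def requests_from(entries, ip):
    """Every request made by one client IP, in log order."""
    return [e for e in entries if e["ip"] == ip]


def admin_posts(entries, prefix="/wp-admin/"):
    """POST requests to any wp-admin page. A POST here that produced a user
    means the request carried a valid admin session (cookie) or the check
    was bypassed; either way it is the request to investigate."""
    return [e for e in entries if e["method"] == "POST" and prefix in e["path"]]


def ips_posting_to_admin(entries):
    """Count of wp-admin POSTs per source IP: the quickest way to pick the
    IP to filter the whole log on."""
    counts = defaultdict(int)
    for e in admin_posts(entries):
        counts[e["ip"]] += 1
    return dict(counts)


def timeline(entries, ip):
    """(time, method, path, status) for one IP, so the requests around the
    POST can be read in order. Note that a 302 on the POST alone does not
    say whether the user was created or the request was bounced to the
    login page; the surrounding requests and the users table do."""
    return [(e["time"], e["method"], e["path"], e["status"])
            for e in requests_from(entries, ip)]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, n in ips_posting_to_admin(log).items():
        print(ip, "posted to wp-admin", n, "time(s)")
        for row in timeline(log, ip):
            print("   ", *row)
```

Run against a real log with `parse_log(open("access.log").read())`; the same functions work unchanged because the regex follows the standard combined format.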

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    The user-new.php is an administrative add-user panel. It’s not where new users register, it’s where admins can add new users directly. The users_can_register setting would be irrelevant in that case.

    If somebody hijacked your admin cookies, then they could create a new user directly via that panel.

    You can invalidate all previous cookies by changing the secret keys in the wp-config.php file. You can get some new randomized keys from here:
    https://api.www.ads-software.com/secret-key/1.1/salt/

    Also check your site’s files to be sure you haven’t been hacked in some other manner.
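
The cookie invalidation Otto describes, as an added example that is not part of the thread and not WordPress's own code: rewrite the eight key and salt `define()` lines in wp-config.php with fresh random values so every existing auth cookie stops validating. Generating the values locally with `secrets` stands in for fetching them from the salt URL above; the sample wp-config text, the 64-character length and the character set (alphanumerics plus punctuation that is safe inside a single-quoted PHP string) are this example's assumptions.

```python
"""Rotate the WordPress secret keys and salts in wp-config.php.
Changing these values makes every previously issued auth cookie fail
validation, which logs out everyone, including anyone using a stolen
admin cookie. Added example; not code from the thread or from WordPress."""
import re
import secrets
import string

# The eight constants WordPress keys its cookies and nonces with.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Assumed character set: alphanumerics plus punctuation, deliberately
# excluding the single quote and backslash so the value can sit inside
# the single-quoted PHP string literal unescaped.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"
KEY_LENGTH = 64  # assumed length for this example

# Matches define('NAME', 'value'); with optional whitespace, as wp-config.php writes it.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

# Constructed sample of the relevant part of a wp-config.php with the
# placeholder values a fresh install ships with.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def new_key(length=KEY_LENGTH):
    """One cryptographically random key from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_salt_defines(config_text):
    """Name -> current value for whichever of the eight defines are present."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text)
            if m.group("name") in KEY_NAMES}


def rotate_salts(config_text):
    """Return the config text with all eight defines given new random values.
    Other defines (DB_NAME, ...) are left untouched. Raises if any of the
    eight is missing, so a partial rotation is never written out."""
    present = find_salt_defines(config_text)
    missing = sorted(set(KEY_NAMES) - set(present))
    if missing:
        raise ValueError("wp-config.php is missing: " + ", ".join(missing))

    def replace(m):
        name = m.group("name")
        if name in KEY_NAMES:
            return "define('%s', '%s');" % (name, new_key())
        return m.group(0)

    return DEFINE_RE.sub(replace, config_text)


if __name__ == "__main__":
    # For a real site: read wp-config.php, rotate, write it back, keeping a backup.
    print(rotate_salts(SAMPLE_WP_CONFIG))
```

Rotating the keys logs out every user, legitimate admins included. It does not help against an attacker who knows an admin password, since they simply log in again, so reset admin passwords as well, and, as Otto says, check the site's files for anything else left behind.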

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Also, instead of posting this information here, please forward any info you have/find to [email protected].

    Thread Starter jostster

    (@jostster)

    OK, I found some interesting info… I will email it to the email address.

  • The topic ‘[BUG] Users can register even with registration turned off’ is closed to new replies.