• Hi,

    I just noticed almost 500 users on our site, only 6 of which are legit. I have login protection and contact form plugins installed so I don’t think they are coming from there. Could they have come from blog post comments on the blog page on our site?

    I am not getting any advice emails that these users have signed up which is why I hadn’t noticed them until today.

    We’re running Windows 7, WordPress 6.0.2 and all plugins are up to date.

    I would sure appreciate any suggestion on how to stop these. I’ve now deleted all the fake ones. Please let me know if you need any further information.

    Thank you,
    Linda


Viewing 4 replies - 1 through 4 (of 4 total)
  • lisa

    (@contentiskey)

    A few things to consider:
    - What is the capability level of the new (non-legit) users? (admin, editor, author, subscriber, customer, member, etc.)
    - Do you have any settings that allow new users to register?
    - Did all users get added at the same time?
    - Are you able to see the users table in your database?
    - Is there evidence of other changes to files?
    - Use a security checker like: https://sitecheck.sucuri.net/

    • This reply was modified 2 years, 2 months ago by lisa.
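
The checks in the list above can be answered directly from the WordPress database. The queries below are an added example, not part of the original thread; they assume MySQL/MariaDB and the default `wp_` table prefix (a different `$table_prefix` in wp-config.php changes both the table names and the `wp_capabilities` meta key).

```sql
-- Added example: read-only triage queries for unexpected WordPress accounts.
-- Assumption: default table prefix "wp_".

-- 1. Is self-registration enabled, and which role do new accounts receive?
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('users_can_register', 'default_role');

-- 2. Every account with its role. The role is stored as a serialized PHP
--    array, e.g. a:1:{s:10:"subscriber";b:1;}
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'wp_capabilities'
ORDER BY u.user_registered DESC;

-- 3. Accounts holding a role that can publish or administer.
--    Any row here that you do not recognise needs immediate attention.
SELECT u.ID, u.user_login, u.user_registered, m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
   OR m.meta_value LIKE '%"editor"%'
   OR m.meta_value LIKE '%"author"%';

-- 4. Registrations per day: one large spike suggests a single automated
--    run, a steady trickle suggests an open sign-up path.
SELECT DATE(user_registered) AS signup_day, COUNT(*) AS new_accounts
FROM wp_users
GROUP BY DATE(user_registered)
ORDER BY new_accounts DESC, signup_day DESC;
```

All four statements are `SELECT`s, so they can be run in phpMyAdmin or the `mysql` client without changing anything; run them before deleting suspicious accounts, since deletion removes the rows they rely on.
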
    Thread Starter IreneLinda

    (@irenelinda)

    Thanks for getting back to me, Lisa … and so quickly. Here are some answers:
    – I think they signed up as Subscribers (I’m remembering since I deleted them all so can’t double check)
    – the Membership – Anyone can register box in WP admin Settings is not checked; Comments are enabled on our blog
    – not sure about timing but I suspect it’s been over time; I have been getting emails from WP Forms (free version) regularly that tell me about dozens of Contact Form sign ups … none of which have ever come to me as site Admin. I’m wondering if that is a clue. Can’t go to WP Forms for support it seems since we have a free version (I have tried).
    – re. database, happy to check but not totally sure how to get this information for you, sorry.
    – the good news is that I have not noticed any changes in content or functionality on the site. Does this mean I should just not worry?
    – had forgotten about that Sucuri scan and have not run it for quite a while. After running it, here are some of the findings: no malware, not blacklisted, medium security risk (can’t attach so I’ve copy/pasted it below my name) and the recommendation below:
    Protection Recommendations
    Directory Listing is enabled on your site. This can lead to information leakage. We recommend disabling Directory Listing, learn how.

    Does any of this give you some ideas about what I should do next? If you need that DB info, I’ll research how to access it.

    Thanks again for helping!

    Linda

    Security Headers – Not too sure what any of this means! ??

    Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.

    Missing security header to prevent Content Type sniffing.

    Missing Strict-Transport-Security security header.

    Missing Content-Security-Policy directive. We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src

    Leaked PHP version. Your site is displaying your PHP version in the HTTP headers. Please set expose_php = Off. Affected pages:
    https://mygoforthegreen.com/.git/HEAD
    https://mygoforthegreen.com/404javascript.js
    https://mygoforthegreen.com/404testpage4525d2fdc
    https://mygoforthegreen.com/cart/
    https://mygoforthegreen.com/feed/

    • This reply was modified 2 years, 2 months ago by IreneLinda.
    lisa

    (@contentiskey)

    a few ideas:

    - if you think it’s related to free version of WPForms – use this link for creating a support request: https://www.ads-software.com/support/plugin/wpforms-lite/
    - for assistance with Sucuri report or recommendations – https://sucuri.net/company/contact-us/
    - if you have already deleted the users, then there will not likely be any details left in the database. (I would be concerned if any of the users have admin, editor, or author access)
    - you might not notice changes to your site content or functionality — but you should look for unusual files in your file manager area.

    Thread Starter IreneLinda

    (@irenelinda)

    Wonderful stuff, Lisa. Thank you so much. I do know none of them had admin, author or editor access, thank goodness! I like your idea to check file manager and will do so. Thank you, too, for the WP Forms link and the one for Sucuri advice.

    I’ll work through your suggestions over the next couple of days and post back how I do.

    I REALLY appreciate your help and ALL your ideas, as well as your time in providing them to me.

    Back to you soon,

    Linda

  • The topic ‘Fake User Registrations’ is closed to new replies.