• Have already suffered an actual ’email injection’ breach because I was unaware that WP-ContactForm v1.1 needed to be updated to v1.4.3 (for WP2.0.1). Bad Behavior v1.2.4 is now also active, it’s currently 412’ing the continuing email injection attempts. MySQL is filling up.

    Hoping to quash the current takeover activities, I have implemented the password protection [sic] feature on the contact form’s static page. Another static page called ‘password’ shows a simple cryptic clue to the password – i.e. it’ll stop robots/scripts but not people.

    The logs show nice people going through the password area and on to the contact form.

    The logs show nasty scripts completely ignoring, i.e. bypassing, the password area and implementing the POST directly.

    How is this allowed!? More importantly what may I do to defend my WordPress sites?
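The behaviour described above is the expected one: password-protecting the page that displays the form only gates the GET of that page, while the script POSTs straight to the handler, which still accepts anything. The following is an added example, not code from WP-ContactForm or from this thread, of the two checks a contact-form POST handler needs regardless of what protects the page: rejecting email header injection in single-line fields, and requiring a server-issued one-time token that only a client which actually rendered the form can possess. The function names (cf_header_safe, cf_issue_token, cf_check_post), the field names and the sample requests are all assumptions made for the example.

```php
<?php
// Added example, not WP-ContactForm code. Function and field names are illustrative.

/**
 * A value destined for a single mail header line (From name, Reply-To, Subject)
 * must not contain a line break: a CR/LF ends the current header and lets the
 * sender append its own (typically "Bcc: <list>"), which is the whole
 * "email injection" trick. Encoded CR/LF and bare header names are also rejected
 * as a conservative measure against handlers that decode or re-assemble later.
 */
function cf_header_safe(string $value): bool {
    if (preg_match('/[\r\n]/', $value)) {          // raw line break
        return false;
    }
    if (preg_match('/%0[ad]/i', $value)) {         // %0A / %0D, decoded downstream
        return false;
    }
    if (preg_match('/\b(to|cc|bcc|content-type|mime-version)\s*:/i', $value)) {
        return false;                               // header syntax smuggled in a field
    }
    return true;
}

/** Issue a one-time token when the form page is rendered; keep it server-side. */
function cf_issue_token(array &$store): string {
    $token = bin2hex(random_bytes(16));
    $store[$token] = time();   // in a real plugin: session or database, not a local array
    return $token;
}

/**
 * Validate a POST. Returns a list of reasons to reject; empty means accept.
 * The token check is what defeats "POST directly": a script that never fetched
 * the (password-protected) page never received a token.
 */
function cf_check_post(array $post, array &$store, int $maxAge = 1800): array {
    $errors = [];
    $token = $post['cf_token'] ?? '';
    if ($token === '' || !isset($store[$token])) {
        $errors[] = 'missing or unknown form token (direct POST?)';
    } elseif (time() - $store[$token] > $maxAge) {
        unset($store[$token]);
        $errors[] = 'expired form token';
    } else {
        unset($store[$token]);   // one-time use: a replayed token fails next time
    }
    foreach (['name', 'email', 'subject'] as $field) {
        if (!cf_header_safe($post[$field] ?? '')) {
            $errors[] = "header injection attempt in '$field'";
        }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'invalid email address';
    }
    return $errors;
}

// --- Demonstration with constructed requests (not real traffic) ---
$store = [];
$token = cf_issue_token($store);   // would be emitted as <input type="hidden" name="cf_token">

$samples = [
    // A visitor who loaded the form and filled it in honestly.
    'visitor' => ['cf_token' => $token, 'name' => 'Alice', 'email' => 'alice@example.com',
                  'subject' => 'Hello', 'message' => 'Hi there'],
    // A script posting straight to the handler with a Bcc list in the name field.
    'script'  => ['name' => "Bob\r\nBcc: victim1@example.com, victim2@example.com",
                  'email' => 'bob@example.com', 'subject' => "x\nContent-Type: text/html",
                  'message' => 'spam'],
    // The same visitor's token replayed: rejected because it was consumed above.
    'replay'  => ['cf_token' => $token, 'name' => 'Alice', 'email' => 'alice@example.com',
                  'subject' => 'Hello again', 'message' => 'Hi'],
];

foreach ($samples as $label => $request) {
    $errors = cf_check_post($request, $store);
    echo str_pad($label, 8), $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```

The point of the token is that it is checked in the handler, where the POST actually arrives, not on the page the visitor sees; anything that only protects the page (a password, a clue page, an .htaccess rule on the URL of the form) is invisible to a client that skips the page. In a real WordPress plugin the token part can be done with WordPress's own nonce functions (wp_nonce_field() when rendering, wp_verify_nonce() in the handler); the header check still has to be applied to every field that ends up in a mail header.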

Viewing 76 replies (of 76 total)
  • Thread Starter churchtown

    (@churchtown)

    Have re-thought the gist of the .htaccess and will see what happens overnight.
    Also left the Bad Behavior plugin on-line to derive some further intelligence. Looks initially like the same old same old… It’s late so g’night.
    —best wishes, Robert

  • The topic ‘password protection [sic] bypassed;-(’ is closed to new replies.