• Using WordPress, podcast blog set up. I have a plugin that shows who's been on the site and the last URL they visited.

    I see once in a while someone showing the last URL they visited was /browsercomfig.xml – that does not look “normal” or where a visitor should be. Is this someone trying to hack in?

    I also see one that is /wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php – again, should I be worried?

    If so, what security plugins should I consider and/or what steps should I take?

    Thank you

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi docdaddy,

    I would worry about the “/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php” as this is a known exploit vector. See this link for more information: https://www.slemanroot.net/2015/02/wp-exploit-plugin-reflex-gallery.html

    The best thing to do security-wise is ensure all your plugins are up to date and have a read of this: https://codex.www.ads-software.com/Hardening_WordPress

    Kind regards
    Jamie

    I see once in a while someone showing the last URL they visited was /browsercomfig.xml

    browserconfig.xml appears to be related to 404 errors and the Internet Explorer browser. It doesn’t seem to be anything to worry about.

    I also see one that is /wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php

    This is a legitimate file in the plugin. Again no reason to worry providing that the plugin is up to date.

    Regarding security, I recommend installing the Wordfence plugin, and working through the Hardening WordPress codex which has excellent advice.

    Thread Starter docdaddy

    (@docdaddy)

    Thanks- but I don’t have the reflex gallery plugin installed! I looked it up via Google, and there is an exploit with that plugin so I assume it is people trying it on my site.

    I installed WP All in One Security and was setting things up in it, looked great, but now I can’t get into my dashboard. Arghhh! And I am enough of a dummy that I have no idea what I’m doing with trying to go into FTP and deleting things. We are in a PR campaign ramp up, starting to build hits, I hate the thought of downtime, even worse having to rebuild the site while our iTunes and other hits are climbing. /panic-mode on

    Hits for vulnerable plugins are quite common. Providing you don’t have the plugin installed, or if you do that it has been updated, then there is nothing to worry about.

    Regarding access to your dashboard, it sounds like you may need to disable the All in One Security plugin via FTP:

    Navigate to the plugin folder, which will be here:

    wp-content
              plugins
                     all-in-one-security

    and rename it to:

    wp-content
              plugins
                     all-in-one-security.hold

    This will deactivate the plugin.

    If you check and can now login through https://www.yoursite.com/wp-admin then you can rename the plugin:

    wp-content
              plugins
                     all-in-one-security

    This will allow you to see the deactivated plugin inside your WordPress Dashboard, and either try re-activating it again, or delete it.
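
An added example, not part of the original thread or any poster's code: one way to triage the kind of plugin-path hits discussed above by comparing requested plugin folders in an access log against the plugins actually installed. The log lines are constructed, the plugin name `example-podcast-player` is hypothetical, and the installed set is assumed to be the folder names under wp-content/plugins.

```python
import re

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:22 +0000] "GET /browserconfig.xml HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:10:03:41 +0000] "POST /wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php HTTP/1.1" 404 498 "-" "curl/7.38"
198.51.100.23 - - [12/Mar/2015:10:03:45 +0000] "GET /wp-content/plugins/example-podcast-player/js/player.js HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2015:10:09:02 +0000] "POST /wp-content/plugins/example-podcast-player/upload.php HTTP/1.1" 200 41 "-" "python-requests/2.5"
"""

# client IP, method, path and status from a combined-format log line
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# plugin folder name and the file requested inside it (query string ignored)
PLUGIN = re.compile(r'^/wp-content/plugins/([^/?]+)/([^?]*)')


def triage(log_text, installed_plugins):
    """Return (verdict, ip, status, path) for plugin requests worth a look.

    installed_plugins: set of folder names under wp-content/plugins
    (assumption: supplied by the site owner, e.g. from an FTP listing).
    """
    findings = []
    for line in log_text.splitlines():
        req = REQUEST.match(line)
        if not req:
            continue
        ip, path, status = req.group(1), req.group(3), int(req.group(4))
        plug = PLUGIN.match(path)
        if not plug:
            continue  # e.g. /browserconfig.xml: not a plugin path
        slug, rest = plug.group(1), plug.group(2)
        if slug not in installed_plugins:
            # Not installed and the server said "not there": background scanning.
            # Not installed but served anyway: files exist that should not.
            verdict = "probe-not-installed" if status in (403, 404, 410) else "investigate"
        elif rest.lower().endswith(".php"):
            # Direct request to a PHP file of an installed plugin: confirm it is updated.
            verdict = "review-installed"
        else:
            continue  # static asset of an installed plugin, normal traffic
        findings.append((verdict, ip, status, path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"example-podcast-player"}):
        print(*finding)
```
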

    Thread Starter docdaddy

    (@docdaddy)

    THANK YOU!!!! That worked. Again – Thank you!

    Happy to hear you are back up and running again.

  • The topic ‘Should I be concerned when I see users logged in to these parts of my site?’ is closed to new replies.