• Hi

    I have wordfence installed.

    Someone dodgy just logged into the main admin email, which has a very hard password.

    Wordfence emailed me to let me know.

    I quickly logged on and created a new Admin user and deleted that old Admin Account … lucky I saw this happen half an hour afterwards.

    Anyway, now what is my strategy, as I’m not trusting anything now.

    Most plugins were already updated. But I’m doing it again.

    I’m checking the live scan as I can see attempts at logging in to that admin account.

    No-one else has access.

    What else do I check within Wordfence, please, to secure the site better?

    Also I’ve just installed WP Activity log, so I have history of anyone logging in to view and see what is happening.

    HOW would they have gotten in? No old obsolete plugins, WordPress only 1 version old, so not old.

    Please advise extra measures I need to take, as I’m very nervous now about HOW they got in, as it was a very complicated password.

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter kristinubute

    (@kristinubute)

    I’m going through the LIVE View now and blocking IPs permanently.

    What is this file that all the dodgy people try to log in via?

    xmlrpc.php

    Thread Starter kristinubute

    (@kristinubute)

    .waf file is already installed from Wordfence.

    Thread Starter kristinubute

    (@kristinubute)

    .htaccess seems to have additional info in it, so I’m removing it entirely.

    HOW then can I get the script back into my new .htaccess file that gets added when Wordfence is enabled?

    Thanks

    Thread Starter kristinubute

    (@kristinubute)

    I’m removing all cache plugins also and reinstalling them so there are no dodgy cache files.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @kristinubute, thanks for getting in touch.

    It’s difficult to say the origin for certain as there can be factors outside of WordPress involved, but XML-RPC requests that you mention are one of the most common credential-stuffing methods used to attempt access to a site. Unless you’re using Jetpack or the WordPress app, which require it, it can be useful to disable XML-RPC Authentication in Wordfence and possibly block that route altogether in .htaccess.

    Any time we think someone’s site has been compromised, we tell them to update their passwords for their hosting control panel, FTP, other WordPress admin users, and database. Make sure to do this.

    Even if you have complex unique passwords, and a non-predictable username for your admin accounts it can certainly be a helpful layer of security to have reCAPTCHA and/or 2FA enabled. Wordfence’s will work with the default WordPress and WooCommerce login/registration pages but there will be other solutions if you have custom pages, or ones created by a user management plugin.

    There may be parts of .htaccess that are custom to your host or other plugins, so I can’t recommend deleting it outright as your password shouldn’t be exposed through it. Your host may reinstate it automatically if it’s missing and something there was required from their side, though. The code we typically add to .htaccess (if you’re not using .user.ini) is:

    ; Wordfence WAF
    auto_prepend_file = '/your/path/to/wordfence-waf.php'
    ; END Wordfence WAF

    The firewall will have been returned to “Basic Protection” if it can’t find that line though, so you could just go through the optimization wizard process again and the plugin will re-add to the files as appropriate.

    As you mention removing a caching plugin, I did notice some false cache plugins were mentioned in the following article today: https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-hacked-to-install-plugins-pushing-infostealers/

    That may be unrelated to your case if you weren’t seeing fake Chrome errors, so don’t assume this as a diagnosis, but thought it was appropriate to mention after your comment above.

    Don’t forget to remove any suspicious admin accounts if you see any, and the following documentation may help if you need to clean your site:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    https://wordfence.com/learn/

    Many thanks,
    Peter.

    • This reply was modified 12 hours, 1 minute ago by wfpeter. Reason: Added cleaning documentation links
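An added example, not code from the Wordfence plugin or from anyone in this thread: a small Python script that puts numbers behind the two points in the reply above. It parses web server access-log lines (Apache/Nginx "combined" format is assumed), counts POSTs to the two password-accepting endpoints (xmlrpc.php and wp-login.php) per client IP, and flags IPs that cross a threshold, the same information the Live Traffic view shows but in a form you can run over a whole day's log. It also counts the wp.getUsersBlogs calls packed inside one XML-RPC system.multicall body, which is why a few xmlrpc.php hits can represent hundreds of password guesses. The log lines, IP addresses, and the XML-RPC body are constructed for illustration; the threshold value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Apache/Nginx "combined" log format (assumed):
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two endpoints that accept a username/password on a stock WordPress site.
LOGIN_ENDPOINTS = ("/xmlrpc.php", "/wp-login.php")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings such as ?rsd
    return rec


def login_attempts_by_ip(lines):
    """Count POSTs to the login endpoints, per client IP and per endpoint."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            counts[rec["ip"]][rec["path"]] += 1
    return counts


def suspicious_ips(lines, threshold=5):
    """IPs whose login-endpoint POSTs reach the threshold (placeholder), busiest first."""
    totals = {ip: sum(c.values()) for ip, c in login_attempts_by_ip(lines).items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])


def _value_text(value_el):
    """An XML-RPC <value> either wraps the scalar in <string> or carries bare text."""
    if value_el is None:
        return ""
    s = value_el.find("string")
    text = s.text if s is not None else value_el.text
    return (text or "").strip()


def multicall_login_attempts(xml_body):
    """Count password guesses carried by one XML-RPC request body.

    wp.getUsersBlogs takes a username and password, so attackers pack many
    of them into a single system.multicall: one POST, hundreds of guesses.
    """
    root = ET.fromstring(xml_body)
    top = root.findtext("methodName")
    if top == "wp.getUsersBlogs":
        return 1
    if top != "system.multicall":
        return 0
    guesses = 0
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if (member.findtext("name") == "methodName"
                    and _value_text(member.find("value")) == "wp.getUsersBlogs"):
                guesses += 1
    return guesses


# Constructed sample log: one IP hammering both endpoints, two ordinary clients.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2024:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Oct/2024:10:02:00 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [18/Oct/2024:10:02:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.31"
192.0.2.44 - - [18/Oct/2024:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Oct/2024:10:03:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
"""

# Constructed multicall body: three calls in one request, two of them password guesses.
SAMPLE_MULTICALL = """<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName>
<params><param><value><array><data>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value><value><string>Password1</string></value>
</data></array></value></member></struct></value>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value><value><string>Summer2024!</string></value>
</data></array></value></member></struct></value>
<value><struct>
<member><name>methodName</name><value><string>demo.sayHello</string></value></member>
<member><name>params</name><value><array><data/></array></value></member></struct></value>
</data></array></value></param></params></methodCall>
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip in suspicious_ips(lines):
        print(ip, dict(login_attempts_by_ip(lines)[ip]))
    print("guesses in one multicall:", multicall_login_attempts(SAMPLE_MULTICALL))
```

Run against a real log with `suspicious_ips(open("access.log").readlines())` and feed the resulting IPs into Wordfence's blocking, or into the host firewall. Note that a single xmlrpc.php POST counts as one request in the log while carrying many guesses, so the request-count threshold understates XML-RPC activity; that is the reason the reply above suggests disabling XML-RPC authentication in Wordfence, or blocking the route outright (on Apache 2.4, a `<Files xmlrpc.php>` block with `Require all denied` in .htaccess; on Nginx, `location = /xmlrpc.php { deny all; }`), unless Jetpack or the mobile app needs it.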