• Resolved mintjelly (@mintjelly)

    Despite enabling Wordfence to prevent users with the name ‘admin’ from setting up an account, someone has done exactly that. I deleted the account, and a scan shows no problems at this stage. Firstly I’d like to know HOW someone was able to set up a user account, so I can prevent it happening again. I’m checking now with Google to see if the site has been blacklisted and whether there has been any malicious code added. What I’d like to know, as soon as possible, is how they were able to get past Wordfence’s defense. How do I prevent this happening again, and does the pro version guarantee against this level of attack?


Viewing 6 replies - 1 through 6 (of 6 total)
  • Hello, sorry to hear that. There are hundreds (if not thousands) of ways your WordPress site can be successfully attacked; there are no guarantees. Likely vectors are a bad plugin, compromised hosting, compromised server — or even the seemingly endless series of vulnerabilities in WordPress itself. Recent ones documented on Wordfence.com are particularly egregious, e.g., the flaw during installation that opens you up to any criminal on the planet who is paying attention.

    If you google “how to harden WordPress” you can give yourself a PHD level education on defending yourself against the criminals, but nonetheless your fallback is to have an excellent variety of website backups as sometimes it’s best just to erase your website and start over again from an older backup.

    I’d recommend immediately hiring Wordfence cleaning service, which includes Wordfence Premium version. And yes, with the correct settings in Wordfence as well as other hardening measures, you can 99.99% block criminals from making new user accounts.

    Hi mintjelly,
    An attack might happen on the database level if your cPanel/FTP login credentials were compromised, so the attacker can create this user directly from the database. Also, if you are on a shared hosting plan and any of the other websites hosted on the same server with you was hacked, that’s a really big threat for your website as well.

    I recommend going through the steps mentioned in “How to Clean a Hacked WordPress Site using Wordfence”, and following the tips in “How to Harden Your WordPress Site From Attacks”.

    Thanks.

    My 2 cents’ worth..
    Likely the OP has not been hacked.

    a) There is a difference between stopping WordPress user “admin” from being registered (through WordPress registration screens) and preventing user ‘admin’ from existing in the first place. WordFence blocks the user ‘admin’ from being registered on WordPress registrations. The former. It does not run through the user-tables to throw out users named ‘admin’ that appeared by being created manually or through other methods.

    b) Just because a user has the name ‘admin’, does not mean that they have been assigned WP Roles as a site Admin or SuperAdmin.

    c) The OP’s site is (or more accurately at this particular minute WAS) running the ‘woocommerce’ plugin. Now disabled.
    Woocommerce registers “customers”/users on its own. It collects “customer” information, bypasses the normal user registration process, and uses “wp_insert_user()” to insert a new WP user into the tables directly, with a Role of ‘customer’.

    Since the user is now deleted, it might be hard to guess whether this was actually a real (or fraudulent, or robotic) customer registration through the woocommerce user registration process, but I would still guess that this is what could have happened. Looking at the user would likely have shown the “customer” Role.
    Again, just because a user is named ‘admin’ does not mean that the user actually has an ‘Admin’ type Role.

    All that said, I would suggest that WordFence in a future release hooks itself into the WordPress filter ‘illegal_user_logins’ and simply adds the ‘admin’ name to it when called.
    That will block WordPress (at the wp_insert_user() level) from creating ‘admin’ users, no matter which plugin calls wp_insert_user(). WordPress will then not allow ‘admin’ (or any other banned users you add) to be added to the user table.
    As an additional “feature”, this will also prevent any user with banned names from being added manually in edit_user(), from being registered, AND from access through the REST API.
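    The filter suggested above, together with an audit for the point made in (a) and (b) that an already-existing ‘admin’ row is neither removed by the filter nor necessarily an Administrator, as an added example for this thread (not Wordfence’s or WooCommerce’s code); the reserved-name list and the `example_` function names are constructed:

```php
<?php
/**
 * Plugin Name: Reserved usernames (added example)
 * Description: Example for this thread, not Wordfence's or WooCommerce's code.
 */

// Constructed list of logins to reserve; core compares them case-insensitively.
function example_reserved_user_logins() {
    return array( 'admin', 'administrator', 'root', 'wpadmin' );
}

// 1. Reject reserved logins at the wp_insert_user() level. Core applies this
//    filter in wp_insert_user(), edit_user() and wpmu_validate_user_signup(),
//    so it covers the registration form, plugins such as WooCommerce that call
//    wp_insert_user() directly, the Users admin screen and the REST API.
add_filter( 'illegal_user_logins', function ( $illegal ) {
    return array_merge( (array) $illegal, example_reserved_user_logins() );
} );

// 2. The filter only blocks new rows. Audit accounts that already carry a
//    reserved login and record their roles: a user named 'admin' is not
//    necessarily an Administrator (point b above).
function example_audit_reserved_logins() {
    $report = array();
    foreach ( example_reserved_user_logins() as $login ) {
        $user = get_user_by( 'login', $login );
        if ( $user instanceof WP_User ) {
            $report[ $login ] = array(
                'ID'         => $user->ID,
                'roles'      => $user->roles,
                'registered' => $user->user_registered,
            );
        }
    }
    return $report;
}

// 3. Show the audit result to administrators as a dashboard notice.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) { return; }
    foreach ( example_audit_reserved_logins() as $login => $info ) {
        printf(
            '<div class="notice notice-warning"><p>Existing account with reserved login "%s" (ID %d, roles: %s, registered %s).</p></div>',
            esc_html( $login ), (int) $info['ID'],
            esc_html( implode( ', ', $info['roles'] ) ), esc_html( $info['registered'] )
        );
    }
} );
```

    Direct inserts into the users table by anything that bypasses the WP functions (DB access, an unsafe plugin) are not caught by the filter, which is why the audit in step 2 is kept separate from it.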

    Caleb, “banned user names from registration” is an excellent feature request. Thanks for bringing it up. It would also be nice to have a checkbox in WordPress along the lines of “turn off all new user registrations.” Or does that already exist?

    Seems to me, with a few simple things, the WordPress ecosystem could make nearly all brute force registration bot attacks entirely useless. It mystifies me why there has not been more progress in this over the past couple of years.

    MTN

    Yes, turning off all user (and site) registration is already a standard WordPress feature. It has been for many years, at least in multi-site installations.
    An option under “Network Admin” => “Settings”.

    Not sure whether in single site installations that option moves into that single site’s Settings or not. I would never put up a single-site install. I never even tried it.

    However, that does NOT disable creating individual users as an admin from the admin screens. One can still create new users, both SuperAdmins and individual site users. It is just that no one can “register” an account, since they MUST be created by an admin (or a plugin).

    So even with that option turned on, that does NOT prevent goolish plugins wanting to create users, similar to Woocommerce. Pretty much all commerce, forum (such as bbpress), and similar plugins would frequently still create users as usual, since they typically bypass the WP registration process similar to how WooCommerce does it. Creating users into the user-tables using WP functions.

    BUT… By filtering on ‘illegal_user_logins’, that would block all banned user names through all the normal WordPress user paths used by plugins. No one can then register any names, unless an existing Admin user or a plugin does it for them. And even for Admins creating any “bad” names are blocked, since edit_user is blocked.

    The only way remaining for hackers would be to get DB access (to DB directly or through an unsafe WP plugin) and then simply stuff the user-tables manually, without bothering to go through the WP functions.

    Personally, I don’t worry too much about such things anymore (right now at least).
    My sites are so relatively hard that no one can get too close to my back-end functions (including wp-login or xmlrpc). If they are not in the right world-area (i.e. are near me) they are met with an error 418 (“I am a little TeaPot”) just to poke fun at them.
    Many, many times a day do we throw the TeaPot at the whole world’s IPs.

    Not even comment spammers get through.. Akismet is mostly on year-round vacation, yet its stats proudly announce that Akismet has seen the enormous count of 24 spams over the past 12 months. That’s somewhat like when a 5-year old proudly announces that they are tying their own shoe laces.

    Akismet? It’s indeed a joke. Deleted it years ago. I’ve had zero visible comment spam for more than a year now, just with some simple measures such as a challenge question, basic word block list using the WordPress under-featured block list feature, country blocking, Wordfence, and probably a few other things I’ve forgotten about. Used to be a huge problem, took hours every week to deal with.

  • The topic ‘User with admin name’ is closed to new replies.