• Is there a way to improve admin login alerts detection? Right now hackers can log in as admin using code snippets (I don’t want to post that here) and email alerts are not sent.

Viewing 3 replies - 1 through 3 (of 3 total)
  • So you’re saying there is some way a person can log in to WordPress as an administrator without a username or password? That sounds like BS. Please explain in more detail or request that your possibly misleading post be removed from this forum. MTN

    Thread Starter wpfixes

    (@wpfixes)

    Partially correct: hackers can log in as administrator (the first one if there are more) without entering a username or password, but before that they upload a little backdoor script (not detectable by any malware scanner) using some vulnerable plugin or theme. WF is not catching that admin login, meaning it is not sending an email alert and there is no record in live traffic.

    However, the problem I am interested in (and maybe many WF users are too) is whether the admin login detection can be improved so these alerts are sent as usual. For now I added my custom code in theme/functions.php to fix that, but it would be nice to have WF catching it.

    I’m having the same problem with hackers logging in. No Wordfence alerts were sent and no entries appear on the Wordfence Dashboard. I checked my log files because after I logged into an “author” account, I saw that several old articles were showing as “posted” June 24, 2017. They were written several years ago. The “real” author has not used this account for months. There also appear to be numerous POST entries for CRON jobs in the logs. When I looked at wp-config.php, the line that WAS there to disable CRON jobs had been removed.

    63.245.59.20 - - [25/Jun/2017:08:20:02 -0400] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
    119.70.64.189 - - [25/Jun/2017:09:05:33 -0400] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
    118.136.91.15 - - [25/Jun/2017:09:20:53 -0400] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
    213.149.62.173 - - [25/Jun/2017:09:50:20 -0400] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
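
An added example, not part of any post in this thread: the log excerpt above shows POSTs to /wp-login.php arriving from different addresses with one identical User-Agent, and this Python script flags that pattern in a combined-format access log. The sample lines, the agent strings and the threshold of three addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2017:08:20:02 -0400] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "ExampleAgent/1.0"
198.51.100.7 - - [25/Jun/2017:09:05:33 -0400] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "ExampleAgent/1.0"
192.0.2.55 - - [25/Jun/2017:09:20:53 -0400] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "ExampleAgent/1.0"
192.0.2.80 - - [25/Jun/2017:09:30:00 -0400] "GET /wp-login.php HTTP/1.1" 200 2500 "-" "OtherAgent/2.0"
192.0.2.80 - - [25/Jun/2017:09:30:09 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "OtherAgent/2.0"
not a log line
"""

def login_posts(log_text):
    """Yield parsed POST requests to wp-login.php; skip unparseable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string when matching the path.
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield m.groupdict()

def shared_agent_clusters(log_text, min_ips=3):
    """Return {agent: sorted IPs} for agents that posted logins from >= min_ips addresses."""
    ips_by_agent = defaultdict(set)
    for hit in login_posts(log_text):
        ips_by_agent[hit["agent"]].add(hit["ip"])
    return {a: sorted(ips) for a, ips in ips_by_agent.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    for agent, ips in shared_agent_clusters(SAMPLE_LOG).items():
        print(f"{len(ips)} IPs share agent {agent!r}: {', '.join(ips)}")
```
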

  • The topic ‘Wordfence Alert Admin Login Bypass’ is closed to new replies.