
Wordpress hacked

dee

Hi All,

I just discovered this morning that one of my sites has been hacked. I only noticed when I checked the site without being logged in as admin. It seems the posts they had been putting in don't show up when logged in. I think I've caught it quickly and completely reset. Restored the database from one I know is clean and reinstalled WordPress. Got the hosts involved to scan the server (20i ..... they've been fantastic) and all clean again. One thing that came out of it that I didn't know is that vulnerabilities can be used within themes that you're not even using! So if anyone has a few themes uploaded that they aren't using, then delete them.

Not sure how it happened. No FTP users set up and locked. Latest WordPress and all plugins up to date etc. (and not using many).

Anyhow..... my point. I've checked my Webmaster Search Console; there was a spike a couple of days ago in indexed URLs. The number of URLs indexed suddenly jumped by about 1000 odd a few days ago. A couple of questions please for the experienced bods.

1/ Is there a way of getting a list of indexed URLs from the console?

2/ I've started to remove the URLs in the console for the ones I found when doing a Google "site:mysite" search, but is there a bulk remove method?

Thanks for any insight.
 
Always a concern. Just checked my stats: "14954 lockouts" since I installed the 'Limit Login Attempts' plugin. Most try accessing via the default usernames of 'admin' or 'administrator', but fortunately I don't use either, though there are quite a few attempts using the actual username I have!

Good point on the unused themes though, I'm going to remove all but my current one.
 
Always a concern. Just checked my stats: "14954 lockouts" since I installed the 'Limit Login Attempts' plugin. Most try accessing via the default usernames of 'admin' or 'administrator', but fortunately I don't use either, though there are quite a few attempts using the actual username I have!

Good point on the unused themes though, I'm going to remove all but my current one.

Yep... I'm finding out all kinds of stuff I didn't know. For instance, did you know that WordPress provides an API that even makes it easy for a brute-force hacker to get a list of users who have published posts? Go to a WordPress install and use this URL:

example.com/wp-json/wp/v2/users


 
I've found iThemes is a pretty good plugin for WP
 
Yep... I'm finding out all kinds of stuff I didn't know. For instance, did you know that WordPress provides an API that even makes it easy for a brute-force hacker to get a list of users who have published posts? Go to a WordPress install and use this URL:

example.com/wp-json/wp/v2/users

Oh wow, that is shocking. I had just changed my username (again) because it was being used as an attempt to log in, and using that URL, can immediately see my new username listed. Was no point bothering lol
 
Bloody hell, the big G is fast with removing URLs. I put in a list manually, 1 by 1, of about 50, 2 hours ago and all gone from site:"my domain" listings.

Would still love to know if there's a bulk remove option.
 
Yep... I'm finding out all kinds of stuff I didn't know. For instance, did you know that WordPress provides an API that even makes it easy for a brute-force hacker to get a list of users who have published posts? Go to a WordPress install and use this URL:

example.com/wp-json/wp/v2/users

Wordfence plugin stops that as far as I know. Don't know whether there are other ways around it. And you can also limit login attempts etc. etc. I use it on my sites. https://en-gb.wordpress.org/plugins/wordfence/
 
That link on my site produces...

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

If you try to go to wp-admin or any admin login page, they don't work; I've moved and renamed them.

I have also locked out all ISPs apart from my mobile and my broadband ISP from loading any admin pages, so even if you find your way in, you can't load the pages (this is done with an htaccess file stored outside the webroot).

I have a bunch of measures I use, and am slowly rolling them out to all of my sites. Themes, plugins and such are all vulnerable too; gotta lose any not in use.
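To make the two states described in this thread concrete (dee's open /wp-json/wp/v2/users listing, and the rest_user_cannot_view 401 shown in the post above), here is an added example for checking a site's response. It is not code from the thread, from WordPress or from any plugin; the two responses it parses are constructed for the example, and the helper names (exposed_user_slugs, user_listing_urls, verdict) are my own. It relies on one WordPress default: the REST "slug" field is the user nicename, which WordPress derives from the login name unless it has been changed, so the slugs are the values a brute-forcer would try against wp-login.php.

```python
import json

# Constructed sample responses for the two states discussed in the thread.
# These are made up for the example, not captured from any real site.
EXPOSED_STATUS, EXPOSED_BODY = 200, json.dumps([
    {"id": 1, "name": "Site Owner", "slug": "dee",
     "link": "https://example.com/author/dee/"},
    {"id": 4, "name": "Guest Writer", "slug": "guestwriter",
     "link": "https://example.com/author/guestwriter/"},
])
BLOCKED_STATUS, BLOCKED_BODY = 401, (
    '{"code":"rest_user_cannot_view",'
    '"message":"Sorry, you are not allowed to list users.",'
    '"data":{"status":401}}'
)


def exposed_user_slugs(status, body):
    """Return the author slugs an unauthenticated GET of
    /wp-json/wp/v2/users reveals, or [] if nothing is listed.

    The 'slug' field is the user nicename, which WordPress derives from the
    login name by default (assumption stated in the lead-in).  Anything other
    than HTTP 200 with a JSON list is treated as "nothing leaked": the 401
    rest_user_cannot_view body, an HTML error page, a disabled REST API, etc.
    """
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data
            if isinstance(u, dict) and isinstance(u.get("slug"), str) and u["slug"]]


def user_listing_urls(base_url, total_pages):
    """URLs for a complete walk of the endpoint.

    The collection is paginated (per_page caps at 100 and defaults to 10), so
    a check that only fetches the bare URL sees at most the first ten users.
    total_pages would normally come from the X-WP-TotalPages response header.
    """
    base_url = base_url.rstrip("/")
    return [f"{base_url}/wp-json/wp/v2/users?per_page=100&page={n}"
            for n in range(1, total_pages + 1)]


def verdict(status, body):
    """One-line classification of a site's /wp/v2/users response."""
    slugs = exposed_user_slugs(status, body)
    if slugs:
        return f"EXPOSED: {len(slugs)} login-name candidate(s): {', '.join(slugs)}"
    if status == 401 and "rest_user_cannot_view" in body:
        return "BLOCKED: user listing refused for anonymous callers"
    return f"INCONCLUSIVE: HTTP {status}, no user list in body"


if __name__ == "__main__":
    # Run the classifier over both constructed responses.
    for s, b in ((EXPOSED_STATUS, EXPOSED_BODY), (BLOCKED_STATUS, BLOCKED_BODY)):
        print(verdict(s, b))
```

To use it against a live site you would fetch each URL from user_listing_urls() with an ordinary unauthenticated HTTP client and pass the status and body to verdict(). One caveat: closing this endpoint removes only the easiest listing; the author archive (/?author=1 redirecting to /author/<slug>/) leaks the same slug, so a blocked REST response is not on its own proof that usernames are hidden.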
 
That link on my site produces...

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

If you try to go to wp-admin or any admin login page, they don't work; I've moved and renamed them.

I have also locked out all ISPs apart from my mobile and my broadband ISP from loading any admin pages, so even if you find your way in, you can't load the pages (this is done with an htaccess file stored outside the webroot).

I have a bunch of measures I use, and am slowly rolling them out to all of my sites. Themes, plugins and such are all vulnerable too; gotta lose any not in use.

They all seem like great measures.... just the moving of the admin login page seems like a game changer. Are they easy implementations?
 
There are a few plugins which I assume use htaccess trickery to move the admin files. I use one on another set; let me look at what it's called.
 
There are a few plugins which I assume use htaccess trickery to move the admin files. I use one on another set; let me look at what it's called.

Aaaah... I see. Sorry, I thought from your text you'd hard-coded it into the hook or something. Thanks.
 
There was a post some months ago where I posted my recommended settings for Wordfence. Not got time to find it at the moment, but I believe the original thread was by @Murray.
 
Wordfence plugin stops that as far as I know. Don't know whether there are other ways around it. And you can also limit login attempts etc. etc. I use it on my sites. https://en-gb.wordpress.org/plugins/wordfence/
Thanks, that takes care of two plugins for me: login limits and protection. Scary how many login attempts I'm seeing live, but my site receives up to 10k visits per day! I'm still using Akismet Anti-Spam for reducing spam comments; seems to work (unless I rarely get any!).
 
That was it. Thought I had screenshotted my Wordfence settings though. Will try and post it up if I get a moment.
 