Hacking via Registered Users?

  • prayersnapples

    (@prayersnapples)


    13 years, 3 months ago

    I’ve only had my blog a few months (so I’m sure this is normal) but I’ve gotten multiple users that have registered with suspicious names (just a random combination of letters and numbers) and emails – within a day of one of the registrations, I was somehow locked out of my own site/nothing would load (eventually I was able to login, but there were still some things that seemed off)… I deleted that user (a support forum on a different site suggested that maybe users could ‘get into’ my site and cause some damage that way) but now every couple days (for the past few weeks) the user keeps registering again!

    1) Is it possible for registered users to hack into my blog (easier than non-registered users) and do damager?

    2) If so, is there anyway to stop them/any safegaurds I should use?

    and 3) Is there anyway to permanently block a user?

    Thanks!

Viewing 8 replies - 1 through 8 (of 8 total)
  • esmi

    (@esmi)

    13 years, 3 months ago

    1) Not via WordPress core as far as we are aware.

    2) You could turn off registering via Settings ->General.

    Thread Starter prayersnapples

    (@prayersnapples)

    13 years, 3 months ago

    I’m confused about the difference between these subscribers and the people who subscribe to receive email updates on new posts (through jetpack), wordpress subscribers and then this random list of people with suspicious emails I see under “Users” – there’s 56 of them and all of their names are random letters and numbers; none of their emails are at recognizable domains. If I turn off registering under settings, is that going to prohibit wordpress users from following my site or other people who type their email addresses in the jetpack box to get updates? (You can see what I mean on the right hand side of my page, under ‘subscribe’).

    Thanks for your help!

    ThorHammer

    (@thorhammer)

    13 years, 3 months ago

    You really should consider to manualle evaluate each user before accepting them. You don’t need any non-human user, do you?
    It might be a possibility that these “users” are doing this in order to follow your website and watch if/when you have an outdated WP, plugin or theme with security flaws. And then tehy will attack you.
    It is always smart to be paranoid.

    ThorHammer

    (@thorhammer)

    13 years, 3 months ago

    I forgot to mention: these “useres” will most likely use your site to post their spam.

    leejosepho

    (@leejosepho)

    13 years, 3 months ago

    If I turn off registering under settings, is that going to prohibit wordpress users from following my site or other people who type their email addresses in the jetpack box to get updates?

    No, it should not. A registered user is someone who might be subscribed automatically, but I think that is about the only difference. And unless you have some specific reason for allowing people to actually register a user account at your site, such as to post and edit content, you might be best off having none at all other than yourself.

    Thread Starter prayersnapples

    (@prayersnapples)

    13 years, 3 months ago

    @thorhammer: that’s one of the things that first caught my attention – I’ve been manually reviewing them, but every other day I delete the same account and one day later they register again! This has been going on for about a month (it’s just a random bunch of letters/numbers).

    I’m going to try restricting subscription like @leejosepho suggested. The only thing I was worried about was my email subscribers, but if it doesn’t interfere with them, I’m going to do it.

    ThorHammer

    (@thorhammer)

    13 years, 3 months ago

    I am almost sure that those “users” are created by robots just in order to use you as a base to publish spam. I had a similar experience with an old site of mine, I actually emptied the database in order to let the site die, there was nothing visible at all, but still, I got emails tellign me that some ghosts indeed were registering at the site …

    leejosepho

    (@leejosepho)

    13 years, 3 months ago

    I’m going to try restricting subscription like @leejosepho suggested. The only thing I was worried about was my email subscribers, but if it doesn’t interfere with them, I’m going to do it.

    Think of registering and subscribing separately, then use another e-mail address of your own to put your site through its paces. By doing that, I refined things so people can only do what they actually *need* to do while having my chosen options available.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘Hacking via Registered Users?’ is closed to new replies.