Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @ogrish2011, thanks for getting in touch.

    In a fresh browser with no caching, I just hit a server 403 for that URL, meaning the path is correctly forbidden by your server settings rather than relying on Wordfence to block access to your admin area. What server log information is suggesting there’s a link between that page being hit and an attacker gaining access to your database?

    If you’re seeing that page hit on the Live Traffic page by an IP other than yourself, is it accompanied by a red “blocked” icon, or are you not seeing it in Live Traffic and just in the server logs?

    Databases, hosting control panels, and FTP could be accessed outside of your site as they often have their own login pages/methods. I’m unaware at this point whether WordPress and its plugins were fully up-to-date behind an admin account with a complex password using 2-factor authentication. If Wordfence had been flagging any vulnerable plugin versions as critical warnings in recent scans, they may have allowed your site to be exploitable if not updated.

    As a rule, any time I think someone’s site has been compromised, I also advise them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do all of these!

    I will provide our site cleaning instructions for you below, which may be useful to ensure there aren’t any points of access still exposed:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Over half of all login attempts that are made on WordPress sites are made via xmlrpc.php. Our Wordfence Login Security and Wordfence plugins offer the option to block XML-RPC or at least require 2FA with authentication requests using XML-RPC on the Login Security > Settings page. Make sure to delete any suspicious users with administrative access from WordPress’ Users page.

    Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful. Wordfence and other providers offer paid services to clean your site if you’re still having trouble. Regardless of the option you choose, we recommend that you make a full backup of the site beforehand.

    Many thanks,
    Peter.
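
Added example, not part of the reply above and not Wordfence code: a small access-log triage that answers the two log questions the reply raises, namely which client IPs only ever received a server 403 on the admin path and which IPs are sending repeated POSTs to xmlrpc.php. It assumes the common "combined" access-log format; the sample lines, the `triage` function name and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in "combined" log format; IPs are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-admin/users.php?role=administrator HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:05:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
this line is truncated garbage
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')
# These wp-admin endpoints answer unauthenticated visitors too, so a 200 there proves nothing.
UNAUTH_OK = ("/admin-ajax.php", "/admin-post.php")

def triage(log_text, xmlrpc_threshold=3):
    """Summarise admin-path status codes and XML-RPC POST volume per client IP."""
    admin, xmlrpc, unparsed = defaultdict(Counter), Counter(), 0
    for line in filter(str.strip, log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # count, don't silently drop, lines we cannot read
            continue
        ip, method, target, status = m.group(1, 2, 3, 4)
        path = target.split("?", 1)[0].lower()   # ignore the query string
        if path == "/xmlrpc.php" and method == "POST":
            xmlrpc[ip] += 1
        elif path.startswith("/wp-admin/") and not path.endswith(UNAUTH_OK):
            admin[ip][int(status)] += 1
    return {
        # IPs the server refused every time: the admin path was hit but never served.
        "forbidden_only": sorted(ip for ip, c in admin.items() if set(c) == {403}),
        # IPs that were served an admin page; compare against your own addresses.
        "admin_200": sorted(ip for ip, c in admin.items() if c[200]),
        "xmlrpc_heavy": {ip: n for ip, n in xmlrpc.items() if n >= xmlrpc_threshold},
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An address in `admin_200` is not by itself a sign of compromise; it is the list to check against the IPs of the site's legitimate administrators.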

The topic ‘Wordfence’s backend vulnerability?’ is closed to new replies.