madukdiver
Forum Replies Created
Thanks for confirming. I’ve sent you an email with a copy of the script so you can see why I’m using the setTimeout call.
Thanks Eli,
I’d be happy with the whitelist approach but I don’t see that option when I re-run the scan. It shows the two known injections but I do not see a button or other option to white list. How do I do that?
Forum: Plugins
In reply to: [WPS Limit Login] WPS Limit Login, no longer working
@photon78500 unfortunately there’s only tumbleweed in this support forum. If you have ftp or other server access then disable the WPS Limit Login plugin by renaming its folder. You should then be able to log in using your admin details.
In the end I abandoned WPS Limit Login and installed my own scripts using WP Code. They work much better than WPS Limit Login and I’ve never been locked out since.
Forum: Plugins
In reply to: [WPS Limit Login] adding IP6 support
Shame there doesn’t seem to be anyone monitoring this so called ‘support’ forum. I think your modifications would be most welcome. There’s no guidance of how to add ranges of IPv6 addresses to the whitelist which would be very helpful as I have dynamic IP and I keep getting locked out of my own site due to relentless bot attacks.
Forum: Plugins
In reply to: [WPS Limit Login] Add support ip ranges?
In the case of your example you can do this by adding the following to the whitelist:
156.45.67.0/255
However, I agree the ability to use asterisks would be nice.
Hi Eli, the bad actor attempted some further harm on my site by logging in, turning off the activity logging and installing another plug-in. Fortunately the log file recorded the login. It turned out to be a compromised admin account (perhaps a weak or stolen password). I suspended that admin account until the real user performed a password reset.
Using Cloudflare Turnstile, Disable XML-RPC, and WPS Limit Login have helped to reduce the number of failed login attempts from thousands a day to tens which is a significant improvement.
However, yesterday I noticed a new admin user account had appeared in my user list. The user account was created on the same day as the initial intrusion (2nd July) but had not been visible in the user list before. It seems there is a very common and well documented method to ‘hide’ user accounts by adding code that uses the “pre_user_query” filter in WordPress. It took me a while to understand why it had not remained hidden… the most common place to conceal the ‘hide’ code is the active Theme’s functions.php file. What removed the cloak and caused the malicious user to appear was that I updated the Theme, and in doing so removed the malicious code. Unfortunately I don’t have a backup of the hacked Theme functions.php file to examine.
However, I think it would be a useful addition to your scanner to alert if the “pre_user_query” filter is active on the site. As some admins use this function for desirable and legitimate purposes no action would be required, but it would be a handy observation just to point out that there may be some ‘hidden’ users.
- This reply was modified 10 months, 3 weeks ago by madukdiver.
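A file-level version of the check suggested in the reply above, as an added example that is not part of the original post or of any plugin mentioned here: it lists every PHP file under a directory that registers a callback on `pre_user_query`. The directory layout, file names and callback name used in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches add_filter( 'pre_user_query', <callback> ... ) and the add_action form,
# because add_action is a thin wrapper around add_filter in WordPress.
HOOK_RE = re.compile(
    r"""add_(?:filter|action)\s*\(\s*['"]pre_user_query['"]\s*,\s*([^,)]+)""",
    re.IGNORECASE,
)

def find_pre_user_query_hooks(root):
    """Return (relative path, line number, start of callback expression) per registration."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in HOOK_RE.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((path.relative_to(root).as_posix(), line_no, m.group(1).strip()))
    return hits

def demo():
    """Scan a constructed wp-content tree: one theme file with the hook, one clean plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "themes", "example-theme")
        plugin = Path(tmp, "plugins", "example-plugin")
        theme.mkdir(parents=True)
        plugin.mkdir(parents=True)
        # Constructed sample: only the registration line, no callback body.
        (theme / "functions.php").write_text(
            "<?php\n// theme setup\nadd_action( 'pre_user_query', 'example_callback' );\n"
        )
        (plugin / "plugin.php").write_text("<?php\nadd_filter( 'the_title', 'trim' );\n")
        return find_pre_user_query_hooks(tmp)

if __name__ == "__main__":
    for rel_path, line_no, callback in demo():
        print(f"{rel_path}:{line_no}: pre_user_query callback {callback}")
```

A match is a prompt to read the callback, since legitimate code uses this hook too; code that builds the hook name dynamically will not match this pattern.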
Unfortunately I’ve not made much progress. The easy part was letting Anti-Malware Security remove and quarantine the threat – nice! Sadly the site did not have any logging enabled, and the host doesn’t provide anything either so I’m still in the dark about how the malicious code arrived. I did note that an ‘upload’ folder was created with the same timestamp so that might have been involved. Also, immediately after it arrived WooCommerce started logging “fatal-errors” so perhaps it was after financial transaction information. I turned on logging only to find over 2,000 failed logins within a 6 hour period so it appears the site is under attack by bots. Perhaps one of those attempts was successful and that’s how it arrived. To deter the bots I’ve installed a CAPTCHA on the login page. Will monitor closely going forward and see if it comes back. For now I’m rejoicing that I installed the Anti-Malware Security plugin, and thank you for your support.
Thanks for the quick reply and support. I’ll see if I can track it down.