• Resolved jeffersonpowers

    (@jeffersonpowers)


    I’ve recently had security breaches on two different websites. Both instances followed this same pattern:

    First, I receive an alert from wordfence@ [website url] with the subject “Login Verification Required” that asks me to please verify a login attempt, and to change my password immediately if I did not attempt to log in. I’m uncertain whether this alert is coming from WordPress core or from Wordfence. (obviously I don’t click the “verify” link).

    When I log in to the website normally, I find that all of the Wordfence email alerts under “All Options” have been unchecked, and scan scheduling has been disabled. When I run a scan it does indeed find an unknown, suspicious file, which I delete. Looking at the live traffic logs under registered users, I can see an unsuccessful login using my username, from somewhere in Europe (not my location). I should note that I do have 2FA enabled.

    Additionally, when I look at my user profile under “Users,” the “log out everywhere else” button is active, meaning my account is logged in from another location (which it shouldn’t be).

    I delete the malware file and change all passwords: all WordPress user accounts (there are only two), database, FTP, and hosting account control panel. I keep a close eye on it for the next couple of days, but then…

    The exact same thing happens six days later. Login verification email, Wordfence settings changed, my account showing as logged in from a different location, malware file present. This time, they’ve added the malware file to the exclusion list, so the scan doesn’t catch it until I notice that change. Also, once I do detect it, there is something going on with the permissions where I can’t delete the file, either via Wordfence, direct FTP, or the files section on the hosting account control panel. I have to call the hosting company and have them manually delete the file, although they say they can’t see any reason why I shouldn’t be able to delete it from my end.

    I redo the same cleaning steps listed above. Not two hours after doing that, I get another “Login Verification Required” email. At this point I’m way out of my depth, so I just delete the entire website and database, then do a fresh WordPress install and restore the website using a backup from January, before all of this started. That was yesterday, and so far, so good…

    My questions are (I don’t know a lot about this so please forgive me if these questions seem obvious):

    First of all, has anyone else seen anything like this before? I’ve been managing multiple WordPress websites for over 10 years and this is a new one on me.

    How did the hacker gain access to my WordPress admin in the first place? The “verification required” email implies that someone is trying to log in using my username and password, but presumably failing because they’re not able to click the verify link in the email. Also, Wordfence live traffic logs show a failed login attempt but no successful ones other than those I know are actually me.

    Why did I not get an “admin login” alert from Wordfence when they did get in? It seems like there should be some space between when they successfully logged in and when they turned off the Wordfence email alerts.

    Most importantly, what can I do to harden my websites against this type of attack? As far as I know I’m following best practices for WordPress security: strong passwords, 2FA, Wordfence installed, core software and plugins kept up to date. I did some reading this morning that suggests that XML-RPC could be how they’re bypassing Wordfence, so I’ve checked “disable XML-RPC authentication” in the Wordfence login security options, and also added the “deny from all” code to the .htaccess file for one of the two affected sites. Is it redundant to do both of these steps? Is XML-RPC relevant at all?

    I would greatly appreciate any insight or advice from the Wordfence devs and also from the community at large. Thank you very much for your time.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @jeffersonpowers,

    So sorry about your situation. Obviously, Team Wordfence will be able to guide you better on this, but you could have a virus that replicates itself after deleting the suspicious file. In other words, your site may have been hacked.

    We’ve had this happen before and the solution for us was to request our host to perform a virus check on our site and provide instructions for removing the virus. Worked for us. You may want to do the same.

    Also, did you follow these Wordfence instructions for cleaning a hacked site?

    Last, sharing the suspicious file name in this forum may help shed more light on your situation.

    Cheers.

    Thread Starter jeffersonpowers

    (@jeffersonpowers)

    Hi, thanks for replying. I just deleted the entire website, then reinstalled a fresh WordPress install, then restored the site using an UpDraft Plus backup (Updraft Plus doesn’t back up WP core files, only wp-content and the database). I used a backup from January, well before this all started, so I’m fairly hopeful that any malicious files that were there are gone now. But in looking at the cleaning steps I have in fact done all of that too (since it was a backup from a few months ago I had to update the theme and all the plugins anyway). I will mention the virus scan to the hosting company.

    When you say “we’ve had this happen before,” was what happened to you identical (or at least very close) to what I described? My main concern is how they’re getting into the WordPress back end in the first place.

    I’m afraid I don’t remember the file name, but I will make a note of it if it happens again. Wordfence definitely identified and flagged it once I took it off the exclusion list and ran a scan.

    Thanks again for your insights!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @jeffersonpowers, thanks for your detailed account.

    This sounds like there could either be unidentified malware that allows logging in, or a login-related plugin that doesn’t follow the normal WordPress login flow. Either of these could trigger Wordfence’s login verification email, but still finish the login process incorrectly.

    As you changed all passwords, the malware or plugin could be allowing logins without a password. Another possibility is that there is a hidden user that wasn’t removed, and the attacker still has that password. Check the users table manually in the database to see if there are extra users, and check if any other plugins have login-related features. Even if they’re up to date, it’s possible some are no longer maintained. I’d be especially wary of plugins that aren’t from www.remarpro.com, since Wordfence can’t tell if the developer has stopped working on them, or if there are updates that would need to be installed manually.

    Disabling XML-RPC is good if it’s not being used, although it’s a bit concerning that the attacker created files you can’t delete, and the hosting company doesn’t know why your user can’t delete them. The hosting company should be able to see if the owner is different or if there are permission differences. There’s an outside chance that the compromise is at the server. If it happens again, I’d ask the hosting company to investigate how the file was created, which user was the owner, and what the permissions are.

    Access logs would be useful to see what the attacker did. Looking at the time of the verification email should make it fairly easy to match timestamps with actions the attacker did. It may show whether they used wp-login.php or another method provided by another plugin (or theme), or possibly the name of an additional malware file.

    Let us know if you find out any more!
    Peter.
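Peter’s suggestion to check the users table manually is the step most people skip, because a planted account only shows up in wp-admin if it is visible there at all. The script below is an added example (not code from the thread, from Wordfence or from WordPress): it builds a throw-away SQLite copy of the two tables WordPress keeps accounts in, `wp_users` and `wp_usermeta`, with constructed sample rows, and runs the same query you would run against the live MySQL database. WordPress stores a user’s roles in the `wp_usermeta` row whose `meta_key` is `wp_capabilities` (the prefix follows your table prefix, assumed `wp_` here), serialized as a PHP array such as `a:1:{s:13:"administrator";b:1;}`, so a `LIKE '%administrator%'` match on that column lists every administrator regardless of whether the account appears in the Users screen.

```python
"""List administrator accounts straight from the WordPress database and
report any the site owner does not recognise.

Added example, not from the thread or from Wordfence. The SQLite database
and its rows are constructed to stand in for a real wp_users/wp_usermeta
pair; the query itself is plain SQL that runs unchanged on MySQL.
"""
import sqlite3

# Same query you would run in phpMyAdmin / the mysql client; 'wp_' is the
# assumed table prefix, change it if your wp-config.php uses another.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def build_sample_db():
    """Constructed sample data: the owner, an editor, and a planted admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "jefferson", "owner@example.test", "2014-03-02 10:00:00"),
        (2, "editor-jane", "jane@example.test", "2019-07-11 08:30:00"),
        # constructed suspicious row: recent, generic name, throwaway address
        (3, "wp_support", "x@example.test", "2024-04-20 03:12:45"),
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)", [
            (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
            (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        ])
    conn.commit()
    return conn


def list_admins(conn):
    """Logins of every account whose capabilities include 'administrator'."""
    return [row[1] for row in conn.execute(ADMIN_QUERY)]


def unexpected_admins(conn, expected):
    """Admin logins that are not in the list the site owner recognises."""
    return sorted(set(list_admins(conn)) - set(expected))


if __name__ == "__main__":
    db = build_sample_db()
    for login in unexpected_admins(db, ["jefferson"]):
        print("unexpected administrator account:", login)
```

Against a real site, run `ADMIN_QUERY` directly in the database client and compare the result with the accounts you know about; a hit you do not recognise should be examined (registration date, email address, last login if a plugin records it) rather than simply deleted, since its `user_registered` timestamp is also a useful anchor for the access-log search.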
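The access-log correlation Peter describes, and the original poster’s question about whether XML-RPC is the way in, can be checked with one pass over the server’s access log. The script below is an added example, not code from the thread or from Wordfence: it parses Apache/nginx “combined” log lines (the sample lines and the email timestamp are constructed), keeps only requests inside a window around the time of the “Login Verification Required” email, and flags the endpoints that complete or sidestep the normal login flow: `wp-login.php`, `xmlrpc.php`, `wp-admin/admin-ajax.php` and anything under `wp-admin/`. The result is a per-client list of what each IP touched, which you can set beside the Wordfence Live Traffic view to see whether the attacker came through the login form, through XML-RPC, or through some other path a plugin exposes.

```python
"""Correlate web-server access-log lines with the time of a Wordfence
login-verification email.

Added example, not code from the thread, Wordfence or WordPress. Sample log
lines, IP addresses and the email timestamp below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Combined log format:
#   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints through which a login is completed or the dashboard is reached.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/admin-ajax.php")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_login_related(path):
    return path.startswith(LOGIN_PATHS) or path.startswith("/wp-admin/")


def suspicious_requests(lines, email_time,
                        before=timedelta(minutes=10), after=timedelta(minutes=30)):
    """Login-related requests within [email_time - before, email_time + after]."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        in_window = email_time - before <= rec["time"] <= email_time + after
        if in_window and is_login_related(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Map client IP -> sorted list of (method, path, status) it produced."""
    out = {}
    for h in hits:
        out.setdefault(h["ip"], set()).add((h["method"], h["path"], h["status"]))
    return {ip: sorted(v) for ip, v in out.items()}


# Constructed sample: an ordinary visitor, then an unknown client that POSTs to
# wp-login.php, POSTs to xmlrpc.php and reaches the Wordfence options page; the
# last line is the owner's own login hours later, outside the window.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Apr/2024:03:05:11 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [20/Apr/2024:03:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.45 - - [20/Apr/2024:03:10:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.45 - - [20/Apr/2024:03:12:45 +0000] "GET /wp-admin/admin.php?page=Wordfence HTTP/1.1" 200 9801 "-" "Mozilla/5.0"
203.0.113.45 - - [20/Apr/2024:03:13:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Apr/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Constructed: time the "Login Verification Required" email arrived (UTC).
EMAIL_TIME = datetime(2024, 4, 20, 3, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG.splitlines(), EMAIL_TIME)
    for ip, reqs in summarize(hits).items():
        print(ip)
        for method, path, status in reqs:
            print(f"  {method} {path} -> {status}")
```

On a real server, replace `SAMPLE_LOG` with the contents of the access log your host provides and `EMAIL_TIME` with the timestamp from the email header (converted to the log’s timezone). A client that never hits `wp-login.php` but still reaches `wp-admin/` pages points at a non-standard login path, which is the plugin or malware case Peter raises; a client whose only authenticated traffic goes through `xmlrpc.php` is the case the “disable XML-RPC authentication” option is meant to close.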

  • The topic ‘Hacker slipping past Wordfence’ is closed to new replies.