Not all users caught in incident response
-
During investigation of users, I have found more than 100 users with usernames testing-NNNN (NNNN is a number), such as testing-1506, with an @example.com e-mail address. Since this matches the pattern of the attack, it seems that the incident response script in PowerPress_PRT_incidence_response function will not catch all users, because it only looks for usernames of length 7 and after disabling testing and foo-bar, it was satisfied and did not display the notice. This was the case in two websites with this plug-in that I have found.
I deleted the users manually using the search function, but all other plug-in users should check for these accounts as well.
I suggest that searching through e-mails ending with @example.com might be a better idea, it will also be more efficient, if you have many users on the website, the PowerPress_PRT_incidence_response breaks the web anyway, as explained here.
- You must be logged in to reply to this topic.
