• I run a members site created in wordpress. Members who join are assigned subscriber status which allows them to view those posts not visible to casual visitors. It doesn’t qualify them for any access to admin, they cannot even leave comments because that is disabled. I don’t force them to use strong passwords and generally they choose medium weak ones. Somehow recently on two occasions a member’s username and password have been hacked resulting in simultaneous logins from distant parts of the globe. I was able to respond quickly to change the pw and notify the member. However it’s embarrassing.

    The site is NSFW so I won’t post the url. And as you might expect with such a site it receives a fair amount of malicious traffic, but usually directed to finding a vulnerability and gaining access to the admin. I have taken every precaution that I am aware of to prevent that. I cannot see in the logs any brute force attempt to login as a subscriber. However I had overlooked the vulnerability inherent in the xmlrpc.php file. I have now blocked that in the .htaccess.

    So my question is could the hackers have used the xmlrpc.php to discover the user name and pw of a subscriber?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    I don’t force them to use strong passwords and. Somehow recently on two occasions a member’s username and password have been hacked

    Well, there you go. Force users to use strong passwords. XMLPC will not leak passwords.
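As an added example (it is not code from this thread and not part of WordPress itself), here is a must-use plugin that puts both points into practice: it disables XML-RPC at the PHP level, to back up the .htaccess block the original poster mentions, and it rejects weak passwords on the profile and password-reset forms, which is the moderator's advice. It also writes each successful login with its source IP to the PHP error log, the signal the poster used to notice the compromised accounts. The hook names are WordPress core hooks; the 12-character minimum, the function names beginning with `example_` and the log line format are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Subscriber login hardening (example)
 *
 * Save as wp-content/mu-plugins/subscriber-hardening.php so it loads on every
 * request. Example code, not from the thread and not part of WordPress core.
 * The hooks used (xmlrpc_enabled, xmlrpc_methods, user_profile_update_errors,
 * validate_password_reset, wp_login) are core hooks; the minimum length and
 * the log format are assumptions.
 */

// 1. Switch XML-RPC off in the application, in addition to any .htaccess block.
//    'xmlrpc_enabled' => false refuses every method that takes a username and
//    password; dropping pingback.ping removes the unauthenticated method too.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// 2. Refuse weak passwords wherever a member can set one.
define( 'EXAMPLE_MIN_PASSWORD_LENGTH', 12 ); // assumed policy value

function example_password_is_strong( $password, $user_login ) {
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return false;
    }
    // The pattern described in the thread: a single word plus a couple of digits.
    if ( preg_match( '/^[A-Za-z]+\d{1,4}$/', $password ) ) {
        return false;
    }
    // A password that contains the username is not a secret.
    if ( $user_login !== '' && stripos( $password, $user_login ) !== false ) {
        return false;
    }
    return true;
}

// Both the profile screen and the reset form post the new password as pass1.
function example_check_new_password( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // this submission does not change the password
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    if ( ! example_password_is_strong( (string) $_POST['pass1'], $login ) ) {
        $errors->add(
            'weak_password',
            sprintf(
                'Password must be at least %d characters and not just a word followed by digits.',
                EXAMPLE_MIN_PASSWORD_LENGTH
            )
        );
    }
}
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    example_check_new_password( $errors, $user );
}, 10, 3 );
add_action( 'validate_password_reset', 'example_check_new_password', 10, 2 );

// 3. Record every successful login with its source address, so two logins for
//    the same member from different parts of the world are visible in the log.
add_action( 'wp_login', function ( $user_login, $user ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'wp_login user=%s ip=%s time=%s', $user_login, $ip, gmdate( 'c' ) ) );
}, 10, 2 );
```

The password check runs only where WordPress itself collects a new password; a membership plugin with its own registration form would need its own hook, so test the form members actually use. Adding a WP_Error entry is enough to stop the save: both forms display the message and keep the old password.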

    Thread Starter bill7473

    (@bill7473)

    OK. That makes sense. I don’t really like to be proscriptive in case I put anyone off. They tend to choose names of people, places or football teams and append a couple of digits. Probably what most people who don’t know better would do.
    Thanks again

  • The topic ‘Subscriber passwords hacked’ is closed to new replies.