wp_mattoo
Forum Replies Created
quick update : I just installed the “Enable jQuery Migrate Helper” plugin, and it seems to have temporarily resolved the issue.
–> is that the method you used, Paul ?
thanks
Dear horizonit, Dear bmilligan15,
I’m experiencing the exact same problem as described by Paul (both blank picture although appearing on click + no access to config tab) on my website :
https://www.annerostain-weddingplanner.com/galerie-2/
Roughly I understand what Paul explains, but I’m not sure how to “add the jQuery Helper” in the theme, would you please give more detail ?
many thanks in advance,
Matt
I know that Wordfence scan feature can help to detect abnormal/changed files
but beware when installing it, not to activate too many options that could interact with iTsec. Actually in your current situation, do the shortest :
1. install/activate wordfence with default
2. scan your site from wordfence, identify hacked files
3. deactivate wordfence (optional)
4. clean / change all passwords / enforce security
5. update wp, make sure you don’t use unmaintained plugins
good luck…
ps : the best would of course be to understand where it came from, and I’m not expert enough to give you clues. However, try to enforce the iTsec params, – it should definitely help.
Matt
- This reply was modified 8 years ago by wp_mattoo.
Dear All,
Thanks to Pronl I have good reason to think my troubles are away for a while
Basically, here is what I learned – for those it may help :
To protect your website against unfriendly login attempts with efficiency, you need to protect from 3 possible attack sources :
1. wp-login.php
2. xmlrpc.php
3. REST API
The first one is protected by hiding the backend
The second by changing to the recommended option in “WordPress Modification” options set
The third by ticking the corresponding box in the “system tweaks” options set
All in the iThemes Security options section, of course.
Last thing : check the “details” link in the row corresponding to an attack in your iTsec logs section to know which of the 3 above methods was used to attack your site (so that you know if you forgot to protect one of them).
A big thanks again to Pronl for his kind and very effective support !
Matt
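Added example (not part of the original posts, and not iThemes Security code): the same "which of the three entry points was used" check, done against web server access logs instead of the plugin's log screen. The log lines are constructed, and the Combined Log Format and the function names `classify` and `summarize` are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Combined Log Format); hosts are documentation addresses.
SAMPLE_LOG = '''\
203.0.113.7 - - [26/Feb/2017:07:44:02 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [26/Feb/2017:07:44:03 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [26/Feb/2017:07:44:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.24 - - [26/Feb/2017:07:45:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.15 - - [26/Feb/2017:07:46:30 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 901 "-" "-"
192.0.2.15 - - [26/Feb/2017:07:46:31 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 901 "-" "-"
192.0.2.99 - - [26/Feb/2017:07:50:00 +0000] "GET /contact/ HTTP/1.1" 200 4096 "-" "-"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def classify(method, target):
    """Map one request to the entry point it exercises, or None."""
    parts = urlsplit(target)
    path = parts.path.lower().rstrip("/") + "/"
    if method == "POST" and path.endswith("/wp-login.php/"):
        return "wp-login.php"
    if method == "POST" and path.endswith("/xmlrpc.php/"):
        return "xmlrpc.php"
    # REST API: pretty-permalink prefix or the rest_route query parameter.
    if "/wp-json/" in path or "rest_route" in parse_qs(parts.query):
        return "REST API"
    return None

def summarize(log_text):
    """Count requests and distinct hosts per entry point."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        host, method, target, _status = m.groups()
        vector = classify(method, target)
        if vector:
            entry = seen.setdefault(vector, {"requests": 0, "hosts": set()})
            entry["requests"] += 1
            entry["hosts"].add(host)
    return {v: {"requests": e["requests"], "hosts": sorted(e["hosts"])}
            for v, e in seen.items()}
```

An entry point that still shows traffic after its setting was changed is the one left unprotected.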
after checking, yes, I can confirm I am using 6.1.1
FYI the attacks continue
2017-02-26 19:41:20 178.80.234.45 stephanie
2017-02-26 17:26:15 2a02:587:5c0a:c500:79f1:1d7b:9bb7:aa5e stephanie
2017-02-26 15:19:35 188.142.192.46 stephanie
Many thanks for your kind support !!
wow… thanks a lot it’s really kind of you, I do appreciate !!
I’ll send you an email right away with a screenshot pack.
thanks !!
Forum: Fixing WordPress
In reply to: How to prevent / block malicious files to be uploaded ?
Thanks for your prompt answer !
I’ve been reading your guide (actually already did in the past but then I took time to re-check everything).
what I can say is that this hack consists in injecting fake files, always the same :
– ror.xml
– sitemap.xml
– news.php
an example of fake ror.xml I could find on one of my site is (it’s a HR Company, not dealing with adidas products) :
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="https://www.google.com/schemas/sitemap/0.9">
  <url>
    <loc>https://www.alice-b-alexander.com/news.php?id=adidas-news</loc>
    <lastmod>2017-02-22</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.9</priority>
  </url>
  <url>
    <loc>https://www.alice-b-alexander.com/news.php?id=adidas-nmd-2014-enfant</loc>
    <lastmod>2017-02-22</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.9</priority>
  </url>
Many thanks in advance if anyone has any advice…
Matt
Thanks for your answer !
I’ve been looking at the logs, all it says is the user name that has been tried, and at what time it was, as you can see below. Additionally I have the IP list (that I didn’t get in the email) but it’s never the same, so there’s no efficient way to ban :
2017-02-26 07:44:02 92.53.55.142 stephanie
2017-02-26 05:29:14 187.199.79.106 stephanie
2017-02-26 03:25:09 98.143.69.104 stephanie
2017-02-26 01:04:50 88.253.180.222 stephanie
2017-02-25 20:21:42 79.180.240.53 stephanie
The strange thing is I changed the default login page (using the hide backend feature) so the login URL is not anymore one of these :
https://www.example.com/admin/
https://www.example.com/wp-admin/
https://www.example.com/login/
https://www.example.com/wp-login.php
Therefore, how can the hackers still try to log ?
Thanks for the details, I really need help on this subject…
Matt
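Added example (not part of the original posts): a summary of a failed-login log in the "date time host username" layout quoted above, grouped by targeted username rather than by host, which is what separates a one-host burst from attempts spread across many hosts. The log lines, usernames, the 0.8 ratio and the function names are constructed for this example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed lines in the quoted "date time host username" layout; hosts are documentation addresses.
SAMPLE = """\
2017-02-26 07:44:02 192.0.2.10 editor1
2017-02-26 05:29:14 198.51.100.7 editor1
2017-02-26 03:25:09 203.0.113.55 editor1
2017-02-26 01:04:50 2001:db8::1d7b editor1
2017-02-25 20:21:42 192.0.2.200 editor1
2017-02-26 02:00:00 203.0.113.9 admin
2017-02-26 02:00:05 203.0.113.9 admin
2017-02-26 02:00:09 203.0.113.9 admin
"""

def parse(text):
    """Yield (timestamp, host, username); skip lines that do not parse."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            when = datetime.strptime(" ".join(fields[:2]), "%Y-%m-%d %H:%M:%S")
            host = ipaddress.ip_address(fields[2])  # accepts IPv4 and IPv6
        except ValueError:
            continue
        yield when, host, fields[3]

def profile(text, min_attempts=3):
    """Per targeted username: volume, host spread and tightest spacing."""
    by_user = defaultdict(list)
    for when, host, user in parse(text):
        by_user[user].append((when, host))
    report = {}
    for user, events in by_user.items():
        if len(events) < min_attempts:
            continue
        times = sorted(w for w, _ in events)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        per_host = Counter(h for _, h in events)
        report[user] = {
            "attempts": len(events),
            "distinct_hosts": len(per_host),
            "max_per_host": max(per_host.values()),
            "min_gap_minutes": int(min(gaps)),
            "distributed": len(per_host) / len(events) >= 0.8,
        }
    return report
```

`min_gap_minutes` is the tightest spacing between two attempts on the same username; a lockout check period shorter than that counts each attempt on its own.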
Hi Gerroald,
I’m experiencing the same problem (ie: Googlebots being blacklisted because of too many 404).
What do you mean by “get them fixed” ?
Which would be a good way to fix this ?
thanks a lot for your help,
Matt
Dear Dwinden,
Many thanks once again for your detailed and valuable answers.
basically :
– how can I check if (one of) my website(s) is leaking user\account names or not ?
– what is the best way to make sure it is NOT ?
Although I 100% understand and agree with your point about increasing Minutes to Remember Bad Login, do you think setting 120 min could harm the site server (in terms of resources) ?
A big thanks for all your help,
Matt
Dear Dwinden,
Thanks for your answer, I do appreciate !!
Yes, I’m using the latest version 5.2.1, I just checked before answering.
Account roland actually exists, although it never posted any message, dunno how the hacker managed to find it, but it actually exists. It happens that it is not an admin, and that its password is VERY strong, fortunately. However, it’s a good exercise to fine tune my iTSec plugin for this (and all my other sites).
The attacked Website URL is : https://www.alice-b-alexander.com/
FYI later in the afternoon (hours after this post) I got a mail this afternoon, AFTER changing to 120 min the “Minutes to Remember Bad Login (check period)” setting :
Dear Site Admin,
A host, 54.191.138.145, and a user, roland, have been locked out of the WordPress site at https://www.alice-b-alexander.com due to too many bad login attempts.
The host has been locked out permanently and the user has been locked out until 2016-02-13 18:14:24.
Checking in the Ban Hosts field of the iTSec Plugin I can confirm the IP is actually locked.
Anyhow, I would be very interested by your answer / comments / advice, especially on the fact to turn the ban to 120 min — is that ok ?
Thanks !!
Forum: Everything else WordPress
In reply to: Ressources when a WP Site is not visited
hi Max,
thanks a lot for your detailed answer, I’ll take this into account.
Thanks also for the unix reminder, I’ll ssh’ it