Blog site getting hacked again

Web hosting discussion, programming, and shared and dedicated servers.
by bob noble » Mon Jan 02, 2017 3:46 pm
Hi,
This morning I found that Wordfence found some bad files again on my Http://bobseyes.net site. This time they got into the Wordfence plugin and messed it up. I couldn't use Wordfence. I transferred some backup files from .snap, but I can't seem to get it going.
Need some help please as I can't get into my dashboard on my site.
Thanks,
Bob
by bob noble » Mon Jan 02, 2017 10:03 pm
Using FileZilla and some backups, I was able to uninstall my Wordfence software and load a fresh copy, and was able to do a scan and work the bad stuff out, mostly by replacing the WordPress files and folders from backups.
I now have a clean scan using Wordfence and my blog site seems to be working ok for now.
I disabled my plugins as the hack seemed to get into some of them, specifically JetPack and Wordfence. I will install new copies of them just to be sure. Of course I changed my password again.

Wordfence has a live traffic page where I can watch traffic coming to my site. It seems a lot of hits are to a file that was added, which Wordfence found and I deleted, and they are all getting "file not found": File.php in a text folder in the includes folder.

If traffic comes to my wp-login.php file, can I assume they are bad guys, as I'm the only one signed up as a user? Do commenters use this login? I can see a fair amount of traffic going to this file.
Thanks,
Bob
by drew.phillips » Wed Jan 04, 2017 1:53 pm
Hi Bob,

Glad you were able to restore your site again. Not sure what's going on there but I did a quick scan and don't see any compromised files at the moment.

As far as I know, wp-login.php is *only* used for logging in, registering, and resetting passwords. Comments are handled by wp-comments-post.php. So the traffic to this is likely dictionary attacks against your password.

A couple of helpful things: delete xmlrpc.php from your WordPress directory. This is seldom used by anyone and is heavily attacked (you'll need to delete it after each update).

Also, change your login username from "admin" to something else. Usually they're trying to get into the "admin" account, so if you change the username for it, they'll be guessing passwords for the wrong account.
Drew Phillips
Programmer / System Operations, Sonic.net
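Drew's reply above gives a way to read the "fair amount of traffic" Bob sees: a POST to wp-login.php is a login attempt, a POST to wp-comments-post.php is a commenter, and xmlrpc.php is a third entry point. The script below is an added example, not code from this thread or from Wordfence, that applies those rules to an Apache/nginx "combined" access log: it counts login and XML-RPC POSTs per source IP, flags sources over a threshold as password guessing, and separately lists every IP that completed a login so the site owner can confirm each one is really them. The log lines, IP addresses and threshold are constructed for the demonstration; the assumption that a successful wp-login.php POST is answered with a 302 redirect (and a failed one with a re-rendered 200 page) matches default WordPress behaviour but should be checked against your own login in the log.

```php
<?php
// Added example (not from the original post or from Wordfence): triage a
// "combined" format access log for WordPress login guessing.
// Pass a log file as the first argument, or run with no arguments to use the
// constructed sample lines at the bottom.

// host ident authuser [date] "METHOD path protocol" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

/** Parse one combined-format line; null if it does not match the format. */
function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?: $m[4], // strip ?query
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/** Label a request by the WordPress entry point it hits. */
function classify(array $req): string
{
    if ($req['method'] !== 'POST') {
        return 'other';
    }
    switch (basename($req['path'])) {
        case 'wp-login.php':
            // Assumption (default WordPress): a bad password re-renders the
            // form with 200, a good one redirects (302) into wp-admin.
            return $req['status'] === 302 ? 'login-success' : 'login-attempt';
        case 'xmlrpc.php':
            return 'xmlrpc-post';  // a publishing client, or multicall guessing
        case 'wp-comments-post.php':
            return 'comment';      // an ordinary commenter; no login involved
        default:
            return 'other';
    }
}

/**
 * Count requests per IP and class. IPs whose login/XML-RPC POSTs reach
 * $threshold are reported as guessing; every IP with a successful login
 * is reported so the owner can verify it.
 */
function triage(array $lines, int $threshold = 5): array
{
    $counts = [];
    foreach ($lines as $line) {
        $req = parseLine($line);
        if ($req === null) {
            continue;
        }
        $class = classify($req);
        $counts[$req['ip']][$class] = ($counts[$req['ip']][$class] ?? 0) + 1;
    }
    $guessing = [];
    $loggedIn = [];
    foreach ($counts as $ip => $byClass) {
        $attempts = ($byClass['login-attempt'] ?? 0) + ($byClass['xmlrpc-post'] ?? 0);
        if ($attempts >= $threshold) {
            $guessing[] = $ip;
        }
        if (!empty($byClass['login-success'])) {
            $loggedIn[] = $ip;
        }
    }
    return ['counts' => $counts, 'guessing' => $guessing, 'logged_in' => $loggedIn];
}

// Constructed sample: one guesser, one commenter, one XML-RPC client, one real login.
$sample = [];
for ($i = 0; $i < 6; $i++) {
    $sample[] = sprintf('203.0.113.7 - - [04/Jan/2017:13:51:%02d -0800] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"', $i);
}
$sample[] = '198.51.100.23 - - [04/Jan/2017:13:52:10 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.net/2017/01/hello/" "Mozilla/5.0"';
$sample[] = '192.0.2.50 - - [04/Jan/2017:13:55:00 -0800] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"';
$sample[] = '192.0.2.77 - - [04/Jan/2017:14:02:33 -0800] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"';

$lines  = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $sample;
$report = triage($lines);
foreach ($report['guessing'] as $ip) {
    echo "password guessing from $ip: ", json_encode($report['counts'][$ip]), "\n";
}
foreach ($report['logged_in'] as $ip) {
    echo "successful login from $ip (is this you?)\n";
}
```

Run it as `php triage.php /path/to/access.log`. Note that xmlrpc.php POSTs undercount the real number of guesses: as discussed later in the thread, one request there can carry many username/password pairs, so a few dozen POSTs from one address can mean thousands of attempts.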
by bob noble » Wed Jan 04, 2017 6:25 pm
Hi Drew,
I found some eva or eval bad stuff in a php.ini file outside the WordPress file in my main directory, which might have been left over from a previous attack, and I deleted it.
I've also been blocking ISP networks that go to the login.php file and/or the xml file, which you said to delete, which I will do.
That has slowed down the attempts to log in from these guys. I've also blocked any other tries that come to anything out of the ordinary.
I'm not sure I can change the admin name as I've tried to in the past and it was stuck at that, but I'll check it out again.
I think with Wordfence I've at least got this under control, and each time I learn more, so now I think I can recover from most attacks much faster. I've learned to keep a fresh copy of the WordPress software on my computer so I can upload fresh files fairly fast now using FileZilla.
Thanks for the help,
Bob
by Guest » Wed Jan 04, 2017 7:34 pm
You could also enable two factor authentication. Wordfence has it if you have the premium edition. There are also other plugins available with it.
by bob noble » Wed Jan 04, 2017 11:49 pm
Hi Drew,
I removed the xml file but my Live writer blog writer needed it to post to the site. Is there another file path I can use to post to with Live Writer or maybe that's just the file Live Writer needs to publish posts?
Anyway, I had to put it back in Wordpress to publish.

Using Wordfence I've blocked all the networks that have tried to log in as registered users. I'm not sure how they can be registered users, as they don't show up in Users in my WordPress dashboard, but my Wordfence software lists them as registered users. Maybe they just fake that? They all fail to log in now since I removed the bad stuff on my site.
So far so good. I hope they get tired and go away soon. :O)
Bob
by drew.phillips » Thu Jan 05, 2017 8:37 am
Ah yes that's one of the cases of when you will need xmlrpc.php (external publishing).

I tweaked the .user.ini file a bit so that the auto_prepend_file directive referenced the full path to wordfence-waf.php. The way it was before "auto_prepend_file = 'wordfence-waf.php'" could cause it not to load properly when called from paths other than "/" as it would then look for it in the wrong place. Using an absolute path to your hosting directory will make it accessible from anywhere.

As for the registered users, maybe it's just an error. Your wp_users table only has one user, admin.

Side note: I'm also the author of this plugin which can add a captcha to various forms on your WordPress site. WordFence should take care of a lot of your security, but at the very least, adding this to your login form if nothing else can prevent automated attacks against your admin login. People also try to brute force against xmlrpc.php because it lets you pass up to 100 username/password combinations at a time and tells you if any were a hit. I'd think Wordfence would mitigate against this specific attack but I don't know that for sure.
Drew Phillips
Programmer / System Operations, Sonic.net
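Drew's last paragraph explains why xmlrpc.php is such a popular target (one request can test up to 100 username/password pairs via system.multicall), and Bob's earlier post shows why he cannot simply delete the file: Live Writer publishes through it. The must-use plugin below is an added example, not code from this thread, from Wordfence or from WordPress core. It keeps XML-RPC available for remote publishing but removes the multicall and pingback methods, which a desktop publishing client does not need, and adds a small failed-login counter that applies to both wp-login.php and the XML-RPC login because both go through WordPress's wp_authenticate(). The method names removed, the limits, and the use of REMOTE_ADDR as the client address are assumptions to adjust for your own setup; a site behind a reverse proxy must take the client address from the header the proxy sets instead.

```php
<?php
/**
 * Plugin Name: Trim XML-RPC attack surface
 * Description: Keep xmlrpc.php working for remote publishing, drop the methods
 * that mainly serve attackers, and throttle repeated failed logins.
 *
 * Added example for this thread, not Wordfence's or WordPress's own code.
 * Install: save as wp-content/mu-plugins/trim-xmlrpc.php (create the folder if
 * it does not exist). Must-use plugins load automatically and are not touched
 * by core updates, unlike deleting xmlrpc.php, which reappears on every update.
 */

if (!defined('ABSPATH')) {
    exit; // only run inside WordPress
}

// 1. system.multicall is what lets one POST test many username/password pairs;
//    pingback.ping is abused for reflection attacks. Assumption: your publishing
//    client only needs the wp.* / metaWeblog.* methods, so neither is missed.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
});

// Stop advertising the pingback endpoint on every page response.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 2. Throttle failed logins per client address. wp_authenticate() is used by
//    both wp-login.php and the XML-RPC login, so one counter covers both.
define('TXR_MAX_FAILURES', 10);                 // assumed limit per window
define('TXR_WINDOW', 15 * MINUTE_IN_SECONDS);   // assumed window length

/** Transient key for the requesting client. */
function txr_client_key(): string
{
    // Assumption: PHP sees the real client in REMOTE_ADDR (no reverse proxy).
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'txr_fail_' . md5($ip);
}

// Count every failed login, whichever entry point it came through.
add_action('wp_login_failed', function (string $username): void {
    $key = txr_client_key();
    set_transient($key, (int) get_transient($key) + 1, TXR_WINDOW);
});

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out client gets this error even if it finally guesses the password.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(txr_client_key()) >= TXR_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts from your address. Try again later.')
        );
    }
    return $user;
}, 30, 3);
```

After installing, publish a post from Live Writer to confirm the wp.* methods still work, then confirm with a deliberately wrong password that the lockout message appears after the configured number of failures. Wordfence's own login throttling and brute-force rules do similar work; this example is the minimal standalone version of the idea, not a replacement for the plugin.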
by bob noble » Fri Jan 06, 2017 12:31 am
Hi Drew,
It looks like Wordfence is getting the file now, but it's not showing it working in Wordfence.
Here's what I found in System configuration from Wordfence.
auto_prepend_file /opt/apache/conf/IP/33/209.204.150.33/wordfence-waf.php no value. I'm not sure what "no value" means, but it's getting to the file from what I can see.
This leads me to believe it's finding the file, but it's still not showing enhanced in my dashboard.
So, I figure I better go over to the Wordfence forum and beat on their door a bit to see what they think as it looks like something on their end.

Wordfence seems to be doing a good job of blocking the unwanted logins. And yes, I can limit how many hits it gets before it blocks them out. I've also spent a good deal of time blocking networks with Wordfence, and now there are a lot fewer hits from the bad guys. I block all login tries and anything that messes with any of the files in WordPress that don't normally get accessed. The firewall is working, just not in the enhanced mode.

Your plugin sounds like a good idea, I'll check it out and likely install it. Thanks for that info.
If I get the enhanced part going I'll report back.
Thanks for all the help,
Bob
by bob noble » Fri Jan 06, 2017 12:37 am
Guest wrote: You could also enable two factor authentication. Wordfence has it if you have the premium edition. There are also other plugins available with it.
Hi guest,
I wasn't aware of this two factor authentication. I'm using the free version of Wordfence, as my site makes no money and I have to watch my dollars. :O) However, this is still good stuff to know and I may use it later. Right now, Wordfence seems to be doing its job and stopping all the bad guys. I may look into other plugins to do this if I continue to have problems.
Thanks for the info,
Bob