GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   Is this a new Word Press hack or what? (https://gfy.com/showthread.php?t=1384747)

Yamato 06-27-2025 11:07 AM
Is this a new Word Press hack or what?
 
So, I have this old site on WordPress, and it has all updates installed, so it’s fully patched. Out of the blue, I started getting emails about new users registering and then requesting lost passwords. All of them are coming from the usual suspects—Bangladesh, India, Indonesia, Cambodia, Brazil, etc. The emails they’re registering with look legit and mostly corporate. What’s going on?

cerulean 06-27-2025 11:25 AM
Do you have WordFence installed?

This is a pretty common tactic, to use password lists and bombard a site with login and registration attempts looking for vulnerabilities and existing accounts. If they find an active account, the tactic might change. My WordPress sites that employ WordFence have tons of logs of these things happening.

Yamato 06-27-2025 03:12 PM
Quote:
Originally Posted by cerulean (Post 23381079)
Do you have WordFence installed?

This is a pretty common tactic, to use password lists and bombard a site with login and registration attempts looking for vulnerabilities and existing accounts. If they find an active account, the tactic might change. My WordPress sites that employ WordFence have tons of logs of these things happening.
Yes, its WordFence email me these emails every few seconds. It was installed with WP and suddenly started to email be this brute force attempts earlier this week. I wonder if its new version that turned off notifications and now bombarding me because I see summary and it shows same thing happened last week.

fris 06-27-2025 05:35 PM
best to block all connections except your from wp-admini do that allow from my ip deny from all so they ant even reach the login page.

cerulean 06-27-2025 07:04 PM
Quote:
Originally Posted by Yamato (Post 23381134)
Yes, its WordFence email me these emails every few seconds. It was installed with WP and suddenly started to email be this brute force attempts earlier this week. I wonder if its new version that turned off notifications and now bombarding me because I see summary and it shows same thing happened last week.
That's possible. WordPress accounts for half the websites out there. There are a lot of vulnerabilities from years past, and a lot of malicious actors trying to break into these sites. It's very lucrative to get a crypto bot running or steal user data.

You would do well to have your web developer audit your site and have your host do a cursory anti-malware scan, just to be safe.

Shoplifter 06-27-2025 08:03 PM
Quote:
Originally Posted by fris (Post 23381151)
best to block all connections except your from wp-admini do that allow from my ip deny from all so they ant even reach the login page.
This.

Make a Cloudflare WAF custom rule to block wp-login.php.

TubesBooster 06-28-2025 03:01 AM
Check if you have updated not only WP, but also plugins and themes, because themes are very often hacked, primarily those that come pre-installed with wordpress. If you don't use them, uninstall them completely.

Okaro 06-28-2025 05:19 AM
For login i change the wp-login page with this plugin: WPS Hide Login

Light and easy.

fris 06-28-2025 07:51 AM
Quote:
Originally Posted by Okaro (Post 23381240)
For login i change the wp-login page with this plugin: WPS Hide Login

Light and easy.
still can find it easily, best to just add a rule in your webserver to block all except your ip.

blackmonsters 06-28-2025 09:13 AM
Also install Fail2ban on your sever.
It will ban IP addresses that try login too many times.

https://github.com/fail2ban/fail2ban

:2 cents:


All times are GMT -7. The time now is 10:33 PM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc123