getButterfly Logo getButterfly code wrangling since 2005

Here’s another hack that targets WordPress “admin” users using brute force password cracking. In other words, if your WordPress administration area is accessible using “admin”, “administrator”, “user”, “sandbox” or other simple dictionary words, it is vulnerable.

The latest hack I’ve found injected an invisible plugin folder called /wpppm/ which contained a wpppm.php file (see source code below) and a /.k/ folder with empty, random named files, such as 01f4413a78986a719b275baeaf97d889, 02f4ea2da8a3c92603e4bdbd7aa11008 and 83e17edfceb7de1dae7c21c6d7f10a57.

The IP address inside the plugin – – resolved to (Germany Hausham Greatnet New Media), but I’m sure it changes for every WordPress installation. One of the security plugins reported tons of “admin” login attempts originating from Ukraine.

I also learned that such security plugins still allow for code/file injection. Change your “admin” user right now and user non-dictionary words, use both lowercase and uppercase letters and use digits and numbers. You’ll be a lot more safe.

Subscribe to getButterfly Blog

Once a week or so we send an email with our best content. We never bug you, we just send you our latest piece of content.

If you found any value in this post, agree, disagree, or have anything to add - please do. I use comments as my #1 signal for what to write about. Read our comment policy before commenting! Comments such as "Thank you!", "Awesome!", "You're the man!" are either marked as spam or stripped from URL.

Leave a reply