Here's another hack that targets WordPress admin accounts by brute-force password cracking. In other words, if your WordPress administration area can be accessed using sandbox or another simple dictionary word, it is vulnerable.
The latest hack I've found injected a hidden plugin folder called /wpppm/, which contained a wpppm.php file (source code: https://pastebin.com/embed_iframe/8TLQ6Tpi), and a /.k/ folder with empty, randomly named files.
The IP address inside the plugin, 188.8.131.52, resolved to srv110.server.name (Greatnet New Media, Hausham, Germany), but I'm sure it changes for every WordPress installation. One of the security plugins reported tons of admin login attempts originating from Ukraine.
I also learned that such security plugins still allow code/file injection. Change your admin user right now: use non-dictionary words, mix lowercase and uppercase letters, and include digits. You'll be a lot safer.
Also, use Cloudflare to block access from countries you're not interested in. For example, for an Ireland-based site with a 100% Irish audience, I blocked Germany, Ukraine and Russia, and spambots and spam registration attempts stopped overnight.
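As an added example (my own code, not from the post or from any plugin mentioned in it), here is a small check that spots the brute-force pattern described above in web-server access logs. It assumes the combined log format, and that WordPress answers a failed wp-login.php POST with a 200 (the form is re-rendered) and a successful one with a 302 redirect; the log lines and IP addresses below are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]          # drop query string, e.g. ?redirect_to=
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Map each source IP to the largest number of failed wp-login.php POSTs it made
    inside any window_seconds-long window; only IPs reaching threshold are returned.
    A failed login re-renders the form (HTTP 200); a success redirects (HTTP 302)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):                 # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log: one IP hammering the login form, one legitimate user.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"'
    for s in (0, 5, 10, 15, 20, 25)
] + [
    '203.0.113.7 - - [10/Oct/2023:13:54:58 +0000] "GET /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))         # {'203.0.113.7': 6}
```

Feed it `open("access.log")` in place of SAMPLE_LOG, and pair the flagged IPs with a firewall or Cloudflare rule rather than relying on a plugin alone.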