WordPress “Plugin Manager” Hack

Filed under Blog, WordPress

Here’s another hack that targets WordPress admin users using brute-force password cracking. In other words, if your WordPress administration area can be accessed with a username or password such as admin, administrator, user, sandbox or another simple dictionary word, it is vulnerable.

The latest hack I’ve found injected an invisible plugin folder called /wpppm/ which contained a wpppm.php file (see source code below) and a /.k/ folder with empty, randomly named files, such as 01f4413a78986a719b275baeaf97d889, 02f4ea2da8a3c92603e4bdbd7aa11008 and 83e17edfceb7de1dae7c21c6d7f10a57.
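As an added example (not code from the post), here is a small Python scanner that walks a wp-content/plugins directory and flags any plugin folder laid out like the drop described above: a hidden /.k/ sub-folder holding empty files with 32-character hex names. The sample tree, the function names and the placeholder PHP contents are constructed for the demonstration; the file names inside /.k/ are the ones quoted in the post.

```python
import re
import tempfile
from pathlib import Path

# The post describes empty files with 32-hex (MD5-looking) names inside /.k/
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def scan_plugins(plugins_dir):
    """Walk a wp-content/plugins directory and flag plugin folders that match
    the drop described in the post: a hidden '.k' sub-folder holding empty,
    32-hex-named files. Returns one dict per suspicious plugin folder."""
    findings = []
    for plugin in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        k_dir = plugin / ".k"
        if not k_dir.is_dir():
            continue
        empty_hex = [f for f in k_dir.iterdir()
                     if f.is_file() and HEX32.match(f.name) and f.stat().st_size == 0]
        if empty_hex:
            findings.append({
                "plugin": plugin.name,
                "empty_hex_files": len(empty_hex),
                # PHP files at the top level of the plugin folder, e.g. wpppm.php
                "php_files": sorted(f.name for f in plugin.iterdir() if f.suffix == ".php"),
            })
    return findings

def build_sample_tree(root):
    """Constructed sample tree, not from a real site: one harmless plugin and
    one folder laid out like the wpppm drop (file names taken from the post)."""
    root = Path(root)
    legit = root / "harmless-plugin"
    legit.mkdir()
    (legit / "harmless-plugin.php").write_text("<?php // harmless\n")
    bad = root / "wpppm"
    (bad / ".k").mkdir(parents=True)
    (bad / "wpppm.php").write_text("<?php // placeholder, not the real dropper\n")
    for name in ("01f4413a78986a719b275baeaf97d889",
                 "02f4ea2da8a3c92603e4bdbd7aa11008",
                 "83e17edfceb7de1dae7c21c6d7f10a57"):
        (bad / ".k" / name).touch()
    return root

def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins(build_sample_tree(tmp))

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point scan_plugins() at a real wp-content/plugins path to check a live install; the harmless plugin in the sample is not reported because it has no /.k/ folder.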

The IP address inside the plugin – 83.133.123.174 – resolved to srv110.server.name (Germany Hausham Greatnet New Media), but I’m sure it changes for every WordPress installation. One of the security plugins reported tons of admin login attempts originating from Ukraine.

I also learned that such security plugins still allow for code/file injection. Change your admin username right now and use non-dictionary words, use both lowercase and uppercase letters and include digits. You’ll be a lot safer.

Also, use Cloudflare to block access from countries you’re not interested in. As an example, for an Ireland-based site with a 100% Irish audience, I have blocked Germany, Ukraine and Russia, and spambots and spam registration attempts stopped overnight.
