WordPress “Plugin Manager” Hack

Here’s another hack that targets WordPress admin users through brute-force password cracking. In other words, if your WordPress administration area can be accessed with a username such as admin, administrator, user or sandbox, or another simple dictionary word, it is vulnerable.

The latest hack I’ve found injected a hidden plugin folder called /wpppm/ containing a wpppm.php file (see source code below) and a /.k/ folder of empty, randomly named files, such as 01f4413a78986a719b275baeaf97d88902f4ea2da8a3c92603e4bdbd7aa11008 and 83e17edfceb7de1dae7c21c6d7f10a57.

Source code of wpppm.php (Pastebin): https://pastebin.com/embed_iframe/8TLQ6Tpi
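To check a site for the artefacts described above (a dot-prefixed directory inside a plugin folder, and empty files named with bare 32- or 64-character hex strings), here is an added scanner example that is not part of the original post; the indicator patterns, the `scan_plugins_dir` function and the constructed sample tree are my own assumptions based on the layout the post describes.

```python
"""Scan a WordPress plugins directory for hidden dirs and empty hex-named files."""
import re
import tempfile
from pathlib import Path

# Hypothetical indicator: file names that are bare md5-/sha256-length hex strings.
HEX_NAME = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{64}$")


def scan_plugins_dir(plugins_dir):
    """Return a sorted list of (reason, path relative to plugins_dir) findings."""
    root = Path(plugins_dir)
    findings = []
    # pathlib's rglob does not skip dot-prefixed names, so /.k/ is visited.
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_dir() and path.name.startswith("."):
            findings.append(("hidden-directory", rel))
        elif path.is_file() and HEX_NAME.match(path.name) and path.stat().st_size == 0:
            findings.append(("empty-hex-named-file", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample mirroring the post's layout (placeholders, not the real files)."""
    base = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    legit = base / "example-plugin"
    legit.mkdir()
    (legit / "example-plugin.php").write_text("<?php // constructed legitimate plugin stub\n")
    rogue = base / "wpppm"
    (rogue / ".k").mkdir(parents=True)
    (rogue / "wpppm.php").write_text("<?php // placeholder, not the injected file\n")
    (rogue / ".k" / "01f4413a78986a719b275baeaf97d88902f4ea2da8a3c92603e4bdbd7aa11008").touch()
    (rogue / ".k" / "83e17edfceb7de1dae7c21c6d7f10a57").touch()
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for reason, rel in scan_plugins_dir(sample):
        print(f"{reason}: {rel}")
```

Point `scan_plugins_dir` at a real `wp-content/plugins` directory to list any matches; an empty list means neither indicator was found.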

The IP address inside the plugin, 83.133.123.174, resolved to srv110.server.name (Greatnet New Media, Hausham, Germany), but I’m sure it changes for every WordPress installation. One of the security plugins reported tons of admin login attempts originating from Ukraine.

I also learned that such security plugins still allow code/file injection. Change your admin user right now and use non-dictionary words, mix lowercase and uppercase letters, and include digits. You’ll be a lot safer.

Also, use Cloudflare to block access from countries you’re not interested in. As an example, for an Ireland-based site with a 100% Irish audience, I blocked Germany, Ukraine and Russia, and spambots and spam registration attempts stopped overnight.

Added by Ciprian on Friday, August 28, 2020 in Blog
