New User Hacked Into Blog

  • webpublisher

    (@webpublisher)


    17 years ago

    This morning I noticed an email from my blog stating a new user had been created.

    This shocked me because I am the only administrator and no one else knows the password.

    This happened a couple of weeks ago and I changed the admin password but now that it has happened twice I know it is much more than a password issue.

    Can anyone shread some light on how someone else can create a new user on my installation. It is vitally important I get this fixed asap.

    This problem only started after I allowed readers to leave comments, though they have to be approved by me before they go live.

    I really don’t want to go back to asking readers to register because they never did. In fact only 1% of my readers would know what WordPress is, so to ask them to register was something they just wouldn’t do.

    I don’t know if it is related to this.

    Can this issue be related to the plugins I have installed on the site?

    I want to fix this before they start posting blogs.

    This is a real worry.

    Thank you for any help.

Viewing 12 replies - 1 through 12 (of 12 total)
  • whooami

    (@whooami)

    17 years ago

    umm,

    how do you KNOW the new user was “created” and not the result of someone registering? I JUST double checked, and the e-mail the administrator gets when a user is created manually is identical to the one thats sent when you get a new registration via the normal process.

    Additionally, you left out the most important part of the equation — WHAT version of WP are you using?

    Thread Starter webpublisher

    (@webpublisher)

    17 years ago

    Hi,

    My version is 2.1.2

    When I look to see the list of users I see the new one set up. I immediately delete the user and feel fortunate that they didn’t post anything.

    I’m not sure what you mean by new registration- what would someone register for? There isn’t anywhere on the site to register for anything.

    Thank you.

    Thread Starter webpublisher

    (@webpublisher)

    17 years ago

    I have been doing some research and came across this post:

    http://wordpress.org/support/topic/90198?replies=3

    This explains that in fact someone is registering on my site as a new user.

    I deliberately removed the wp-log.php link from my blog so as users didn’t have to register. So some how a spammer / hacker what ever you want to call them as decided to guess my url and for some reason only known to them create a new user. I know this user isn’t a fan of the site because the url in their domain is a porn site! In addition they never left a comment.

    The link I give above suggests I go into Options and tick “Users must be registered and logged in to comment” instead of “Anyone can register”.

    Well my response to this is that when I have it set to “Users must be registered and logged in to comment” no one ever leaves a comment.

    This is because if someone clicks on the comments link they are presented with a page that says:

    “Leave a Reply
    You must be logged in to post a comment.”

    If they click on the words “logged in” they are presented with a login page.

    It says Username and Password and the word Login

    So I ask myself how can anyone login if they are not registered.

    Below this it says:

    Back to my blog homepage
    Lost your password?

    Again I can not see how anyone can register .

    Then I decide to click “Anyone can register” and to my amazement this page offers away to register.

    I’m so confused why the tick boxes are labeled as they are. Why would someone have comments on their site and then be able to lead someone to a page where they have no chance of leaving a comment, even if they are willing to sign up. I just don’t get it.

    I’m going to run the site this way and see what happens. I scared I won’t get any comments to be honest with you – who really wants to sign up to a site just to leave a message.

    Any views if this is the right thing to do?

    I assume it is best to make default users subscribers and nothing more (this way they can leave comments and nothing else). I had my default set to authors – can you believe it I was allowing anyone to make posts on my blog!

    One thing is for sure with WordPress you really need to know what every little tick box and setting REALLY means otherwise you can leave yourself in hot water.

    rudolf45

    (@rudolf45)

    17 years ago

    who really wants to sign up to a site just to leave a message.

    Nobody! I agree.
    What I’d suggest, try this setting: nobody can register (i.e. the “Anybody can register” is NOT checked); no need for registration for comments – but set the moderation, i.e. an admin has to approve the comments.

    Also, if you don’t want any registration, you can even remove the wp-register.php file. On sites where “anybody can register” there is a growing number of fake registrations… although I have no idea what their goal would be.

    Edit. But even with the above settings the default registrant should never be anything higher than subscriber!

    Thread Starter webpublisher

    (@webpublisher)

    17 years ago

    Many thanks rudolf45 I will do this.

    If anyone knows why someone would want to do a fake registration please tell me – I’m intrigued

    Thanks

    whooami

    (@whooami)

    17 years ago

    its called spam. and its a far cry from being hacked.

    If I can be so bold as to suggest that you have a teeny bit more info before posting topics that read, “New User Hacked Into Blog” 🙂 It’s akin to yelling fire in a movie theater.

    wp-register.php isnt something that requires guessing – it’s a well-known file name and this forum is littered with posts that describe this very thing.

    http://wordpress.org/search/spam+registrations?forums=1

    Removing the link to wp-register.php will do nothing to avert those registrations.

    For future ref., also a spammer and a hacker arent the same thing.

    Lastly, you DO need to upgrade. 2.1.2 is not the most current version, (2.1.3 addresses several security issues).

    http://wordpress.org/development/2007/04/wordpress-213-and-2010/

    jonimueller

    (@jonimueller)

    17 years ago

    Removing the link to wp-register.php will do nothing to avert those registrations.

    But would deleting or renaming the file on one’s server avert this problem? Just curious. None of my WP blogs have anyone that ought to be registered but me so that file should be able to be ditched, correct?

    Kahil

    (@kahil)

    17 years ago

    someone commenting from a porn site would be a spammer. a spammer being sneaky and figuring out a way to become a registered user without the option readily accessible to the general user, would make said spammer a hacker. “webpublisher” was well justified to assume that the “spammer” was attempting to hack his site.

    I would suggest doing as mentioned and de-selecting the option that anyone can register and making sure that its set so that you moderate all comments. also, you may want to look at plugins like bad behavior, akismet, and captcha plugins to help make your site more secure and spammer/hacker free. just keep in mind that if someone really wants to hack your site and is determined to do so, they probably will.

    whooami

    (@whooami)

    17 years ago

    Kahil, The spam registration attempts that WP and other blog packages are seeing (b2evolution, for instance) are the result of scripts – scripts which have been written to look for particular pages, like wp-trackback.php, wp-comments-post.php and wp-register.php.

    It’s not sneaky at all.

    Calling a spammer a hacker is giving the spammer a lot more credit than they deserve. A “real” hacker, one that isn’t a script-kiddy, is much brighter than any spammer.

    @jonimueller,

    yes, deleting the file wp-register.php will solve the problem, completely.

    Thread Starter webpublisher

    (@webpublisher)

    17 years ago

    Thank you for all the help – I have learnt a lot.

    Is there a going rate for a WordPress upgrade.

    I run a small business and would be interested what I should be paying for a professional to upgrade the site.

    Thanks again.

    rudolf45

    (@rudolf45)

    17 years ago

    You won’t get answers for that here. It is forbidden to post “quotes”, prices. See the Forum Rules!

    However, you can ask in a separate thread for paid support but leave a contact address so people can contact you privately – and the topic will be closed. See again the Forum rules.

    alternatively, you can post your request to the wp-pro mailing list:
    http://lists.automattic.com/mailman/listinfo/wp-pro

    Thread Starter webpublisher

    (@webpublisher)

    17 years ago

    Thanks for the advice, I will read up on the rules.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘New User Hacked Into Blog’ is closed to new replies.