• I manage around 60 WordPress sites, I am not new to WordPress and have been using it extensively for 3 years. I take security very seriously and have read extensive articles on the topic (and my sincere thanks to those that put them on the web, both here and in other places). I have had 2 notable hacking examples that were successful, both were defacements. I see around 100 attempts per day across all sites using brute force with the admin user name which I don’t use for that reason. While investigating the “What” they were doing, it occurred to me “how”.

    With this many sites there is a strong correlation between sites that have been recently active and the frequency of attempts to get into them. So if I or someone else updates site x, then I can predict within a few hours someone from somewhere is trying to get into site x. So, while these attempts may appear to be random it seems that they know that a site has been updated. My question to those with greater experience and knowledge than I is how do they know? (I remove the pingomatic on most sites), so is there another mechanism the hacker community is plugged into? If I knew what it was I would try to suppress it.

    Secondly, the “What”: From the most recent attempts I noted the following behaviour in terms of what they were doing. It seems to happen from outside of the WordPress installation. The login name is changed to admin (for everyone) and the password hash is overwritten in the database. This appears to be an automated mechanism as it overwrites all users in the MySQL database, not just one. If you happen to be on the site at the time you are immediately bounced off. That is how I detected it. The reset mechanism seems to repeat over a fixed interval, so you can reset it back, change the passwords etc., but around 10 minutes later it has changed again. I assume that if the attack starts on the database, and it is possible to force all users to the username “admin” and change the hash, then it is relatively simple to guess a password or enter a password to get in.

    Now those people who have studied this will know this is most likely to occur by having a file or code added into an existing file in the WordPress installation. The hacker executes it by going directly to it. I have seen this too a while back following a MailPoet vulnerability.

    In my case I run these: WordFence with rich reporting, Simple Firewall, and the Sucuri Auditing tool. Not all are as effective as they may seem; the best guide to what is going on on your site is the Sucuri auditing tool. This tool alerted me to hacking activity on the site. Between these three, one of them scans the file structure in the installation looking for and reporting changed files. So a rogue file is unlikely. I have also taken apart an installation before and compared it with a completely clean build, and they could still reset the password and user name. (Perhaps through the hosting?)

    The best solution I found was to move wp-config.php out of the public_html or www directory and place it in the root of your hosting. This has made a difference. If something is in your hosting then it can access wp-config.php if it is in the website file structure. It contains the password and username for the MySQL database. That was how they were doing it. WordPress will continue to function with wp-config.php in this location.

    If anyone else has some insights here I would love to hear them.
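The tampering the post describes (every user_login rewritten to admin, every user_pass hash overwritten, repeating on a fixed interval) has a recognisable signature in the wp_users table itself. The following is an added example, not code from the thread or from any of the plugins it names. It assumes the rows come from `SELECT ID, user_login, user_pass FROM wp_users`, once as a known-good baseline and again on each check (the database driver call and the cron wrapper are left out; only the comparison is shown), and the sample rows are constructed placeholders, not data from a real site.

```python
# Added example (not code from the thread or from any plugin named in it).
# Assumed input: rows of (ID, user_login, user_pass) from
#   SELECT ID, user_login, user_pass FROM wp_users
# taken once as a known-good baseline and again on every check.
from collections import Counter
from typing import Dict, List, Tuple

Row = Tuple[int, str, str]            # (ID, user_login, user_pass)
Finding = Tuple[int, str, str, str]   # (ID, field, old_value, new_value)


def index_by_id(rows: List[Row]) -> Dict[int, Tuple[str, str]]:
    """Key rows by ID so a renamed account shows as a change, not a delete+add."""
    return {uid: (login, pw_hash) for uid, login, pw_hash in rows}


def diff_users(baseline: List[Row], current: List[Row]) -> List[Finding]:
    """Every user_login / user_pass value that differs from the baseline,
    plus rows that appeared or vanished."""
    before, after = index_by_id(baseline), index_by_id(current)
    findings: List[Finding] = []
    for uid in sorted(before.keys() | after.keys()):
        if uid not in after:
            findings.append((uid, "row", before[uid][0], "<deleted>"))
        elif uid not in before:
            findings.append((uid, "row", "<absent>", after[uid][0]))
        else:
            for field, old, new in zip(("user_login", "user_pass"), before[uid], after[uid]):
                if old != new:
                    findings.append((uid, field, old, new))
    return findings


def tamper_signals(current: List[Row], findings: List[Finding]) -> List[str]:
    """Reasons to alert. Each matches a symptom from the post; one user
    changing their own password produces none of them."""
    reasons: List[str] = []
    # WordPress's own code paths never create two accounts with the same
    # user_login, so duplicates mean the table was written directly.
    dupes = sorted(l for l, n in Counter(r[1] for r in current).items() if n > 1)
    if dupes:
        reasons.append("duplicate user_login: " + ", ".join(dupes))
    renamed = [f for f in findings if f[1] == "user_login" and f[3] == "admin"]
    if renamed:
        reasons.append(f"{len(renamed)} account(s) renamed to 'admin'")
    rewritten = {f[0] for f in findings if f[1] == "user_pass"}
    if len(current) > 1 and rewritten == {r[0] for r in current}:
        reasons.append("every password hash rewritten since the baseline")
    return reasons


# Constructed sample rows, not from a real site. wp_users holds phpass hashes
# beginning with "$P$"; these values only imitate that shape.
BASELINE: List[Row] = [
    (1, "siteowner", "$P$Bbaseline0001"),
    (2, "editor",    "$P$Bbaseline0002"),
    (3, "author",    "$P$Bbaseline0003"),
]
TAMPERED: List[Row] = [                       # what the post describes
    (1, "admin", "$P$Battacker0000"),
    (2, "admin", "$P$Battacker0000"),
    (3, "admin", "$P$Battacker0000"),
]
BENIGN: List[Row] = [                         # one user changed their own password
    (1, "siteowner", "$P$Bbaseline0001"),
    (2, "editor",    "$P$Bnewpassword02"),
    (3, "author",    "$P$Bbaseline0003"),
]

if __name__ == "__main__":
    for label, rows in (("tampered", TAMPERED), ("benign", BENIGN)):
        findings = diff_users(BASELINE, rows)
        print(label, findings, tamper_signals(rows, findings))
```

Because the post says the rewrite recurs about every 10 minutes, the check has to run more often than that, and it should run from outside the site (a separate host or at least a separate database account with SELECT only on wp_users), since whatever is writing the table already holds the credentials from wp-config.php and could just as easily edit a check that lives inside the installation. The comparison only tells you that the table changed; which connection wrote it has to come from the MySQL or hosting logs.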

Viewing 7 replies - 1 through 7 (of 7 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Have you seen this article http://codex.wordpress.org/Hardening_WordPress

    Are you actually hacked?

    Thread Starter Wingers574

    (@wingers574)

    Thanks Andrew, yes I have seen that article. I have not been hacked recently, my thread is about the correlation between updating something and then finding dozens of hackers trying to get into the most recently updated sites. They must be finding out somehow, it is too much of a coincidence.

    I find the BulletProofSecurity plugin is very helpful in preventing site hacking (I had all my sites hacked 3 years ago) for 2 main reasons:

    • it warns if any of your files have open access permissions
    • it takes a backup of your files and will quarantine/restore anything that has been changed unexpectedly

    It also blocks and logs hacking attempts as well as failed logins, and the logs can be very enlightening, showing you just how many attempts there are from bots to break into your site.
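The two features listed above (warning about open file permissions, and detecting files that changed unexpectedly) and the file-structure scan the original post mentions come down to the same check: hash every file against a known-good baseline and look for modes that are writable by group or others. The following is an added example, not code from the thread and not the scanner from BulletProof Security, Wordfence or Sucuri. It assumes the site is a plain directory tree, that the baseline is taken right after a clean install or update and stored outside the web root, and that uploads/ and cache/ are skipped because they change constantly (an assumption; they still deserve their own looser check). The demo tree it scans is constructed inline.

```python
# Added example (not code from the thread, and not any plugin's scanner).
# Assumptions: site root is a plain directory; baseline stored outside the
# web root; wp-content/uploads/ and wp-content/cache/ skipped as high-churn.
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

SKIP_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")   # assumption


def snapshot(root: Path) -> Dict[str, str]:
    """Map each regular file's relative POSIX path to its SHA-256."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(SKIP_PREFIXES):
            continue
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """(added, removed, changed) relative paths between two snapshots."""
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed


def loose_permissions(root: Path) -> List[Tuple[str, str]]:
    """Files and directories writable by group or others, the condition the
    plugin warns about, as (relative path, octal mode)."""
    found: List[Tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        mode = path.lstat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append((path.relative_to(root).as_posix(), oct(stat.S_IMODE(mode))))
    return found


def build_demo_tree(root: Path) -> None:
    """Constructed stand-in for a site, with the usual 0644/0755 modes."""
    files = {
        "wp-config.php": "<?php define('DB_PASSWORD', 'placeholder'); ?>",
        "wp-includes/example.php": "<?php // constructed core file ?>",
        "wp-content/plugins/hello/hello.php": "<?php // constructed plugin file ?>",
        "wp-content/uploads/2018/photo.txt": "stand-in for an upload",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        os.chmod(path, 0o644)
    for path in root.rglob("*"):
        if path.is_dir():
            os.chmod(path, 0o755)
    os.chmod(root, 0o755)


def run_demo() -> Tuple[List[str], List[str], List[str], List[Tuple[str, str]]]:
    """Baseline the constructed tree, then simulate a dropped file, an edited
    core file, a churned upload and a loosened wp-config.php, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        baseline = snapshot(root)
        (root / "wp-includes" / "example.php").write_text("<?php // edited after baseline ?>")
        dropped = root / "wp-content" / "plugins" / "hello" / "dropped.php"
        dropped.write_text("<?php // not present at baseline ?>")
        os.chmod(dropped, 0o644)
        (root / "wp-content" / "uploads" / "2018" / "photo.txt").write_text("changed but skipped")
        os.chmod(root / "wp-config.php", 0o666)
        added, removed, changed = diff_snapshots(baseline, snapshot(root))
        return added, removed, changed, loose_permissions(root)


if __name__ == "__main__":
    print(run_demo())
```

As the original post itself observed, a clean file tree does not rule out the attack: the wp_users rewrite it describes needs only the database credentials, which a file-integrity check cannot see. The two checks complement each other, and both are only trustworthy when the baseline and the checker live somewhere the site's own PHP user cannot write.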

    Thread Starter Wingers574

    (@wingers574)

    Many thanks for this Poddys, I will take a look. Are there any forums around that discuss methods and how to combat them? Today in particular I have now had around 300 attempts to log into around 5 sites using brute force just in the past 4 hours. I get reports back from all of the sites when someone is trying to do something. So yes I agree these plugins open up a world that you do not normally see.

    I find the BulletProofSecurity plugin is very helpful…

    If there is anything anywhere any better, I would be amazed!

    Please do check it out: https://wordpress.org/plugins/bulletproof-security/

    I have been using that at several sites for over two years now, and I have yet to ever have *any* kind of hack happen anywhere…and then just yesterday I began using BPS Pro at one site to go beyond .htaccess and secure all PHP activity.

    Thread Starter Wingers574

    (@wingers574)

    Thank you for your replies. The situation is not really resolved as it keeps happening. I was hoping to get some insight into the communications from WordPress when it installs. Something is triggering these attacks. That was what I was trying to find out.

    The symptoms and behaviour suggest that it is happening within the hosting, even on a clean installation. It may be a hosting related vulnerability.

    @leejosepho

    I agree that BulletProof Security is an excellent security plugin with a highly committed and responsive developer team.

    If there is anything anywhere any better, I would be amazed!

    Take a look at the features of the Ninja Firewall. Their benchmarking tests also make for interesting reading:

    WordPress brute-force attack detection plugins comparison

    WordPress brute-force attack protection in a production environment

  • The topic ‘Hacker activity, how and what?’ is closed to new replies.