Title: Possible Security Breach Last modified: August 21, 2016 --- # Possible Security Breach * Resolved [CSNAssistant](https://wordpress.org/support/users/csnassistant/) * (@csnassistant) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/) * Hello. I am experiencing a problem that may be due to a possible security breach. * I noticed that when I went on to my site [here](http://www.stemcellrevolution.com/), a new button was created linking me to a site hosted in France. My site deals with medical information while the unauthorized site was linking to a french, bridal gown store. This was not an ad, but was rather integrated into the site and possibly the code. * I immediately reset the passwords, notified the users, and downloaded Simple History. * The next day (today) I see on Simple History, that someone tried to log in to the admin account on 141 occasions within the past day. * My questions: * 1) Is Simple History showing this as a bug or is this an actual person or program? * 2) How can I stop this person/program from doing this and what measures can I take in the United States? * 3) I only saw one thing changed, but how can I run a diagnostic on my site (I have little knowledge on code, but I am a fast learner) * 4) Do you have any suggestions as to what I can do to proceed? * Thank you to everyone who is reading this. Viewing 11 replies - 1 through 11 (of 11 total) * [esmi](https://wordpress.org/support/users/esmi/) * (@esmi) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900188) * A scan of your site shows no signs of a hack. Have you tried: * – deactivating **all** plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s). * – switching to the default theme to rule out any theme-specific problems. * – [resetting the plugins folder](http://codex.wordpress.org/FAQ_Troubleshooting#How_to_deactivate_all_plugins_when_not_able_to_access_the_administrative_menus.3F) by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems. * Thread Starter [CSNAssistant](https://wordpress.org/support/users/csnassistant/) * (@csnassistant) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900190) * I have tried to switch themes, but have had no success. I will check the plugins now to see if they are the issue. I do have several plugins that are inactive, so I will delete those as well. Until then, should any other precaution or scan be taken on my part? * [esmi](https://wordpress.org/support/users/esmi/) * (@esmi) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900191) * I did scan your site using [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) which is usually pretty good but you could also try [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) * Have you gone through your site’s list of Users to ensure that everyone on there is known and trusted by you? * Thread Starter [CSNAssistant](https://wordpress.org/support/users/csnassistant/) * (@csnassistant) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900195) * We have a 3 users on our site, which are made of people that I work in close contact with every day, so I do trust them. The Admin account is not normally used anymore, so it is just an account that we have in case we need it, which happens to also be the account that someone/something is constantly trying to access according to Simple History. * User admin failed to log in because they entered the wrong password 1 hour ago by Details + 141 occasions * And under Details it says: * HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/23.0.1271.17 Safari/537.11 HTTP_REFERER: REMOTE_ADDR: 193.0.146.118 * Thread Starter [CSNAssistant](https://wordpress.org/support/users/csnassistant/) * (@csnassistant) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900201) * I would like to thank you for taking the time to help me out by the way. There has been no change when I checked the plugins and theme * [esmi](https://wordpress.org/support/users/esmi/) * (@esmi) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900204) * > User admin failed to log in because they entered the wrong password > 1 hour > ago by Details + 141 occasions * Does your main Admin user have the username “admin” by any chance? If so, changing it might ward off many of these potential attacks. See [http://wordpress.org/extend/plugins/admin-renamer-extended/](http://wordpress.org/extend/plugins/admin-renamer-extended/) * You can also install a plugin that will limit these login attempts and block the offending ip address after x attempts for 24 hours. Just be careful that you don’t lock yourself out. If you are still concerned, it wouldn’t hurt to review these resources: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * > I would like to thank you for taking the time to help me out by the way. * No problem. That’s what we are all here for. 🙂 * Thread Starter [CSNAssistant](https://wordpress.org/support/users/csnassistant/) * (@csnassistant) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900208) * Thank you. I will take the time to review the material. If I no longer get attempted login messages by tomorrow, then I will close this thread. * One more quick question: when Simple History says: * REMOTE_ADDR: 193.0.146.118 * Is that the IP Address? * [esmi](https://wordpress.org/support/users/esmi/) * (@esmi) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900210) * I think so, yes. * Thread Starter [CSNAssistant](https://wordpress.org/support/users/csnassistant/) * (@csnassistant) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900211) * Ok. Then based on a quick look through, I found three distinct IP addresses. Perhaps they will be useful to you in any other future troubleshooting. * 204.152.255.23 67.18.3.37 193.0.146.118 EDIT: 97.79.239.135 * Thank you very much and I will reply with an update as soon as I can. If anyone else has any other suggestions or pieces of advice, then I would be appreciative. * Thread Starter [CSNAssistant](https://wordpress.org/support/users/csnassistant/) * (@csnassistant) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900404) * Update: It worked. I haven’t gotten any more attempts. Thanks a million! * To those who are reading this sometime in the future, if you have a similar problem with possible hackers, this is what I suggest, based on my own experience and this thread. * 1) Scan your site using [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) or [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) * 2) Download Simple History, which can show you if there are anymore changes or failed login attempts. * 3) Check your themes and plugins to verify that it is not the issue. * 4) Finally (This was my problem) Check the admin account. If that is the problem then delete or rename it. * Thank you esmi for helping me. * [esmi](https://wordpress.org/support/users/esmi/) * (@esmi) * [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900405) * No problem 🙂 Viewing 11 replies - 1 through 11 (of 11 total) The topic ‘Possible Security Breach’ is closed to new replies. ## Tags * [breach](https://wordpress.org/support/topic-tag/breach/) * [code](https://wordpress.org/support/topic-tag/code/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 11 replies * 2 participants * Last reply from: [esmi](https://wordpress.org/support/users/esmi/) * Last activity: [12 years ago](https://wordpress.org/support/topic/possible-security-breach/#post-4900405) * Status: resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics