On Sun, Oct 04, 2015 at 04:45:00PM +0000, Andy Smith wrote:
Hi Gavin,
On Sun, Oct 04, 2015 at 05:28:59PM +0100, Gavin Westwood wrote:
It's not known at this stage how the customer's Wordpress was
compromised. The site has been disabled.
Was the Wordpress install up-to-date?
I'm afraid I don't know as I only have the information that the
customer gives me and I have limited grounds to insist upon
research.
While it could have been a weak password or a plugin, it's worth knowing
whether it could just be because they had an old version with a security
vulnerability, or whether there might be a currently unknown security
bug in the latest version.
Probability would always side with a known flaw or a simple brute
force attack. The fact that the first thing it seems to have done is
a brute force attack lends weight to it having been caused by a brute
force attack, as this is a pattern which is also common to SSH brute
force compromise: the first thing they do is get it attacking other
hosts.
Incidentally there is an article here with Wordpress setup tips:
https://tools.bitfolk.com/wiki/WordPress_setup
wp-fail2ban can be used with IPv4 and IPv6, and it doesn't take into account the
logins that worked OK. So there is no need for the trick described there, with
its many disadvantages.
I don't have the time to update it now, but if someone tries it and wants to
update the wiki, it seems totally worth it IMHO.
Thanks a lot,
Rodrigo
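The fail2ban-style logic Rodrigo refers to, as an added example that is not part of the thread and not wp-fail2ban's own code: parse constructed syslog-style authentication-failure lines, count failures per source address over a sliding window (fail2ban's maxretry/findtime), treat IPv4 and IPv6 sources alike, and ignore successful logins entirely. The log line format, the hostnames, the addresses and the `LOG_YEAR` value are all assumptions made for this example; adapt `LINE_RE` to whatever your wp-fail2ban version actually writes to syslog.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The message format is an
# assumption modelled on "Authentication failure for USER from IP" lines;
# the "Accepted password" line stands in for a successful login.
SAMPLE_LOG = """\
Oct  4 16:40:01 web wordpress(example.test)[1234]: Authentication failure for admin from 203.0.113.7
Oct  4 16:40:03 web wordpress(example.test)[1234]: Authentication failure for admin from 203.0.113.7
Oct  4 16:40:05 web wordpress(example.test)[1234]: Authentication failure for admin from 203.0.113.7
Oct  4 16:40:06 web wordpress(example.test)[1234]: Accepted password for editor from 198.51.100.9
Oct  4 16:40:08 web wordpress(example.test)[1234]: Authentication failure for root from 2001:db8::10
Oct  4 16:40:09 web wordpress(example.test)[1234]: Authentication failure for root from 2001:db8::10
Oct  4 16:40:10 web wordpress(example.test)[1234]: Authentication failure for admin from 2001:db8::10
Oct  4 16:40:11 web wordpress(example.test)[1234]: Authentication failure for editor from 198.51.100.9
Oct  4 16:55:30 web wordpress(example.test)[1234]: Authentication failure for editor from 198.51.100.9
Oct  4 16:55:31 web wordpress(example.test)[1234]: Authentication failure for editor from 198.51.100.9
"""

LOG_YEAR = 2015  # assumption: syslog lines carry no year, so supply one

# Only failure lines match; successful logins and unrelated lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication failure for (?P<user>\S+) from (?P<host>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, canonical host) for a failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = re.sub(r"\s+", " ", m.group("ts"))
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    try:
        # ipaddress canonicalises both IPv4 and IPv6 text, so 2001:DB8::10
        # and 2001:db8::10 count against the same source.
        host = str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return None
    return ts, m.group("user"), host


def detect_brute_force(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return (banned, counts).

    banned maps each source address that reached maxretry failures within
    findtime to the timestamp at which it crossed the threshold; counts maps
    every source address to its total number of failures in the log.
    """
    recent = defaultdict(deque)   # host -> timestamps inside the window
    counts = defaultdict(int)
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, host = parsed
        counts[host] += 1
        window = recent[host]
        window.append(ts)
        # Drop failures older than findtime, as fail2ban's findtime does.
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned[host] = ts
    return banned, dict(counts)


if __name__ == "__main__":
    banned, counts = detect_brute_force(SAMPLE_LOG)
    for host, when in sorted(banned.items()):
        print(f"ban {host} (threshold reached at {when:%H:%M:%S})")
    for host, n in sorted(counts.items()):
        print(f"{host}: {n} failures total")
```

In the constructed data the IPv4 source and the IPv6 source each reach three failures inside the window and are banned; 198.51.100.9 accumulates three failures in total but never three within ten minutes, and its successful login neither counts against it nor resets anything, which is the behaviour Rodrigo describes.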