Unauthorized access to my WordPress site, what should I do now?

Based on the mail log, within 23 seconds someone managed to create a new user account, change the admin email address, create another user account and change its password (the second account had admin privileges). I still have no idea how he managed to create an account with admin rights.

Based on the very quick attack (23 seconds), is there a chance that it was a bot?

I have managed to change the email back and delete this user account, but I have no idea if, within the 20-minute time frame of me being unaware of the attack, this hacker managed to do any harm. I cannot see any obvious changes, but is there a way to be sure that he didn't make any changes?

During the attack WP was on version 6.1; it is now updated to 6.2. All plugins updated. What could I do to secure my website against similar attacks in the future?

3 Comments
  1. Delete all erroneous accounts.
    Change all passwords on all accounts.
    Update all plugins.
    Install Wordfence and run a malware scan.

    If all that is done and the scan shows nothing dangerous, you're likely fine (it will likely show some mild issues that aren't of concern, like cookies or something).

  2. Assuming that all the plugins were up to date prior to the attack and there isn't vulnerable custom code, there are a variety of avenues through which the breach could have occurred. And changing the password may prevent some attacks, but not all.

    * Zero day exploit
    * Credential stuffing
    * Brute force
    * Phishing

    Depending on the level and type of logging you have available or access to, it may provide additional insight into the approach the attacker took. If it's a zero-day exploit, it'll need further investigation, as a patch is unlikely to be available yet, but there could be workarounds.

    If a compromise has occurred with an administrative account, then unless you have trawled through all events and logs to rule out secondary compromises, assume it'll happen again, as the attacker may have installed backdoors. In that case, you'll need to consider reinstating a pristine backup.

  3. I have managed to find through the server logs that the problem was with the elementor-pro plugin.
    Bots are scanning for the changelog file to check whether the plugin is installed and then try to proceed with the process I described in the first post.
    Fortunately, according to the logs, the bot did not manage to do anything else besides creating a new account with admin rights.
    I have already updated the plugin and deleted the changelog file from its folder just to be safe.
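As an added example (not from the thread or any of its posters), this is the kind of server-log check comment 3 describes: a Python script that flags a client which fetched a plugin's changelog or readme file and then, within a short window, POSTed to wp-admin or wp-json, the bot-like timing the original post reports. The sample log lines, the IPs, the probe and action path patterns and the 60-second window are constructed assumptions, not values from the thread.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed probe pattern: fetching a plugin's changelog or readme reveals whether the
# plugin is installed (and usually which version it runs).
PROBE_RE = re.compile(r"^/wp-content/plugins/(?P<plugin>[^/]+)/(changelog|readme)\.txt$", re.I)
# Assumed "privileged action" pattern: POSTs into the admin area or the REST API.
ACTION_RE = re.compile(r"^/(wp-admin/|wp-json/)", re.I)

# Constructed sample log (placeholder IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2023:10:15:02 +0000] "GET /wp-content/plugins/elementor-pro/changelog.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2023:10:15:05 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2023:10:15:19 +0000] "POST /wp-admin/profile.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2023:10:20:41 +0000] "GET /about/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2023:10:21:03 +0000] "GET /wp-content/plugins/elementor-pro/changelog.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"], "status": int(m["status"])}


def probe_then_post(lines, window_s=60):
    """Return {ip: finding} for clients that fetched a plugin changelog/readme (HTTP 200,
    i.e. the plugin is confirmed installed) and then POSTed to wp-admin or wp-json
    within window_s seconds of that probe."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = {}
    for i, e in enumerate(events):
        probe = PROBE_RE.match(e["path"])
        if not probe or e["status"] != 200:
            continue
        deadline = e["ts"] + timedelta(seconds=window_s)
        posts = [f for f in events[i + 1:]
                 if f["ip"] == e["ip"] and f["ts"] <= deadline
                 and f["method"] == "POST" and ACTION_RE.match(f["path"])]
        if posts:
            findings[e["ip"]] = {
                "plugin": probe["plugin"],
                "seconds_to_first_post": int((posts[0]["ts"] - e["ts"]).total_seconds()),
                "posts": [p["path"] for p in posts],
            }
    return findings


if __name__ == "__main__":
    for ip, hit in probe_then_post(SAMPLE_LOG.splitlines()).items():
        print(ip, hit)
```

Run it against a real access log by passing the file's lines instead of SAMPLE_LOG; a probe with a 404 (plugin absent) is ignored here, so widen the status check if you also want to see scanners that miss.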
