I just found a sysadmin administrator account set up with an e-mail address of firstname.lastname@example.org in a new client’s WordPress site. This is happening more often recently and some people appear to think that WordPress is creating these accounts. WordPress is not creating these accounts. If you just found this account, the chances are pretty good that your site has been hacked.
So how are they getting in? There could be a bug in WordPress that is allowing the accounts to be set up with a password designated by a hacker. However, based upon the huge increase that we have seen with comment spam from Chinese hackers in hundreds of different IP locations, it appears that a sophisticated bot network is placing the spam comments as well as attempting to crack admin passwords.
With accounts that still use the ‘admin’ account user name, a hacker or bot already has half of what they need to break into a site. A bot can repeatedly attempt to break a password thousands of times until it finally discovers the correct combination. Thus far, all the hacked accounts I have seen use the ‘admin’ administrator.
Why Do We Think It Is a Bot?
It appears to be an automated system (a bot) simply because it is creating a new user account that stands out to anyone who logs into their site on a regular basis. A sophisticated hacker would not need to set up another administrator account once they cracked the admin administrator’s password. Real hackers tend to be stealthy, not obvious. I also suspect that the origin is China simply because the number of hack attempts coming from China has grown exponentially in the past year.
If I am correct, the solution is fairly simple.
- Delete the sysadmin account.
- Install the Limit Login Attempts plugin. This plugin locks out any user or bot attempting to break into the admin area after a per-determined number of failed login attempts. The default setting is 4.
- Visually scan your site for any changed content or new links embedded in the content. Most hackers who break ingot admin areas simply want to embed links to their sites.
- If your site uses the default ‘admin’ account, change the login to something different. Either set up a new administrator account using a more complicated username and delete the old admin account, or you can make the changes to the wp_user table in the database.
- Make sure you are using the most current version of WordPress. A lot of security bugs have been found and patched over the past few years.
There is an thread addressing the issue of admin accounts being created in the WordPress Plugins and Hacks forum. Several of the posts mention online tools that can be used to scan web pages to see if they have been hacked. Check it out.