Just looked through client maintenance logs and noticed a large number of hacking attempts against one of the sites. Luckily the attempts are just attempts, without any success.
Looking into the details, I noticed two main themes:
- The attempts come from many different IP addresses across the world
- Two WordPress plugins are the main focus
It appears the attempts are focused on known vulnerabilities in those two WordPress plugins, clearly in the hope that the plugins have not been updated. The site in question never had those plugins installed in the first place, so the attempts had no chance of succeeding.
An outdated plugin with a known vulnerability may give an attacker Remote Code Execution (RCE), essentially taking over the site: modifying its contents, destroying it, or using its resources for coin mining, to name a few examples. Coin mining has become a trendy activity, along with WannaCry-style extortion, because both offer a direct way to make real money.
The other observation, the spread of source addresses, indicates that a botnet is at work. Botnets are made up of compromised hosts, such as Windows PCs, whose computing and networking capabilities are harnessed for malicious activities. Botnets rely on the power of volume: one can have thousands of compromised hosts under control and use them for a variety of malicious purposes at very large scale. One common use case for botnets is Distributed Denial of Service (DDoS), which saturates and overloads the target system so badly that it can no longer serve its original purpose. You do not want your own computer to be part of such a botnet.
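As an added example (not from the post or its client logs), here is a small Python triage script that surfaces the two observations above from a web server access log: it flags requests to plugin paths for plugins that are not installed on the site and counts the distinct source IPs per plugin. The log lines, IP addresses and plugin names are constructed placeholders, and the set of installed plugins is assumed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines; IPs are documentation ranges and the
# plugin names are placeholders, not the two plugins from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2018:10:01:02 +0000] "GET /wp-content/plugins/example-plugin-a/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2018:10:01:05 +0000] "POST /wp-content/plugins/example-plugin-a/upload.php HTTP/1.1" 404 209 "-" "python-requests/2.18"
192.0.2.44 - - [01/Mar/2018:10:02:11 +0000] "GET /wp-content/plugins/example-plugin-b/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2018:10:02:40 +0000] "GET /wp-content/plugins/example-plugin-b/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2018:10:03:01 +0000] "GET /wp-content/plugins/installed-plugin/style.css HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.99 - - [01/Mar/2018:10:03:30 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Plugins actually installed on the site (hypothetical list for this example).
INSTALLED = {"installed-plugin"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<plugin>[^/?]+)")


def probed_plugins(log_text, installed):
    """Map each plugin slug requested under /wp-content/plugins/ that is NOT
    installed to the set of source IPs and the number of requests."""
    report = defaultdict(lambda: {"ips": set(), "requests": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        p = PLUGIN_RE.match(m.group("path"))
        if not p or p.group("plugin") in installed:
            continue  # not a plugin path, or normal traffic to an installed plugin
        entry = report[p.group("plugin")]
        entry["ips"].add(m.group("ip"))
        entry["requests"] += 1
    return dict(report)


def rank_by_sources(report):
    """Sort probed plugins by distinct source IPs, the 'many addresses' signal."""
    return sorted(
        ((slug, len(v["ips"]), v["requests"]) for slug, v in report.items()),
        key=lambda t: (-t[1], -t[2], t[0]),
    )


if __name__ == "__main__":
    for slug, sources, hits in rank_by_sources(probed_plugins(SAMPLE_LOG, INSTALLED)):
        print(f"{slug}: {hits} requests from {sources} distinct IPs (plugin not installed)")
```

A plugin slug that appears here with many distinct sources and only 404 responses is exactly the harmless-but-noisy probing the post describes; the same slug on a site where the plugin is installed is the case worth checking for an update.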
So, to cut to the chase, here is the beef of the story, in the form of a short list of recommendations:
- Make sure that your computers are free from malware, and that the respective scanners are installed and up to date.
- Ensure that your computer's operating system and other applications are up to date.
- Keep your WordPress version and plugins updated, always to the latest release.
- Deactivate and also remove (!) all plugins you are not actively using; a deactivated plugin still leaves its files on the server, whereas a removed one cannot be targeted at all.
- Lastly, if everything else fails, you should have backups readily available, and you should have tested that you can actually recover your systems from those backups.