Forum Replies Created

Viewing 15 replies - 46 through 60 (of 63 total)
  • Forum: Plugins
    Thread Starter Wingers574

    (@wingers574)

    Many thanks for this explanation Paul, yes it makes complete sense. It also explains why WordFence also failed to prevent a site from being hacked some time ago, probably for the same reasons.

    I am not totally convinced my hosting company really know what has happened, or whether it really swamped the server. I have seen much higher levels of DDoS attacks than the one that caused this to happen. However it does seem that we all get a warm feeling with these various security plugins that may not be completely justified irrespective of where they come from. It is a fact of life that this happens.

    Yes, the hosting company recommended Cloudflare as well, so I will take a look at it. Thanks for taking the time to reply, I appreciate it, and despite this particular event, I will continue to use your plugin.

    Forum: Plugins

    I have this problem too. I have checked the memory allocated through PHP and set it to 128MB, and turned off any security plugins which could be getting in the way. Possibly related: if I go into the settings (send With) and check to see if MailPoet can send a message to me, it comes up with an error message which starts with the text: Request Error not JSON:<!DOCTYPE html>….. basically a web page. This freezes everything. If I close it I can regain control. The test email is never sent. So whatever is causing this is also related to the sending function. This does not work with a third party email account now either. It used to.
    I have reset the plugin completely. The problem remains. The odd thing is I use this plugin on a number of sites, it was working prior to the upgrade to 4.3. It is not working now. Any clues would be helpful before I take this site down completely and rebuild it somewhere else. I have not seen this problem on my other sites, but each is a little different.

    I have reported this too in another thread, and some other related issues. I cannot locate any references in the database either. On some of my sites they are cloned and then redeveloped for another client. As well as seeing “admin” either as an existing user, or non-existing user, I have also seen user names I am familiar with, but not for that specific site. Is there any chance that the user names are coming from somewhere else that is tied to the same API key? Without knowing how WordFence works, if it is collecting information based on the API key and storing it off hosting, then might this explain why people have not been able to locate these ghost users? Can the API key be reset if the site is duplicated? Is it a relevant factor? – Just a thought.

    Thread Starter Wingers574

    (@wingers574)

    Tim, to be very clear here, there are several observations, and they may all be linked to the same root cause (you may have other observations from other people too).

    What I am expecting the solution to be is your plugin reports “admin” attempts to log in to the site (probably bots) or other user names that fail to get into the site.
    If admin is not a valid user name (confirmed by checking the database) then it is not reported as a valid user. Conversely if it is, then it is reported as such. (It would be useful to confirm how you are making this decision).
    We also have this third case where a site which had been under attack for over 12 hours using admin and several other guessed names was not being reported at all by the dashboard, however WordFence was still sending out emails about it. So here there was a disconnect too.

    I appreciate all you are doing, but felt it was worth raising this to the top of the list again, as I am very concerned that you have identified “admin” as a valid user on systems where I know “admin” does not exist. So there was always the possibility that you knew more about my sites than I did and had identified a potential compromise.

    I may have misunderstood your problem, if I have I apologise.

    I have had several situations where I could not reload WordFence into a site. It is probably because the directory for WordFence exists in the Plugin folder but is largely empty. I have seen several cases of this. As long as a legacy folder exists for any plugin you will not be able to reinstall it. The best solution I have found is to go in through cPanel File Manager or equivalent (you could do it using FTP as well, using FileZilla), locate the directory and delete it. Once you do that, go back into WordPress and install it normally.

    What I never found out in each instance this has occurred to me, is how the WordFence directory contents were erased in the first place. But it did solve the problem.

    Thread Starter Wingers574

    (@wingers574)

    Is there any progress on this? I see that many others have highlighted this but there is no further information. While many here are not paying customers, we are helping to promote the popularity of your plugin and get the bugs out. It would be good if you can tell us if the entries which say admin is an existing user, vs admin is not an existing user is relevant.

    The implications being that admin = an existing user, where none of us believe admin exists on our sites may mean it is compromised. As authors of a security plugin, I would have hoped that by now you could tell us one way or the other even if a patch is not available yet.

    Thread Starter Wingers574

    (@wingers574)

    Sorry, typo in my last message to Tim:

    3). A site under a distributed attack with the name “user” being used for 4hrs and reported by WordFence that it is happening, has no reference to the username “admin” in the dashboard.

    should have read:

    3). A site under a distributed attack with the name “admin” being used for 4hrs and reported by WordFence that it is happening, has no reference to the username “admin” in the dashboard.

    Thread Starter Wingers574

    (@wingers574)

    Replying to Tim
    I do not believe I have ever used the user name “admin” because I always overwrite it with something else. It is a very well documented hacker target. Even if it was used, I could not locate any reference to it in the MySQL database, but am happy to help you to get to the bottom of this.

    Bottom line is I have seen three reports for websites where the username “admin” does not exist on the users page:
    1). admin is an Existing User
    2). admin is not an Existing User
    3). A site under a distributed attack with the name “user” being used for 4hrs and reported by WordFence that it is happening, has no reference to the username “admin” in the dashboard.

    So something is wrong here somewhere. I am particularly concerned about the dashboard report that tells me admin is an existing user, as this indicates that someone/thing has logged in as admin.

    I know that some hackers try to access sites as User “0” which by default if it is not changed when the site is installed also carries the username “admin”. Any chance someone has coded it wrong?

    Thread Starter Wingers574

    (@wingers574)

    Are you sure they are real users? Are they on the Users page of WordPress? In my case they are all admin. But admin does not exist as a user on any of my sites. On a couple I have checked they are not in the MySQL database either. I suspect this might be a bug. If it isn’t then I hope they let us know asap!

    Thread Starter Wingers574

    (@wingers574)

    A further comment on this, I have just looked at another site I have which also uses WordFence, in this case it has been under attack for over 4 hours with a distributed brute force attempt to login with the username “admin”. As with the other cases above, this site does not use “admin” as a username. What is really odd given my earlier comments is that in this case there is no reference to the attempted logins in your dashboard panel, even though it is WordFence reporting them! So in this case, I know for sure that admin is being attempted on this site, but your dashboard panel does not list them at all, either as Existing Users or not.
    So now I am more confused than ever. Has this feature (which in principle is a good one), been tested at all?

    Thread Starter Wingers574

    (@wingers574)

    Thank you for your replies. The situation is not really resolved as it keeps happening. I was hoping to get some insight into the communications from WordPress when it installs. Something is triggering these attacks. That was what I was trying to find out.

    The symptoms and behaviour suggest that it is happening within the hosting, even on a clean installation. It may be a hosting related vulnerability.

    Thread Starter Wingers574

    (@wingers574)

    Many thanks to the author response and the response from Mike.s
    It looks like something was introduced from 3.4 onwards. I will not make any changes, all I need to remember is to turn it off before I create a newsletter.
    I automatically update the plugins and code on all sites as a matter of policy, (I have around 50 sites) so going back to an older version will not work for me.

    As I said earlier, the plugin is great, I only need to turn it off to see the volume of automated spam comments it is detecting, so I do wish to continue using it.

    Many thanks for the help provided here and helping to establish where the issue is.

    Thread Starter Wingers574

    (@wingers574)

    Many thanks for this Poddys, I will take a look. Are there any forums around that discuss methods and how to combat them? Today in particular I have now had around 300 attempts to log into around 5 sites using Brute Force just in the past 4 hours. I get reports back from all of the sites when someone is trying to do something. So yes I agree these plugins open up a world that you do not normally see.

    Thread Starter Wingers574

    (@wingers574)

    Thanks Andrew, yes I have seen that article. I have not been hacked recently, my thread is about the correlation between updating something and then finding dozens of hackers trying to get into the most recently updated sites. They must be finding out somehow, it is too much of a coincidence.

    Thread Starter Wingers574

    (@wingers574)

    Many thanks for the explanation and the solution.
    – Mark
