3

I manage a Wordpress site for an event registration. The site is only active for a few months a year. The rest of the year it's idle, as in it's up, but not actively maintained.

Now the time has come to prepare it again, and I noticed that all posts and pages have been edited. At the bottom of each page/post a script tag has been added. This tag creates a link to some website, if often links to domyhomework.com, or something similar.

All these edits was made by the same user thats only a "publisher", and not an administrator. It is clear that this user did not actually do this, but it's also clear that his account was used. The edits all happened on the same date, from 11:51 to 11:54.

I have changed the password for the user, as well as "log out all other sessions". I've also installed a more solid activity logger, that will monitor the site from now on.

I'd like to know what exactly has happened here, so that I can prevent it in the future.

edit: It feels like the user has malware on his computer and when logged into the site a script runs and adds this to pages/posts, but I don't know how to prevent something like that, or if that is possible.

sch
  • 145
  • 4
  • Related: [How can I protect a WordPress installation](https://security.stackexchange.com/q/477/5405). – S.L. Barth Jan 23 '18 at 10:33
  • Regarding the edit. I suppose you have already taken away the user's editing privileges. I also suppose you don't have control over the user's computer, so all you can do there is warn the user that they *may* have a malware infection. – S.L. Barth Jan 23 '18 at 12:28
  • 1
    @S.L.Barth I have control over the users work computer, but this site is regarding activity outside the workplace, so he might have accessed the site using home-computer/mobile or what not, I have informed him about the situation, and will follow-up on his work computer – sch Jan 23 '18 at 12:51
  • 1
    Unfortunately, WordPress tends to have a lot of potential security flaws that usually have to be assertively mitigated by the administrator after installation. If you have not already gone through a process of securing this WordPress site, I suggest doing a web search for "hardening wordpress" and doing as much as you can. – Todd Wilcox Jan 23 '18 at 14:09

1 Answers1

3

Since your course of action was changing the password of the offending account, it seems that your theory of what happend is that that users account was breached (e.g. weak password was bruteforced live, reused password from a data dump, users computer infected by malware). That is one possible explanation, but it is not the only one, perhpas not even the likeliest one.

Another explanation is that there is a vulnerability in your WordPress installation, either in the core itself or in a plugin. If that is the case, changing a password is of little help. Your doors are still wide open and you are vulnerable. The compromise could be much worse than you expected - there may very well be some nasty malware running on your server right now.

You could try to figure out how bad it is by doing a forensics investigation. But it sounds like logs are scarce, and even with good logs this is still a tricky thing to do. So maybe the best course of action is to assume the worst.

I'd have a look at these two posts for further guidance:

Anders
  • 65,052
  • 24
  • 180
  • 218
  • I will look at those, thank you. And I do agree with the fact that it's probably not a password breach, but better safe than sorry. It feels like the user has malware on his computer and when logged into the site a script runs and adds this to pages/posts, but I don't know how to prevent something like that, or if that is possible. – sch Jan 23 '18 at 12:24
  • 1
    @klskl Yeah, that is also a possible scenario. But users computer infected is not your worst case - worst case is your WP being vulnerable. – Anders Jan 23 '18 at 12:25