WordPress Backdoor for Hackers to try to Login

I work for an ecommerce company. We don’t sell through our website but we do have a very customized, powerful WordPress site to tell people about what we do. It was one of my first WordPress themes that I ever built with the blank boilerplate Underscores. I really haven’t touched it too much since it launched several years ago except to update it and help Marketing here and there.

Like most WP sites, we have a lot of plugins. Most are for Marketing while a couple are purely for the devs. One of the dev plugins we have installed on it is All in One WP Security & Firewall. It’s probably the most common security plugin that’s installed. After this last week, I can see why it’s so highly rated.

I was asked to fill out a questionnaire on our site. One of the questions was what the biggest table in the database was. Imagine my surprise when it was the “failed logins” table that belongs to the security plugin. Come to find out that the plugin was really never set up properly. Because of our security setup for any new user, the hackers were never able to log in, but holy cow, they were filling up that database table fast. The only thing that was consistent was that they were using the same 4 usernames that weren’t associated with any user on the site, plus quite a few of our users that did exist. The IPs were pretty random.

Quickly, I jumped into action. Here were the steps:

  • Immediately enabled the login lockdown: 3 failed attempts within 3 min and they were locked out for 60 min. This did slow them down a little bit.
  • I tried to figure out an IP commonality so I could blacklist a range. There was none.
  • If they used any of the 4 usernames that didn’t actually exist on the website, they were immediately blocked for 60 min.
  • Changed the login URL to something less generic.
  • Enabled the Captcha and Honeypot that are both part of the plugin. This, surprisingly, didn’t do anything.
  • After a day of getting nowhere, I invoked what I thought was the ultimate solution and enabled IP blocking so that anyone not on our company’s VPN has NO access to the login page.

You would think that that last one would have done the trick. I mean if they aren’t in our IP, they can’t login, right? Right!?

Nope.

That database table was still filling up. I was completely and utterly at the end of my rope. I created a support ticket with the plugin and asked if there was anything I could do. They responded (I was grateful just because you never know if they will or not) that in the Firewall section there was a tab about XMLRPC and disabling it. I had never heard of it and had to google it. Apparently it was used a LONG time ago for people to write blog posts before mobile browsing was a thing and “before WordPress became WordPress”. It’s still a thing, but hackers use it to hammer and DDoS a site, so they recommend disabling it.

And that was it! Once I disabled it, the attempts stopped. The catch is that xmlrpc.php accepts a username and password on its own, so it is a second login endpoint that none of the login-page lockdowns, the renamed login URL, or the VPN-only IP block ever touched. I couldn’t believe they had a backdoor like that. Dang. My head was gonna explode.
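To make that gap visible in your own access logs, here is a small Python script added for this post (it is not from the original post or from the All In One WP Security plugin). It counts POST requests to the two credential-accepting endpoints, wp-login.php and xmlrpc.php, per source IP, and flags sources outside a VPN allowlist. The VPN range 10.8.0.0/24 and the log lines are constructed sample values, not real traffic; a failed xmlrpc.php login still returns HTTP 200 (the error is inside the XML body), which is why the script keys on method and path rather than status code.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed company VPN range; replace with the real one.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:00:08 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2023:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
10.8.0.5 - - [10/Mar/2023:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Both paths accept WordPress credentials. Restricting only the login URL
# leaves xmlrpc.php open, which is the gap described in the post.
AUTH_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line: str):
    """Return (ip, method, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])


def in_allowlist(ip: str, ranges=VPN_RANGES) -> bool:
    """True when the source address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def auth_posts_by_ip(log_text: str) -> dict:
    """Count POSTs to each credential-accepting endpoint, per source IP.
    Returns {ip: {path: count}}; GETs and non-auth paths are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, _status = parsed
        if method == "POST" and path in AUTH_ENDPOINTS:
            counts[ip][path] += 1
    return {ip: dict(paths) for ip, paths in counts.items()}


def outside_allowlist(log_text: str, threshold: int = 3, ranges=VPN_RANGES) -> dict:
    """Flag non-VPN IPs that POST to any auth endpoint at least `threshold`
    times, reporting which endpoint they used so xmlrpc-only sources stand out."""
    flagged = {}
    for ip, paths in auth_posts_by_ip(log_text).items():
        if in_allowlist(ip, ranges):
            continue
        for path, n in paths.items():
            if n >= threshold:
                flagged.setdefault(ip, {})[path] = n
    return flagged


if __name__ == "__main__":
    # With the sample data, only the xmlrpc.php source crosses the threshold,
    # even though it never touched the login page at all.
    for ip, paths in outside_allowlist(SAMPLE_LOG).items():
        print(ip, paths)
```

Point it at a real log with `outside_allowlist(open("access.log").read())`; the default threshold of 3 mirrors the lockdown rule from the plugin, though it counts over the whole file rather than a 3-minute window. Once XML-RPC is disabled the xmlrpc.php column should drop to zero, which is a quick way to confirm the change actually took effect.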

Anywho, All In One WP Security & Firewall is a great plugin for anyone worried about the basic WordPress security exploits. It is kind of a maze to navigate, but it gives you everything you need to lock down your website without having to do a bunch of SSH work.

Hopefully this helps someone out. All I know is I’m tired, but I WON!!!