My Brand New WordPress Site with No Visitors is Attacked by Bots Within Days :(


This is my first WordPress website. Created it literally this week, hosted on NearlyFreeSpeech.net, and known by absolutely nobody... except for my registrar and Google because I added it to the search console. To my utter surprise, someone is knocking at my wp-login.php door, and at xmlrpc.php, which honestly I wouldn't even have noticed if it wasn't for the fact that the website burned through 10 whole cents of a dollar in a day (440 RAUs in NFSN terms) even though I'm the only one who knows about it.

Those two PHP scripts were being spammed every second. I don't know a lot about WordPress internals, I wanted my own website to post on it and I chose WordPress because it felt like the safest choice—everyone uses WordPress, right?—but I'm pretty sure there's no legitimate reason for all this spamming. According to the Apache logs, that IP ain't mine, so whose is it? Where did it come from? Why is it doing all this? What is it trying to gain?
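As an added example (not part of the original post), here is a small Python script that reads Apache combined-format log lines and flags any client address that hits wp-login.php or xmlrpc.php more often than a threshold within a time window, which is the pattern described above. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, e.g.
# 203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints present at a well-known path on every WordPress install.
WATCHED = {"/wp-login.php", "/xmlrpc.php"}

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?")[0], int(m["status"])

def find_hammering_ips(lines, max_hits=10, window_seconds=60):
    """Map IP -> total watched-endpoint hits, for IPs exceeding max_hits in any window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in WATCHED:
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        lo = 0  # sliding window over sorted timestamps
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 > max_hits:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: one address alternating POSTs to both endpoints every second,
# one ordinary visitor, and one malformed line that the parser must skip.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'
    for s in range(0, 30, 2)
] + [
    f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"'
    for s in range(1, 30, 2)
] + [
    '198.51.100.4 - - [12/Mar/2024:10:15:05 +0000] "GET /index.php HTTP/1.1" 200 15211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2024:10:16:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    print(find_hammering_ips(SAMPLE_LOG))
```

Pointing the script at a real access log (one line per list entry) gives the addresses worth rate-limiting or blocking at the web server; the thresholds are a starting point, not a rule.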

The answer is probably bots.

I have no idea how it works exactly, I can only imagine. Probably, what happens is that someone out there has a bot set up to check when a new domain name is registered. This information is probably public, although I have never checked. So let's say it just keeps checking until a new website appears.

Then, it tries to hack WordPress. Why hack WordPress, specifically? Because everyone uses WordPress. I heard a statistic that around 40% of the web runs on WordPress. So even if you try all domain names randomly, 40% of the time, almost once every two times, you will find a WordPress website. Well, probably not, but you would find one pretty often.

In a WordPress installation, all script files sit in the public directory under well-known names. This means anyone can try a random username and password at the wp-login.php script, or force the execution of any other WordPress script, including those in wp-admin.

Naturally, WordPress knows this, so most scripts don't have any side-effects: simply executing the script will do nothing, and only index.php does something, but having the PHP interpreter load the script still consumes resources and it's still worrying that these can be executed at all, to be honest. I wish they put it into a private folder, but I guess that would complicate the installation process which is WordPress' strongest point.

Will the bot be able to brute force my password? I'd be amazed if it could, because I don't know my password myself. It was randomly generated. It's probably just trying common passwords like admin and password, or 123456, or abcdef.

In other words, the bot can't hack a WordPress installation that has the bare minimum of security behind it, but there are so many insecure WordPress installations out there that it's profitable for hackers to create malicious bots like this.

On top of that, although WordPress itself may be well-made, the same can't be said about plugins, themes, or custom modifications made by the site owner. If a plugin has a vulnerability a hacker can exploit, and there's a list of all WordPress websites, bots can just try to exploit that plugin on every WordPress website they know, and even if they can't exploit all of them, they'll be able to exploit some of them. For someone with a WordPress website, that means I'll have to keep dealing with bots trying to exploit plugins and vulnerabilities that I don't even have, which is kind of a huge inconvenience.

I had heard stories that WordPress websites often get hacked with this sort of spray and pray approach, but I didn't think it would be so bad that I'd have to start worrying about it after I made only a handful of posts and didn't even figure out how to make my own WordPress theme yet.

For what it's worth, I followed NearlyFreeSpeech.net's advice on how to install WordPress securely. Hopefully, that's all I need to do and it keeps me and my site safe. But it was still a nasty welcome surprise to have.
