How a WordPress Site Was Hacked in 38 Seconds

Written on . Posted in Logtivity Tutorials.

Over the last two or three years, we’ve seen hacking attacks on WordPress sites become bigger, faster, and more effective. This month, we saw the impact of one of those attacks. One WordPress site was hacked while Logtivity was installed. This gave us detailed information on exactly what the hacker did.

The hack we saw seems to have been a result of the issues outlined in this post: “1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours“.

This screenshot below shows the hacker’s actions. In 38 seconds they were able to go through all the steps needed to hack this site:

  • 1 second: Create an administrator user.
  • 22 seconds: Upload a plugin file as an attachment.
  • 28 seconds: Upload another attachment.
  • 34 seconds: Activate the new plugin.
  • 38 seconds: Modify the site’s theme files.

The IP address in this incident is one that’s often used by hackers. Fortunately, Logtivity was able to keep a careful record of their activity. For example, the entry for “Theme File Edited” also records which file was changed.

Interestingly, the hacker returned two days later. They logged in using the same account as before, and then followed the similar steps:

  • 1 second: Log in using the administrator account.
  • 14 seconds: Upload a new plugin file as an attachment.
  • 15 seconds: Update the previous malicious plugin.
  • 31 seconds: Upload another attachment.
  • 40 seconds: Modify the site’s theme files.

This time the whole process took two seconds longer. In 40 seconds, the hacker logged in, uploaded the files, and modified the theme.

All of this activity lines up with the details described in the original Wordfence article. The hackers were able to access the site by changing the default user role to “Administrator”, and then creating a new account. From there, they were able to upload files and modify themes.

How can Logtivity help with these hacks?

Logtivity is not a dedicated security plugin. It won’t fully replace Wordfence, Jetpack, Malcare, or any of the other services that constantly detect and block threats. And it won’t protect against DDoS attacks as do services such as Cloudflare.

However, hackers are so fast and effective that it takes a suite of tools to protect your sites. Logtivity has two essential tools that can work alongside security and DDoS services.

  • Instant notifications: Logtivity can send you instant email and Slack notifications whenever anything suspicious happens. You can get notified when administrator users are created, plugins are installed, theme files are edited, and much more.
  • Off-site log storage: Traditional activity log plugins store their data on your site. So if hackers do access your site, it’s easy for them to remove activity log plugins and delete any evidence. With Logtivity, as soon as the hacker makes changes, the evidence is sent off-site and stored safely on our servers.