How a fishing guide's WordPress site became home to half a million fraudulent pages


Originally published at:


What, no outrageous “phishing” pun?


Eric doesn’t sell anything on his site. It consists of posts about fishing and a phone number to book trips. No hacker would bother with a site like that, right?

Wrong. There are bots trying every IP address, and when they get a web server, try every WordPress exploit that they can. Even if you’re not running WordPress.



An easy first step is to make a custom URL for your WordPress admin log-in page.


It doesn’t help if your FTP password is password.


But Weebly’s safe, right?


Unfortunately bots are aggressively using XMLRPC and more recently WP-REST exploits rather than brute-forcing the login screen. I recommend the WordPress Plugin WordFence (free or Pro) and asking hosting providers to configure fail2ban on their WordPress hosting servers :slight_smile:
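As an added example (not code from this thread, and not Wordfence's or fail2ban's own implementation), here is the kind of counting a fail2ban filter does on a WordPress host: it reads Apache combined-format access log lines, classifies requests against `xmlrpc.php`, `wp-login.php` and the REST users endpoint, and flags any client IP that produces at least `threshold` such requests inside a sliding time `window`. The log lines are constructed for the example and use documentation IP ranges; the heuristics for what counts as a failed attempt are assumptions about default WordPress behaviour and are stated in the comments.

```python
"""Flag IPs hammering WordPress authentication endpoints in an Apache access log.

Added example, not code from the discussion above: a minimal version of the
"N hits in a window" counting that fail2ban or Wordfence would do.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:10 +0000] "GET /2023/09/fall-trout-report/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:01:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 931 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # ignore query strings
    return d


def classify(ev):
    """Name the abuse pattern an event matches, or None for ordinary traffic.

    Heuristics (assumptions about default WordPress behaviour):
      - POST /wp-login.php answered with 200 means the login form was re-rendered,
        i.e. a failed attempt; a 302 is the redirect after success, so it is ignored.
      - POST /xmlrpc.php returns 200 whether or not the credentials inside the XML
        body were right, so every POST to it counts.
      - GET /wp-json/wp/v2/users is user enumeration through the REST API.
    """
    if ev["method"] == "POST" and ev["path"] == "/wp-login.php" and ev["status"] == 200:
        return "wp-login failure"
    if ev["method"] == "POST" and ev["path"] == "/xmlrpc.php":
        return "xmlrpc POST"
    if ev["path"].startswith("/wp-json/wp/v2/users"):
        return "REST user enumeration"
    return None


def find_offenders(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for IPs with >= threshold suspicious events in any window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and classify(ev):
            times[ev["ip"]].append(ev["ts"])
    offenders = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        peak = 0
        for end, t in enumerate(ts):  # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, n in sorted(find_offenders(SAMPLE_LOG).items()):
        print(f"{ip}: {n} suspicious requests within one minute")
```

On the sample, the XML-RPC burst from `203.0.113.7` and the enumerate-then-guess sequence from `192.0.2.44` are both flagged, while the single successful login from `198.51.100.9` is not. `threshold` and `window` play the same roles as fail2ban's `maxretry` and `findtime`; the point of running something like this by hand first is to pick values that catch the bots without banning an editor who mistyped a password twice.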


Yeah, Wordfence seems to be working well for me. One of our websites ended up hosting a load of casino pages. Luckily we were retiring it anyway so it didn’t matter too much. Wordfence has kept everything else secure so far, touch wood.


But “passw0rd” is still good, right?


Any site that uses a dynamic CMS like WordPress, Drupal, Joomla, etc., requires frequent maintenance by an expert. Just because it looks like a simple brochure doesn’t mean that it’s as safe as a piece of paper. If it has a dynamic underlying application, it will have vulnerabilities waiting to be found. The commonly used ones will certainly be hit. Custom-built systems are more likely to have vulnerabilities, but they are less likely to be found and shared in the wild (since they only affect one site instead of millions). But of course, a maintainer familiar with the system will be rare.

These systems are sold as an ‘easier’ and ‘cheaper’ solution, allowing people to edit their own content without having to hire someone to maintain the site, to people who would often be better off with a static site anyway. Unfortunately, static site generators are still almost all geared toward techies and not site owners.


Another solution? Block access to any PHP you aren’t directly using, and use a 2FA plugin. This, auto-updates, and Jetpack’s security plugin will virtually eliminate incursion attempts.

Ask me how I know :wink:

