WordPress Site hacked - High User ID

A WordPress site of mine was hacked twice in the last two days. I am trying to find out where the vulnerability might be.

WordPress is on version 5.8.1 and Pro is on 5.0.8.

The attackers managed to create an administrator user and add content to the home page.

What I noticed: the newly created user has a very high user ID in the database. Currently there are 347 users in the user table, but the newly created user has an ID of 9952! Also, the AUTO_INCREMENT value in the database is at this high value.

To me it doesn’t look like normal WordPress functions are used here to create the user, otherwise it would have to be number 348 normally, am I right?
The site is still under development and the “under construction plugin” with the password bypass is enabled, so there is actually little attack surface for an SQL injection. I have already asked the wordpress.org support forum about this and they also think that it could be an SQL injection.

So there is only the /wp-admin login and the bypass password field. Could the password field somehow be vulnerable to SQL injection?
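
An added example, not part of the original thread or of WordPress itself: a read-only audit for the observation in the post above, listing administrator accounts that are not on an allowlist together with the jump in ID before each one. It assumes the default `wp_` table prefix; the rows, login names and the `known_admins` allowlist are constructed, and SQLite stands in for the site's MySQL database so the query runs offline.

```python
import sqlite3

# Constructed rows mimicking wp_users / wp_usermeta (default "wp_" prefix
# assumed). Not data from the affected site.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""
ADMIN = 'a:1:{s:13:"administrator";b:1;}'
SUBSCRIBER = 'a:1:{s:10:"subscriber";b:1;}'
USERS = [
    (1, "siteowner", "2021-03-01 09:00:00", ADMIN),
    (346, "editor_jane", "2021-09-20 14:12:00", SUBSCRIBER),
    (347, "customer_bob", "2021-10-02 08:30:00", SUBSCRIBER),
    (9952, "wpsupport", "2021-10-14 03:17:00", ADMIN),
]

# Plain SQL that also runs on MySQL/MariaDB: every administrator account,
# with the distance to the closest lower ID so a jump in the sequence shows.
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_registered,
       u.ID - COALESCE((SELECT MAX(p.ID) FROM wp_users p WHERE p.ID < u.ID), 0) AS id_gap
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

def audit_admins(conn, known_admins, max_gap=100):
    """Return admin accounts missing from the allowlist, flagging large ID jumps."""
    findings = []
    for uid, login, registered, gap in conn.execute(AUDIT_SQL):
        if login in known_admins:
            continue
        findings.append({"id": uid, "login": login, "registered": registered,
                         "id_gap": gap, "id_jump": gap > max_gap})
    return findings

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for uid, login, reg, caps in USERS:
        conn.execute("INSERT INTO wp_users VALUES (?,?,?)", (uid, login, reg))
        conn.execute("INSERT INTO wp_usermeta VALUES (?,?,?)", (uid, "wp_capabilities", caps))
    return conn

if __name__ == "__main__":
    for row in audit_admins(build_sample_db(), known_admins={"siteowner"}):
        print(row)
```

A large jump only shows that the counter advanced: AUTO_INCREMENT is not rewound when rows are deleted, so compare `user_registered` for a flagged account against the web server access log for the same time window.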

Hello @Regnalf,

Thanks for writing in! Sorry to hear about the hacking incident on your site. Please be advised that the theme does not manipulate any of the login or user data. It may have come from a 3rd party plugin or that they must have gained access to your site’s database which then enables them to add a user account for your WordPress-powered site. You may need to contact your hosting provider as they may have more information about the incident. A worm or infected file could be residing on the server which may also be the cause why they were able to create a user account.

Best Regards.

Ok, thanks, I just want to consider all possibilities.

You’re welcome.

Hi Regnalf, I recommend the plugin iThemes Security Pro. Please be sure to pay attention with the DSGVO Cookie Plugin.
Patric

Hi @Brainfire,

Thanks for sharing your idea, we really appreciate it.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.