
Security Alert: WordPress Multi Site Hacker

Please be aware that the IP addresses listed below are being used to hack into WordPress Multi Sites. The person or bot behind the hacks adds a user as a site admin, then changes the network’s settings to permit site and user registrations.

One of my mostly up to date and secure WordPress MS blogs was recently hacked. I advise all WordPress MS users to update their sites and to block the following IP addresses from accessing them:

  • 173.208.43.154
  • 173.208.43.57
  • 173.234.59.245
  • 173.234.232.113

The IPs may be blocked by adding the following lines (Apache 2.2 mod_access syntax) to your .htaccess file:

order allow,deny
deny from 173.208.43.154
deny from 173.208.43.57
deny from 173.234.59.245
deny from 173.234.232.113
allow from all

Alternatively, the whole ranges 173.208.0.0 to 173.208.255.255 and 173.234.0.0 to 173.234.255.255 (173.208.0.0/16 and 173.234.0.0/16) may be blocked with:

order allow,deny
deny from 173.208.
deny from 173.234.
allow from all

Be careful when blocking an IP range instead of specific IP addresses: you will very likely also block harmless traffic.

It is also possible that the IP addresses being used belong to hacked computers, so you might want to unblock them eventually.
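As an added check (example code, not part of the original alert), the script below reviews Apache combined-format access log lines for any hit from the four listed addresses and for POST requests to the multisite network settings and user creation pages, which is where the admin user and the registration change described above would be made. The sample log lines are constructed, and the endpoint paths assume a standard WordPress layout.

```python
import re

# The four addresses named in the alert above.
LISTED_IPS = {"173.208.43.154", "173.208.43.57",
              "173.234.59.245", "173.234.232.113"}

# Multisite admin pages used to open registration and to add users
# (assumed standard WordPress paths).
SENSITIVE_POSTS = ("/wp-admin/network/settings.php",
                   "/wp-admin/network/users.php",
                   "/wp-admin/network/user-new.php",
                   "/wp-admin/user-new.php")

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (dates and non-listed addresses are made up).
SAMPLE_LOG = """\
173.208.43.154 - - [10/Mar/2011:03:12:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
173.208.43.154 - - [10/Mar/2011:03:12:44 +0000] "POST /wp-admin/network/settings.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2011:03:15:02 +0000] "GET /2011/03/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2011:04:01:10 +0000] "POST /wp-admin/network/user-new.php?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def review_log(lines):
    """Return (ip, reason, method, path) tuples for suspicious requests.

    A line can produce two findings: one for a listed source address and
    one for a POST to a network-admin page from any address.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if ip in LISTED_IPS:
            findings.append((ip, "listed-ip", method, path))
        if method == "POST" and path in SENSITIVE_POSTS:
            findings.append((ip, "network-admin-post", method, path))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

Run it against your real log with `review_log(open("access.log"))`; a "network-admin-post" from an address that is not yours deserves the same attention as a hit from the listed IPs.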

Further Advice

If you have been hacked and re-installing the site is not an option, then I suggest you install the following two plugins and scan all of your sites for exploits and viruses:

Remember to remove unknown admins, to delete the sites installed by the hacker(s) and to delete associated usernames.

A Few Final Details

The new admin name was johnnywhy.

The new admin’s email address was johnywhy@gmail.com.

The table below lists the subdomain sites registered by the hacker’s accounts and the remote IP address each registration came from.

Hacker’s Created Account Details

Username        Site Name                 Subdomain               Remote IP
--------------  ------------------------  ----------------------  ---------------
joshuakinslow   Fox Steep                 foxsteep                173.234.59.245
jamelturner     Pink Tungsten             pinktungsten            173.208.43.154
stevenjohnson   Appropriate New Pottery   appropriatenewpottery   173.234.232.113
williamcaylor   Aggressive Windshield     aggressivewindshield    173.208.43.57

If you have more information about the hacking method being used, or about the usernames, site names, subdomains and IP addresses involved, then please add it to the comments or send me a private message.

If you suspect your WordPress blog has been hacked, you might also want to read the WordPress FAQ “My Site was Hacked”.

Comments

  1. Hey thanks for being one of the first to see this WP multi-site hack.
    I will install the IP range block and then come back to see where the ranges cover.

    Could this be due to wrong permissions on the wp-config ?

    Cheers,
    Lee Shelton

    • Oops!

      It’s a possibility it was through the site’s wp-config permission settings. I’d left them at 750. Have just changed it to 400. Even so, the file was protected by htaccess with

      order allow,deny
      deny from all

      .htaccess was similarly protected.

      I’d like to know how the hack was done. Thinking back, the user’s registration date wasn’t new so either it had been planned for a long time or the user’s status was elevated to Admin by the hacker/bot or the registration date was a fiction created at the same time as the user. As there are only two registered users for the site and I created them both, I suspect the latter to be true.

      Thanks for your reply, Lee

  2. nice one..keep posting..thank you..

  3. A well-written and organized article. I just love the way you wrote it.

  4. This will be an excellent website, will you be involved in doing an interview about just how you developed it?

  5. I enjoyed what you have shared. Nice job man!
