Please be aware that the IP addresses listed below are being used to hack into WordPress Multi Sites. The person or bot behind the hacks adds an admin user to the site, then changes the network’s settings to permit site and user registrations.
One of my mostly up to date and secure WordPress MS blogs was recently hacked. I advise all WordPress MS users to update their sites and to block the following IP addresses from accessing them:
- 173.208.43.154
- 173.208.43.57
- 173.234.59.245
- 173.234.232.113
The IPs may be blocked by adding the following lines to your .htaccess file:
    order allow,deny
    deny from 173.208.43.154
    deny from 173.208.43.57
    deny from 173.234.59.245
    deny from 173.234.232.113
    allow from all
Alternatively, the ranges 173.208.0.0 to 173.208.255.255 and 173.234.0.0 to 173.234.255.255 may be blocked with:
    order allow,deny
    deny from 173.208.
    deny from 173.234.
    allow from all
Be careful when blocking an IP range instead of specific IP addresses because you will likely also block harmless traffic.
It is possible that the IP addresses being used belong to hacked computers so you might want to unblock them eventually.
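Before choosing between the two rule sets, it helps to measure the trade-off on your own access log. The following is an added example, not part of the original post: it counts requests from the four listed addresses and, separately, from other clients that only the broad range rules would block. The log lines are constructed sample data, and the script assumes the client address is the first field of each line (Apache common/combined log format).

```python
import ipaddress
import re
from collections import Counter

# Addresses and ranges taken from the post above.
LISTED = {ipaddress.ip_address(a) for a in (
    "173.208.43.154", "173.208.43.57", "173.234.59.245", "173.234.232.113")}
RANGES = [ipaddress.ip_network("173.208.0.0/16"),
          ipaddress.ip_network("173.234.0.0/16")]

FIRST_FIELD = re.compile(r"^(\S+)\s")  # assumption: client IP is field one

def classify(field):
    """Return 'listed', 'range_only', 'other', or None if not an IP address."""
    try:
        ip = ipaddress.ip_address(field)
    except ValueError:
        return None                    # hostname or malformed field
    if ip in LISTED:
        return "listed"
    if any(ip in net for net in RANGES):
        return "range_only"            # caught only by the broad range rule
    return "other"

def summarize(lines):
    """Count requests per class and collect distinct range_only clients."""
    hits, collateral = Counter(), set()
    for line in lines:
        m = FIRST_FIELD.match(line)
        kind = classify(m.group(1)) if m else None
        if kind is None:
            continue
        hits[kind] += 1
        if kind == "range_only":
            collateral.add(m.group(1))
    return hits, sorted(collateral)

# Constructed sample log lines (timestamps and requests are made up).
SAMPLE_LOG = [
    '173.208.43.154 - - [01/Jan/2000:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '173.208.10.20 - - [01/Jan/2000:10:00:05 +0000] "GET / HTTP/1.1" 200 512',
    '173.234.59.245 - - [01/Jan/2000:10:01:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2000:10:02:00 +0000] "GET / HTTP/1.1" 200 512',
    '173.208.10.20 - - [01/Jan/2000:10:03:00 +0000] "GET / HTTP/1.1" 200 512',
    '173.234.1.1 - - [01/Jan/2000:10:04:00 +0000] "GET / HTTP/1.1" 200 512',
    'malformed line without an address',
]

if __name__ == "__main__":
    hits, collateral = summarize(SAMPLE_LOG)
    print(dict(hits))
    print("clients only the range rules would block:", collateral)
```

A large `range_only` count from clients that look like ordinary visitors is a reason to prefer the four specific `deny from` lines over the range rules.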
Further Advice
If you have been hacked and site re-installation is not an option then I suggest you install the following two plugins and perform scans of all your sites for exploits and viruses:
Remember to remove unknown admins, to delete the sites installed by the hacker(s) and to delete associated usernames.
A Few Final Details
The new admin name was johnnywhy.
The new admin’s email address was johnywhy@gmail.com
Read the table below to view subdomain sites registered by the listed users from the stated IP address.
Username | Site Name | Subdomain | Remote IP |
joshuakinslow | Fox Steep | foxsteep | 173.234.59.245 |
jamelturner | Pink Tungsten | pinktungsten | 173.208.43.154 |
stevenjohnson | Appropriate New Pottery | appropriatenewpottery | 173.234.232.113 |
williamcaylor | Aggressive Windshield | aggressivewindshield | 173.208.43.57 |
If you have more information about the hacking method being used or the usernames, site names, subdomains and IP addresses being used then please add them to the comments or send me a private message.
If you suspect your WordPress blog has been hacked you might also want to read the WordPress FAQ My Site was Hacked.