Please be aware that the IP addresses listed below are being used to hack into WordPress Multi Sites. The person or bot behind the hacks adds a user to the site’s admin then changes the network’s setting to permit site and user registrations.
One of my mostly up to date and secure WordPress MS blogs was recently hacked. I advise all WordPress MS users to update their sites and to block the following IP addresses from accessing them:
The IPs may be blocked by adding the following lines to your .htaccess file:
order allow,deny deny from 220.127.116.11 deny from 18.104.22.168 deny from 22.214.171.124 deny from 126.96.36.199 allow from all
or ranges 188.8.131.52 to 184.108.40.206 and 220.127.116.11 to 18.104.22.168 may be blocked with
order allow,deny deny from 173.208. deny from 173.234. allow from all
Be careful when blocking an IP range instead of specific IP addresses because you will likely also block harmless traffic.
It is possible that the IP addresses being used belong to hacked computers so you might want to unblock them eventually.
If you have been hacked and site re-installation is not an option then I suggest you install the following two plugins and perform scans of all your sites for exploits and viruses:
Remember to remove unknown admins, to delete the sites installed by the hacker(s) and to delete associated usernames.
A Few Final Details
The new admin name was johnnywhy.
The new admin’s email address was firstname.lastname@example.org
Read the table below to view subdomain sites registered by the listed users from the stated IP address.
|Username||Site Name||Subdomain||Remote IP|
|stevenjohnson||Appropriate New Pottery||appropriatenewpottery||22.214.171.124|
If you have more information about the hacking method being used or the usernames, site names, subdomains and IP addresses being used then please add them to the comments or send me a private message.
If you suspect your WordPress blog has been hacked you might also want to read the WordPress FAQ My Site was Hacked.