Security Alert: WordPress Multi Site Hacker

Please be aware that the IP addresses listed below are being used to hack into WordPress Multi Sites. The person or bot behind the hacks adds an admin user to the site, then changes the network's settings to permit site and user registrations.

One of my mostly up to date and secure WordPress MS blogs was recently hacked. I advise all WordPress MS users to update their sites and to block the following IP addresses from accessing them:

  • 173.208.43.154
  • 173.208.43.57
  • 173.234.59.245
  • 173.234.232.113

The IPs may be blocked by adding the following lines to your .htaccess file:

order allow,deny
deny from 173.208.43.154
deny from 173.208.43.57
deny from 173.234.59.245
deny from 173.234.232.113
allow from all

Alternatively, the ranges 173.208.0.0 to 173.208.255.255 and 173.234.0.0 to 173.234.255.255 may be blocked with:

order allow,deny
deny from 173.208.
deny from 173.234.
allow from all

Be careful when blocking an IP range instead of specific IP addresses because you will likely also block harmless traffic.

It is possible that the IP addresses being used belong to hacked computers so you might want to unblock them eventually.
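Before choosing between the two rule sets, it helps to see what each one would deny. The following is an added example, not code from the original post: it checks Apache access-log lines against the four listed addresses and the two ranges, and separates out requests that only the broad range rule would block. The log lines are constructed samples, and the combined log format is an assumption.

```python
import ipaddress
import re

# The four addresses from the post, and the two ranges its second rule set
# denies (173.208.0.0-173.208.255.255 and 173.234.0.0-173.234.255.255).
LISTED_IPS = {ipaddress.ip_address(a) for a in (
    "173.208.43.154", "173.208.43.57", "173.234.59.245", "173.234.232.113")}
LISTED_RANGES = [ipaddress.ip_network("173.208.0.0/16"),
                 ipaddress.ip_network("173.234.0.0/16")]

# Assumed Apache common/combined log format: client, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(line):
    """Return (ip, method, path, verdict), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:  # hostname or garbage in the client field
        return None
    if ip in LISTED_IPS:
        verdict = "listed"        # denied by both rule sets
    elif any(ip in net for net in LISTED_RANGES):
        verdict = "range-only"    # denied only by the broad range rule
    else:
        verdict = "clear"
    return str(ip), m.group(2), m.group(3), verdict

def summarize(lines):
    """Group parsed requests as (ip, method, path) tuples by verdict."""
    out = {"listed": [], "range-only": [], "clear": []}
    for line in lines:
        hit = classify(line)
        if hit:
            out[hit[3]].append(hit[:3])
    return out

# Constructed sample log lines (not taken from the post).
SAMPLE_LOG = [
    '173.234.59.245 - - [01/Jan/2011:10:00:01 +0000] "POST /wp-signup.php HTTP/1.1" 200 512',
    '173.208.43.154 - - [01/Jan/2011:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '173.208.7.20 - - [01/Jan/2011:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Jan/2011:10:02:00 +0000] "GET / HTTP/1.1" 200 2048',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for verdict, hits in summarize(SAMPLE_LOG).items():
        print(verdict, hits)
```

Entries under "range-only" are visitors the four-address rule would let through but the range rule would turn away, which is the collateral blocking to weigh before using the ranges.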

Further Advice

If you have been hacked and site re-installation is not an option then I suggest you install the following two plugins and perform scans of all your sites for exploits and viruses:

Remember to remove unknown admins, to delete the sites installed by the hacker(s) and to delete associated usernames.

A Few Final Details

The new admin name was johnnywhy.

The new admin’s email address was johnywhy@gmail.com

The table below lists the subdomain sites registered by each user and the IP address each registration came from.

Hacker’s Created Account Details

| Username | Site Name | Subdomain | Remote IP |
| --- | --- | --- | --- |
| joshuakinslow | Fox Steep | foxsteep | 173.234.59.245 |
| jamelturner | Pink Tungsten | pinktungsten | 173.208.43.154 |
| stevenjohnson | Appropriate New Pottery | appropriatenewpottery | 173.234.232.113 |
| williamcaylor | Aggressive Windshield | aggressivewindshield | 173.208.43.57 |

If you have more information about the hacking method being used or the usernames, site names, subdomains and IP addresses being used then please add them to the comments or send me a private message.

If you suspect your WordPress blog has been hacked, you might also want to read the WordPress FAQ "My Site was Hacked".


Hey thanks for being one of the first to see this WP multi-site hack.
I will install the IP range block and then come back to see where the ranges cover.

Could this be due to wrong permissions on the wp-config?

Cheers,
Lee Shelton

nice one..keep posting..thank you..

A well-written and organized article. I just love the way you wrote it.

This will be an excellent website, will you be involved in doing an interview about just how you developed it?

I enjoyed what you have shared. Nice job man!

how can i download it