WordPress is the most popular open-source CMS in the world, which makes it a massive target. For bad actors it makes sense to invest in understanding the platform, especially its weaknesses and features. This article builds on research we’re doing via honeypots to quantify the tactics, techniques, and procedures (TTPs) used by bad actors in 2022.
This also builds on earlier analysis of a hacked web server (part 1 and part 2) and our article on XML-RPC & WP-JSON.
Updated: 2022-08-24 — Series index:
- Part 1: How WordPress Gets Hacked in 2022 - Initial Reconnaissance
- Part 2: What Hackers Do with WordPress in 2022 - Post Hack Analysis
- Part 3: Analyzing 17,000 Spam Links on a Hacked WordPress Site
- Part 4: Hijacking a Website’s SERP Results with SEO SPAM
- Part 5: Navigating 81 Layers of Encoding to Reveal the C&C
Creating a Control Environment
The key to any research is a solid control environment: one we can monitor closely, but that presents no danger to production. Here’s what we configured:
Name | Description |
---|---|
Date Created | 07/22/2022 |
Time Created | 14:24 |
Time Zone | UTC |
Host | Cloud Provided VPS (Not GCE, AWS) |
Tech Stack | Linux, Apache, MariaDB, PHP |
Application Stack | WordPress |
Application Security | Let’s Encrypt SSL only |
Server Security | None |
Logging | Trunc |
Other Scripts | Custom script to intercept all requests and record POST payloads. |
Two things to note: 1) logs are shipped to a third-party for integrity/availability; 2) we record POST bodies so we know exactly what was sent.
Time to First Contact
The server was created July 22 (14:24 UTC). ~11 hours later the first “bad actor” hits:
```
2022-07-23 03:28:25 - 199.15.251.34 [] /wp-login.php ...
2022-07-23 03:28:26 - 199.15.251.34 [] /?author=1 ...
2022-07-23 03:28:27 - 199.15.251.34 [] /author/administrator/ ...
2022-07-23 03:28:29 - 199.15.251.34 [] /wp-json/wp/v2/users/ ...
2022-07-23 03:28:30 - 199.15.251.34 [] /?author=2 ...
```
They’re enumerating users via `?author=` and `/wp-json/wp/v2/users/`. The latter hands back the account list directly:

```json
[{"id":1,"name":"administrator",...,"slug":"administrator",...}]
```
Between July 22–27 we saw 16 requests to `/wp-json/wp/v2/users/` from 10 IPs (Azure, Hetzner, Oracle, etc.). Brute forcing began soon after via XML-RPC and then `wp-login.php`, with common password patterns (“admin”, “password”, variations like “pa55w0rd”, etc.).
What Initial Recon Tells Us
Access remains the top vector. Compared to 2014–2016 shotgun vuln scans, we saw heavier focus on credentials. At minimum, consider blocking the JSON API and XML-RPC by default (allowlisting where needed):
```apache
# Deny xmlrpc.php to everyone except an allowlisted address.
# (Apache 2.2 syntax; on 2.4 it needs mod_access_compat, or use Require.)
<Files xmlrpc.php>
  order deny,allow
  deny from all
  allow from xxx.xxx.xxx.xxx
</Files>

# Block requests to /wp-json/wp/
# Assumes RewriteEngine On, which the standard WordPress .htaccess already sets.
# Note: this also blocks the REST calls the block editor makes for logged-in
# users, so allowlist trusted addresses or paths where that matters.
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC]
RewriteRule ^(.*)$ - [F]
```