
Newbie question: wordpress attack, but cPanel shows ALL activity from my webhost's ip address?

Comments

6 comments

  • quizknows
    Are you behind a load balancer? Regardless, you really need to open a ticket with your hosting provider; they may have a compromised machine, or your own server may be hacked and being used to try to log in to your own sites. For example, if another website on the server is hacked and used to attempt logins to other sites, the server will see the attempts from its own IP address. Again, open a ticket with your web host, or consult a security professional.
    0
  • wilsonca
    Thanks for the reply. I opened up a ticket yesterday, but haven't heard back. For now, I've denied access to all (via my .htaccess file) to my WordPress login PHP file. But who knows what else may be happening... In the meantime, is there anything else I should do? Change permissions on files/folders? Change my .htaccess in some other way?
    0
  • quizknows
    Assuming you have root access, I would check the process list (ps faux) for any strange processes running as "nobody" (the apache user) or your cPanel username. Sad your hosting company hasn't replied yet. I'd recommend a different one but it's probably against forum rules. I would also recommend you run a quick clamscan or maldet scan, i.e. clamscan -ir /home/*/public_html
    Edit: also, there have been a ton of indiscriminate WP brute force attacks going on lately; it could also just be that you're seeing this and nobody is targeting you specifically. Still, I'd be hounding your host to look into it since it looks like one of their IP addresses.
    0
  • cPanelMichael
    Hello :) Do you have root access to this system? If not, I recommend consulting with your web hosting provider to see what additional steps they can take to assist you with this problem. Thank you.
    0
  • SageBrian
    WordPress and Joomla sites are getting very, very big brute force attacks lately. The bots are looking to take advantage of all the users of Joomla and WordPress that don't bother upgrading their versions.
    0
  • wilsonca
    SOLVED, sort of. I was using WordFence, and there's an option that allows me to change how WordFence is reading the IP address when behind a reverse proxy. I changed it so that it reads the IP address from the HTTP header. And lo and behold, everything seems to work now; when I check the cPanel activity logs, I'm seeing the visitors' real IP address, rather than my server's IP address. (And so now it's very easy for me to pick out and block the address that's been the source of all those login attempts.) Now, I have no idea why changing that setting in WordFence would change anything having to do with cPanel, but hey, I'm not going to worry about it...
    0
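
The reverse-proxy behaviour described in the last post, as an added example that is not part of the thread or of WordFence's code: a backend behind a proxy sees the proxy's address as the peer, and a forwarding header should be honoured only when that peer is a known proxy. The header name X-Forwarded-For, the proxy addresses, and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only hosts allowed to set X-Forwarded-For (constructed addresses).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "10.0.0.0/8")]


def is_trusted(ip):
    """True if ip belongs to one of our own proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to log and to apply login blocking to.

    peer_addr:  TCP peer as seen by the web server.
    xff_header: raw X-Forwarded-For value, or None if absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A header sent by an untrusted peer is client-controlled, so ignore it.
    if not is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not one of our proxies.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = ip
        if not is_trusted(ip):
            break
    return str(candidate)


# Constructed sample requests: (peer address, X-Forwarded-For value).
SAMPLES = [
    ("203.0.113.10", "198.51.100.7"),              # normal proxied visitor
    ("203.0.113.10", "192.0.2.99, 198.51.100.7"),  # visitor prepended a fake hop
    ("198.51.100.7", "127.0.0.1"),                 # direct request with forged header
    ("203.0.113.10", None),                        # proxy sent no header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<14} xff={xff!s:<28} -> {client_ip(peer, xff)}")
```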
