Word Press: Brute force hacks increasing with Fiverr use

[ukmarcus]

Weird thing, but nearly every time I use Fiverr to find someone to fix something on my wordpress sites, I see an immediate and massive surge of brute force attacks to my site. Co-incidence? How does this keep happening? Support staff act like they have no idea it’s going on.

[misscrystal]

Do the attacks actually succeed to do damage or is it just a lot of traffic that is suspicious?

The person must expose your site to hackers by opening ports when he works on it.

[ukmarcus]

Thanks for the response. Well, I’ve had one site completely compromised and taken down, but now that I use the Cerber plugin to limit logins, I just get emails when I wake up that i have 900 attempts to login that have been successfully blocked. But it ALWAYS co-incides with using a fiver tech. i dread asking for help because I know I’m going to attract immediate attention to my site - and nobody seems to know how this is happening. I can’t be the only one that has noticed this though - or suffers from it? How does the opening ports idea you suggested work?
Thanks again,

[misscrystal]

Does he show your site on his portfolio on fiverr?

[ukmarcus]

Nope. A year has gone by… using a new guy right now for the first time since I last wrote… just got a message from my system admin that I already have 102 lockouts. This is from ZERO yesterday. This is a fiverr thing at a deep level. Every time I use a guy, any guy, from Fiverr the same thing happens… unauthorized attempts go through the roof. Here’s the email I just got. I would be very very careful.

Number of active lockouts: 102

Last lockout was added: January 23, 2018, 10:08 pm for IP 150.107.****

Reason: Attempt to log in with prohibited username: admin

[catwriter]

Nope. A year has gone by… using a new guy right now for the first time since I last wrote… just got a message from my system admin that I already have 102 lockouts. This is from ZERO yesterday. This is a fiverr thing at a deep level. Every time I use a guy, any guy, from Fiverr the same thing happens… unauthorized attempts go through the roof. Here’s the email I just got. I would be very very careful.

Number of active lockouts: 102

Last lockout was added: January 23, 2018, 10:08 pm for IP 150.107.****

Reason: Attempt to log in with prohibited username: admin

It might be a coincidence. Something similar recently happened to a friend of mine (an insane number of unauthorized attempts), and he’s never been on Fiverr. Another friend advised him to install WP Cerber plugin, change the login URL, and set it so that every unauthorized attempt automatically blacklists the subdomain.

[ukmarcus]

It might be a coincidence. Something similar recently happened to a friend of mine (an insane number of unauthorized attempts), and he’s never been on Fiverr. Another friend advised him to install WP Cerber plugin, change the login URL, and set it so that every unauthorized attempt automatically blacklists the subdomain.

I already use Cerber… that’s how I know all of this is going on. It sends me reports. And def. not a co-incidence. I’ve been using Fiverr for many years and this happens every time I use them for a service that involves anything to do with my websites.

[Guest offlinehelpers]

I already use Cerber… that’s how I know all of this is going on. It sends me reports. And def. not a co-incidence. I’ve been using Fiverr for many years and this happens every time I use them for a service that involves anything to do with my websites.

this happens every time I use them

But you’re not using ‘Fiverr’, you’re using the services of individual sellers whom you happen to have found on Fiverr.

Fiverr itself isn’t doing anything to your websites.

[ronhi85]

That’s weird. But as long as your passwords are safe, you shouldn’t be worried. You can secure the website further by adding the “limit login attempt” plugin and also password protect your wp-admin folder

[ukmarcus]

That’s weird. But as long as your passwords are safe, you shouldn’t be worried. You can secure the website further by adding the “limit login attempt” plugin and also password protect your wp-admin folder

Yes, I do all of that of course. I’m worried not because anyone has succeeded yet, but because of the constancy of the attacks.

[ukmarcus]

this happens every time I use them

But you’re not using ‘Fiverr’, you’re using the services of individual sellers whom you happen to have found on Fiverr.

Fiverr itself isn’t doing anything to your websites.

Exactly. But somehow, somewhere, the fact that my site exists is being flagged somewhere via the fiverr platform. It’s like when you you give your email address to someone… they may not know your password, but they know you have a current email, and then they have something to hack.

[miiila]

Nope. A year has gone by… using a new guy right now for the first time since I last wrote… just got a message from my system admin that I already have 102 lockouts. This is from ZERO yesterday. This is a fiverr thing at a deep level. Every time I use a guy, any guy, from Fiverr the same thing happens… unauthorized attempts go through the roof. Here’s the email I just got. I would be very very careful.

Number of active lockouts: 102

Last lockout was added: January 23, 2018, 10:08 pm for IP 150.107.****

Reason: Attempt to log in with prohibited username: admin

Not to nitpick, but in your first post you wrote “nearly every time”, here you wrote “every time”. We, as human beings, tend to see patterns everywhere, even if there are none in reality, because it´s how we are wired.

Anyhow, I agree that it´s certainly worrying and something to look into. Perhaps ask on a WordPress forum, to see if people have another idea of how this may come to pass? Perhaps it´s nothing to do with who does it but with what is being done that somehow attracts those login attempts.

Just thinking out loud, I´m no professional in that sphere but I had/have WP blogs myself. I never used Fiverr for them and they weren´t even commercial, but I had spikes in such unauthorized login activities too at times. Hackers may simply use programs that try out all blog addresses they can grab periodically etc.

[pacquo]

You should at least know the IP address of the attacker.

If you are that you are on a VPS or a shared hosting, i.e. in a multi-tenant environment, it’s extremely easy for a neighbor of yours intercept the traffic coming to your server and see who is poking at your ports. Among these lurkers there could be a pentester.

Among the most effective tools to stop brute force attacks, at server level, there is Fail2ban.

[ukmarcus]

Not to nitpick, but in your first post you wrote “nearly every time”, here you wrote “every time”. We, as human beings, tend to see patterns everywhere, even if there are none in reality, because it´s how we are wired.

Anyhow, I agree that it´s certainly worrying and something to look into. Perhaps ask on a WordPress forum, to see if people have another idea of how this may come to pass? Perhaps it´s nothing to do with who does it but with what is being done that somehow attracts those login attempts.

Just thinking out loud, I´m no professional in that sphere but I had/have WP blogs myself. I never used Fiverr for them and they weren´t even commercial, but I had spikes in such unauthorized login activities too at times. Hackers may simply use programs that try out all blog addresses they can grab periodically etc.

Yes, I agree, it’s not the person on Fiverr that’s doing it. I don’t blame them. It’s not like they’re selling my info. But somehow, these gigs attract attention from hackers and I don’t know how. Somehow they see that these sites are live and they go after them. I’m just not clear how they are seeing them on the platform.

[ukmarcus]

You should at least know the IP address of the attacker.

If you are that you are on a VPS or a shared hosting, i.e. in a multi-tenant environment, it’s extremely easy for a neighbor of yours intercept the traffic coming to your server and see who is poking at your ports. Among these lurkers there could be a pentester.

Among the most effective tools to stop brute force attacks, at server level, there is Fail2ban.

Yes all the ip addresses are logged - and blocked. It’s not like anyone is actually getting in. It’s just annoying that whenever I use Fiverr, this shit starts up again. It’s no co-incidence, I’ve been using fiverr for years and this happens with incredible regularity.

[catwriter]

Does it also happen when you hire someone outside of Fiverr to fix your site, or when you try to fix it yourself?

[ukmarcus]

Does it also happen when you hire someone outside of Fiverr to fix your site, or when you try to fix it yourself?

Nope. Only happens when i use Fiverr. It’s a pattern I’ve noticed over the last 5 years or so. It doesn’t happen when I use Fiverr services like logo production etc., only when I use someone to fix a wordpress problem.

[Guest offlinehelpers]

Nope. Only happens when i use Fiverr. It’s a pattern I’ve noticed over the last 5 years or so. It doesn’t happen when I use Fiverr services like logo production etc., only when I use someone to fix a wordpress problem.

Presumably because having a logo designed doesn’t require access to your Wordpress sites?

Are you sure it’s not just the sellers you’ve hired accessing your websites to do the gig you’ve ordered from them? They can’t fix Wordpress problems without logging in, or attempting to login to Wordpress.

Sorry if that sounds like I’m stating the obvious BTW. ☀️

[ukmarcus]

Presumably because having a logo designed doesn’t require access to your Wordpress sites?

Are you sure it’s not just the sellers you’ve hired accessing your websites to do the gig you’ve ordered from them? They can’t fix Wordpress problems without logging in, or attempting to login to Wordpress.

Sorry if that sounds like I’m stating the obvious BTW. ☀️

Exactly. Logo design etc. doesn’t require me to give any login credentials. Yes, I have to give these to my fiverr gig workers, but I don’t think they are the problem, because they already have the password and login, they don’t need to hack me. What I think is happening is that somehow, hackers are able to see the URLs of sites that are being worked on through fiverr, realize they are live, and ripe for picking and go after them. I just don’t know how they see them. Unless they can see the URL of your ‘live’ gigs with fiverr vendors.

[miiila]

Exactly. Logo design etc. doesn’t require me to give any login credentials. Yes, I have to give these to my fiverr gig workers, but I don’t think they are the problem, because they already have the password and login, they don’t need to hack me. What I think is happening is that somehow, hackers are able to see the URLs of sites that are being worked on through fiverr, realize they are live, and ripe for picking and go after them. I just don’t know how they see them. Unless they can see the URL of your ‘live’ gigs with fiverr vendors.

but I don’t think they are the problem

And did you ask them? Depending on what they are doing for you, like working on the site´s security, the log-in attempts might just be them checking something?

Hope you´ll update your topic if and when you find out what it is. Feels a bit weird to say it´s interesting, but I hope you know how I mean it. 🙂

[ukmarcus]

but I don’t think they are the problem

And did you ask them? Depending on what they are doing for you, like working on the site´s security, the log-in attempts might just be them checking something?

Hope you´ll update your topic if and when you find out what it is. Feels a bit weird to say it´s interesting, but I hope you know how I mean it. 🙂

They wouldn’t be checking 200 times… lol… I can see from the IP addresses that most of the attacks come from Russia or Bulgaria, usually not the country associated with the fiverr guy I’m using. These are hacking attempts. Happens to most of you every day, but unless you have a plugin that tells you about it, you’re probably blissfully unaware - unless someone succeeds in getting in!~

Tip: Use the Cerber security plugin - and never use ‘admin’ as your user name, nor the name of your website.

[miiila]

They wouldn’t be checking 200 times… lol… I can see from the IP addresses that most of the attacks come from Russia or Bulgaria, usually not the country associated with the fiverr guy I’m using. These are hacking attempts. Happens to most of you every day, but unless you have a plugin that tells you about it, you’re probably blissfully unaware - unless someone succeeds in getting in!~

Tip: Use the Cerber security plugin - and never use ‘admin’ as your user name, nor the name of your website.

They wouldn’t be checking 200 times… lol

Don´t be so sure lol when I work on clients´ stuff, there are things I do check and do a lot, even when I´m sure it should be okay - you wouldn´t, for instance, believe how many copies of some longer files I end up with until done just because Office programs like to crash and I like to make sure I won´t end up with an unusable file. And all the more if your checking is done by programs, you don´t really need time if you have a brute force program, you just click once and it does the rest.

No worries, I don´t use “admin”, either “123456” as password 😉 even if I hadn´t known that already back in school, I translate a lot of computer-related texts since years.

Well, you didn´t say you know the IP addresses are all from the same places before, neither what exactly they (Fiverr guys) are doing for you, so it´s a bit hard to guess. I was just wondering why you just are thinking they are not “the problem” - if they indeed were checking as part of their job they´d not be the problem actually, but there would be no problem, so it wouldn´t be weird to bluntly ask them if they know what´s up with your problem - instead of simply asking them, perhaps there´s an easy answer and they outsource their testing to Russia or Bulgaria? 😉

Anyhow, I´ll go back to translating my clients´ WP articles about data security now and hope to soon read that you got this sorted out! 🍀

[uxreview]

The buyers request page is not indexed so it’s not like your request is searchable.
(rel=“noindex, nofollow”)

However, it might be interesting to test if it happens with other sites. If I get bored I might give it a try and post a job with my address 🙂

If you include address in the buyers request then remove that. Send it only over a message once you’ve found a seller you like.

[Guest offlinehelpers]

The buyers request page is not indexed so it’s not like your request is searchable.

(rel=“noindex, nofollow”)

However, it might be interesting to test if it happens with other sites. If I get bored I might give it a try and post a job with my address 🙂

If you include address in the buyers request then remove that. Send it only over a message once you’ve found a seller you like.

If you include address in the buyers request then remove that.

Now that would explain a lot - hadn’t thought of that! ☀️

[ukmarcus]

The buyers request page is not indexed so it’s not like your request is searchable.

(rel=“noindex, nofollow”)

However, it might be interesting to test if it happens with other sites. If I get bored I might give it a try and post a job with my address 🙂

If you include address in the buyers request then remove that. Send it only over a message once you’ve found a seller you like.

Yes, I only give my login details to the guys I actually work with. 🙂