Weird thing, but nearly every time I use Fiverr to find someone to fix something on my WordPress sites, I see an immediate and massive surge of brute force attacks to my site. Coincidence? How does this keep happening? Support staff act like they have no idea it’s going on.
Do the attacks actually succeed in doing damage or is it just a lot of traffic that is suspicious?
The person must expose your site to hackers by opening ports when he works on it.
Thanks for the response. Well, I’ve had one site completely compromised and taken down, but now that I use the Cerber plugin to limit logins, I just get emails when I wake up that I have 900 attempts to log in that have been successfully blocked. But it ALWAYS coincides with using a Fiverr tech. I dread asking for help because I know I’m going to attract immediate attention to my site - and nobody seems to know how this is happening. I can’t be the only one that has noticed this though - or suffers from it? How does the opening ports idea you suggested work?
Does he show your site on his portfolio on Fiverr?
Nope. A year has gone by… using a new guy right now for the first time since I last wrote… just got a message from my system admin that I already have 102 lockouts. This is from ZERO yesterday. This is a Fiverr thing at a deep level. Every time I use a guy, any guy, from Fiverr the same thing happens… unauthorized attempts go through the roof. Here’s the email I just got. I would be very very careful.
Number of active lockouts: 102
Last lockout was added: January 23, 2018, 10:08 pm for IP 150.107.****
Reason: Attempt to log in with prohibited username: admin
It might be a coincidence. Something similar recently happened to a friend of mine (an insane number of unauthorized attempts), and he’s never been on Fiverr. Another friend advised him to install the WP Cerber plugin, change the login URL, and set it so that every unauthorized attempt automatically blacklists the subdomain.
I already use Cerber… that’s how I know all of this is going on. It sends me reports. And def. not a coincidence. I’ve been using Fiverr for many years and this happens every time I use them for a service that involves anything to do with my websites.
But you’re not using ‘Fiverr’, you’re using the services of individual sellers whom you happen to have found on Fiverr.
Fiverr itself isn’t doing anything to your websites.
That’s weird. But as long as your passwords are safe, you shouldn’t be worried. You can secure the website further by adding the “limit login attempt” plugin and also password protect your wp-admin folder.
Yes, I do all of that of course. I’m worried not because anyone has succeeded yet, but because of the constancy of the attacks.
Exactly. But somehow, somewhere, the fact that my site exists is being flagged somewhere via the Fiverr platform. It’s like when you give your email address to someone… they may not know your password, but they know you have a current email, and then they have something to hack.
Not to nitpick, but in your first post you wrote “nearly every time”, here you wrote “every time”. We, as human beings, tend to see patterns everywhere, even if there are none in reality, because it’s how we are wired.
Anyhow, I agree that it’s certainly worrying and something to look into. Perhaps ask on a WordPress forum, to see if people have another idea of how this may come to pass? Perhaps it’s nothing to do with who does it but with what is being done that somehow attracts those login attempts.
Just thinking out loud, I’m no professional in that sphere but I had/have WP blogs myself. I never used Fiverr for them and they weren’t even commercial, but I had spikes in such unauthorized login activities too at times. Hackers may simply use programs that try out all blog addresses they can grab periodically etc.
You should at least know the IP address of the attacker.
If you are on a VPS or shared hosting, i.e. in a multi-tenant environment, it’s extremely easy for a neighbor of yours to intercept the traffic coming to your server and see who is poking at your ports. Among these lurkers there could be a pentester.
Among the most effective tools to stop brute force attacks, at server level, there is Fail2ban.
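Added example, not part of any post in this thread: one way to test whether the surges really line up with gig dates is to count login POSTs per day and per IP from the web server's access log and flag the days that stand out. It assumes the Apache/nginx "combined" log format; the `factor` threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Apache/nginx "combined" log format: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")  # WordPress login endpoints


def login_posts_per_day(lines):
    """Return {date: Counter({ip: count})} for POSTs to the login endpoints."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] not in AUTH_PATHS:
            continue
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        per_day[day][m["ip"]] += 1
    return dict(per_day)


def surge_days(per_day, factor=5):
    """Flag days whose total exceeds factor x the median of all earlier days."""
    flagged, history = [], []
    for day in sorted(per_day):
        total = sum(per_day[day].values())
        if history and total > factor * max(median(history), 1):
            flagged.append((day, total, per_day[day].most_common(3)))
        history.append(total)
    return flagged


def _line(ip, day, path="/wp-login.php", method="POST"):
    return f'{ip} - - [{day}/Jan/2018:10:08:00 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'


# Constructed sample: two quiet days, then a burst (documentation-range IPs).
SAMPLE = (
    [_line("198.51.100.7", 21)] * 2
    + [_line("198.51.100.7", 22), _line("203.0.113.9", 22, "/wp-admin/", "GET")]
    + [_line("203.0.113.9", 23)] * 30 + [_line("192.0.2.44", 23, "/xmlrpc.php")] * 12
)

if __name__ == "__main__":
    for day, total, top in surge_days(login_posts_per_day(SAMPLE)):
        print(day, total, top)
```

Run it over several months of real logs and compare the flagged dates with the dates a seller was given access; surges on days with no gig count against the correlation.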
Yes, I agree, it’s not the person on Fiverr that’s doing it. I don’t blame them. It’s not like they’re selling my info. But somehow, these gigs attract attention from hackers and I don’t know how. Somehow they see that these sites are live and they go after them. I’m just not clear how they are seeing them on the platform.
Yes, all the IP addresses are logged - and blocked. It’s not like anyone is actually getting in. It’s just annoying that whenever I use Fiverr, this shit starts up again. It’s no coincidence, I’ve been using Fiverr for years and this happens with incredible regularity.
Does it also happen when you hire someone outside of Fiverr to fix your site, or when you try to fix it yourself?
Nope. Only happens when I use Fiverr. It’s a pattern I’ve noticed over the last 5 years or so. It doesn’t happen when I use Fiverr services like logo production etc., only when I use someone to fix a WordPress problem.
Presumably because having a logo designed doesn’t require access to your WordPress sites?
Are you sure it’s not just the sellers you’ve hired accessing your websites to do the gig you’ve ordered from them? They can’t fix WordPress problems without logging in, or attempting to log in to WordPress.
Sorry if that sounds like I’m stating the obvious BTW.
Exactly. Logo design etc. doesn’t require me to give any login credentials. Yes, I have to give these to my Fiverr gig workers, but I don’t think they are the problem, because they already have the password and login, they don’t need to hack me. What I think is happening is that somehow, hackers are able to see the URLs of sites that are being worked on through Fiverr, realize they are live and ripe for picking, and go after them. I just don’t know how they see them. Unless they can see the URL of your ‘live’ gigs with Fiverr vendors.
And did you ask them? Depending on what they are doing for you, like working on the site’s security, the log-in attempts might just be them checking something?
Hope you’ll update your topic if and when you find out what it is. Feels a bit weird to say it’s interesting, but I hope you know how I mean it.