You got an unexpected password reset request from WordPress – what’s next?
Review the password reset email you received:
Where is 59.42.123.98 located?
Use https://isc.sans.edu/tools/whereis.html to find out:
| IP Address | ASN | Network | Country | ISP | RIR |
|---|---|---|---|---|---|
| 59.42.123.98 | 4134 | 59.42.0.0/16 | CN | CHINANET-BACKBONE No.31,Jin-rong Street, CN | apnic |
I wouldn’t request a password reset from China. What else is going on?
Through your web hosting, find Awstats and select the correct domain.
This is an unexpected number of visits, based on my knowledge of the website.
I want to find out which webpages are being visited. Awstats includes this under Pages-URL (Top 25).
From here, I can research why actors might be interested in these particular URLs.
XML-RPC can be exploited in several ways, including brute force access attempts and DDoS attacks on the targeted website.
https://systemweakness.com/penetration-testing-xml-rpc-uncovering-the-weaknesses-cda2acd14629
Access attempts against wp-login.php are often brute-force login attempts. Repeated attempts to log in to your WordPress account/installation through wp-login.php can become an inadvertent DDoS attack even when the attack is unsuccessful. WordPress offers information on how to address brute force attacks:
https://developer.wordpress.org/advanced-administration/security/brute-force/
The password reset request I received was most likely due to brute force login attempts through wp-login.php (wp-login.php can also be seen in the screenshot of the original email). I would want to make sure I have a username other than admin and a strong password for logging in. I may want to research other methods to obfuscate the location of, or restrict access to, wp-login.php.
wp-cron.php can be used to create a DDoS attack, since every request to the website also causes WordPress to make a request to wp-cron.php.
https://www.tenable.com/plugins/was/113449
A vulnerability reachable through admin-ajax.php can allow directory traversal.
These 4 concerns constitute the bulk of the traffic. If any of these attempts succeed, website function may be impaired, data could be stolen or altered, malware may be uploaded, the website could be used to launch additional attacks, search engines and web hosts may flag the site as suspicious, and reputation and trust with clients may be lost.
To reduce the likelihood of these attacks succeeding:
- Do not use admin as a user
- Change default login settings immediately
- Use current password strength policies (avoid common passwords)
- Employ (known, safe) plugins to address the concerns
- Block access/deactivate when possible (XML-RPC, for example)
- Limit login attempts and lock out the account after a certain number of incorrect attempts
WordPress Developer Resources includes information on how to address Brute Force attacks: https://developer.wordpress.org/advanced-administration/security/brute-force/
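As an added example (not code from the original post), the following Python script reads constructed Apache access log lines and counts, per source IP, the requests to the four endpoints discussed above, then flags sources that repeatedly hit wp-login.php or xmlrpc.php. The log lines, the timestamps, the IPs other than 59.42.123.98 and the threshold of 3 are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Apache combined-format access log lines (not taken from the
# original post). 59.42.123.98 is the address the post discusses; the other IPs,
# timestamps and request details are made up for illustration.
SAMPLE_LOG = """\
59.42.123.98 - - [10/May/2024:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
59.42.123.98 - - [10/May/2024:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
59.42.123.98 - - [10/May/2024:08:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
59.42.123.98 - - [10/May/2024:08:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 402 "-" "Mozilla/5.0"
59.42.123.98 - - [10/May/2024:08:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 402 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:08:02:00 +0000] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.5"
198.51.100.7 - - [10/May/2024:08:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:08:03:00 +0000] "GET /about/ HTTP/1.1" 200 8822 "-" "Mozilla/5.0"
"""

# The four endpoints Awstats showed as the bulk of the traffic in the post.
WATCHED = ("wp-login.php", "xmlrpc.php", "wp-cron.php", "admin-ajax.php")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def count_watched(log_text):
    """Return {ip: Counter({endpoint: hits})} for requests to the watched endpoints."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        name = path.rsplit("/", 1)[-1]           # /wp-admin/admin-ajax.php -> admin-ajax.php
        if name in WATCHED:
            hits[m.group("ip")][name] += 1
    return hits

def flag_sources(log_text, threshold=3):
    """List (ip, endpoint, count) for IPs hitting wp-login.php or xmlrpc.php >= threshold times."""
    flagged = []
    for ip, counter in count_watched(log_text).items():
        for endpoint in ("wp-login.php", "xmlrpc.php"):
            if counter[endpoint] >= threshold:
                flagged.append((ip, endpoint, counter[endpoint]))
    return flagged

if __name__ == "__main__":
    for ip, endpoint, count in flag_sources(SAMPLE_LOG):
        print(f"{ip} hit {endpoint} {count} times; candidate for the lock-out / block list")
```

The flagged addresses are the ones to feed into a login-attempt limiter or a web server deny rule, and a threshold tuned to real traffic replaces the assumed value of 3.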