System setting changed by system user

A detailed why or how is not going to be possible with the limited information you’ve provided. For a detailed forensic investigation we would need more than just an IP and arbitrary Username, in fact we would need everything… DB, access logs, changelogs, codebase – quite literally everything you’ve got and even then it’s not easy, and not always possible to track down the exact cause. Even if you have the correct logs, once an attacker has access to your systems – those logs can potentially be doctored or deleted.

The best I can suggest is that if you use any of these ​​

  • Kiwi Social Share
  • ​​WordPress Automatic and Pinterest Automatic
  • PublishPress Capabilities
  • various Epsilon Framework themes

That there was a massive spike in attacks recently targeting known vulnerabilities in those plugins – see 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours. These were recently disclosed vulnerabilities and ruthlessly targeted, with the time between disclosure and these attack vectors seen in the wild “en masse” being quite small. The time needed to patch your systems is getting smaller. Having up-to-date plugins the day after an attack won’t save you.

Having said that, there are several ways you can keep on top of managing these potential threats.

Automatic updates – make sure that patch updates – IE the change in the last number X.X.(me!) are done immediately – patches don’t generally contain breaking code changes when possible. Update on your test server, quick look and check on your vitals, then push live…

Keep abreast of the threats out there – I regularly read and subscribe to several vulnerability databases. For example:

Tool up – there are some tools to use – free and paid. Mostly the security by obscurity stuff doesn’t work (you know what I mean – the hide login / wp-admin plugins – or the wp-xxxx folder rewrite plugins) but it can protect you from the brunt of some brute force “dumb” attacks. If it buys you an extra 12 hours to patch your plugins, that’s 12 hours that can save your site from compromise. They are not to be relied on as “security” merely a layer of defence that slows down potential attacks. Brute force login protection is probably one of the more useful precautions here. The number of insane admin passwords I have been given during my freelancing days make me shudder – what are you doing if your main admin login is admin and Companyname1 as the super-admin?? I would regularly find logs on my sites to see 1,300 hits a day on guessing logins – those are on small sites from different IPs.

Tidy up – don’t leave unused plugins active. If you’re not using them, deactivate it. Each line of running code is a potential entry point to your site… At time of writing, that Patchstack page mentioned above – each page contains 20 vulnerabilities. Page one only goes back 5 days and I think that’s because of the weekend…

Use your head – if you’re installing a plugin that hasn’t been updated in 2 years – please have a quick think… does that sound sensible?

Off the shelf – some tools can help you stay safer and offer a basic firewall-style protection.

Are two of the more popular choices and receive automatic firewall updates – although you will have to pay for the more advanced protections.

Infrastructure – there’s no point in doing any of the above things if your infrastructure isn’t secure. I don’t need to compromise your plugins, logins or database if you use GoDaddy don’t secure your infrastructure. Lock down SSH access – only allow server login with a secure key and please, it’s so simple… Make a #@!$ing secure password to login to your server dashboard.

There are more and countless blogs on this. Just remember, we are pretty much now at the stage of – your site will be compromised… it’s a fair amount work to make sure it isn’t. Regularly audit your site contents – in terms of information stored… PII (Personally Identifiable Information) should be kept to a minimum for both you and your users. It’s much less of a headache if or when something might happen.

I have no affiliation with any of the services mentioned above.

Related Posts:

  1. SSL Error: unable to get local issuer certificate
  2. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  3. What is the difference between a cer, pvk, and pfx file?
  4. Where does Internet Explorer store saved passwords?
  5. Infected Files – what to do [closed]
  6. Why does WordPress need my private ssh key to update?
  7. Where to securely store API keys and passwords in WordPress?
  8. Why escape if the_content isnt?
  9. Why does WordPress have more than one salt?
  10. What is the ideal setup to address security concerns?
  11. is_email() VS sanitize_email()
  12. Can someone explain the use cases of esc_html?
  13. Close a wordpress blog – keep site as it is but prevent hacks
  14. Moving wp-config.php: Can this be done after site launch?
  15. Prevent setup-config.php page from appearing when host blocks database
  16. How to get WordPress to save upload file beyond web root [closed]
  17. WordPress and Security
  18. Is security a problem in WordPress?
  19. Moving wordpress out of the public directory
  20. Is /wp-login.php?redirect_to[] exploitable?
  21. Logout via Subdomain, non-wordpress page on a different server?
  22. brute force attack even though it is limited by IP
  23. What should I do about hacked server?
  24. How can I tell who changed the password?
  25. WordPress website Security [closed]
  26. How do I authenticate WP users from a chrome extension?
  27. Can’t reset WordPress password
  28. Website is being flooded [closed]
  29. Is the “lost password” feature truly a vulnerability?
  30. Is it possible to reduce the minimum character length for passwords?
  31. Handling email piping attachments and detecting unsupported file types
  32. Why was my blog post inserted lot’s of ad links by others?
  33. Should I Worry About SQL Injection When Using wp_insert_post?
  34. Auth cookie value security risk?
  35. Is there a way for a user to have an alias?
  36. Security – Shortcode injection attack
  37. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  38. Registration Plugin – Recaptcha integration
  39. Security threat with `home_url`?
  40. How to combat flooding admin-ajax.php?
  41. When is wp_set_password() called or how to capture a password
  42. Moving away from MD5: Where to declare the custom global $wp_hasher?
  43. Would it be dangerous to send all the wp_options to javascript file?
  44. Frequently getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php
  45. Should I disable directory listing for wp-includes?
  46. How to get WordPress to send Password Reset Link Email instead of New Password?
  47. Safety side of storing emoji into database
  48. Verifying that I have fully removed a WordPress hack?
  49. Large Session Tokens
  50. How can I safely hide the fact that my website runs on WordPress? [closed]
  51. How to change permissions of WordPress and/or apache on macOS securely?
  52. How can I display nickname instead username in links
  53. My WordPress Websites are always under attack
  54. Is there value in using a wp_nonce for POST requests?
  55. Using an Encryption class in a WordPress Plugin
  56. How to hide easy access to my website temporarily?
  57. Can I Remove xmlrpc.php completely?
  58. Config file with no Keys..?
  59. How much should I worry about these messages?
  60. Security concerns with external links
  61. Uploading .webm format on WordPress results in security guidline breach and fail
  62. fail2ban to prevent Brute Force Attacks on WordPress?
  63. Use Google authentication for pages within a website [closed]
  64. .htaccess password protection bypassed
  65. Session Cookie security questions
  66. How to give the same error message when the wrong password or wrong username is used?
  67. Storing FTP details in wp-config.php
  68. Spam injected in w3 total cache page cache [closed]
  69. How to distinguish between a hack and an encoding error?
  70. Prevent editor from adding script or form
  71. How to change location of wp-config.php to folder or 2 folders up?
  72. How might I sanitize an XML file before WP Import? (Does wordpress verify or clean text when importing from an XML document? )
  73. Finding where a snippet of code is coming from
  74. Remove hacked code – out of ideas! [closed]
  75. Secure Server after configuration
  76. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  77. Block JSON access over the net
  78. Can someone do something to my website if I posted a snapped image of the header and covered my logo? (On reddit, when explaining a question)
  79. The in-famous Unable to locate WordPress Content directory (wp-content) and the Direct Method
  80. Security: Critical backend outside of wordpress
  81. Advice On How to Backup WordPress
  82. How to check whether a site has been compromised without browsing into it?
  83. My site thinks it’s secure when it is fact not
  84. Is it possible to only have the admin interface bind to the local loopback?
  85. Should I change the default file and folder permissions?
  86. WordPress exploited theme is causing high io load on server
  87. How to rewrite rules for WP-security in Nginx?
  88. How to set custom validation for WordPress Passwords?
  89. Is it a bad idea to CHMOD 777 all the files on your site?
  90. How to stop repeated hack on header.php of custom theme? [closed]
  91. Default installation permissions for wp-config.php
  92. Correct setup to block file modifications from hackers
  93. Is my WP site being hacked?
  94. Move data from wp-config to another file
  95. How do you search for backdoors from the previous IT person?
  96. Heartbleed: What is it and what are options to mitigate it?
  97. OpenVPN vs. IPsec – Pros and cons, what to use?
  98. How to test if my server is vulnerable to the ShellShock bug?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH