A while back I read an article about new WordPress blogs getting attacked as soon as a TLS certificate is requested from a certificate authority. Here is an example. This is possible because there is a public certificate transparency log that shows for which domains a new TLS certificate was registered. This public log is vitally important to detect malicious actors getting certificates for web sites they don’t own. On the other hand, bad actors also get aware in almost real time of potentially new websites which are not yet properly secured. So is this actually misused? When I recently got a certificate for a new domain name, I had a close look at the http log to see what would happen.
And indeed, after about only 1 minute of getting a TLS certificate for a newly registered domain name, which has not been used anywhere else on the web before, I immediately got incoming https requests originating from IP addresses all over the world. Not many, perhaps from a dozen places, but their requests were quite telling. Here’s one of them (some details replaced with x’s):
xxxxx x.x.x.x - - [31/Dec/2023:00:37:06 +0000] "GET //OLD/wp-admin/setup-config.php?step=1 HTTP/1.1" 503 599 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; xxxxxxx; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
The bots also try different sub-domains and other URLs for admin access to other popular products. It’s actually quite fun to watch in real time if you are aware of this phenomenon and are prepared. In other words: When setting up a new WordPress blog or any other product that requires a web based configuration, including admin accounts and passwords, do it in a secure environment first, for example by limiting access to your IP address only or by requiring HTTP basic authentication for the domain. Only once fully set up, release your access restrictions.
For some security by obscurity I started using wildcard certificates and hard to guess subdomains and subdirectories for non-public services. Of course, followed by authentication. So far, it’s working.
Same experience. Now I understand why my web site got constantly attacked from the moment it was online.
There are so many bots trying to use ‘admin’, ‘wpadmin’ as login. Probably the first measure is to change the default admin name.