Subscriber passwords hacked


Replies: 1

I run a members site created in WordPress. Members who join are assigned subscriber status, which allows them to view those posts not visible to casual visitors. It doesn’t qualify them for any access to admin; they cannot even leave comments because that is disabled. I don’t force them to use strong passwords and generally they choose medium-weak ones. Somehow, recently, on two occasions a member’s username and password have been hacked, resulting in simultaneous logins from distant parts of the globe. I was able to respond quickly to change the pw and notify the member. However, it’s embarrassing.

The site is NSFW so I won’t post the url. And as you might expect with such a site, it receives a fair amount of malicious traffic, but usually directed at finding a vulnerability and gaining access to the admin. I have taken every precaution that I am aware of to prevent that. I cannot see in the logs any brute force attempt to login as a subscriber. However, I had overlooked the vulnerability inherent in the xmlrpc.php file. I have now blocked that in the .htaccess.

So my question is: could the hackers have used xmlrpc.php to discover the username and pw of a subscriber?
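As an added defensive example (not part of the original thread, and not WordPress code): password guessing through xmlrpc.php can batch many login attempts into a single POST via `system.multicall`, so it shows up in the access log as a handful of POSTs to xmlrpc.php rather than the flood of wp-login.php hits a log review usually looks for. The script below parses Apache/nginx combined-format access log lines, tallies xmlrpc.php traffic per client IP, and flags IPs that POSTed to it repeatedly while the endpoint was still reachable (i.e. before the .htaccess block started returning 403). The log lines are constructed samples using documentation IP ranges; the threshold is an assumed value to tune per site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client IP, timestamp, request line, status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Return the fields of a combined-format access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_activity(lines):
    """Per-IP counts of requests to xmlrpc.php.

    'allowed' counts POSTs that were not answered with 403/404, i.e. the
    endpoint was reachable. WordPress answers a failed XML-RPC login with
    HTTP 200 and an XML fault, so status alone does not reveal failures;
    the volume of reachable POSTs is the signal.
    """
    stats = defaultdict(lambda: {"total": 0, "post": 0, "allowed": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["method"] == "POST":
            s["post"] += 1
            if rec["status"] not in ("403", "404"):
                s["allowed"] += 1
    return dict(stats)

def suspicious_ips(lines, threshold=5):
    """IPs that POSTed to a reachable xmlrpc.php at least `threshold` times (assumed threshold)."""
    return sorted(ip for ip, s in xmlrpc_activity(lines).items() if s["allowed"] >= threshold)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# reserved documentation ranges. Six reachable POSTs from one client, then one POST
# that hit the .htaccess block (403) from an ordinary member.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2016:02:14:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 4312 "-" "python-requests/2.9"'
    for i in range(6)
] + [
    '198.51.100.20 - - [10/Mar/2016:02:20:00 +0000] "GET /members-only/ HTTP/1.1" 200 8012 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2016:02:21:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in xmlrpc_activity(SAMPLE_LOG).items():
        print(f"{ip}: {s}")
    print("suspicious:", suspicious_ips(SAMPLE_LOG))  # → ['203.0.113.7']
```

Run it against the real access log with `xmlrpc_activity(open(path))`; any IP still showing `allowed` POSTs after the block is in place means the .htaccess rule is not matching.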
