[Defender] Security Issue

I have some weird activity on my website.

The entry in the audit log (SEE IMAGE) corresponds to a post that was made on my website, without authorization.

From a “guest” user. This is the post: https://www.newsd***les.com/politica/adsense-wordpress-templates-the-right-product-to-increase-profits/

I can’t delete it because when I enter the admin of my website it doesn’t appear (the entry is hidden).

  • Adam
    • Support Gorilla

    Hi Fernando

    I hope you’re well today!

    I checked the site and I admit I’m a bit “stuck” too.

    The post does exist in the database and it’s just a plain – standard – post type (not even a custom one that would be hidden), with content and related post meta. So the first thing is why it’s not visible on the post list.

    The post itself doesn’t seem to contain any “harmful” or “malicious” content – it just looks like a typical “seo spam” text.

    The author ID in the database is 0 which means that no existing user is the author of that post and that’s why Defender marks it as added by “Guest” but then this might also mean that the user account was simply removed (without re-assigning the content – so e.g. from DB or using some plugin) or that it was actually added by/through one of the plugins.

    I don’t see any traces of “malicious” activity in Defender, in server logs or in database. Sucuri health scan also marks the site as healthy.

    There is, however, one other thing that comes to my mind. I see you’re using the RankMath plugin and apparently there was recently a vulnerability discovered that allowed unauthorized access through the REST API. The plugin is up to date and the current version shouldn’t be affected by it but I’m not sure when the plugin was updated.

    I also wouldn’t exclude the possibility that, due to some other (possibly even “not discovered yet” :wink:) “glitch” there, such a post might have been added. Also, was Defender – including its Security Tweaks and configuration of Security Headers – active on the site when this post was added?

    Another possibility is that some plugin that was tested, especially one related to AdSense, might have added this. In the database there seem to be some traces in the _options table that suggest that some such plugins might have been tested on the site in the past (though it’s impossible to tell when and which ones exactly). Are you aware of any such plugin being tested on the site recently?

    Let me know, please.

    Kind regards,
    Adam
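
The database check described in the reply above (standard posts whose author ID matches no existing user) can be written as a single query. This is an added example, not part of the thread and not Defender's code: the `wp_` table prefix, the function names and every sample row are assumptions, and the query runs here against an in-memory SQLite stand-in so it works offline (the SQL itself is also valid on MySQL/MariaDB).

```python
import sqlite3

# Portable SQL (also runs on MySQL/MariaDB). Assumption: default "wp_" table prefix.
ORPHAN_POSTS_SQL = """
SELECT p.ID AS post_id, p.post_author, p.post_status, p.post_date, p.post_title,
       CASE WHEN p.post_author = 0 THEN 'author_id_zero'
            ELSE 'author_not_in_users' END AS reason,
       COUNT(m.meta_id) AS meta_rows
FROM wp_posts p
LEFT JOIN wp_users u    ON u.ID = p.post_author
LEFT JOIN wp_postmeta m ON m.post_id = p.ID
WHERE u.ID IS NULL
  AND p.post_type IN ('post', 'page')
  AND p.post_status <> 'auto-draft'
GROUP BY p.ID, p.post_author, p.post_status, p.post_date, p.post_title
ORDER BY p.post_date DESC
"""

def build_sample_db():
    """In-memory stand-in for a WordPress database; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
    CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
        post_date TEXT, post_title TEXT, post_status TEXT, post_type TEXT);
    CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER,
        meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES (1, 'admin'), (2, 'editor');
    INSERT INTO wp_posts VALUES
      (10, 1, '2020-03-20 08:00:00', 'Legitimate article', 'publish', 'post'),
      (11, 0, '2020-04-02 10:00:00', 'Constructed spam-like post', 'publish', 'post'),
      (12, 7, '2020-03-01 09:00:00', 'Post of a removed account', 'draft', 'post'),
      (13, 0, '2020-04-02 10:05:00', 'Revision row', 'inherit', 'revision');
    INSERT INTO wp_postmeta VALUES
      (1, 11, '_edit_last', '0'), (2, 11, '_thumbnail_id', '0'),
      (3, 10, '_edit_last', '1');
    """)
    return db

def find_orphan_posts(db):
    """Return posts/pages whose post_author has no row in wp_users."""
    return [dict(row) for row in db.execute(ORPHAN_POSTS_SQL)]

if __name__ == "__main__":
    for post in find_orphan_posts(build_sample_db()):
        print(post)
```

The `reason` column separates rows stored with author ID 0 from rows that point at a user ID no longer present in `wp_users`, the two cases the reply distinguishes.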