New Malicious User Registrations

Broody

Hi, I just noticed that a new user keeps registering on my website. I have deleted him 6 times, yet he keeps registering with the same email. The settings on my website does not permit user registration.

I have changed my login url, and password. I have also enabled 2FA. Yet the user keeps registering.

My host has done done a thorough malware check, and found no issues. However, they made the folowing recommendation:

"I checked what POST requests had been logged around the time the username was recorded as registered and this was recorded:
Since your website's traffic is filtered through Ezoic, we do not have the actual IP addresses recorded from which the requests came.

We can only recommend contacting Ezoic and asking them what IP address made the POST request I have given above and if you do not recognize the IP address they'll give you, you can block it from Site Tools >>Security >>Block Traffic section."

Lindsey_

Hi there - Lindsey here from Support. I hope you're doing well notwithstanding this issue!

That definitely doesn't sound like an ideal situation! I can absolutely check to see if we can find this information for you. As I'm not able to check this myself, at the moment, I've reached out to our security team and engineers to see if they can get this for you.

As they are unfortunately only available intermittently over the weekend, I expect to hear a response from them by tomorrow. Should we hear anything beforehand, however, we'll be sure to let you know here. Rest assured, we're on it!

Lindsey_

Hi there - thanks so much for your patience with this. I've managed to hear back from our team who have noted that since we sit in front of their server as a proxy service, your host will see our AWS IPs by default. To check the IP address for the POST request(s), your host will need to check the x-forwarded-for (XFF) header to get the real client IP.

Let us know if this helps or if your host needs any further information from us.

Broody

Thank you Lindsey. I have contacted my host. I will keep you updated as soon as they respond.

Broody

Hi Lindsey, here the response I received from my host.

"I understand your concern and the need to identify the origin IP address from the access log. However, I regret to inform you that our team is unable to assist with this specific request.

While knowing the IP address from which the account was registered might seem helpful, it's important to understand that the core issue here isn't the location from which the action was performed, but rather the method used to do so.

In light of this, I would strongly recommend seeking the expertise of a professional web developer. They would be able to thoroughly investigate any potential security flaws that may have allowed for such account registrations and make the necessary adjustments to your application to prevent such occurrences in the future.

Please note that this situation falls outside the scope of our hosting-related responsibilities. If you suspect that your website may be compromised by malware, it would be best to consult with a malware removal specialist.

I understand that this may not be the answer you were hoping for, and I truly empathize with your situation. However, I trust that you understand our limitations in this regard."

I have checked my website activity log and I have blocked some IP addresses used by the user. But he keeps registering on my website. My plugins are up-to-date, so I don't know where this problem is coming from.

Lilla

Broody Have you considered switching to using Cloudflare and integrating with Ezoic via Cloudflare? It tends to be very useful as a security system for the site, and offers more features in this department than Ezoic integration on its own. This would allow you to see the IPs of connecting users and create an IP blocklist. The steps to doing this would be as follows:

Create a Cloudflare account.
Change the nameservers at your domain registrar to Cloudflare nameservers.
Allow for approx 8 hours and navigate to your Ezoic dashboard. You should be given the option to enter your Cloudflare details to Cloudflare integrate.
Navigate to your Cloudflare dashboard and implement IP blocking rules.

That seems to be the easiest way to deal with this, if your host is unable to read the IP in the X-Forwarded-For Header and block it on their end - though it's not really clear through their response why they can't do this.