Publicly available WordPress installer may lead to site being compromised

I wanted to make you aware of the fact that recently there have been attackers that compromise a WordPress site during the few minutes in which the WordPress installer is publicly accessible.

This is caused by the fact that attackers monitor the certificate transparency log. When a Let’s Encrypt certificate is generated, it shows up in the public log, which is detected by an attacker.

Please find an article in the following link about a security researcher that set up a WordPress honeypot site and then watched how it was compromised. At the end he has some suggestions on how to avoid being compromised. According to Smitka, publishing the Let’s Encrypt certificate is not specific to WordPress; this can also happen with other publicly available installers.

https://smitka.me/2022/07/01/wordpress-installer-attack-race/

Further information can also be found in this link:

https://www.whitefirdesign.com/blog/2022/04/11/fresh-installs-of-wordpress-apparently-being-hacked-based-on-public-disclosure-from-lets-encrypt/
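
As an added example (not part of the original post or the linked articles), the following shell functions audit a web root for WordPress trees that are still in the exposed state described above: the installer is present but no `wp-config.php` exists yet. The function names and the web root path passed as the argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list WordPress trees under a web root whose installer is
# still open, i.e. wp-admin/install.php exists but WordPress has no config.

# Return 0 if the tree at $1 already has a wp-config.php that WordPress
# would load: either in the tree itself, or one directory above it when
# that parent directory is not itself a WordPress install.
wp_is_configured() {
    wp_root=$1
    [ -f "$wp_root/wp-config.php" ] && return 0
    parent=$(dirname "$wp_root")
    [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ] && return 0
    return 1
}

# Print one line per unconfigured WordPress tree found below $1.
find_open_installers() {
    web_root=$1
    find "$web_root" -type f -path '*/wp-admin/install.php' 2>/dev/null |
    while IFS= read -r installer; do
        # install.php lives in <root>/wp-admin/, so go up two levels.
        wp_root=$(dirname "$(dirname "$installer")")
        wp_is_configured "$wp_root" || printf '%s\n' "$wp_root"
    done
}

# When run as a script, audit the web root given as the first argument.
[ "$#" -eq 0 ] || find_open_installers "$1"
```

Any path this prints is a site where the files are in place but setup has not been completed, so it should be finished or blocked from public access before a certificate is requested for its hostname.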