Your freshly installed, brand new WordPress site is discovered faster than you imagine, and amazingly, even before you are informed. Find out how in this post. New WordPress installs are a prime target for smart hackers, and the race to take over a fresh WP install has reached new epic heights. We live in a truly connected world! The snitch is the SSL certificate for your domain, and your hosting provider is the information facilitator. Yeah … deal with it. 😀
This is how it happens, step by step.
You order a new hosting account for your future WordPress site from your hosting company. You also receive a free SSL certificate, or pay for a premium certificate, for your domain. Once payment is confirmed and your order is complete, the automation kicks in: your new account is created, the SSL certificate is issued and installed, and additional packages are installed and configured. Finally, you receive an email saying that everything is ready and you can log in for the first time.
Everything as expected so far, isn’t it? Yeah… your secret is already leaked: everybody knows you have a new website! As soon as the certificate is issued, it is also reported to the Certificate Transparency infrastructure. Quoting Wikipedia on the subject: “Certificate Transparency (CT) is an experimental IETF open standard and open source framework for monitoring and auditing digital certificates. Through a system of certificate logs, monitors, and auditors, certificate transparency allows website users and domain owners to identify mistakenly or maliciously issued certificates and to identify certificate authorities (CAs) that have gone rogue.”
Anyone using Certificate Transparency data can discover newly issued SSL certificates, and the certificate data includes the website’s domain name. Security research by Hanno Böck showed that within 30 to 60 minutes of a new SSL certificate being issued, attackers can see it in the Certificate Transparency logs. This gives attackers a reliable method to discover new websites to attack.
The attackers then start monitoring your new domain. When they see the WordPress setup script, they run it, install a backdoor, and then reset the WP site to the state it was in, so the owner won’t notice. By the time you read the “everything is ready” email from your hosting provider, everything is already compromised, even before your first login.
To avoid this type of attack, ask your hosting company to modify the .htaccess file during the setup process, limiting access to your IP address and setting up basic authentication. Your window of opportunity to prevent anything drastic is extremely limited. If you are not sure whether the install is still clean, just delete everything (files and database) and start from scratch. Better safe than hacked!
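Below is an example of such a lock-down .htaccess for the WordPress document root, added here as an illustration and not taken from the post or from any hosting provider’s setup. It assumes Apache 2.4 (the Require family of directives), that AllowOverride permits AuthConfig for the directory, and uses 203.0.113.10 and /home/example/.htpasswd as placeholder values.

```apache
# Lock-down .htaccess placed in the WordPress document root until setup
# is complete. Both conditions must hold for every request: it must come
# from the allow-listed address AND carry valid basic-auth credentials.
# RequireAll is deliberate; RequireAny would let either check alone pass.
AuthType Basic
AuthName "Setup in progress"
# Created beforehand with: htpasswd -c /home/example/.htpasswd setupuser
# Keep the password file outside the document root so it is never served.
AuthUserFile /home/example/.htpasswd

<RequireAll>
    Require valid-user
    # Placeholder address; replace with your own public IP (IPv6 also accepted)
    Require ip 203.0.113.10
</RequireAll>
```

Remove this file (or replace it with WordPress’s normal rewrite rules) only after the installer has been completed and the admin password has been set.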