we found more sites, which was hacked very fastly after LE generated.
Our clients start installation after LE was green, but in meantime (max 15 minutes after LE) robot from 185.59.221.* come and use WP installation files to prepare hack. Days after - on all domain call malware script and start DDOS to IP from France. I think that it is because crt.sh is scanned.
More likely they are directly polling the CT log servers, as the delay to detect new domains is much shorter. But yes, what you describe has been happening for a few years now. I see requests to paths like /.git/index within seconds of issuing new certificates!
Out of interest, which malware protecting plugins do you have installed in WordPress?
WordPress is often vulnerable as soon as you install plugins (like gallery modules, forms etc) especially if you are self-hosting and especially if plugins are not updated regularly/automatically.
Again. It is fresh uploaded wordpress, which is not installed yet (so installation wizard is there). After create LE, in minutes bot access to site and use installation files to hack.
I see, you should raise this as a security vulnerability with the wordpress developers, they could randomise the install URL and present it only to you in the console, or require a one-time token.
Re-opening as this link is in a security newsletter that came out this week.
An easy fix for Web Hosting Providers and End Users is to password protect the directory (via htaccess or server configuration) when the domain is first created or wordpress (or another app) is installed. This would prevent attackers from accessing wordpress. The "/.well-known" directory can be made public if LetsEncrypt has not yet obtained a certificate. Once the application is locked down, the domain can be made public again.
