My wordpress blog hacked - again!

by 64 comments
I need urgent advice from experienced wordpress bloggers.

My (semiologic) wordpress (2.5.1) was hacked yesterday.

I don't know what it is exactely, but it is 'defaced'.

Ok, I can and will upgrade to wp 2.6.2 , but now I think
that I need additional protection from hackers, when I upgrade.

I found the simple script 'wp secure pro' that protects admin
area using IP access restriction. I don't know if it is good.

Do you know if this script is good protection from hackers?

Can you point me to maybe even better solution ?

#internet marketing #blog #hacked #wordpress
  • Profile picture of the author Eswar
    I am hearing More & more wordpress hacking stories. Its discouraging many people to build a serious content website.

  • Profile picture of the author Mark McWilliams
    Almin, Just a general question but were you allowing registrations on the blog. IE, then either had to sign up to comment or somthing similar?

    The reason I ask is that could very well be the way they hacked your blog. There was apparently some kind of flaw type thing, and it's been sorted in the latest version! (2.6.2)

    I know people don't like updating scripts, but if you want to prevent this kind of thing happening, then it has to be done!

    Anyway, I hope some of that info may be helpful to yourself!

  • Profile picture of the author violationz
    Hackers are always searching for exploits - bottom line is you're never safe when it comes to content management systems, especially the ones that are open source. Make sure you don't use v2.6.1, an admin takeover exploit was released on the 10th of this month.

    The best you can do is generate random passwords (ie: E1962A0C) and update as soon as an update is released, anything else is wasted time and effort IMO.
  • Profile picture of the author Deepak Raj
    I guess I can see only a pattern of websites hacked. Not sure anyway, what type of content do you have in your blog?
    • Profile picture of the author Alminc
      I wasn't allowing registration but they hacked it anyway.

      I am now updating to latest version, but it is only a question
      of time when it will be hacked too.

      That's why I ask about additional protection(e.g. wp secure pro).

      Any tips ?
  • Profile picture of the author violationz
    What website are we talking about? The one in your signature? The website itself looks fine - they just uploaded index.html which your domain automatically loads.

    Hacked site: H4CK3D BY ejder21

    Regular site: Resell Rights Professional - Profitable Products with Resell Rights

    Solution: step one is to delete index.html and change your hosting/FTP logins and/or passwords to random characters.

    As for Wordpress security, WP Secure Pro is useless - if they want in they'll get in, restricting access to an IP address won't stop it and will only create potential issues for you. Does your ISP provide dynamic IP address? Or if you have a static IP, what if your ISP does some upgrades and assigns you a new IP address? You'd be back to step one; you'd have to delete the plug-in or even worse, backup the database and do a fresh install - total waste of time.

    Rather than post a 10 page essay just Google SQL injection and SQL column truncation to get a basic understanding of web-based security - not exactly what you want to hear but there's nothing you can do to stop it.
  • Profile picture of the author Dave777
    Checkout the following thread...

    • Profile picture of the author Alminc

      thanks for your post. I see that there is an injected index.html file
      and it's not a big deal to delete it. But that tells me that they had ftp access to my site and I have no idea at all what they may have injected in my other files.

      To start with, I deleted my complete blog folder and I hope the outside static files are not damaged. I have to yet inspect them.

      One of my other sites was hacked ( defaced ) in a similar manner and I needed to clean each and every file from injected porn/warez links ( 100s of thousands ).


      thanks for many tips, I'll certainly apply them.

    • Profile picture of the author Eric Lorence
      Originally Posted by Dave777 View Post

      Checkout the following thread...

      Good advise there, you don't need to spend anything on the Auto-Update plugin:

      WordPress › Wordpress Automatic upgrade WordPress Plugins
  • Profile picture of the author Sean Donahoe
    There is actually a pretty cool script I recommend to my clients who use wordpress:

    Wordpress Firewall

    This protects:
    • SQL Injections
    • Coding Errors
    • Cross Site Scripting (XSS)
    • Cross-site request forgery (CSRF)
    • Password theft (IP Lock)
    • Comment Spam
    • DDoS Attacks
    • Customized wordpress ruleset (blocks all exploits)
    It is kinda pricey ($120) but it is a solid protection system for all your wordpress blogs. If you have a blog that is making you a few hundred dollars a week then protecting that asset is worth the money in my opinion.

    Hope that helps...
    • Profile picture of the author Alminc
      Thanks Sean, I'll deffinitely check that script.
    • Profile picture of the author Sean Donahoe
      Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

      Just add this as it blocks some common attacks and I use this on a lot of websites I run:

      ########## TTM - Security Mods to block common exploits
      ## If you experience problems on your site block out the operations listed below
      # Block out any script trying to base64_encode crap to send via URL
      RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
      # Block out any script that includes a <script> tag in URL
      RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
      # Block out any script trying to set a PHP GLOBALS variable via URL
      RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
      # Block out any script trying to modify a _REQUEST variable via URL
      RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
      # Send all blocked request to homepage with 403 Forbidden error!
      RewriteRule ^(.*)$ index.php [F,L]
      ########## End - Rewrite rules
      Joomla installs use the same rules and they were adapted from them.
  • Profile picture of the author braver55b
    Cyber crimes should be treated just as hard as violent robberies, they are robbing you of your reputation and income for every minute that your site is defaced.

    I am appalled as I did see the hacked site.

    For one thing frequently change your password, upgrade to the latest wordpress version and edit any place that would let hackers know what version you are currently using.

    How about going to or some other script to track ip addresses and pursue them wherever they are.

    This is a crying shame that people would do this for "for"

    Don't be discouraged, be determined.

    That statement has all the makings of a motto :-)
  • Profile picture of the author TorontoCarol
    This thread is scaring me to death, especially since I am a non-techie and the solutions that were mentioned are totally over my head. My 83 year old mother has a wordpress blog and when I scrolled down to the bottom of it the other day, I noticed there were all kinds of links to places she would never have approved.

    I guess her site was hacked and I thought that if she changed her theme, it would make the links all go away. Is that wishful thinking?
  • Profile picture of the author TheRichJerksNet
    WP is the worst blog software you could have and I certainly would not place my business in the hands of that software but for those that just insist on using it, this is the most effective way to secure it.

    * Go to your servers sql database and and change your login name as WP does not allow you to do this from the admin area. Change it from "admin" to something you do not use someplace else.

    For those that seriously insist on using WP..

    * Login into FTP and change the admin folder name to something else like maybe "blog_admin" but now when you do this you will also have to change any paths inside any wp files that reference the admin folder as being named "admin"

    * Also go to your config file on ftp and rename the database name and then login to your server and change your database name. If you have a pre-install like from using fantastico then wp set your database name for you and you should change it to use the name you wish.

    * Make sure every sub-folder (that is not being used as a site) contains a blank .html file and the robots.txt file which denies all.

    User-agent: *
    Disallow: *
    * If you allow comments or registration make sure you have captcha installed on these as it will block auto post. Find a coder to block SQL injection on comments and the registration form.

    * If your server allows (HostGator does) have the host install SuExec as this will help further protect your folders as you will no longer need to use permissions such as 777 which allows anyone access to those folders.

    * Install the WP Security Plug-in if you choose to do so..

    * change the passwords on the database and WP if it was set by WP install.

    What I mean is change the passwords, do not use something like 8Vfcx4FDEs - That is NOT a secure password. A Secure password is more like


    I make all my passwords just as complex because there is no way any bruteforce would ever figure it out because it mostly looks for normal passwords with letters and number such as the one above that I said is not secure.

    So make those password upper/lower case and use - & _ and make them 20 or 30 characters long.

    Now those are the best tips for security for those that really want to run WP..

    If you need security services let me know...

  • Profile picture of the author A Chandler SEO
    Wow, and double Wow!
  • Profile picture of the author Dan Grossman
    Good reason to keep all your website files on a source control repository like Subversion. Assuming you have SSH access to wherever you host the files, you can know if any file changed just by typing "svn status" and can undo those changes with a simple "svn revert" command.
    • Profile picture of the author Colin Evans
      Poor old WordPress gets unfairly bashed again...

      No website app is safe from hackers, at least the popular free ones like WordPress get patched quickly. Many of the paid apps only get patched when enough people complain!!!

      BTW - If you are using shared hosting it doesn't matter how secure your own passwords are. There are a many ways your website can be compromised when you use shared hosting.

      The attack can come from another website on another account using the same shared hosting...

      The attack can come from another customers browser session being hijacked...

      If you have your own server or use a virtual private server you can substantially reduce the risks, but you cannot eliminate them all.

      The most important security measure you can take is to make sure you regularly back up your data, especially databases.
  • Profile picture of the author Chris_Willow
    Hi Almin
    You can put this code in your admin folder htaccess:
    <Limit GET POST> 
    order deny,allow 
    deny from all 
    allow from (<- your IP of course) 
    This will allow access from your ip only, but I' m not really sure if this helps against hackers...

  • Profile picture of the author askloz
    When installing your WP on your domain, always remove the version number in the header file, WP guys ask to keep it there with a comment code, to leave for stats, but I remove mine. If you leave that stat there, hackers will know what version you're using.

    One of the reasons why PHPBB decided to rename their versions cos hackers knew what people were using as their phpbb version and attacked it. Now hacking attempts have some what subsided.
    • Profile picture of the author jmorris18
      Can someone point me in the right direction for WP Secure Pro and Login Lockdown? Are these created by fellow Warriors? Also , If I use one of these programs - would I need the other as well?

  • Profile picture of the author garyl2k
    I have only had my main site hacked in to which was around 2 years ago, don't own the site any more but it was a lesson I learnt the hard way when it comes to keeping back ups of my site.

    Sadly kids around the world learn this stuff and find it funny to ruin peoples sites for the heck of it, to them their just having fun but to us we are losing business and earnings!
  • Profile picture of the author AgileHosting
    Originally Posted by Alminc View Post

    My (semiologic) wordpress (2.5.1) was hacked yesterday.
    I am noting that this post is dated 9/20/08.

    You don't need any additional security, you simply need to stay current on updates. The minute a WP update is released, install it!! Updates are usually security patches.

    There were several known defacement-type exploits between WP 2.5.1 and the current build. These exploits have been known and were widely publicized to the WP community for several months now.

    If you had kept your site patched, it is extremely likely it wouldn't have been defaced. (However, keep in mind that plug-ins and themes can open exploits in code as well, so make sure that all of your plug-ins are up-to-date and that there isn't a hole in Semiologic.)

    Originally Posted by Alminc View Post

    Is there any really good anti-hacker protection
    for wordpress ?
    Yes: keeping the script updated.

    If you exercise good basic security, you will be fine.

  • Profile picture of the author thunderbird
    Is this thread pinned? It definitely SHOULD be!
  • Profile picture of the author TheRichJerksNet
    Ok I have got several PM's so I am putting together an eBook.. How many are interested ??

    I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.

    • Profile picture of the author buckapple
      Interesting thread...

      On the backup procedure, does the WP Backup plugin work well? I notice you can put it on automatic pilot which would be nice.

      Other than that when you backup, are you saying use the database backup option in cpanel? I've been using that.

    • Profile picture of the author DonnaLeona
      Originally Posted by TheRichJerksNet View Post

      Ok I have got several PM's so I am putting together an eBook.. How many are interested ??

      I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.


      I'm interested too!

  • Profile picture of the author jmorris18
    James , I am also very interested. Any chance of including step by step videos for us warriors that lack the understanding code ??

    • Profile picture of the author TheRichJerksNet
      Originally Posted by jmorris18 View Post

      James , I am also very interested. Any chance of including step by step videos for us warriors that lack the understanding code ??

      Thanks everyone.. Will get something put together soon..

      Hi Jason,
      Trust me it will be easy to follow and understand.. As for video when doing security I would rather not create videos showing databases, hosting controls and etc...

      There will be simple step by step information along with screenshots.

      I may even include one of my own personal scripts that I use for extra security but dont currently sell..

  • Profile picture of the author spicegator
    Can anyone find a hacker and rip his head off, I understand these morons even have conventions and get-togethers. They should be put in prison with a large cell mate (the only problem is most of them would enjoy that)

Next Topics on Trending Feed