Old 09-20-2008, 05:54 AM   #1
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
My wordpress blog hacked - again!

I need urgent advice from experienced wordpress bloggers.

My (semiologic) wordpress (2.5.1) was hacked yesterday.

I don't know what it is exactly, but it is 'defaced'.

Ok, I can and will upgrade to wp 2.6.2 , but now I think
that I need additional protection from hackers, when I upgrade.

I found the simple script 'wp secure pro' that protects admin
area using IP access restriction. I don't know if it is good.

Do you know if this script is good protection from hackers?

Can you point me to maybe an even better solution?

Almin

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-20-2008, 06:07 AM   #2
HyperActive Warrior
War Room Member
 
Join Date: Aug 2008
Posts: 445
Thanks: 29
Thanked 24 Times in 20 Posts
Re: My wordpress blog hacked - again!

I am hearing more & more wordpress hacking stories. It's discouraging many people to build a serious content website.

Eswar

Eswar is offline   Reply With Quote
Old 09-20-2008, 07:08 AM   #3
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

Is there any really good anti-hacker protection
for wordpress ?

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-20-2008, 07:21 AM   #4
BIG WordPress Fan
War Room Member
 
Join Date: Apr 2007
Location: United Kingdom
Posts: 445
Blog Entries: 1
Thanks: 25
Thanked 2 Times in 2 Posts
Re: My wordpress blog hacked - again!

Almin, just a general question, but were you allowing registrations on the blog? I.e., people then had to sign up to comment or something similar?

The reason I ask is that could very well be the way they hacked your blog. There was apparently some kind of flaw type thing, and it's been sorted in the latest version! (2.6.2)

I know people don't like updating scripts, but if you want to prevent this kind of thing happening, then it has to be done!

Anyway, I hope some of that info may be helpful to yourself!

Thanks
Mark

On mark.mcwilliams.me or @markmcwilliams you'll find me!
Mark McWilliams is offline   Reply With Quote
Old 09-20-2008, 07:25 AM   #5
HyperActive Warrior
 
Join Date: May 2008
Location: Ontario, Canada
Posts: 140
Thanks: 0
Thanked 0 Times in 0 Posts
Re: My wordpress blog hacked - again!

Hackers are always searching for exploits - bottom line is you're never safe when it comes to content management systems, especially the ones that are open source. Make sure you don't use v2.6.1; an admin takeover exploit was released on the 10th of this month.

The best you can do is generate random passwords (ie: E1962A0C) and update as soon as an update is released, anything else is wasted time and effort IMO.

"Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas Edison
violationz is offline   Reply With Quote
Old 09-20-2008, 07:32 AM   #6
Active Warrior
 
Join Date: Sep 2008
Location: India
Posts: 36
Thanks: 0
Thanked 5 Times in 2 Posts
Re: My wordpress blog hacked - again!

I guess I can see only a pattern of websites hacked. Not sure anyway, what type of content do you have in your blog?

I Love Internet Marketing for the freedom of Lifestyle that it empowers and for the money it puts in my bank account :)
Deepak Raj is offline   Reply With Quote
Old 09-20-2008, 07:40 AM   #7
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

I wasn't allowing registration but they hacked it anyway.

I am now updating to latest version, but it is only a question
of time when it will be hacked too.

That's why I ask about additional protection (e.g. wp secure pro).

Any tips ?

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-20-2008, 08:03 AM   #8
HyperActive Warrior
 
Join Date: May 2008
Location: Ontario, Canada
Posts: 140
Thanks: 0
Thanked 0 Times in 0 Posts
Re: My wordpress blog hacked - again!

What website are we talking about? The one in your signature? The website itself looks fine - they just uploaded index.html which your domain automatically loads.

Hacked site: H4CK3D BY ejder21

Regular site: Resell Rights Professional - Profitable Products with Resell Rights

Solution: step one is to delete index.html and change your hosting/FTP logins and/or passwords to random characters.

As for Wordpress security, WP Secure Pro is useless - if they want in they'll get in, restricting access to an IP address won't stop it and will only create potential issues for you. Does your ISP provide a dynamic IP address? Or if you have a static IP, what if your ISP does some upgrades and assigns you a new IP address? You'd be back to step one; you'd have to delete the plug-in or even worse, backup the database and do a fresh install - total waste of time.

Rather than post a 10 page essay just Google SQL injection and SQL column truncation to get a basic understanding of web-based security - not exactly what you want to hear but there's nothing you can do to stop it.

"Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas Edison
violationz is offline   Reply With Quote
Old 09-20-2008, 08:10 AM   #9
Advanced Warrior
War Room Member
 
Join Date: Jan 2006
Location: Phoenix
Posts: 596
Thanks: 96
Thanked 112 Times in 66 Posts
Re: My wordpress blog hacked - again!

Almin,
First off, you are getting ready to do one of the most important things you can security wise for your wordpress site... Upgrading to the latest version. But, you also want to make sure you have the latest upgrades to your plugins. They can be a security weak point for your blog and many of them are regularly updated just for this reason.

Now, there are some other things you can do to help decrease the chances of getting hacked.

****PASSWORD= password****
OK, I am sure you are not doing anything like having your password be password, but if you are not using a complex hexadecimal password you are leaving yourself open to hacking. Try to make it no less than 10 characters long, made up of numbers, symbols, and letters. Also, make it as random as possible and make sure it does not contain any words. The brute force hacking programs will sit there and throw a dictionary at your site until they find your password. Don't make it easy for them.

While we are on the subject of passwords, also make sure you do this for your hosting account as well. If they can get into wordpress from your wp-admin, they can also get into the files through cPanel as well.

Also, if you are using a single password for all of your online interactions, you are leaving yourself vulnerable. For instance, let's say that you sign up for a membership site that requires a password. All that person has to do is look at their database and link that password to any of your sites or email accounts and BLAMO you are toast.

****HACKER ACCESS DENIED!!****
If someone is trying to hack into your blog, chances are they will not get in on the first try. This is a statistical certainty. Use that to your advantage and block out the bad guys and gals after a certain number of attempts. Look for programs that will block the IP after multiple attempts. There is a free plugin that will do this for you called "Login LockDown" and you can find it in the Wordpress Plugin directory.

****GOING STEALTH****
Once a vulnerability is known for a version of Wordpress or its associated plugins, the hacker community begins to share this information openly. Then the bad guys and gals start looking for sites with those versions and they can use good old Google to help them do this. Don't let them know what versions you are running.

How do you do that? Just go into your header.php file and do a little version-ectomy. There is a line of code that lets the world know the version you are running, just cut it out. The code will be:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

As for the plugins, because there are so many there is no good way to explain how to hide each plugin's data. But, I can tell you how to not go out of your way and share it. There are certain plugins that will let you announce to the world what plugins you use. No matter what you do, don't share this information. If a bad dude knows that a certain plugin has a vulnerability and they come across your site you are saying, "Hey bad dude, please come muck up my site." So, just like Nancy Reagan "Just say no" to the plugins that show your plugins.

Unless you are implementing this next strategy, you are already openly sharing with the world what plugins you are using. Wordpress by default has a plugin folder that is visible to anyone who knows where to look: www.MyFakeBlogURL1234.com/wp-content/plugins

Open that directory and you are taken to a handy dandy listing of all of the plugins, a hacker's paradise. Just take away their temptation and block their access to the directory. You can do this by creating a blank html file called index.html. Then upload this file into the plugins directory. Once that file is uploaded, then when www.MyFakeBlogURL1234.com/wp-content/plugins is accessed, they only get a blank screen. Do yourself a favor and don't try to get cute with this and taunt the hackers by saying "Nany nany boo boo, I blocked you" or something like that. This will just make them focus on your site out of anger. You just want to close a door.

****SECURING YOUR SECURITY****
This one is not for everyone, especially if you are a mobile blogger or use a dynamic IP. But, if you only make changes to your blog from a defined number of locations with a set IP, then this is a good option for you. You can set up .htaccess to only allow certain IP addresses to access your wp-admin folder. Since I don't want to be on the hook if you screw this one up, I am going to point you to a blog post about it from back in 2007: http://www.reubenyau.com/protecting-...-admin-folder/

I hope this helps you out and good luck with blocking out the hackers.

-Scott Voss
Scott Voss is offline   Reply With Quote
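The "block the IP after a number of failed attempts" idea from Scott's post, written out as an added example so the mechanics are visible. This is not the Login LockDown plugin's code; the thresholds (3 failures inside 5 minutes, 1 hour lock) and the IP addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Count failed logins per source IP inside a sliding window and refuse
    further attempts from that IP for a fixed period once the limit is hit.
    Thresholds are assumptions for this example, not the plugin's defaults."""

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lock expired: forget it
            del self._locked_until[ip]
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Record one login attempt; return 'locked', 'ok' or 'failed'.
        While an IP is locked the password is not even evaluated, so a
        correct guess made during the lock does not get in."""
        if self.is_locked(ip, now):
            return "locked"
        recent = self._failures[ip]
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


def demo():
    """Constructed sequence: one IP keeps guessing, another logs in normally.
    Returns the outcome of each attempt in order."""
    guard = LoginLockout(max_failures=3, window_seconds=300, lockout_seconds=3600)
    events = [
        ("203.0.113.9", False, 0),     # wrong password
        ("203.0.113.9", False, 10),    # wrong again
        ("203.0.113.9", False, 20),    # third failure -> locked for an hour
        ("203.0.113.9", True, 30),     # right password, but the IP is locked
        ("198.51.100.7", True, 30),    # unrelated IP is unaffected
        ("203.0.113.9", True, 3700),   # lock expired -> allowed in
    ]
    return [guard.attempt(ip, ok, t) for ip, ok, t in events]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point worth noticing is the fourth event: a dictionary attack that happens to hit the right password while the address is locked still gets "locked", which is what makes the counter useful against the brute-force tools Scott mentions. Failures spaced further apart than the window never accumulate, so a legitimate user who mistypes once in a while is not locked out.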
Old 09-20-2008, 08:27 AM   #10
Advanced Warrior
 
Join Date: May 2008
Location: Western Canada
Posts: 824
Thanks: 29
Thanked 149 Times in 127 Posts
Re: My wordpress blog hacked - again!

Checkout the following thread...
Wordpress security tips

Dave
Dave777 is offline   Reply With Quote
Old 09-20-2008, 10:25 AM   #11
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

Violationz,

thanks for your post. I see that there is an injected index.html file
and it's not a big deal to delete it. But that tells me that they had ftp access to my site and I have no idea at all what they may have injected in my other files.

To start with, I deleted my complete blog folder and I hope the outside static files are not damaged. I have to yet inspect them.


One of my other sites was hacked ( defaced ) in a similar manner and I needed to clean each and every file from injected porn/warez links ( 100s of thousands ).

Scott,

thanks for many tips, I'll certainly apply them.


Almin

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-20-2008, 10:37 AM   #12
The Manic Marketer
War Room Member
 
Join Date: Jul 2008
Location: California, USA
Posts: 2,471
Blog Entries: 3
Thanks: 89
Thanked 463 Times in 219 Posts
Re: My wordpress blog hacked - again!

There is actually a pretty cool script I recommend to my clients who use wordpress:

Wordpress Firewall

This protects:
  • SQL Injections
  • Coding Errors
  • Cross Site Scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Password theft (IP Lock)
  • Comment Spam
  • DDoS Attacks
  • Customized wordpress ruleset (blocks all exploits)
It is kinda pricey ($120) but it is a solid protection system for all your wordpress blogs. If you have a blog that is making you a few hundred dollars a week then protecting that asset is worth the money in my opinion.

Hope that helps...

Sean Donahoe is offline   Reply With Quote
Old 09-20-2008, 10:42 AM   #13
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

Thanks Sean, I'll definitely check that script.

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-20-2008, 10:42 AM   #14
The Manic Marketer
War Room Member
 
Join Date: Jul 2008
Location: California, USA
Posts: 2,471
Blog Entries: 3
Thanks: 89
Thanked 463 Times in 219 Posts
Re: My wordpress blog hacked - again!

Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

Just add this as it blocks some common attacks and I use this on a lot of websites I run:

Code:
########## TTM - Security Mods to block common exploits
## If you experience problems on your site block out the operations listed below
#
# mod_rewrite must be switched on once per .htaccess (WordPress's own block also does this)
RewriteEngine On
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer any request matching the conditions above with 403 Forbidden
# (with the [F] flag the substitution target is never used)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules

Joomla installs use the same rules and they were adapted from them.

Sean Donahoe is offline   Reply With Quote
Old 09-20-2008, 10:52 AM   #15
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

" FirewallScript is currently not accepting any more beta purchases. Please check back soon. "

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-20-2008, 11:02 AM   #16
The Manic Marketer
War Room Member
 
Join Date: Jul 2008
Location: California, USA
Posts: 2,471
Blog Entries: 3
Thanks: 89
Thanked 463 Times in 219 Posts
Re: My wordpress blog hacked - again!

Damn, they must have only taken that off the market in the last week or so. Well that is the script to use when it is available again.

Here is a quick article that may help meanwhile:

3 Must Apply Security Tips for WordPress

Also a lot of these hacks are automated using bots. Basically the bot goes to Google, looks for blogs, checks for a vulnerable version and then hacks it.

They look for something like:

Code:
<meta name="generator" content="WordPress 2.5" />
To prevent this you can open functions.php in your theme folder and remove this line:

Code:
<?php remove_action( 'wp_head', 'wp_generator' ); ?>
That way you do not give the hackers a nice head start...

Sean Donahoe is offline   Reply With Quote
Old 09-20-2008, 11:10 AM   #17
PHP Programmer
 
Join Date: Apr 2007
Location: Chennai, Tamil Nadu, India.
Posts: 347
Thanks: 2
Thanked 0 Times in 0 Posts
Re: My wordpress blog hacked - again!

Aminc,

First of all, you must find out how they hacked your website. This can be found out by going through your server's access logs. Find out which pages they accessed before the hacker page started showing up.

Raja Sekharan
Raja Sekharan is offline   Reply With Quote
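Raja's advice (find the first request for the hacker page in the access log and look at what that client did before it) and the query-string patterns Sean's mod_rewrite rules target, combined into one added example. This is not code from anyone in the thread; the log lines are constructed in Apache "combined" format with documentation IP addresses, and the patterns are applied to the URL-decoded query string, whereas mod_rewrite sees the raw one (which is why Sean's version also lists %3C and %3E).

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample of Apache "combined" log lines, not a real server's log.
# 203.0.113.9 probes the blog, posts to the login page, then the defacement
# page starts being served.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Sep/2008:21:58:41 +0200] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Sep/2008:22:14:02 +0200] "GET /blog/?s=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 4102 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Sep/2008:22:14:09 +0200] "GET /blog/index.php?GLOBALS%5Bx%5D=1 HTTP/1.1" 200 4098 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Sep/2008:22:14:31 +0200] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Sep/2008:22:15:05 +0200] "GET /index.html HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Sep/2008:22:20:00 +0200] "GET /index.html HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

# ip, two ident/user fields, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Same intent as the RewriteCond lines quoted in the thread, as Python regexes
# run against the decoded query string.
SUSPICIOUS = {
    "base64_encode() in query": re.compile(r"base64_encode.*\(.*\)"),
    "script tag in query": re.compile(r"<.*script.*>", re.IGNORECASE),
    "GLOBALS override attempt": re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    "_REQUEST override attempt": re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
}


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "query": unquote_plus(query),
        "status": int(m.group("status")),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flag(entry):
    """Names of the suspicious patterns matched by this request's query string."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(entry["query"])]


def triage(text, defaced_path="/index.html"):
    """Locate the first successful request for the defacement page, list what
    the same client did before it, and flag suspicious query strings anywhere."""
    entries = parse_log(text)
    first = next((e for e in entries
                  if e["path"] == defaced_path and e["status"] == 200), None)
    prior = []
    if first:
        prior = [f'{e["method"]} {e["path"]}' for e in entries
                 if e["ip"] == first["ip"] and e["time"] < first["time"]]
    flagged = [(e["ip"], e["path"], flag(e)) for e in entries if flag(e)]
    return {
        "defacement_first_seen_from": first["ip"] if first else None,
        "prior_requests_from_that_ip": prior,
        "flagged_requests": flagged,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Run against a real log the first step is to substitute the path of the page that actually appeared (here `/index.html`, as in this thread) and to remember that the interesting requests may be spread across several days and several addresses; the flagged list is a starting point for reading, not a verdict.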
Old 09-20-2008, 11:12 AM   #18
Advanced Warrior
 
Join Date: Apr 2006
Location: United Kingdom.
Posts: 773
Thanks: 0
Thanked 0 Times in 0 Posts
Re: My wordpress blog hacked - again!

Quote:
Originally Posted by Sean Donahoe View Post
Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

Just add this as it blocks some common attacks and I use this on a lot of websites I run:

Code:
########## TTM - Security Mods to block common exploits
## If you experience problems on your site block out the operations listed below
#
# mod_rewrite must be switched on once per .htaccess (WordPress's own block also does this)
RewriteEngine On
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer any request matching the conditions above with 403 Forbidden
# (with the [F] flag the substitution target is never used)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules

Joomla installs use the same rules and they were adapted from them.
Was actually looking for something like this, Thanks!

I know the same rules apply to Joomla sites which I have had hacked plenty of times before.

Remember people, always make backups, saved my behind many a time.

Cool, Amazing, Damn Right Easy! That's me in a nut shell...

Find The True Powers Of WordPress
WordPress SEO Tricks and Tips!
Affiliates sign up here 90% commission!
garyl2k is offline   Reply With Quote
Old 09-20-2008, 12:50 PM   #19
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

Thank you so much guys.

I learned a lot from this thread, things
that I am going to apply immediately.

My host support guys scanned the account and deleted
some shell files they found.

I have changed the password and it is now
20 random characters.

I am installing the latest wp version and
I will apply all the tips from Sean,Scott and others.

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-20-2008, 03:11 PM   #20
Advanced Warrior
 
Join Date: Jul 2007
Location: St.Louis, USA
Posts: 923
Thanks: 10
Thanked 12 Times in 11 Posts
Re: My wordpress blog hacked - again!

Cyber crimes should be treated just as hard as violent robberies, they are robbing you of your reputation and income for every minute that your site is defaced.

I am appalled as I did see the hacked site.

For one thing frequently change your password, upgrade to the latest wordpress version and edit any place that would let hackers know what version you are currently using.

How about going to statcounter.com or some other script to track ip addresses and pursue them wherever they are.

This is a crying shame that people would do this for "for"

Don't be discouraged, be determined.

That statement has all the makings of a motto :-)

Please read the sig file rules
braver55b is offline   Reply With Quote
Old 09-20-2008, 08:55 PM   #21
HyperActive Warrior
 
Join Date: Feb 2008
Location: Southern Ontario, Canada.
Posts: 160
Thanks: 43
Thanked 10 Times in 6 Posts
Re: My wordpress blog hacked - again!

This thread is scaring me to death, especially since I am a non-techie and the solutions that were mentioned are totally over my head. My 83-year-old mother has a wordpress blog and when I scrolled down to the bottom of it the other day, I noticed there were all kinds of links to places she would never have approved.

I guess her site was hacked and I thought that if she changed her theme, it would make the links all go away. Is that wishful thinking?

TorontoCarol is offline   Reply With Quote
Old 09-20-2008, 09:59 PM   #22
TheRichJerksNet
Guest
 
Posts: n/a
Re: My wordpress blog hacked - again!

WP is the worst blog software you could have and I certainly would not place my business in the hands of that software but for those that just insist on using it, this is the most effective way to secure it.

* Go to your server's sql database and change your login name as WP does not allow you to do this from the admin area. Change it from "admin" to something you do not use someplace else.

For those that seriously insist on using WP..

* Log in to FTP and change the admin folder name to something else like maybe "blog_admin", but now when you do this you will also have to change any paths inside any wp files that reference the admin folder as being named "admin".

* Also go to your config file on ftp and rename the database name and then login to your server and change your database name. If you have a pre-install like from using fantastico then wp set your database name for you and you should change it to use the name you wish.

* Make sure every sub-folder (that is not being used as a site) contains a blank .html file and the robots.txt file which denies all.

Code:
User-agent: *
# "/" disallows the whole folder for every crawler (keep the two fields together: a blank line ends the record)
Disallow: /
* If you allow comments or registration make sure you have captcha installed on these as it will block auto post. Find a coder to block SQL injection on comments and the registration form.

* If your server allows (HostGator does) have the host install SuExec as this will help further protect your folders as you will no longer need to use permissions such as 777 which allows anyone access to those folders.

* Install the WP Security Plug-in if you choose to do so..

* change the passwords on the database and WP if it was set by WP install.

What I mean is change the passwords, do not use something like 8Vfcx4FDEs - That is NOT a secure password. A Secure password is more like

I_had-Fun_With_tHe_NakED-Elf_inThE-Woods_Last-Night

I make all my passwords just as complex because there is no way any bruteforce would ever figure it out because it mostly looks for normal passwords with letters and numbers such as the one above that I said is not secure.

So make those password upper/lower case and use - & _ and make them 20 or 30 characters long.

Now those are the best tips for security for those that really want to run WP..

If you need security services let me know...

James
Old 09-20-2008, 10:30 PM   #23
Warrior Member
 
Join Date: Aug 2008
Location: Arizona
Posts: 18
Thanks: 0
Thanked 1 Time in 1 Post
Re: My wordpress blog hacked - again!

Wow, and double Wow!

A Chandler SEO is offline   Reply With Quote
Old 09-20-2008, 10:33 PM   #24
Happily Self-Employed
War Room Member
 
Join Date: Jan 2007
Location: Philadelphia, PA
Posts: 797
Thanks: 16
Thanked 345 Times in 53 Posts
Re: My wordpress blog hacked - again!

Good reason to keep all your website files on a source control repository like Subversion. Assuming you have SSH access to wherever you host the files, you can know if any file changed just by typing "svn status" and can undo those changes with a simple "svn revert" command.

Dan Grossman is offline   Reply With Quote
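Dan's `svn status` trick generalised for a site that is not under version control: keep a hash manifest of every file and compare against it. This is an added example, not code from the thread or from Subversion; the site tree, the file names and the "defacement" it applies are constructed inside a temporary directory so it runs anywhere, and storing the baseline as JSON is an assumption about how you would keep it off the server.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed site tree: take a baseline, then simulate the two kinds of
    change described in this thread (an index.html dropped into the web root
    and links injected into a theme file) and report the difference."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "blog/wp-config.php", "<?php define('DB_NAME', 'wp'); ?>\n")
        write(root, "blog/wp-content/themes/default/footer.php", "<footer></footer>\n")
        baseline = build_manifest(root)
        # The baseline belongs off the box; round-trip through JSON to show that
        # a stored copy compares the same as the in-memory one.
        baseline = json.loads(json.dumps(baseline))

        write(root, "index.html", "<html>defaced</html>\n")  # new file at the root
        write(root, "blog/wp-content/themes/default/footer.php",
              "<footer><a href='http://example.invalid/spam'>x</a></footer>\n")  # injected link
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only tells you that something changed, not what to restore it to; that is the part Subversion adds with `svn revert`, so the manifest is the cheaper half of Dan's suggestion, worth having even when the site is also backed up. Refresh the baseline only after you have upgraded or edited files yourself, otherwise the next comparison hides the attacker's changes behind your own.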
Old 09-20-2008, 11:11 PM   #25
Advanced Warrior
War Room Member
 
Join Date: May 2003
Location: Still Looking... Currently back in Zim...
Posts: 674
Thanks: 117
Thanked 64 Times in 28 Posts
Re: My wordpress blog hacked - again!

Poor old WordPress gets unfairly bashed again...

No website app is safe from hackers, at least the popular free ones like WordPress get patched quickly. Many of the paid apps only get patched when enough people complain!!!

BTW - If you are using shared hosting it doesn't matter how secure your own passwords are. There are many ways your website can be compromised when you use shared hosting.

The attack can come from another website on another account using the same shared hosting...

The attack can come from another customer's browser session being hijacked...

If you have your own server or use a virtual private server you can substantially reduce the risks, but you cannot eliminate them all.

The most important security measure you can take is to make sure you regularly back up your data, especially databases.

Sig not working today - too hung over...
Colin Evans is offline   Reply With Quote
Old 09-20-2008, 11:27 PM   #26
TheRichJerksNet
Guest
 
Posts: n/a
Re: My wordpress blog hacked - again!

Quote:
Originally Posted by Colin Evans View Post
No website app is safe from hackers, at least the popular free ones like WordPress get patched quickly. Many of the paid apps only get patched when enough people complain!!!

BTW - If you are using shared hosting it doesn't matter how secure your own passwords are. There are a many ways your website can be compromised when you use shared hosting.

The attack can come from another website on another account using the same shared hosting...

The attack can come from another customers browser session being hijacked...

If you have your own server or use a virtual private server you can substantially reduce the risks, but you cannot eliminate them all.

The most important security measure you can take is to make sure you regularly back up your data, especially databases.
None of my scripts get hacked and I provide 100% free for life support to all my clients. But then again all my scripts are 100% custom coded from the ground up and no free open source code is ever used.

There is a great deal more to security besides passwords. I can if I choose to make WP 100% hacker free, even if on a shared hosting account but it is a time consuming process.

James
Old 09-21-2008, 12:05 AM   #27
Advanced Warrior
War Room Member
 
Join Date: May 2003
Location: Still Looking... Currently back in Zim...
Posts: 674
Thanks: 117
Thanked 64 Times in 28 Posts
Re: My wordpress blog hacked - again!

Quote:
None of my scripts get hacked
Well done, I hope you maintain this good record...

Quote:
I provide 100% free for life support to all my clients
That is an admirable undertaking, not many programmers will offer life support especially free life support.

Quote:
all my scripts are 100% custom coded from the ground up and no free open source code is ever used
IMO - The source of the code is not important, it's how the code is used/constructed - There are many secure open source code snippets available online.

Quote:
I can if I choose to make WP 100% hacker free, even if on a shared hosting account but it is a time consuming process.
Therein lies the problem - not many hosts are prepared to optimally secure each customer's hosting account (why should they when you only pay $5 or $10 per month, and each customer has different requirements which makes the task more difficult). They have to balance hosting requirements, scripting requirements and cost of support, so the end result is at best a compromise...

I agree with you on the password issue, but it's a lot easier to get a VPS account (or your own server) secured by virtue of the fact the added cost gets you true 24/7 technical support... By opening a VPS hosting account and letting the technical staff solve the security issues, my website and blog hacks have stopped, and I still have a PHP environment which allows my own scripts to do what I designed them to do.

Sig not working today - too hung over...
Colin Evans is offline   Reply With Quote
Old 09-21-2008, 02:01 AM   #28
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

How can I install captcha for comments?

Is there some option in admin area or do I have
to use some plugin for it ?

||Total Traffic Mastery videos || Resell Rights - Know-How ||Successful Online Business - Know-How || Make Money Online || A.C.
Alminc is online now   Reply With Quote
Old 09-21-2008, 02:40 AM   #29
Warrior Member
War Room Member
 
Join Date: Sep 2008
Posts: 7
Thanks: 3
Thanked 0 Times in 0 Posts
Re: My wordpress blog hacked - again!

Hi!

Try THIS...

I think that will help.

Lycka till!
IPNHarvest is offline   Reply With Quote
Old 09-21-2008, 03:18 AM   #30
Advanced Warrior
War Room Member
 
Join Date: May 2003
Location: Still Looking... Currently back in Zim...
Posts: 674
Thanks: 117
Thanked 64 Times in 28 Posts
Re: My wordpress blog hacked - again!

Hi Almin,

You will have to use a plugin to add captcha to your comments, I personally don't bother with captcha and just use the Akismet antispam plugin...

Sig not working today - too hung over...
Colin Evans is offline   Reply With Quote
Old 09-21-2008, 03:25 AM   #31
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Re: My wordpress blog hacked - again!

Quote:
Originally Posted by Sean Donahoe View Post
Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

Just add this as it blocks some common attacks and I use this on a lot of websites I run:

Code:
########## TTM - Security Mods to block common exploits
## If you experience problems on your site block out the operations listed below
#
# mod_rewrite must be switched on once per .htaccess (WordPress's own block also does this)
RewriteEngine On
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer any request matching the conditions above with 403 Forbidden
# (with the [F] flag the substitution target is never used)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules
 
Joomla installs use the same rules and they were adapted from them.

Sean,

shall I add the above code in my .htaccess file placed in the subfolder where wordpress resides, or shall I have it at a top level?

Alminc is online now   Reply With Quote
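The same four RewriteCond patterns are pasted several times in this thread, so here is an added example (not code from any post, nor from Joomla or WordPress) that replays them in Python over constructed query strings and constructed Apache access-log lines. Python's re module stands in for Apache's PCRE; for these patterns the two agree. It shows two things a practitioner would want to know before deploying the rules: what the missing backslashes do (the unescaped `[` in `GLOBALS(=|[|%[0-9A-Z]{0,2})` turns the second alternative into a character class that may match zero characters, so the as-pasted rule fires on any query string containing `GLOBALS`), and how to count, per client address, the requests the rules would have caught in your access log. The names `matching_rules`, `audit_log` and `offenders`, the sample log and the 203.0.113.x addresses are all my own constructions.

```python
"""Replay the thread's mod_rewrite query-string rules over sample requests.

Added example (not code from the thread). Python's re approximates Apache's
PCRE so the patterns can be checked offline. All sample query strings and
log lines are constructed, not captured from a real server.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# The patterns exactly as they appear in the post (backslashes missing) ...
RULES_AS_POSTED = {
    "base64": re.compile(r"base64_encode.*(.*)"),
    "script": re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),  # [NC]
    "globals": re.compile(r"GLOBALS(=|[|%[0-9A-Z]{0,2})"),
    "request": re.compile(r"_REQUEST(=|[|%[0-9A-Z]{0,2})"),
}
# ... and with the escapes restored so ( ) and [ are matched literally.
RULES_ESCAPED = {
    "base64": re.compile(r"base64_encode.*\(.*\)"),
    "script": re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    "globals": re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    "request": re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
}


def matching_rules(query, rules=RULES_ESCAPED):
    """Names of the rules that fire on a raw query string.

    RewriteCond searches the whole string, unanchored, hence re.search.
    """
    return [name for name, pattern in rules.items() if pattern.search(query)]


# Enough of Apache's "combined" log format to pull out client, request, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def audit_log(lines, rules=RULES_ESCAPED):
    """Return (ip, target, status, rules_hit) for each request a rule fires on."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-combined line, skip it
        query = urlsplit(m["target"]).query  # %{QUERY_STRING} is the raw query
        fired = matching_rules(query, rules)
        if fired:
            hits.append((m["ip"], m["target"], int(m["status"]), fired))
    return hits


def offenders(hits):
    """Count flagged requests per client address."""
    return Counter(ip for ip, _, _, _ in hits)


# Constructed log lines (RFC 5737 documentation addresses, made-up user agents).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2008:03:25:10 -0600] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Sep/2008:03:26:44 -0600] "GET /index.php?option=x&GLOBALS[x]=1 HTTP/1.1" 403 214 "-" "libwww-perl/5.8"
203.0.113.9 - - [21/Sep/2008:03:26:45 -0600] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 214 "-" "libwww-perl/5.8"
203.0.113.12 - - [21/Sep/2008:03:30:02 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for q in ("p=12", "GLOBALSTAT=1", "page=1&GLOBALS[x]=1", "s=base64_encode"):
        print(f"{q!r:28} as posted: {matching_rules(q, RULES_AS_POSTED)}"
              f"  escaped: {matching_rules(q)}")
    hits = audit_log(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(offenders(hits))
```

Two caveats follow from running it: the as-pasted rules block harmless requests such as `GLOBALSTAT=1` or `s=base64_encode` (a search for that word), which is the "if you experience problems" warning in the rule comments made concrete; and the rules are a keyword blacklist on the raw query string, so they catch only the encodings they list (`%3C`/`%3E`, `%5B`) and nothing sent in a POST body. They reduce noise from canned scripts, but patching WordPress is what closes the actual holes.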
Old 09-21-2008, 03:45 AM   #32
Killer Video Dude
War Room Member
 
Join Date: Apr 2008
Location: Europe
Posts: 570
Thanks: 23
Thanked 28 Times in 27 Posts
Default Re: My wordpress blog hacked - again!

Hi Almin
You can put this code in your admin folder htaccess:
Code:
# Only your own address may reach the admin folder. Use your full IP; a trailing dot
# (e.g. 203.0.113.) would instead allow the whole address prefix.
# No <Limit GET POST> wrapper: it would leave other request methods unrestricted.
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
This will allow access from your IP only, but I'm not really sure if this helps against hackers...

Chris

Chris_Willow is offline   Reply With Quote
Old 09-21-2008, 03:55 AM   #33
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Default Re: My wordpress blog hacked - again!

Here's what I did so far:

1. Upgraded to the latest wp version

Disabled registration

Activated Akismet

2. Changed username (in phpmyadmin) and password (20 random characters) for admin

3. Placed empty index.html files in all wp- folders/subfolders

4. Placed robot.txt containing:

User-agent: *

Disallow: *

in all wp- folders/subfolders

5. Commented out

<?php remove_action( 'wp_head', 'wp_generator' ); ?>

in functions.php

6. placed the .htaccess file in my blog folder :

## Deny access to wp-config.php (regex quoted, dot escaped, Order stated explicitly)
<FilesMatch "^wp-config\.php$">
    order allow,deny
    deny from all
</FilesMatch>
########## TTM - Security Mods to block common exploits
## If you experience problems on your site, comment out the condition below that causes them
#
# RewriteEngine must be on once per .htaccess (harmless if WordPress's permalink block already sets it)
RewriteEngine On
# Block out any script trying to pass a base64_encode(...) call via the URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in the URL (raw or %3C...%3E encoded)
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via the URL
# (the backslashes escaping ( ) and [ are missing from the pasted version; without them
#  the "[" opens a character class and the rule fires on any query that contains GLOBALS)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via the URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# Answer every blocked request with 403 Forbidden; [F] ignores the substitution, so "-" is used
RewriteRule ^(.*)$ - [F,L]
#
########## End - Rewrite rules

7. Installed WP Secure Pro
( now only my own IP address is allowed to login into admin )



I hope this is enough protection.



Thank you all for information.
You guys are precious.

Almin

Alminc is online now   Reply With Quote
Old 09-21-2008, 08:14 AM   #34
TheRichJerksNet
Guest
 
Posts: n/a
Default Re: My wordpress blog hacked - again!

Quote:
Originally Posted by Alminc View Post
How can I install captcha for comments?

Is there some option in admin area or do I have
to use some plugin for it ?
The purpose of captcha (I personally use my own turing number system) is to not only block spam comments but also to block bad bots; most don't understand the full need for such protection and think it is just for blocking unwanted spam.

The full purpose is additional security, blocking those bad bots from attempting to do sql injection and other things to your system. If you have SuExec installed on your server then sql injection is not much of a concern but it is still good practice to always block anyways.

The host you are on makes a big difference too. This has nothing to do with a shared hosting account; what it does have to do with is if the host you are on is running software other than cpanel, then your site is open to attacks. This is one reason why most developers suggest and use hostgator, because they are one of the very few that have up to date servers running cpanel up to date.

James
  Reply With Quote
Old 09-21-2008, 08:17 AM   #35
TheRichJerksNet
Guest
 
Posts: n/a
Default Re: My wordpress blog hacked - again!

Quote:
Originally Posted by Alminc View Post
Here's what I did so far:

1. Upgraded to the latest wp version

Disabled registration

Activated Akismet

2. Changed username (in phpmyadmin) and password( 20 random characters) for admin

3. Placed empty index.html files in all wp- folders/subfolders

4. Placed robot.txt containing:

User-agent: *

Disallow: *

in all wp- folders/subfolders

5. Commented out

<?php remove_action( 'wp_head', 'wp_generator' ); ?>

in functions.php

6. placed the .htaccess file in my blog folder :

## Deny access to wp-config.php (regex quoted, dot escaped, Order stated explicitly)
<FilesMatch "^wp-config\.php$">
    order allow,deny
    deny from all
</FilesMatch>
########## TTM - Security Mods to block common exploits
## If you experience problems on your site, comment out the condition below that causes them
#
# RewriteEngine must be on once per .htaccess (harmless if WordPress's permalink block already sets it)
RewriteEngine On
# Block out any script trying to pass a base64_encode(...) call via the URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in the URL (raw or %3C...%3E encoded)
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via the URL
# (the backslashes escaping ( ) and [ are missing from the pasted version; without them
#  the "[" opens a character class and the rule fires on any query that contains GLOBALS)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via the URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# Answer every blocked request with 403 Forbidden; [F] ignores the substitution, so "-" is used
RewriteRule ^(.*)$ - [F,L]
#
########## End - Rewrite rules

7. Installed WP Secure Pro
( now only my own IP address is allowed to login into admin )



I hope this is enough protection.



Thank you all for information.
You guys are precious.

Almin
If your WP install pre-set the user / pass for your database, then change those also just like you did for admin. Edit your config file for the database changes and again use those very long passwords suggestion I made.

James
  Reply With Quote
Old 09-21-2008, 10:58 AM   #36
The Manic Marketer
War Room Member
 
Join Date: Jul 2008
Location: California, USA
Posts: 2,471
Blog Entries: 3
Thanks: 89
Thanked 463 Times in 219 Posts
Default Re: My wordpress blog hacked - again!

Quote:
Originally Posted by Alminc View Post
Sean,

shell I add the above code in my .htaccess file placed in the subfolder where wordpress resides, or shell I have it at a top level ?
I would add it to the top so it protects all your subfolders including your blog.

Coming from a corporate network security background, no script or site is 100%, ever. Though you can minimize the risks with good basic practices.

Wordpress is so common that it is an easy and popular target for hackers, same as PHPBB forums are a very popular hacking target. The more widespread, the more these script kiddies (I cannot even call them hackers as they only tend to use canned scripts) get their stupid defacements so widespread.

How many times has Windows been hacked or exploited? It's the same thing: Windows is so widespread that it makes it a popular target. If you use custom code then it will be much harder to attack as the code is not so widespread and available and you keep under the target radar, so to speak.

I tend to use Joomla for my websites because I have so many more security options (using JDefender, SH404sef Security with Honeypot) but I also have the advantage of running a dedicated server with many security customizations applied.

Joomla was recently hit with a similar spate of attacks and defacements and part of that targeting was a meta tag stating it was a Joomla website; my sites (I have around 40+ Joomla websites) avoided all attacks.

Anyway, that's my Sunday 2c

Sean Donahoe is offline   Reply With Quote
Old 09-21-2008, 12:51 PM   #37
Advanced Warrior
War Room Member
 
Join Date: Jan 2006
Location: Virginia
Posts: 886
Thanks: 5
Thanked 32 Times in 29 Posts
Default Re: My wordpress blog hacked - again!

Hey guys, quick question - if this is added to my .htaccess will this prevent scripts I currently have on my site from working?

Also, when adding this, would I simply cut and paste this into the .htaccess and not paste over / overwrite what is already there?

Thanks,
Jason


########## TTM - Security Mods to block common exploits
## If you experience problems on your site, comment out the condition below that causes them
#
# RewriteEngine must be on once per .htaccess (harmless if an earlier block already sets it)
RewriteEngine On
# Block out any script trying to pass a base64_encode(...) call via the URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in the URL (raw or %3C...%3E encoded)
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via the URL
# (the backslashes escaping ( ) and [ are missing from the pasted version; without them
#  the "[" opens a character class and the rule fires on any query that contains GLOBALS)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via the URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# Answer every blocked request with 403 Forbidden; [F] ignores the substitution, so "-" is used
RewriteRule ^(.*)$ - [F,L]
#
########## End - Rewrite rules

Joomla installs use the same rules and they were adapted from them.

Jason Morris
jmorris18 is offline   Reply With Quote
Old 09-21-2008, 01:00 PM   #38
DailyTradingSystem.com
War Room Member
 
Join Date: Mar 2008
Location: United Kingdom.
Posts: 2,766
Blog Entries: 3
Thanks: 151
Thanked 264 Times in 207 Posts
Default Re: My wordpress blog hacked - again!

When installing your WP on your domain, always remove the version number in the header file, WP guys ask to keep it there with a comment code, to leave for stats, but I remove mine. If you leave that stat there, hackers will know what version you're using.

One of the reasons why PHPBB decided to rename their versions is because hackers knew what people were using as their phpbb version and attacked it. Now hacking attempts have somewhat subsided.

askloz is offline   Reply With Quote
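The version string askloz is talking about is the `<meta name="generator" content="WordPress x.y.z" />` tag that WordPress prints into the page head through the `wp_generator` action hooked on `wp_head`; calling `remove_action('wp_head', 'wp_generator');` from the theme's functions.php (or a plugin) stops it. The meta tag is not the only place the version shows up, though: scripts and stylesheets WordPress enqueues get a `?ver=` parameter that defaults to the WordPress version, and the readme.html shipped in the web root states it too. Below is an added example (not code from the thread or from WordPress) that scans saved HTML of your own pages for both the generator tag and `?ver=` hints, so you can confirm the change actually took. The two HTML samples, the theme and script paths in them, and the function names `generator_version` and `asset_versions` are my own constructions.

```python
"""Check saved HTML of your own WordPress pages for version disclosure.

Added example, not from the thread or from WordPress. It looks for the
<meta name="generator"> tag that wp_generator prints into wp_head and for
the ?ver= parameter on enqueued scripts and stylesheets, which still leaks
the version after the meta tag is removed. Both HTML samples are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _VersionHints(HTMLParser):
    """Collect generator meta contents and asset URLs that carry a ver= parameter."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.asset_versions = []

    # HTMLParser routes self-closing tags such as <meta ... /> here as well.
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        tag = tag.lower()
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        elif tag in ("link", "script"):
            url = a.get("href") if tag == "link" else a.get("src")
            if not url:
                return
            ver = parse_qs(urlsplit(url).query).get("ver")
            if ver:
                self.asset_versions.append((url, ver[0]))


def _parse(html):
    p = _VersionHints()
    p.feed(html)
    p.close()
    return p


def generator_version(html):
    """WordPress version from the generator meta tag, or None if it is absent."""
    for content in _parse(html).generators:
        m = re.match(r"WordPress\s+(\d[\w.]*)", content)
        if m:
            return m.group(1)
    return None


def asset_versions(html):
    """(url, ver) for every script or stylesheet whose URL carries ?ver=."""
    return _parse(html).asset_versions


# Constructed page head as WordPress would emit it with the generator tag present.
BEFORE = """<html><head>
<meta name="generator" content="WordPress 2.5.1" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=2.5.1" type="text/css" />
<script type="text/javascript" src="/wp-includes/js/example.js?ver=2.5.1"></script>
</head><body><p>Hello</p></body></html>"""

# Same page after remove_action('wp_head', 'wp_generator') in the theme: the meta
# tag is gone, but the enqueued assets still advertise the version.
AFTER = BEFORE.replace('<meta name="generator" content="WordPress 2.5.1" />\n', "")

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, "generator:", generator_version(page),
              "asset hints:", asset_versions(page))
```

Save a page of your own site (`curl -s https://your-blog.example/ > home.html`, hypothetical host) and feed its contents to both functions; if `asset_versions` still reports your WordPress version, the meta-tag removal alone did not hide it.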
Old 09-21-2008, 01:10 PM   #39
Advanced Warrior
War Room Member
 
Join Date: Jan 2006
Location: Virginia
Posts: 886
Thanks: 5
Thanked 32 Times in 29 Posts
Default Re: My wordpress blog hacked - again!

Can someone point me in the right direction for WP Secure Pro and Login Lockdown? Are these created by fellow Warriors? Also, if I use one of these programs, would I need the other as well?

Thanks,
Jason

Jason Morris
jmorris18 is offline   Reply With Quote
Old 09-21-2008, 01:23 PM   #40
Advanced Warrior
 
Join Date: Apr 2006
Location: , , United Kingdom.
Posts: 773
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: My wordpress blog hacked - again!

I have only had my main site hacked in to which was around 2 years ago, don't own the site any more but it was a lesson I learnt the hard way when it comes to keeping back ups of my site.

Sadly kids around the world learn this stuff and find it funny to ruin people's sites for the heck of it; to them they're just having fun, but to us we are losing business and earnings!

garyl2k is offline   Reply With Quote
Old 09-21-2008, 01:39 PM   #41
TheRichJerksNet
Guest
 
Posts: n/a
Default Re: My wordpress blog hacked - again!

Quote:
Originally Posted by jmorris18 View Post
Can someone point me in the right direction for WP Secure Pro and Login Lockdown? Are these created by fellow Warriors? Also , If I use one of these programs - would I need the other as well?

Thanks,
Jason
Jason,
I assume this is what you are looking for... (would not waste my $10 but that's just me)

WordPress Secure Pro

Problem here is though people run to install this plug-in and that plug-in to try and secure something. People never wonder how secure the plug-in is... They are told it helps protect you and that is good enough for them.

You should be securing your site yourself and not run after this plug-in and that plug-in, which in the long run could cause you more problems. You seem to forget hackers also have access to these plug-ins and they learn from them.

If you take care of the security yourself then there is no way any hacker will know what to do because they do not have any plug-ins to learn from as they have no idea what you did do for security.

You can make a WP install 100% secure without the need of any plug-ins or buying additional software, or using more free open source code.

I think I should write an ebook or something...

James
  Reply With Quote
Old 09-21-2008, 02:15 PM   #42
Advanced Warrior
War Room Member
 
Join Date: Jan 2006
Location: Virginia
Posts: 886
Thanks: 5
Thanked 32 Times in 29 Posts
Default Re: My wordpress blog hacked - again!

James, wow, I think this would be awesome - you writing an ebook on how to protect yourself from hackers would be a great resource that all Warriors would be interested in. Also, a step by step video would make it even better -

One question - how would this benefit Warriors if hackers were also able to get access to your ebook?

Thanks,
Jason

Jason Morris
jmorris18 is offline   Reply With Quote
Old 09-21-2008, 02:34 PM   #43
/usr/bin/girl
 
Join Date: Nov 2006
Location: 1/4 mile from the lake
Posts: 212
Thanks: 18
Thanked 7 Times in 4 Posts
Default Re: My wordpress blog hacked - again!

Quote:
Originally Posted by Alminc View Post
My (semiologic) wordpress (2.5.1) was hacked yesterday.
I am noting that this post is dated 9/20/08.

You don't need any additional security, you simply need to stay current on updates. The minute a WP update is released, install it!! Updates are usually security patches.

There were several known defacement-type exploits between WP 2.5.1 and the current build. These exploits have been known and were widely publicized to the WP community for several months now.

If you had kept your site patched, it is extremely likely it wouldn't have been defaced. (However, keep in mind that plug-ins and themes can open exploits in code as well, so make sure that all of your plug-ins are up-to-date and that there isn't a hole in Semiologic.)

Quote:
Originally Posted by Alminc View Post
Is there any really good anti-hacker protection
for wordpress ?
Yes: keeping the script updated.

If you exercise good basic security, you will be fine.

Bailey

Guacamole.
AgileHosting is offline   Reply With Quote
Old 09-21-2008, 03:04 PM   #44
TheRichJerksNet
Guest
 
Posts: n/a
Default Re: My wordpress blog hacked - again!

Quote:
Originally Posted by jmorris18 View Post
James , Wow I think this would be awesome - You writing an ebook on how to protect yourself from Hackers would a great resource that all Warriors would be interested in. Also, a step by step video would make it even better -

One Question - How would this benefit Warriors if Hackers also was able to get access to your ebook?

Thanks,
Jason
Because hackers would not know how you implement the things I teach you..

Most people posting seem to think all you need to do is keep up to date and install this plug-in and that plug-in but that is 100% wrong.. DEAD WRONG!!!

If you do proper security on your WP and have a properly built server from an up to date host then you will have no problems and I can 100% promise that...

This is fact no matter what anybody else claims.

You do need a Unix Server running Php 5.2.5 (or php 4 is fine), Cpanel 11, and apache compiled with SuExec installed.

If you are running anything other than the above then your sites are not secure. Again this is why so many developers suggest hostgator.

It has nothing to do with shared hosting; it has a lot to do with the host you choose to use and, as you already know, it has a lot to do with the script you choose to run.

James
  Reply With Quote
Old 09-22-2008, 12:53 AM   #45
Advanced Warrior
War Room Member
 
Join Date: Jun 2007
Location: Vancouver, BC, Canada.
Posts: 797
Thanks: 349
Thanked 497 Times in 375 Posts
Default Re: My wordpress blog hacked - again!

Is this thread pinned? It definitely SHOULD be!
thunderbird is online now   Reply With Quote
Old 09-24-2008, 06:56 PM   #46
TheRichJerksNet
Guest
 
Posts: n/a
Default Re: My wordpress blog hacked - again!

Ok I have got several PM's so I am putting together an eBook.. How many are interested ??

I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.

James
  Reply With Quote
Old 09-24-2008, 09:34 PM   #47
Gary Leggett
War Room Member
 
Join Date: Aug 2007
Location: TN
Posts: 169
Thanks: 26
Thanked 19 Times in 11 Posts
Default Re: My wordpress blog hacked - again!

Interesting thread...

On the backup procedure, does the WP Backup plugin work well? I notice you can put it on automatic pilot which would be nice.

Other than that when you backup, are you saying use the database backup option in cpanel? I've been using that.

Thanks,
Gary

buckapple is offline   Reply With Quote
Old 09-25-2008, 12:11 AM   #48
Senior Warrior Member
War Room Member
 
Join Date: Sep 2006
Location: Stockholm , Sweden.
Posts: 1,469
Thanks: 33
Thanked 151 Times in 92 Posts
Default Re: My wordpress blog hacked - again!

I am interested. Count me in.

Alminc is online now   Reply With Quote
Old 09-25-2008, 02:16 AM   #49
Alexandru Matei
War Room Member
 
Join Date: Sep 2008
Location: New York
Posts: 1,194
Blog Entries: 15
Thanks: 67
Thanked 104 Times in 83 Posts
Default Re: My wordpress blog hacked - again!

This happened to me several times. I suggest you go to the Wordpress Forums for these issues; you get a lot more advice, and don't forget to visit the forums more often.

precious007 is offline   Reply With Quote
Old 09-25-2008, 02:45 AM   #50
HyperActive Warrior
War Room Member
 
Join Date: Jul 2008
Location: United States
Posts: 108
Thanks: 50
Thanked 16 Times in 15 Posts
Default Re: My wordpress blog hacked - again!

Quote:
Originally Posted by TheRichJerksNet View Post
Ok I have got several PM's so I am putting together an eBook.. How many are interested ??

I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.

James

I'm interested too!


Thanks
DonnaLeona is offline   Reply With Quote