My wordpress blog hacked - again!

by Alminc
64 replies
I need urgent advice from experienced wordpress bloggers.

My (semiologic) wordpress (2.5.1) was hacked yesterday.

I don't know what it is exactly, but it is 'defaced'.

Ok, I can and will upgrade to wp 2.6.2, but now I think
that I need additional protection from hackers, when I upgrade.

I found the simple script 'wp secure pro' that protects admin
area using IP access restriction. I don't know if it is good.

Do you know if this script is good protection from hackers?

Can you point me to maybe an even better solution?

Almin
#blog #hacked #wordpress
  • Eswar wrote:
    I am hearing more & more wordpress hacking stories. It's discouraging many people from building a serious content website.

    Eswar
    • Alminc wrote:
      Is there any really good anti-hacker protection
      for wordpress?
      Signature
      No links :)
      • Scott Voss wrote:
        Almin,
        First off, you are getting ready to do one of the most important things you can security-wise for your wordpress site... Upgrading to the latest version. But, you also want to make sure you have the latest upgrades to your plugins. They can be a security weak point for your blog and many of them are regularly updated just for this reason.

        Now, there are some other things you can do to help decrease the chances of getting hacked.

        ****PASSWORD= password****
        OK, I am sure you are not doing anything like having your password be password, but if you are not using a complex hexadecimal password you are leaving yourself open to hacking. Try to make it no less than 10 characters long, made up of numbers, symbols, and letters. Also, make it as random as possible and don't let it contain any words. The brute force hacking programs will sit there and throw a dictionary at your site until they find your password. Don't make it easy for them.

        While we are on the subject of passwords, also make sure you do this for your hosting account as well. If they can get into wordpress from your wp-admin, they can also get into the files through cPanel as well.

        Also, if you are using a single password for all of your online interactions, you are leaving yourself vulnerable. For instance, let's say that you sign up for a membership site that requires a password. All that person has to do is look at their database and link that password to any of your sites or email accounts and BLAMO you are toast.

        ****HACKER ACCESS DENIED!!****
        If someone is trying to hack into your blog, chances are they will not get in on the first try. This is a statistical certainty. Use that to your advantage and block out the bad guys and gals after a certain number of attempts. Look for programs that will block the IP after multiple attempts. There is a free plugin that will do this for you called "Login LockDown" and you can find it in the Wordpress Plugin directory.

        ****GOING STEALTH****
        Once a vulnerability is known for a version of Wordpress or its associated plugins, the hacker community begins to share this information openly. Then the bad guys and gals start looking for sites with those versions and they can use good old Google to help them do this. Don't let them know what versions you are running.

        How do you do that? Just go into your header.php file and do a little version-ectomy. There is a line of code that lets the world know the version you are running, just cut it out. The code will be:
        <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

        As for the plugins, because there are so many there is no good way to explain how to hide each plugin's data. But, I can tell you how to not go out of your way and share it. There are certain plugins that will let you announce to the world what plugins you use. No matter what you do, don't share this information. If a bad dude knows that a certain plugin has a vulnerability and they come across your site you are saying, "Hey bad dude, please come muck up my site." So, just like Nancy Reagan "Just say no" to the plugins that show your plugins.

        Unless you are implementing this next strategy, you are already openly sharing with the world what plugins you are using. Wordpress by default has a plugin folder that is visible to anyone who knows where to look: www.MyFakeBlogURL1234.com/wp-content/plugins

        Open that directory and you are taken to a handy dandy listing of all of the plugins, a hacker's paradise. Just take away their temptation and block their access to the directory. You can do this by creating a blank html file called index.html. Then upload this file into the plugins directory. Once that file is uploaded, then when www.MyFakeBlogURL1234.com/wp-content/plugins is accessed, they only get a blank screen. Do yourself a favor and don't try to get cute with this and taunt the hackers by saying "Nany nany boo boo, I blocked you" or something like that. This will just make them focus on your site out of anger. You just want to close a door.

        ****SECURING YOUR SECURITY****
        This one is not for everyone, especially if you are a mobile blogger or use a dynamic IP. But, if you only make changes to your blog from a defined number of locations with a set IP, then this is a good option for you. You can set up .htaccess to only allow certain IP addresses to access your wp-admin folder. Since I don't want to be on the hook if you screw this one up, I am going to point you to a blog post about it from back in 2007: http://www.reubenyau.com/protecting-...-admin-folder/

        I hope this helps you out and good luck with blocking out the hackers.

        -Scott Voss
  • Mark McWilliams wrote:
    Almin, just a general question, but were you allowing registrations on the blog? I.e., they then either had to sign up to comment or something similar?

    The reason I ask is that could very well be the way they hacked your blog. There was apparently some kind of flaw type thing, and it's been sorted in the latest version! (2.6.2)

    I know people don't like updating scripts, but if you want to prevent this kind of thing happening, then it has to be done!

    Anyway, I hope some of that info may be helpful to yourself!

    Thanks
    Mark
    Signature
    On mark.mcwilliams.me or @markmcwilliams you'll find me!
  • violationz wrote:
    Hackers are always searching for exploits - bottom line is you're never safe when it comes to content management systems, especially the ones that are open source. Make sure you don't use v2.6.1, an admin takeover exploit was released on the 10th of this month.

    The best you can do is generate random passwords (ie: E1962A0C) and update as soon as an update is released, anything else is wasted time and effort IMO.
  • Deepak Raj wrote:
    I guess I can see only a pattern of websites hacked. Not sure anyway, what type of content do you have in your blog?
    • Alminc wrote:
      I wasn't allowing registration but they hacked it anyway.

      I am now updating to latest version, but it is only a question
      of time when it will be hacked too.

      That's why I ask about additional protection (e.g. wp secure pro).

      Any tips?
      Signature
      No links :)
  • violationz wrote:
    What website are we talking about? The one in your signature? The website itself looks fine - they just uploaded index.html which your domain automatically loads.

    Hacked site: H4CK3D BY ejder21

    Regular site: Resell Rights Professional - Profitable Products with Resell Rights

    Solution: step one is to delete index.html and change your hosting/FTP logins and/or passwords to random characters.

    As for Wordpress security, WP Secure Pro is useless - if they want in they'll get in, restricting access to an IP address won't stop it and will only create potential issues for you. Does your ISP provide dynamic IP address? Or if you have a static IP, what if your ISP does some upgrades and assigns you a new IP address? You'd be back to step one; you'd have to delete the plug-in or even worse, backup the database and do a fresh install - total waste of time.

    Rather than post a 10 page essay just Google SQL injection and SQL column truncation to get a basic understanding of web-based security - not exactly what you want to hear but there's nothing you can do to stop it.
    • Alminc wrote:
      Violationz,

      thanks for your post. I see that there is an injected index.html file
      and it's not a big deal to delete it. But that tells me that they had ftp access to my site and I have no idea at all what they may have injected in my other files.

      To start with, I deleted my complete blog folder and I hope the outside static files are not damaged. I have to yet inspect them.


      One of my other sites was hacked ( defaced ) in a similar manner and I needed to clean each and every file from injected porn/warez links ( 100s of thousands ).

      Scott,

      thanks for many tips, I'll certainly apply them.


      Almin
      Signature
      No links :)
    • Eric Lorence wrote:
      Originally Posted by Dave777:

      Check out the following thread...
      http://www.warriorforum.com/main-int...rity-tips.html

      Dave
      Good advice there, you don't need to spend anything on the Auto-Update plugin:

      WordPress › Wordpress Automatic upgrade WordPress Plugins
      • TheRichJerksNet wrote:
        Originally Posted by eslorence:

        Good advice there, you don't need to spend anything on the Auto-Update plugin:

        WordPress › Wordpress Automatic upgrade WordPress Plugins
        Problem is as some have already found out, that does not fully block hackers and your security is still not very effective.

        Just keeping the software up-to-date will not stop hackers because hackers also get those updates. If you want to block hackers and stay safe then you have to do more than just install this plug-in and that plug-in.

        James
        • Eric Lorence wrote:
          Originally Posted by TheRichJerksNet:

          Problem is as some have already found out, that does not fully block hackers and your security is still not very effective.

          Just keeping the software up-to-date will not stop hackers because hackers also get those updates. If you want to block hackers and stay safe then you have to do more than just install this plug-in and that plug-in.

          James
          Of course, and you'll never stop a determined hacker, or DDoS, or email hack or...

          Ultimately, you will need a combination of security and good habits, updating is a good habit, as is backing up your site.

          Best!
  • Sean Donahoe wrote:
    There is actually a pretty cool script I recommend to my clients who use wordpress:

    Wordpress Firewall

    This protects:
    • SQL Injections
    • Coding Errors
    • Cross Site Scripting (XSS)
    • Cross-site request forgery (CSRF)
    • Password theft (IP Lock)
    • Comment Spam
    • DDoS Attacks
    • Customized wordpress ruleset (blocks all exploits)
    It is kinda pricey ($120) but it is a solid protection system for all your wordpress blogs. If you have a blog that is making you a few hundred dollars a week then protecting that asset is worth the money in my opinion.

    Hope that helps...
    • Alminc wrote:
      Thanks Sean, I'll definitely check that script.
      Signature
      No links :)
      • Alminc wrote:
        " FirewallScript is currently not accepting any more beta purchases. Please check back soon. "
        Signature
        No links :)
        • Sean Donahoe wrote:
          Damn, they must have only taken that off the market in the last week or so. Well that is the script to use when it is available again.

          Here is a quick article that may help meanwhile:

          3 Must Apply Security Tips for WordPress

          Also a lot of these hacks are automated using bots. Basically the bot goes to Google, looks for blogs, checks for a vulnerable version and then hacks it.

          They look for something like:

          Code:
          <meta name="generator" content="WordPress 2.5" />
          To prevent this you can open functions.php in your theme folder and remove this line:

          Code:
          <?php remove_action( 'wp_head', 'wp_generator' ); ?>
          That way you do not give the hackers a nice head start...
          • Raja Sekharan wrote:
            Alminc,

            First of all, you must find out how they hacked your website. This can be found out by going through your server's access logs. Find out which pages they accessed before the hacker page started showing up.

            Raja Sekharan
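One way to do the log review Raja describes, as an added example that is not from this thread: it parses Apache combined-format lines, keeps only the requests made before the owner noticed the defacement, and flags the ones an investigator would look at first (login POSTs, PHP files served from the uploads tree, admin-area hits). The log lines, IP addresses and cutoff time are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '198.51.100.23 - - [22/Sep/2008:03:10:44 +0000] "GET / HTTP/1.1" 200 9421 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Sep/2008:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [22/Sep/2008:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [22/Sep/2008:03:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [22/Sep/2008:03:13:10 +0000] "GET /wp-content/uploads/2008/09/image.php HTTP/1.1" 200 31200 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [22/Sep/2008:03:20:15 +0000] "GET /2008/09/my-post/ HTTP/1.1" 200 11230 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Sep/2008:04:01:00 +0000] "GET /index.html HTTP/1.1" 200 412 "-" "Mozilla/4.0"',
]

# When the owner first saw the defaced page (assumed for the example).
NOTICED_AT = datetime(2008, 9, 22, 3, 30, tzinfo=timezone.utc)

LOGIN_PATH = "/wp-login.php"
PHP_UNDER_UPLOADS = re.compile(r"^/wp-content/uploads/.*\.php$")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Give a reason to look closer at this request, or None if it looks like normal reading."""
    path = entry["path"].split("?", 1)[0]
    if entry["method"] == "POST" and path == LOGIN_PATH:
        return "login POST"          # a successful login usually shows as a 302 redirect
    if PHP_UNDER_UPLOADS.match(path):
        return "PHP under uploads"   # uploads should hold media, never executable PHP
    if path.startswith("/wp-admin/"):
        return "admin area"
    return None


def suspicious_before(lines, cutoff):
    """Flagged requests that happened before the cutoff, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["time"] >= cutoff:
            continue
        reason = classify(entry)
        if reason is not None:
            entry["reason"] = reason
            hits.append(entry)
    return hits


def ips_to_review(lines, cutoff):
    """Client IPs with the number of flagged requests each made before the cutoff."""
    return dict(Counter(h["ip"] for h in suspicious_before(lines, cutoff)))


if __name__ == "__main__":
    for h in suspicious_before(SAMPLE_LOG, NOTICED_AT):
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], h["status"], "<-", h["reason"])
    print(ips_to_review(SAMPLE_LOG, NOTICED_AT))
```

On a real server, feed it the access log for the days before the defacement and start with the IPs that appear in the output; the uploaded index.html itself will not show in the web log if it came in over FTP, which is why the FTP log deserves the same look.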
    • Sean Donahoe wrote:
      Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

      Just add this as it blocks some common attacks and I use this on a lot of websites I run:

      Code:
      ########## TTM - Security Mods to block common exploits
      ## If you experience problems on your site block out the operations listed below
      #
      # Block out any script trying to base64_encode crap to send via URL
      RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
      # Block out any script that includes a <script> tag in URL
      RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
      # Block out any script trying to set a PHP GLOBALS variable via URL
      RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
      # Block out any script trying to modify a _REQUEST variable via URL
      RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
      # Send all blocked request to homepage with 403 Forbidden error!
      RewriteRule ^(.*)$ index.php [F,L]
      #
      ########## End - Rewrite rules
      
      Joomla installs use the same rules and they were adapted from them.
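As an added example (not Sean's code or anything from this thread), the block below mirrors the four RewriteCond patterns in Python and runs them over constructed query strings, including a harmless search for the term $_REQUEST that the rules refuse as if it were an attack, which is the kind of breakage jmorris18 asks about further down. It assumes mod_rewrite's behaviour of matching each pattern with PCRE, unanchored, against the raw (still percent-encoded) QUERY_STRING.

```python
import re

# The four RewriteCond patterns from the .htaccess snippet, transcribed for
# Python's re module. mod_rewrite matches them with PCRE, unanchored, against
# the raw QUERY_STRING, so re.search on the undecoded string is the equivalent.
# The unescaped '[' inside the GLOBALS/_REQUEST character classes is written
# as '\[' here; the set of characters it matches is unchanged.
RULES = [
    ("base64_encode in query", re.compile(r"base64_encode.*(.*)")),
    ("<script> in query",      re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),  # [NC]
    ("GLOBALS override",       re.compile(r"GLOBALS(=|[|%\[0-9A-Z]{0,2})")),
    ("_REQUEST override",      re.compile(r"_REQUEST(=|[|%\[0-9A-Z]{0,2})")),
]


def matching_rule(query_string):
    """Name of the first rule that fires for this raw query string, or None.

    A hit means RewriteRule ^(.*)$ index.php [F,L] answers 403 Forbidden;
    None means the request reaches WordPress untouched.
    """
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed query strings: the first group are the shapes the rules were
# written to refuse, the second are legitimate requests on a PHP-tutorial blog.
BLOCKED_SHAPES = [
    "p=1&x=base64_encode(abc)",
    "s=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "GLOBALS%5Bfoo%5D=bar",
    "_REQUEST[x]=1",
]
LEGITIMATE = [
    "p=42&preview=true",
    "s=%3Cb%3Ehello%3C%2Fb%3E",          # HTML in a search, but no 'script'
    "s=%24_REQUEST+vs+%24_GET",          # a reader searching for "$_REQUEST vs $_GET"
    "s=how+to+use+base64_encode",        # a reader searching for the PHP function
]


def false_positives(queries):
    """The legitimate query strings that the rules would nonetheless refuse."""
    return [q for q in queries if matching_rule(q) is not None]


if __name__ == "__main__":
    for q in BLOCKED_SHAPES + LEGITIMATE:
        print(f"{q!r:45} -> {matching_rule(q) or 'allowed'}")
    print("blocked although harmless:", false_positives(LEGITIMATE))
```

Run your own site's search terms and plugin query strings through matching_rule before enabling the rules; whatever it reports is what your visitors will get a 403 for.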
      • garyl2k wrote:
        Originally Posted by Sean Donahoe:

        Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

        Just add this as it blocks some common attacks and I use this on a lot of websites I run:

        Code:
        ########## TTM - Security Mods to block common exploits
        ## If you experience problems on your site block out the operations listed below
        #
        # Block out any script trying to base64_encode crap to send via URL
        RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
        # Block out any script that includes a <script> tag in URL
        RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
        # Block out any script trying to set a PHP GLOBALS variable via URL
        RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
        # Block out any script trying to modify a _REQUEST variable via URL
        RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
        # Send all blocked request to homepage with 403 Forbidden error!
        RewriteRule ^(.*)$ index.php [F,L]
        #
        ########## End - Rewrite rules
        
        Joomla installs use the same rules and they were adapted from them.
        Was actually looking for something like this, Thanks!

        I know the same rules apply to Joomla sites which I have had hacked plenty of times before.

        Remember people, always make backups, saved my behind many a times.
        • Alminc wrote:
          Thank you so much guys.

          I learned a lot from this thread, things
          that I am going to apply immediately.

          My host support guys scanned the account and deleted
          some shell files they found.

          I have changed the password and it is now
          20 random characters.

          I am installing the latest wp version and
          I will apply all the tips from Sean,Scott and others.
          Signature
          No links :)
      • Alminc wrote:
        Originally Posted by Sean Donahoe:

        Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

        Just add this as it blocks some common attacks and I use this on a lot of websites I run:

        Code:
        ########## TTM - Security Mods to block common exploits
        ## If you experience problems on your site block out the operations listed below
        #
        # Block out any script trying to base64_encode crap to send via URL
        RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
        # Block out any script that includes a <script> tag in URL
        RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
        # Block out any script trying to set a PHP GLOBALS variable via URL
        RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
        # Block out any script trying to modify a _REQUEST variable via URL
        RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
        # Send all blocked request to homepage with 403 Forbidden error!
        RewriteRule ^(.*)$ index.php [F,L]
        #
        ########## End - Rewrite rules
         
        Joomla installs use the same rules and they were adapted from them.

        Sean,

        shall I add the above code in my .htaccess file placed in the subfolder where wordpress resides, or shall I have it at a top level?
        Signature
        No links :)
        • Alminc wrote:
          Here's what I did so far:

          1. Upgraded to the latest wp version

          Disabled registration

          Activated Akismet

          2. Changed username (in phpmyadmin) and password( 20 random characters) for admin

          3. Placed empty index.html files in all wp- folders/subfolders

          4. Placed robot.txt containing:

          User-agent: *

          Disallow: *

          in all wp- folders/subfolders

          5. Commented out

          <?php remove_action( 'wp_head', 'wp_generator' ); ?>

          in functions.php

          6. placed the .htaccess file in my blog folder:

          ## Deny access to wp-config.php
          <FilesMatch ^wp-config.php$>deny from all</FilesMatch>
          ########## TTM - Security Mods to block common exploits
          ## If you experience problems on your site block out the operations listed below
          #
          # Block out any script trying to base64_encode crap to send via URL
          RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
          # Block out any script that includes a <script> tag in URL
          RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
          # Block out any script trying to set a PHP GLOBALS variable via URL
          RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
          # Block out any script trying to modify a _REQUEST variable via URL
          RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
          # Send all blocked request to homepage with 403 Forbidden error!
          RewriteRule ^(.*)$ index.php [F,L]
          #
          ########## End - Rewrite rules

          7. Installed WP Secure Pro
          ( now only my own IP address is allowed to login into admin )



          I hope this is enough protection.



          Thank you all for information.
          You guys are precious.

          Almin
          Signature
          No links :)
          • TheRichJerksNet wrote:
            Originally Posted by Alminc:

            Here's what I did so far:

            1. Upgraded to the latest wp version

            Disabled registration

            Activated Akismet

            2. Changed username (in phpmyadmin) and password( 20 random characters) for admin

            3. Placed empty index.html files in all wp- folders/subfolders

            4. Placed robot.txt containing:

            User-agent: *

            Disallow: *

            in all wp- folders/subfolders

            5. Commented out

            <?php remove_action( 'wp_head', 'wp_generator' ); ?>

            in functions.php

            6. placed the .htaccess file in my blog folder:

            ## Deny access to wp-config.php
            <FilesMatch ^wp-config.php$>deny from all</FilesMatch>
            ########## TTM - Security Mods to block common exploits
            ## If you experience problems on your site block out the operations listed below
            #
            # Block out any script trying to base64_encode crap to send via URL
            RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
            # Block out any script that includes a <script> tag in URL
            RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
            # Block out any script trying to set a PHP GLOBALS variable via URL
            RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
            # Block out any script trying to modify a _REQUEST variable via URL
            RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
            # Send all blocked request to homepage with 403 Forbidden error!
            RewriteRule ^(.*)$ index.php [F,L]
            #
            ########## End - Rewrite rules

            7. Installed WP Secure Pro
            ( now only my own IP address is allowed to login into admin )



            I hope this is enough protection.



            Thank you all for information.
            You guys are precious.

            Almin
            If your WP install pre-set the user / pass for your database, then change those also, just like you did for admin. Edit your config file for the database changes and again use the very long password suggestion I made.

            James
        • Sean Donahoe wrote:
          Originally Posted by Alminc:

          Sean,

          shall I add the above code in my .htaccess file placed in the subfolder where wordpress resides, or shall I have it at a top level?
          I would add it to the top so it protects all your subfolders including your blog.

          Coming from a corporate network security background no script or site is 100%, ever. Though you can minimize the risks with good basic practices.

          Wordpress is so common that it is an easy and popular target for hackers, same as PHPBB forums are a very popular hacking target. The more widespread, the more these scriptkiddies (I cannot even call them hackers as they only tend to use canned scripts) get their stupid defacements so widespread.

          How many times has Windows been hacked or exploited? It's the same thing, Windows is so widespread that it makes it a popular target. If you use custom code then it will be much harder to attack as the code is not so widespread and available and you keep under the target radar, so to speak.

          I tend to use Joomla for my websites because I have so many more security options (using JDefender, SH404sef Security with Honeypot) but I also have the advantage of running a dedicated server with many security customization applied.

          Joomla was recently hit with a similar spate of attacks and defacements and part of that targeting was a meta tag stating it was a Joomla website, my sites (I have around 40+ Joomla websites) avoided all attacks.

          Anyway, that's my Sunday 2c
          • jmorris18 wrote:
            Hey guys, quick question - if this is added to my .htaccess will this prevent scripts I currently have on my site from working?

            Also, when adding this - would I simply cut and paste this into the .htaccess and not paste over / overwrite what is already there?

            Thanks,
            Jason


            ########## TTM - Security Mods to block common exploits
            ## If you experience problems on your site block out the operations listed below
            #
            # Block out any script trying to base64_encode crap to send via URL
            RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
            # Block out any script that includes a <script> tag in URL
            RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
            # Block out any script trying to set a PHP GLOBALS variable via URL
            RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
            # Block out any script trying to modify a _REQUEST variable via URL
            RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
            # Send all blocked request to homepage with 403 Forbidden error!
            RewriteRule ^(.*)$ index.php [F,L]
            #
            ########## End - Rewrite rules

            Joomla installs use the same rules and they were adapted from them.
            Signature

            Jason Morris

  • braver55b wrote:
    Cyber crimes should be treated just as hard as violent robberies, they are robbing you of your reputation and income for every minute that your site is defaced.

    I am appalled as I did see the hacked site.

    For one thing frequently change your password, upgrade to the latest wordpress version and edit any place that would let hackers know what version you are currently using.

    How about going to statcounter.com or some other script to track ip addresses and pursue them wherever they are.

    This is a crying shame that people would do this for "for"

    Don't be discouraged, be determined.

    That statement has all the makings of a motto :-)
  • TorontoCarol wrote:
    This thread is scaring me to death, especially since I am a non-techie and the solutions that were mentioned are totally over my head. My 83 year old mother has a wordpress blog and when I scrolled down to the bottom of it the other day, I noticed there were all kinds of links to places she would never have approved.

    I guess her site was hacked and I thought that if she changed her theme, it would make the links all go away. Is that wishful thinking?
  • TheRichJerksNet wrote:
    WP is the worst blog software you could have and I certainly would not place my business in the hands of that software but for those that just insist on using it, this is the most effective way to secure it.

    * Go to your server's SQL database and change your login name as WP does not allow you to do this from the admin area. Change it from "admin" to something you do not use someplace else.

    For those that seriously insist on using WP..

    * Login into FTP and change the admin folder name to something else like maybe "blog_admin" but now when you do this you will also have to change any paths inside any wp files that reference the admin folder as being named "admin"

    * Also go to your config file on ftp and rename the database name and then login to your server and change your database name. If you have a pre-install like from using fantastico then wp set your database name for you and you should change it to use the name you wish.

    * Make sure every sub-folder (that is not being used as a site) contains a blank .html file and the robots.txt file which denies all.

    Code:
    User-agent: *
    
    Disallow: *
    * If you allow comments or registration make sure you have captcha installed on these as it will block auto post. Find a coder to block SQL injection on comments and the registration form.

    * If your server allows (HostGator does) have the host install SuExec as this will help further protect your folders as you will no longer need to use permissions such as 777 which allows anyone access to those folders.

    * Install the WP Security Plug-in if you choose to do so..

    * change the passwords on the database and WP if it was set by WP install.

    What I mean is change the passwords, do not use something like 8Vfcx4FDEs - That is NOT a secure password. A secure password is more like

    I_had-Fun_With_tHe_NakED-Elf_inThE-Woods_Last-Night

    I make all my passwords just as complex because there is no way any bruteforce would ever figure it out because it mostly looks for normal passwords with letters and number such as the one above that I said is not secure.

    So make those password upper/lower case and use - & _ and make them 20 or 30 characters long.

    Now those are the best tips for security for those that really want to run WP..

    If you need security services let me know...

    James
  • Dan Grossman wrote:
    Good reason to keep all your website files on a source control repository like Subversion. Assuming you have SSH access to wherever you host the files, you can know if any file changed just by typing "svn status" and can undo those changes with a simple "svn revert" command.
    Signature
    Improvely: Built to track, test and optimize your marketing.

    • Colin Evans wrote:
      Poor old WordPress gets unfairly bashed again...

      No website app is safe from hackers, at least the popular free ones like WordPress get patched quickly. Many of the paid apps only get patched when enough people complain!!!

      BTW - If you are using shared hosting it doesn't matter how secure your own passwords are. There are many ways your website can be compromised when you use shared hosting.

      The attack can come from another website on another account using the same shared hosting...

      The attack can come from another customer's browser session being hijacked...

      If you have your own server or use a virtual private server you can substantially reduce the risks, but you cannot eliminate them all.

      The most important security measure you can take is to make sure you regularly back up your data, especially databases.
      {{ DiscussionBoard.errors[119817].message }}
      • Profile picture of the author TheRichJerksNet
        Originally Posted by Colin Evans

        No website app is safe from hackers, at least the popular free ones like WordPress get patched quickly. Many of the paid apps only get patched when enough people complain!!!

        BTW - If you are using shared hosting it doesn't matter how secure your own passwords are. There are many ways your website can be compromised when you use shared hosting.

        The attack can come from another website on another account using the same shared hosting...

        The attack can come from another customer's browser session being hijacked...

        If you have your own server or use a virtual private server you can substantially reduce the risks, but you cannot eliminate them all.

        The most important security measure you can take is to make sure you regularly back up your data, especially databases.

        None of my scripts get hacked and I provide 100% free for life support to all my clients. But then again all my scripts are 100% custom coded from the ground up and no free open source code is ever used.

        There is a great deal more to security besides passwords. I can if I choose to make WP 100% hacker free, even if on a shared hosting account but it is a time consuming process.

        James
        • Profile picture of the author Colin Evans
          None of my scripts get hacked
          Well done, I hope you maintain this good record...

          I provide 100% free for life support to all my clients
          That is an admirable undertaking, not many programmers will offer life support especially free life support.

          all my scripts are 100% custom coded from the ground up and no free open source code is ever used
          IMO - The source of the code is not important, it's how the code is used/constructed - There are many secure open source code snippets available online.

          I can if I choose to make WP 100% hacker free, even if on a shared hosting account but it is a time consuming process.
          Therein lies the problem - not many hosts are prepared to optimally secure each customer's hosting account (why should they when you only pay $5 or $10 per month, and each customer has different requirements which makes the task more difficult). They have to balance hosting requirements, scripting requirements and cost of support, so the end result is at best a compromise...

          I agree with you on the password issue, but it's a lot easier to get a VPS account (or your own server) secured by virtue of the fact the added cost gets you true 24/7 technical support... By opening a VPS hosting account and letting the technical staff solve the security issues, my website and blog hacks have stopped, and I still have a PHP environment which allows my own scripts to do what I designed them to do.
          • Profile picture of the author Alminc
            How can I install captcha for comments?

            Is there some option in admin area or do I have
            to use some plugin for it ?
            • Profile picture of the author IPNHarvest
              Hi!

              Try THIS...

              I think that will help.

              Lycka till!
            • Profile picture of the author Colin Evans
              Hi Almin,

              You will have to use a plugin to add captcha to your comments, I personally don't bother with captcha and just use the Akismet antispam plugin...
            • Profile picture of the author TheRichJerksNet
              Originally Posted by Alminc

              How can I install captcha for comments?

              Is there some option in admin area or do I have
              to use some plugin for it ?

              The purpose of captcha (I personally use my own turing number system) is to not only block spam comments but also to block bad bots, most don't understand the full need for such protection and think it is just for blocking unwanted spam.

              The full purpose is additional security, blocking those bad bots from attempting to do SQL injection and other things to your system. If you have SuExec installed on your server then SQL injection is not much of a concern but it is still good practice to always block anyways.

              The host you are on makes a big difference too.. This has nothing to do with a shared hosting account, what it does have to do with is if the host you are on is running software other than cPanel then your site is open to attacks. This is one reason why most developers suggest and use HostGator because they are one of the very few that have up to date servers running cPanel up to date.

              James
  • Profile picture of the author Chris_Willow
    Hi Almin
    You can put this code in your admin folder htaccess:
    Code:
    <Limit GET POST>
    order deny,allow
    deny from all
    # your own IP address (or address prefix) goes here
    allow from xxx.xxx.xxx.
    </Limit>
    This will allow access from your ip only, but I'm not really sure if this helps against hackers...

    Chris
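As an added example, not from Chris's post: the same restriction in the Require syntax of Apache 2.4 (the older order/deny/allow directives are only provided on 2.4 through mod_access_compat). Two checks a practitioner would make on the snippet above: a <Limit GET POST> wrapper restricts only those two methods and leaves every other method unrestricted, so the rule is better written without any <Limit> at all; and wp-login.php lives in the site root, outside wp-admin/, so it needs its own rule. 203.0.113.0/24 is a placeholder documentation range, not a real address; the admin-ajax.php stanza is there because some themes and plugins call that file from public pages.

```apache
# wp-admin/.htaccess (Apache 2.4). 203.0.113.0/24 is a placeholder: put your own
# address or range here. No <Limit> wrapper, so every HTTP method is covered.
Require ip 203.0.113.0/24

# Front-end code in some themes and plugins calls admin-ajax.php from public
# pages; re-open only that file so those features keep working.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Site-root .htaccess: wp-login.php sits outside wp-admin/ and needs its own rule.
<Files "wp-login.php">
    Require ip 203.0.113.0/24
</Files>
```

Require ip accepts several addresses or CIDR ranges on one line, which matters if your connection gets a new address; if you do lock yourself out, the file is still editable over FTP or SSH. Chris's doubt at the end is well founded in one respect: this only stops the login form and admin pages from being reached, and does nothing for a hole reachable through the public front end of the site.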
  • Profile picture of the author askloz
    When installing your WP on your domain, always remove the version number in the header file, WP guys ask to keep it there with a comment code, to leave for stats, but I remove mine. If you leave that stat there, hackers will know what version you're using.

    One of the reasons why PHPBB decided to rename their versions is because hackers knew what people were using as their phpbb version and attacked it. Now hacking attempts have somewhat subsided.
    • Profile picture of the author jmorris18
      Can someone point me in the right direction for WP Secure Pro and Login Lockdown? Are these created by fellow Warriors? Also, if I use one of these programs, would I need the other as well?

      Thanks,
      Jason
      • Profile picture of the author TheRichJerksNet
        Originally Posted by jmorris18

        Can someone point me in the right direction for WP Secure Pro and Login Lockdown? Are these created by fellow Warriors? Also, if I use one of these programs, would I need the other as well?

        Thanks,
        Jason

        Jason,
        I assume this is what you are looking for... (would not waste my $10 but that's just me)

        WordPress Secure Pro

        Problem here is though people run to install this plug-in and that plug-in to try and secure something. People never wonder how secure the plug-in is... They are told it helps protect you and that is good enough for them.

        You should be securing your site yourself and not run after this plug-in and that plug-in which in the long run could cause you more problems. You seem to forget hackers also have access to these plug-ins also and they learn from them.

        If you take care of the security yourself then there is no way any hacker will know what to do because they do not have any plug-ins to learn from as they have no idea what you did do for security.

        You can make a WP install 100% secure without the need of any plug-ins or buying additional software, or using more free open source code.

        I think I should write an ebook or something...

        James
        • Profile picture of the author jmorris18
          James, wow, I think this would be awesome - you writing an ebook on how to protect yourself from hackers would be a great resource that all Warriors would be interested in. Also, a step by step video would make it even better -

          One question - how would this benefit Warriors if hackers were also able to get access to your ebook?

          Thanks,
          Jason
          • Profile picture of the author TheRichJerksNet
            Originally Posted by jmorris18

            James, wow, I think this would be awesome - you writing an ebook on how to protect yourself from hackers would be a great resource that all Warriors would be interested in. Also, a step by step video would make it even better -

            One question - how would this benefit Warriors if hackers were also able to get access to your ebook?

            Thanks,
            Jason

            Because hackers would not know how you implement the things I teach you..

            Most people posting seem to think all you need to do is keep up to date and install this plug-in and that plug-in but that is 100% wrong.. DEAD WRONG!!!

            If you do proper security on your WP and have a properly built server from an up-to-date host then you will have no problems and I can 100% promise that...

            This is fact no matter what anybody else claims.

            You do need a Unix server running PHP 5.2.5 (or PHP 4 is fine), cPanel 11, and Apache compiled with SuExec installed.

            If you are running anything other than the above then your sites are not secure. Again this is why so many developers suggest HostGator.

            It has nothing to do with shared hosting, it has a lot to do with the host you choose to use and as you already know it has a lot to do with the script you choose to run.

            James
  • Profile picture of the author garyl2k
    I have only had my main site hacked into, which was around 2 years ago. I don't own the site any more but it was a lesson I learnt the hard way when it comes to keeping backups of my site.

    Sadly kids around the world learn this stuff and find it funny to ruin people's sites for the heck of it; to them they're just having fun but to us we are losing business and earnings!
  • Profile picture of the author AgileHosting
    Originally Posted by Alminc

    My (semiologic) wordpress (2.5.1) was hacked yesterday.

    I am noting that this post is dated 9/20/08.

    You don't need any additional security, you simply need to stay current on updates. The minute a WP update is released, install it!! Updates are usually security patches.

    There were several known defacement-type exploits between WP 2.5.1 and the current build. These exploits have been known and were widely publicized to the WP community for several months now.

    If you had kept your site patched, it is extremely likely it wouldn't have been defaced. (However, keep in mind that plug-ins and themes can open exploits in code as well, so make sure that all of your plug-ins are up-to-date and that there isn't a hole in Semiologic.)

    Originally Posted by Alminc

    Is there any really good anti-hacker protection
    for wordpress ?

    Yes: keeping the script updated.

    If you exercise good basic security, you will be fine.

    Bailey
  • Profile picture of the author thunderbird
    Is this thread pinned? It definitely SHOULD be!
  • Profile picture of the author TheRichJerksNet
    Ok I have got several PMs so I am putting together an eBook.. How many are interested ??

    I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.

    James
    • Profile picture of the author buckapple
      Interesting thread...

      On the backup procedure, does the WP Backup plugin work well? I notice you can put it on automatic pilot which would be nice.

      Other than that when you backup, are you saying use the database backup option in cpanel? I've been using that.

      Thanks,
      Gary
      • Profile picture of the author Alminc
        I am interested. Count me in.
    • Profile picture of the author DonnaLeona
      Originally Posted by TheRichJerksNet

      Ok I have got several PM's so I am putting together an eBook.. How many are interested ??

      I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.

      James

      I'm interested too!


      Thanks
      • Profile picture of the author sylviad
        This thread is very lengthy and contains tons of excellent advice. I didn't get through it all, but wanted to post a few quick comments.

        How much is Wordpress hacking related to the software being hosted on a server that does not have very good security? Someone mentioned "shared server" (I think it was) as being partially responsible. How secure are they? Would we be better off paying the bucks to get a dedicated server?

        Passwords...

        An excellent tool to create random keywords is Roboform. Well worth the measly price for its convenience (saving passwords, auto-login, generating random keywords, etc.)

        Re the Warrior who stated her 85-year-old mother's blog has undesirable links at the bottom...

        If this is a blog hosted on the Wordpress site, it's possible the links are randomly inserted by Wordpress as part of their money-making schemes. Check to see if the links are Adsense. And I'd check with Wordpress and ask them about those ads. If they are objectionable, you have a good argument to ask them to restrict the types of ads they show on your blog.

        Sylvia
        • Profile picture of the author TheRichJerksNet
          Originally Posted by sylviad

          This thread is very lengthy and contains tons of excellent advice. I didn't get through it all, but wanted to post a few quick comments.

          How much is Wordpress hacking related to the software being hosted on a server that does not have very good security? Someone mentioned "shared server" (I think it was) as being partially responsible. How secure are they? Would we be better off paying the bucks to get a dedicated server?

          Passwords...

          An excellent tool to create random keywords is Roboform. Well worth the measly price for its convenience (saving passwords, auto-login, generating random keywords, etc.)

          Re the Warrior who stated her 85-year-old mother's blog has undesirable links at the bottom...

          If this is a blog hosted on the Wordpress site, it's possible the links are randomly inserted by Wordpress as part of their money-making schemes. Check to see if the links are Adsense. And I'd check with Wordpress and ask them about those ads. If they are objectionable, you have a good argument to ask them to restrict the types of ads they show on your blog.

          Sylvia

          Sylvia,
          Whoever stated you needed to stay away from shared hosting is wrong.. Shared hosting has nothing to do with it.. Even a dedicated server has more than your site attached to it.. It does matter who you host with, and that goes for any site not just wordpress..

          It is the software that is at fault because wordpress will not code security into the scripts and because it is so mass distributed hackers know the loops to get around.

          My eBook though will put a stop 100% to hackers....

          James
  • Profile picture of the author jmorris18
    James, I am also very interested. Any chance of including step by step videos for us Warriors that lack an understanding of code??

    Thanks,
    • Profile picture of the author TheRichJerksNet
      Originally Posted by jmorris18

      James, I am also very interested. Any chance of including step by step videos for us Warriors that lack an understanding of code??

      Thanks,

      Thanks everyone.. Will get something put together soon..

      Hi Jason,
      Trust me it will be easy to follow and understand.. As for video when doing security I would rather not create videos showing databases, hosting controls, etc...

      There will be simple step by step information along with screenshots.

      I may even include one of my own personal scripts that I use for extra security but dont currently sell..

      James
      • Profile picture of the author TejasKid
        Count me in for that e-book too!!
  • Profile picture of the author spicegator
    Can anyone find a hacker and rip his head off, I understand these morons even have conventions and get-togethers. They should be put in prison with a large cell mate (the only problem is most of them would enjoy that)
  • Profile picture of the author TheRichJerksNet
    Ok everyone, I posted a poll on cost of eBook..

    Feedback very welcome

    http://www.warriorforum.com/main-int...d-you-pay.html

    James
  • Profile picture of the author TheRichJerksNet
    I agree you should never use that auto update plug-in.. I created a solution to make WordPress secured.. Those that have used it are very thankful for my solution.

    James
  • Profile picture of the author TheNightOwl
    It's a good solution. I bought the WSO.

    I recommend you at least check it out.
    • Profile picture of the author TheRichJerksNet
      Originally Posted by TheNightOwl

      It's a good solution. I bought the WSO.

      I recommend you at least check it out.

      Thanks Night Owl ...

      James
      • Profile picture of the author DJL
        Originally Posted by TheRichJerksNet

        Thanks Night Owl ...

        James

        The WordPress Security link in your signature requires a username and password. Please advise.
