| | #1 |
| Advanced Warrior War Room Member Join Date: Jun 2007 Location: Vancouver, BC, Canada.
Posts: 797
Thanks: 349
Thanked 496 Times in 374 Posts
|
I have WordPress 3 sites that have been hacked, while pre-WordPress 3 WP sites are untouched. I gather that this has been happening to others as well. Does anyone here know how to fix up whatever is making WordPress 3.1 less vulnerable to malicious hacks? Some kind of patch? Thanks.
|
| | |
| | #2 |
| Web Developer Join Date: Aug 2010 Location: Wisconsin
Posts: 324
Thanks: 2
Thanked 79 Times in 72 Posts
|
I have not seen any kind of vulnerabilities in 3.1. You need to change your usernames and passwords for the installs and FTP accounts. It is possible that you have a plug-in with a vulnerability or that your files do not have the correct permissions on the server and are writable. |
| | |
| | |
| | #3 |
| phpLD master War Room Member Join Date: Dec 2006 Location: Silicon Valley
Posts: 2,962
Blog Entries: 3 Thanks: 44
Thanked 307 Times in 259 Posts
|
WordPress is known for lots of vulnerabilities. Secunia lists 184 WordPress vulnerabilities that have been found.
|
| | |
| | #4 |
| Web Developer Join Date: Aug 2010 Location: Wisconsin
Posts: 324
Thanks: 2
Thanked 79 Times in 72 Posts
|
From what I see those are all plug-in vulnerabilities. Not WordPress. Also, look at the dates: 184 is the history, NOT current. |
| | |
| | |
| | #5 |
| Advanced Warrior War Room Member Join Date: Jun 2007 Location: Vancouver, BC, Canada.
Posts: 797
Thanks: 349
Thanked 496 Times in 374 Posts
| |
| | |
| | #6 |
| Advanced Warrior Join Date: May 2007 Location: Hong Kong.
Posts: 961
Thanks: 3
Thanked 173 Times in 153 Posts
|
Protecting WordPress sites from being hacked is not just about WordPress - there are lots of ways people can access and hack your site. This article describes what happened when one of my clients' WordPress sites was hacked and how we fixed it: http://www.wealthydragon.com/blog/20...ity-wordpress/ Cheers, Martin. |
| | |
| | |
| | #7 |
| King of Claims Join Date: Jun 2010 Location: UK
Posts: 29
Thanks: 0
Thanked 1 Time in 1 Post
|
Have you recently shared ID and passwords with any developers? Try making them a lot more complicated. Bless
|
|
| | |
| | #8 |
| Developer likes skittles Join Date: Sep 2010 Location: On an CentOS Apache Server
Posts: 31
Thanks: 0
Thanked 4 Times in 2 Posts
|
A lot depends on your host too; many do not provide the necessary encryption, shells, protocols, file permissions, etc. Plus there is the amount of bad bots out there that specifically target WP installations, mostly because the users do not take the simple precautions to change the database table prefixes, change the admin login name, hide the WP version, put a .htaccess in the admin directory, and remove the default login meta. A few simple plugins can greatly reduce your risk factor too; search for BBQ, wp secure, wp security, login lockdown, Akismet, bullet proof security, admin ssl, wp mal-watch. And check out Perishablepress.com for very helpful preventative maintenance (it's a cool WordPress blog). |
| | |
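An audit of the precautions listed in the post above (table prefix, version disclosure, `.htaccess` in the admin directory) plus the writable-files point from the earlier reply, as an added example that is not part of the original thread. The names `wp_audit` and `make_sample` are hypothetical, the sample tree is constructed, and treating a stock `readme.html` as a version disclosure is an assumption about WordPress 3.x releases.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a WordPress tree for the
# weaknesses the post above lists. Prints one FINDING line per issue.
wp_audit() {
    local root="$1" cfg="$1/wp-config.php" n
    if [ ! -f "$cfg" ]; then
        echo "ERROR: no wp-config.php under $root" >&2
        return 2
    fi
    # Database table prefix still at the default "wp_".
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "FINDING: default table prefix wp_"
    fi
    # Files or directories writable by any local user (mode o+w).
    n=$(find "$root" ! -type l -perm -0002 | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n world-writable path(s)"
    fi
    # Stock readme.html left in place (assumed to state the version, as in 3.x).
    if [ -f "$root/readme.html" ]; then
        echo "FINDING: readme.html present"
    fi
    # No .htaccess restricting access to the admin directory.
    if [ ! -f "$root/wp-admin/.htaccess" ]; then
        echo "FINDING: wp-admin/.htaccess missing"
    fi
    return 0
}

# Constructed sample tree (not a real site) with every weakness present.
make_sample() {
    local d
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    printf '%s\n' '<?php' "\$table_prefix  = 'wp_';" > "$d/wp-config.php"
    echo '<h1>Version 3.1</h1>' > "$d/readme.html"
    chmod 777 "$d/wp-content/uploads"
    echo "$d"
}

sample=$(make_sample)
wp_audit "$sample"
rm -rf "$sample"
```

The admin login name lives in the database, so it is not covered by this file-level check.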
| | #9 | |
| I am not a cowboy War Room Member Join Date: Apr 2007 Location: Caldwell, Idaho, USA.
Posts: 1,647
Thanks: 236
Thanked 494 Times in 343 Posts
| Quote:
FWIW, the WP core team has always been incredibly fast about fixing known vulnerabilities and takes security VERY seriously. | |
|
| ||
| | |
| | #10 |
| Active Warrior Join Date: Jun 2010
Posts: 62
Thanks: 2
Thanked 6 Times in 5 Posts
|
Never use "admin" as the WordPress admin username. It makes a brute-force attack much easier for an attacker.
|
| | |
| | #11 |
| Active Warrior Join Date: Jun 2010
Posts: 62
Thanks: 2
Thanked 6 Times in 5 Posts
|
Also, find some plugin which can limit login attempts, like wait for 10 minutes after 5 incorrect login attempts.
|
| | |
| | #12 |
| HyperActive Warrior Join Date: Aug 2010
Posts: 120
Thanks: 6
Thanked 5 Times in 5 Posts
|
My site also got hacked by a deface method. I'm using WP 3.0.1.
|
| | |