Wordpress Sites Hacked

18 replies
Two of my Wordpress sites were hacked in the last day or so by some fool who takes the name "Muria Kudus Hacker" and "Situse Sampeyan Keno Hacked".

I've not found much information on this individual, but have found many, many other affected sites. The complete site is taken over, including any login pages.

My host is working on restoring from a clean backup.

Anyone know what security hole is being exploited, so I can patch it up?

Both sites were the latest version of Wordpress, with all plugins at the latest version.

Thanks for any insights.

gary

P.S. And if anyone can recommend a hard-core plugin or technique for locking up my sites, I'd appreciate it.
#hacked #sites #wordpress
  • shantanu
    Which vulnerability did anyone get? Only then is hacking possible, or someone spoofed it.
  • xtrapunch
    Did you conduct a security audit for your WP sites? It can be fairly easy to secure some common security holes. The username should not be admin. File permissions should be 644 or 755, never 777. One more thing to take care of is adding a security token in the wp-config file.
    Signature
    >> Web Design, Wordpress & SEO - XtraPunch.com <<
    Web Design & SEO Agency | Serving World Wide from New Delhi, India

    • LeeShelton
      I have had good success with checking access logs.

      I use Microsoft Log Parser 2.2 to make a csv file and load it into MS Excel.

      Then you filter and sort by IP Address, Request, etc.
      Look for POST requests made direct to plugins or odd php files.

      Also, you can use a FTP app like FileZilla to compare directories and files.
      Get a copy of Wordpress 3.3 on your local laptop or desktop and compare it to your site files side-by-side -- it will highlight differences in red.
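As an added example (not code from the thread), here is the log triage LeeShelton describes, done with a short Python script instead of Log Parser and Excel. It parses Apache/Nginx combined-format lines, flags POST requests aimed directly at plugin or theme .php files, flags requests for .php files that are not normal WordPress entry points, and counts POSTs to wp-login.php per IP so a brute-force burst stands out (the pattern a login-lockout plugin is meant to stop). The log lines, IP addresses and plugin path are constructed sample data; the list of known entry points and the burst threshold are assumptions to tune for your own site.

```python
"""Triage a WordPress access log for the things LeeShelton looks for.

Added example, not code from the thread.  Parses Apache/Nginx "combined"
log lines and flags:
  * POST requests sent straight to a plugin or theme .php file,
  * requests for .php files that are not normal WordPress entry points,
  * bursts of POSTs to wp-login.php from one IP (brute-force pattern).
SAMPLE_LOG is constructed sample data, not real traffic.
"""
import re
from collections import Counter

# ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# PHP files that ordinary WordPress traffic legitimately hits (assumed list; extend per site).
KNOWN_PHP = {
    "/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
    "/wp-comments-post.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
}
LOGIN_BURST = 10  # POSTs to wp-login.php from one IP before we report a burst (assumed threshold)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Scan log lines; return (findings, login_posts) where findings is a list of
    (ip, kind, detail) tuples and login_posts counts wp-login.php POSTs per IP."""
    findings = []
    login_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?", 1)[0]  # compare without the query string
        if method == "POST" and path == "/wp-login.php":
            login_posts[ip] += 1
        in_content = path.startswith(("/wp-content/plugins/", "/wp-content/themes/"))
        if method == "POST" and in_content and path.endswith(".php"):
            findings.append((ip, "POST to plugin/theme php", path))
        elif (path.endswith(".php") and path not in KNOWN_PHP
              and not path.startswith(("/wp-admin/", "/wp-includes/"))):
            findings.append((ip, "odd php file", path))
    for ip, n in sorted(login_posts.items()):
        if n >= LOGIN_BURST:
            findings.append((ip, "wp-login.php burst", f"{n} POSTs"))
    return findings, login_posts


# Constructed sample: normal traffic, one direct plugin POST, one stray .php in uploads,
# and a dozen rapid POSTs to wp-login.php from a single address.
SAMPLE_LOG = (
    '203.0.113.7 - - [12/Feb/2012:03:14:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"\n'
    '203.0.113.7 - - [12/Feb/2012:03:14:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    '203.0.113.7 - - [12/Feb/2012:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"\n'
    '198.51.100.23 - - [12/Feb/2012:03:20:11 +0000] "POST /wp-content/plugins/oldgallery/upload.php HTTP/1.1" 200 88 "-" "Python-urllib/2.7"\n'
    '198.51.100.23 - - [12/Feb/2012:03:20:19 +0000] "GET /wp-content/uploads/2012/02/img.php HTTP/1.1" 200 312 "-" "Python-urllib/2.7"\n'
) + "".join(
    f'192.0.2.50 - - [12/Feb/2012:03:3{i // 10}:{i % 10}0 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"\n'
    for i in range(12)
)


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG.splitlines())
    for ip, kind, detail in found:
        print(f"{ip:15} {kind:26} {detail}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; the three kinds of finding correspond to the three things worth sorting by in the spreadsheet, and the per-IP counter tells you which addresses to look at first.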
  • zacsmith
    Thanks, guys, for the suggestions. I got the site back by restoring a backup, and only lost a few changes to the home page of one site.

    LeeShelton, I looked at the access logs, and it appears the hacker got in through FTP, either through anonymous FTP or a compromised password. There was definitely some suspicious activity there.

    xtrapunch, I checked all updates and file/folder permissions; a few were incorrect.

    Then, I loaded the Bulletproof Security plugin (highly ranked, so I thought I'd give it a try) to harden up HTACCESS files. Removed some troublesome plugins I found using a WP security scanner, and turned off anonymous FTP.

    Then I laboriously went through and changed every WHM, cPanel and WP Admin password on every site (about 19 of them) to something much stronger, using a 13-digit numbers/letters password generator.

    Hopefully, that keeps the bad guys out for a while. Thanks, again, for the feedback.

    g
    Signature
    Gary Smith, Partner, Wells-Smith Partners
    Your Employee Handbook Personnel Policies for Small Businesses
    Eliminate the barriers to a successful life: How to Create a Happier Life
    Stressful home life?: How to Create a Happier Home
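An added example, not from the thread or from BulletProof Security: a Python audit of a downloaded copy of the site that checks the two things zacsmith and xtrapunch discuss (world-writable 777 files and a wp-config.php readable beyond its owner) and does LeeShelton's side-by-side comparison against a clean copy of the same WordPress release, using SHA-256 hashes instead of eyeballing FileZilla. Both trees are constructed in a temporary directory with a few stand-in core files, a tampered wp-includes/functions.php, a stray .php in uploads and a 777 uploads directory, all made up for the demo; on a real site, point compare_trees() at your download and the matching clean release. wp-config.php is skipped when diffing, since the release ships only wp-config-sample.php.

```python
"""Audit a downloaded copy of a WordPress site: unsafe file modes plus a
hash comparison against a clean copy of the same release.

Added example, not code from the thread or from any plugin it mentions.
The two trees are constructed in a temp directory so this runs offline.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

# Site-specific files the clean release does not ship, so skip them when diffing (assumed list).
SKIP_IN_DIFF = {"wp-config.php"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_permissions(root):
    """Return (relative_path, issue) pairs for world-writable entries (the 777 case)
    and for a wp-config.php that group or others can read."""
    root = Path(root)
    issues = []
    for p in root.rglob("*"):
        mode = stat.S_IMODE(p.lstat().st_mode)
        rel = p.relative_to(root).as_posix()
        if mode & stat.S_IWOTH:
            issues.append((rel, f"world-writable ({mode:o})"))
        if p.name == "wp-config.php" and mode & (stat.S_IRGRP | stat.S_IROTH):
            issues.append((rel, f"wp-config.php readable by group/other ({mode:o})"))
    return sorted(issues)


def compare_trees(site, clean):
    """Hash every file in both trees; return what was added, removed or modified on the site."""
    def index(root):
        root = Path(root)
        return {p.relative_to(root).as_posix(): sha256_of(p)
                for p in root.rglob("*")
                if p.is_file() and p.relative_to(root).as_posix() not in SKIP_IN_DIFF}
    s, c = index(site), index(clean)
    return {
        "added": sorted(set(s) - set(c)),
        "removed": sorted(set(c) - set(s)),
        "modified": sorted(k for k in set(s) & set(c) if s[k] != c[k]),
    }


def build_sample():
    """Construct a tiny 'clean release' and a 'site' copy with four planted problems."""
    base = Path(tempfile.mkdtemp(prefix="wpaudit-"))
    clean, site = base / "clean", base / "site"
    core = {  # stand-ins for core files; contents are made up
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-settings.php": "<?php // core\n",
        "wp-includes/functions.php": "<?php // core\n",
    }
    for root in (clean, site):
        for rel, body in core.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'placeholder');\n")
    (site / "wp-content/uploads").mkdir(parents=True)
    (site / "wp-content/uploads/img.php").write_text("<?php // a .php file has no business in uploads\n")
    (site / "wp-includes/functions.php").write_text("<?php // core\n/* an extra line the release does not contain */\n")
    # Normalise modes first so the result does not depend on the umask, then plant the bad ones.
    for root in (clean, site):
        for p in root.rglob("*"):
            p.chmod(0o755 if p.is_dir() else 0o644)
    (site / "wp-content/uploads").chmod(0o777)   # the 777 everyone warns about
    (site / "wp-config.php").chmod(0o644)        # should be 400 or 600
    return clean, site


def run_audit():
    clean, site = build_sample()
    return audit_permissions(site), compare_trees(site, clean)


if __name__ == "__main__":
    issues, diff = run_audit()
    for rel, issue in issues:
        print(f"PERM     {rel}: {issue}")
    for kind, paths in diff.items():
        for rel in paths:
            print(f"{kind.upper():8} {rel}")
```

The "added" list is where uploaded shells and stray .php files show up, "modified" is where injected code in core files shows up, and both are quicker to read than a red-highlighted FileZilla listing; anything under wp-content/uploads ending in .php deserves a look regardless of the hash.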
    • Kingfish85
      Originally Posted by zacsmith

      Thanks, guys, for the suggestions. I got the site back by restoring a backup, and only lost a few changes to the home page of one site.

      LeeShelton, I looked at the access logs, and it appears the hacker got in through FTP, either through anonymous FTP or a compromised password. There was definitely some suspicious activity there.

      xtrapunch, I checked all updates and file/folder permissions; a few were incorrect.

      Then, I loaded the Bulletproof Security plugin (highly ranked, so I thought I'd give it a try) to harden up HTACCESS files. Removed some troublesome plugins I found using a WP security scanner, and turned off anonymous FTP.

      Then I laboriously went through and changed every WHM, cPanel and WP Admin password on every site (about 19 of them) to something much stronger, using a 13-digit numbers/letters password generator.

      Hopefully, that keeps the bad guys out for a while. Thanks, again, for the feedback.

      g
      Is your admin username still "admin"?

      Is there a "lockout" period?

      Where's your wpconfig file at?

      You mentioned WHM, is this a reseller account or a dedicated server/vps?

      Do you have any experience with securing WHM?

      If you're using ssh, are you using keys?

      Is mod_security installed?

      Is your php hardened?

      Are you backing up your data? If so, where? If remote, using FTP or SSH?

      What level are your passwords?
      Signature

      |~| VeeroTech Hosting - sales @ veerotech.net
      |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
      |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
      |~| Visit us @veerotech Facebook - Twitter - LinkedIn

      • zacsmith
        Hey kingfish85, thanks for the questions. Let's see...

        Is your admin username still "admin"?
        Nope. First thing I get rid of when I set up a WP site.

        Is there a "lockout" period?
        You mean "lockout" after a certain number of login tries? No, I don't believe so, and I don't know where to set that up, either in the domain account or in WP.

        Where's your wpconfig file at?
        At the root of the WP install, file permissions now 400. I've read that it's a good idea to relocate wp-config elsewhere.

        You mentioned WHM, is this a reseller account or a dedicated server/vps?
        ABB Reseller account at Heroehost.com. I don't host any sites but my own.

        Do you have any experience with securing WHM?
        Nope. Didn't know it was possible. I'll have to look it up.

        If you're using ssh, are you using keys?
        Not using ssh.

        Is mod_security installed?
        Don't know. I'll check with the host.

        Is your php hardened?
        Don't know (boy, am I sounding ignorant!)

        Are you backing up your data? If so, where? If remote, using FTP or SSH?
        Yes, quite often, as the host only does a monthly backup. I back up databases at least once a week, daily if I'm working on the site. I download a full site backup after every major upgrade, and at least monthly. This hacker just happened to catch me right after I made modifications to the home page and Flexsqueeze options.

        What level are your passwords?
        Not sure of the level. I now use 13-digit numbers and letters (upper and lower case).

        befree22, I downloaded logs from CPanel and reviewed them. Also got input from the host, who reviewed them as well.

        gary
        Signature
        Gary Smith, Partner, Wells-Smith Partners
        Your Employee Handbook Personnel Policies for Small Businesses
        Eliminate the barriers to a successful life: How to Create a Happier Life
        Stressful home life?: How to Create a Happier Home
        • Kingfish85
          Originally Posted by zacsmith

          Hey kingfish85, thanks for the questions. Let's see...

          Nope. First thing I get rid of when I set up a WP site...............................

          Ok, as a reseller some of those questions will not apply to you directly. If you've got ssh, it's jailed, but most likely it's not enabled unless you request ssh access.

          For your wp-config file, move it to the root directory of the user, so up one level from public_html. Leave the wp-config.php file in the public_html, create another file up one directory and call it wpconfiguration.php or something like that. Use an include in the original wp-config file to include the one you created. Put the include in place of the database information. Also, since your sites were compromised, you should change the database password, AND remove and create a new user. Put the details in the new configuration file.

          For backups - don't rely solely on the host's backups; always keep your own backups. I have a web hosting company, based on multiple servers/locations, and use multiple methods of backing up. Since you don't have root access, your options are limited. I would recommend Backomatic, since it's easy to use and you can automate it. Works well with WHM too.

          For lockout, you could use Login Lockdown, but I'm not sure if it will conflict with BulletProof. This will aid against brute force attacks.

          You need to do some research on .htaccess options:

          This will deny all access to the config file: (use this in conjunction with using a "real" configuration file that is up one level)

          # to protect wp-config.php
          <Files wp-config.php>
          order allow,deny
          deny from all
          </Files>


          This will deny all access to the .htaccess file:

          # to protect the .htaccess file itself:
          <Files .htaccess>
          order deny,allow
          deny from all
          </Files>


          Hope this info helps!
          Signature

          |~| VeeroTech Hosting - sales @ veerotech.net
          |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
          |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
          |~| Visit us @veerotech Facebook - Twitter - LinkedIn

  • befree22
    How do you obtain the REAL ip of access logs? Isn't that the web host's responsibility?
    Signature

    The turtle always wins.

  • Kung Fu Backlinks
    I have had my sites hacked before, so I sympathize.

    I now use Bulletproof Security, Secure WordPress, WP Security Scanner and the Ultimate Security Checker, and they all work really well.

    I also make sure my tables start with some gobbledy-gook like "kueE88d," instead of "wp."

    My admin usernames and passwords are always 25 characters, alphanumeric and special characters with at least 130 bit encryption.

    Since making these changes, I haven't had a problem.
    Signature
    G+ LOCAL SETUP ___and____ Custom WordPress - Genesis Child Themes (see portfolio here)

    SCHEMA.ORG + GEOTAGGING + KML + PUBLISHERSHIP + so much more...
    • zacsmith
      Originally Posted by Kung Fu Backlinks

      I also make sure my tables start with some gobbledy-gook like "kueE88d," instead of "wp."

      My admin usernames and passwords are always 25 characters, alphanumeric and special characters with at least 130 bit encryption.
      I started recently renaming table prefixes.

      My password generator is somewhat simple. I use a Mac, so I can use the Keychain Password Generator, but it's a real pain to get to (I should make the effort, though).

      gary
      Signature
      Gary Smith, Partner, Wells-Smith Partners
      Your Employee Handbook Personnel Policies for Small Businesses
      Eliminate the barriers to a successful life: How to Create a Happier Life
      Stressful home life?: How to Create a Happier Home
    • Kingfish85
      Originally Posted by Kung Fu Backlinks

      at least 130 bit encryption.
      130 bit encryption?
      Signature

      |~| VeeroTech Hosting - sales @ veerotech.net
      |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
      |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
      |~| Visit us @veerotech Facebook - Twitter - LinkedIn

      • Kung Fu Backlinks
        Originally Posted by Kingfish85

        130 bit encryption?
        I use a program called KeePass 2. It has a built-in password generator and it is extremely helpful. Generally, the higher the bit count, the more complicated the password is.

        I'm not an expert on password encryption, but that's the way the program works. It's free and I highly recommend it.
        Signature
        G+ LOCAL SETUP ___and____ Custom WordPress - Genesis Child Themes (see portfolio here)

        SCHEMA.ORG + GEOTAGGING + KML + PUBLISHERSHIP + so much more...
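On the "130 bit" question, an added note and example (not from the thread or from KeePass): the bits figure a password generator shows is an entropy estimate, L * log2(N) for a length-L password drawn uniformly from N symbols, not encryption applied to the password. By that formula gary's 13 characters of mixed-case letters and digits (N = 62) come to about 77 bits, and 25 characters with punctuation added (N = 94) to about 164 bits. The Python below computes the figure and generates passwords with the standard library's secrets module; the character classes are assumptions about what the generator was set to use.

```python
"""What the "bits" shown by a password generator mean.

Added example, not from the thread or from KeePass.  A password of length L
drawn uniformly at random from an alphabet of N symbols has L * log2(N) bits
of entropy; that is what generators report, and it is a guessing-difficulty
estimate, not encryption.  The character classes below are assumptions about
what the generator was configured to use.
"""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,  # 26
    "upper": string.ascii_uppercase,  # 26
    "digit": string.digits,           # 10
    "symbol": string.punctuation,     # 32
}


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def alphabet_size_for(password):
    """Size of the union of character classes the password draws from."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def estimate_bits(password):
    """Upper bound on a password's entropy, assuming it was generated uniformly from the
    classes it uses.  A human-chosen password is far weaker than this number suggests."""
    n = alphabet_size_for(password)
    return entropy_bits(len(password), n) if n else 0.0


def generate(length=25, classes=("lower", "upper", "digit", "symbol")):
    """Generate a password with the OS CSPRNG, rejecting draws that miss a requested
    class so that estimate_bits() describes the result."""
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


if __name__ == "__main__":
    # The two settings discussed in the thread: 13 mixed-case alphanumerics, and 25 with symbols.
    print(f"13 chars, letters+digits : {entropy_bits(13, 62):.1f} bits")
    print(f"25 chars, all classes    : {entropy_bits(25, 94):.1f} bits")
    pw = generate(25)
    print(f"generated: {pw}  (~{estimate_bits(pw):.1f} bits)")
```

The estimate only holds for passwords a generator produced; applying it to a password a person typed in overstates its strength, which is the reason to use the generator in the first place.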
  • Hafeez
    Hello zacsmith,

    Hackers are continuously searching for any flaw or user mistake which gives them access to the admin panel.

    Hacking can be possible in many ways, but there are a couple of things I would like to advise you on.

    1. A hacker can develop plug-ins and offer them to you for FREE. In the plugin code they can hardcode some method to send them your username and password. So try to avoid using unnecessary FREE plugins.

    2. Scan your PC or Mac with an updated antivirus for any keylogger-type software installed on your system. If one is installed, then it doesn't matter how difficult your username or password is. Whatever you type, every keystroke will be sent secretly to the hacker, and he/she can learn your new password.

    In your case, where two websites were hacked at the same time, it seems likely that someone installed a keylogger (or even that you yourself installed remote keylogger software by clicking on some website). In this case it's STRONGLY recommended that you scan your system with any popular and reliable antivirus software for keyloggers.

    Make it your habit to change your password often, just before logging out of your admin panel. Hackers are not Superman; they just take advantage of MISTAKES.
  • Kingfish85
    Also, look into implementing CloudFlare with your websites. There are a number of good reasons both security & performance wise to do so! Your host should have this installed as a service to offer their customers.
    Signature

    |~| VeeroTech Hosting - sales @ veerotech.net
    |~| High Performance CloudLinux & LiteSpeed Powered Web Hosting
    |~| cPanel & WHM - Softaculous - Website Builder - R1Soft - SpamExperts
    |~| Visit us @veerotech Facebook - Twitter - LinkedIn

  • ChrisMoon
    I'd advise getting Bulletproof Security Pro not just the free version (not an affiliate).
    I use RoboForm 2Go for password generation and use 27 characters, alphanumeric and special characters.

    good luck,
    Chris
    Signature

    GreyGable

  • IM-software
    Hi,

    What about some simple ideas:

    - Close the comments. If you allow trackbacks and pingbacks, double-check them. Sad, inhuman, anti-SEO, but injection-free.
    - Use the old href="mailto:..." instead of contact forms.
    - Install protection plugins, such as "User locker"...
    - Limit the number of characters one can enter in the search field to 25 by adding maxlength="25" to the input type="text" tag in the searchform.php file.

    There are massive worldwide attacks these days, mainly by injection.
    WP is a "beloved" target for obvious reasons.

    You should also protect your machine: firewall(s), anti-this-and-that (better paid ones). Install the Web Developer FF addon, and disable cache, JS "strict warnings", and Java.
    Java and JS are today's major breaches.
  • zacsmith
    Note to all: Thanks for the valuable information. I've implemented a lot of the suggestions, including BulletProof Security and some other highly-recommended plugins. Most of all, due to a couple of other attacks on my site and the host, I've moved every one of my sites to Kingfish85's hosting service, as he (Brent) has demonstrated the concern for security that matched my own.
    Signature
    Gary Smith, Partner, Wells-Smith Partners
    Your Employee Handbook Personnel Policies for Small Businesses
    Eliminate the barriers to a successful life: How to Create a Happier Life
    Stressful home life?: How to Create a Happier Home