My wordpress blog hacked - again!

by Alminc 64 replies
I need urgent advice from experienced wordpress bloggers.

My (semiologic) wordpress (2.5.1) was hacked yesterday.

I don't know what it is exactely, but it is 'defaced'.

Ok, I can and will upgrade to wp 2.6.2 , but now I think
that I need additional protection from hackers, when I upgrade.

I found the simple script 'wp secure pro' that protects admin
area using IP access restriction. I don't know if it is good.

Do you know if this script is good protection from hackers?

Can you point me to maybe even better solution ?

Almin
#main internet marketing discussion forum #blog #hacked #wordpress
Avatar of Unregistered
  • Profile picture of the author Eswar
    I am hearing More & more wordpress hacking stories. Its discouraging many people to build a serious content website.

    Eswar
    {{ DiscussionBoard.errors[118237].message }}
    • Profile picture of the author Alminc
      Is there any really good anti-hacker protection
      for wordpress ?
      Signature
      No links :)
      {{ DiscussionBoard.errors[118294].message }}
      • Profile picture of the author Scott Voss
        Almin,
        First off, you are getting ready to do one of the most important things you can security wise for you wordpress site... Upgrading to the latest version. But, you also want to make sure you have the latest upgrades to your plugins. They can be a security weakpoint for you blog and many of them are regularly updated just for this reason.

        Now, there are some other things you can do to help decrease the chances of getting hacked.

        ****PASSWORD= password****
        OK, I am sure you are not doing anything like having your password be password, but if you are not using a complex hexidecimal password you are leaving yourself open to hacking. Try to make it no less than 10 characters long, made up of numbers, symbols, and letters. Also, make it as random as possible and not contain any words. The brute force hacking programs will sit there and throw a dictionary at your site until they find your password. Don't make it easy for them.

        While we are on the subject of passwords, also make sure you do this for your hosting account as well. If they can get into wordpress from your wp-admin, they can also get into the files through cPanel as well.

        Also, if you are using a single password for all of your online interactions, you are leaving yourself vulnerable. For instance, lets say that you sign up for a membership site that requires a password. All that person has to do is look at their database and link that password to any of your sites or email accounts and BLAMO you are toast.

        ****HACKER ACCESS DENIED!!****
        If someone is trying to hack into your blog, chances are they will not get in on the first try. This is a statistical certainty. Use that to your advantage and block out the bad guys and gals after a certain number of attempts. Look for programs that will block the IP after a multiple attempts. There is a free plugin that will do this for you called "Login LockDown" and you can find it in the Wordpress Plugin directory.

        ****GOING STEALTH****
        Once a vulnerability is known for a version of Wordpress or its associated plugins, the hacker community begins to share this information openly. Then the bad guys and gals start looking for sites with those versions and they can use good old Google to help them do this. Don't let them know what versions you are running.

        How do you do that? Just go into your header.php file and do a little version-ectomy. There is a line of code that lets the world know the version you are running, just cut it out. The code will be:
        <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

        As for the plugins, because there are so many there is no good way to explain how to hide each plugin's data. But, I can tell you how to not go out of your way and share it. There are certain plugins that will let you announce to the world what plugins you use. No matter what you do, don't share this information. If a bad dude knows that a certain plugin has a vulnerability and they come across your site you are saying, "Hey bad dude, please come muck up my site." So, just like Nancy Reagan "Just say no" to the plugins that show your plugins.

        Unless you are implementing this next strategy, you are already openly sharing with the world what plugins you are using. Wordpress by default has a plugin folder that is visible to anyone who knows where to look: www.MyFakeBlogURL1234.com/wp-content/plugins

        Open that directory and you are taken to a handy dandy listing of all of the plugins, a hackers paradise. Just take away their temptation and block their access to the directory. You can do this by creating a blank html file called index.html. Then upload this file into the plugins directory. Once that file is uploaded, then when www.MyFakeBlogURL1234.com/wp-content/plugins is accessed, they only get a blank screen. Do yourself a favor and don't try to get cute with this and taunt the hackers by saying "Nany nany boo boo, I blocked you" or something like that. This will just may them focus on your site out of anger. You just want to close a door.

        ****SECURING YOUR SECURITY****
        This one is not for everyone, especially if you are a mobile blogger or use a dynamic IP. But, if you only make changes to your blog from a defined number of locations with a set IP, then this is a good option for you. You can set up .htaccess to only allow certain IP addresses to access your wp-admin folder. Since I don't want to be on the hook if you screw this one up, I am going to point you to a blog post about it from back in 2007: http://www.reubenyau.com/protecting-...-admin-folder/

        I hope this helps you out and good luck with blocking out the hackers.

        -Scott Voss
        {{ DiscussionBoard.errors[118377].message }}
  • Profile picture of the author Mark McWilliams
    Almin, Just a general question but were you allowing registrations on the blog. IE, then either had to sign up to comment or somthing similar?

    The reason I ask is that could very well be the way they hacked your blog. There was apparently some kind of flaw type thing, and it's been sorted in the latest version! (2.6.2)

    I know people don't like updating scripts, but if you want to prevent this kind of thing happening, then it has to be done!

    Anyway, I hope some of that info may be helpful to yourself!

    Thanks
    Mark
    Signature
    On mark.mcwilliams.me or @markmcwilliams you'll find me!
    {{ DiscussionBoard.errors[118310].message }}
  • Profile picture of the author violationz
    Hackers are always searching for exploits - bottom line is you're never safe when it comes to content management systems, especially the ones that are open source. Make sure you don't use v2.6.1, an admin takeover exploit was released on the 10th of this month.

    The best you can do is generate random passwords (ie: E1962A0C) and update as soon as an update is released, anything else is wasted time and effort IMO.
    {{ DiscussionBoard.errors[118318].message }}
  • Profile picture of the author Deepak Raj
    I guess I can see only a pattern of websites hacked. Not sure anyway, what type of content do you have in your blog?
    Signature
    I Love Internet Marketing for the freedom of Lifestyle that it empowers and for the money it puts in my bank account :)
    {{ DiscussionBoard.errors[118327].message }}
    • Profile picture of the author Alminc
      I wasn't allowing registration but they hacked it anyway.

      I am now updating to latest version, but it is only a question
      of time when it will be hacked too.

      That's why I ask about additional protection(e.g. wp secure pro).

      Any tips ?
      Signature
      No links :)
      {{ DiscussionBoard.errors[118344].message }}
  • Profile picture of the author violationz
    What website are we talking about? The one in your signature? The website itself looks fine - they just uploaded index.html which your domain automatically loads.

    Hacked site: H4CK3D BY ejder21

    Regular site: Resell Rights Professional - Profitable Products with Resell Rights

    Solution: step one is to delete index.html and change your hosting/FTP logins and/or passwords to random characters.

    As for Wordpress security, WP Secure Pro is useless - if they want in they'll get in, restricting access to an IP address won't stop it and will only create potential issues for you. Does your ISP provide dynamic IP address? Or if you have a static IP, what if your ISP does some upgrades and assigns you a new IP address? You'd be back to step one; you'd have to delete the plug-in or even worse, backup the database and do a fresh install - total waste of time.

    Rather than post a 10 page essay just Google SQL injection and SQL column truncation to get a basic understanding of web-based security - not exactly what you want to hear but there's nothing you can do to stop it.
    {{ DiscussionBoard.errors[118373].message }}
  • Profile picture of the author Dave777
    Checkout the following thread...
    http://www.warriorforum.com/main-int...rity-tips.html

    Dave
    {{ DiscussionBoard.errors[118399].message }}
    • Profile picture of the author Alminc
      Violationz,

      thanks for your post. I see that there is an injected index.html file
      and it's not a big deal to delete it. But that tells me that they had ftp access to my site and I have no idea at all what they may have injected in my other files.

      To start with, I deleted my complete blog folder and I hope the outside static files are not damaged. I have to yet inspect them.


      One of my other sites was hacked ( defaced ) in a similar manner and I needed to clean each and every file from injected porn/warez links ( 100s of thousands ).

      Scott,

      thanks for many tips, I'll certainly apply them.


      Almin
      Signature
      No links :)
      {{ DiscussionBoard.errors[118576].message }}
    • Profile picture of the author Eric Lorence
      Originally Posted by Dave777 View Post

      Checkout the following thread...
      http://www.warriorforum.com/main-int...rity-tips.html

      Dave
      Good advise there, you don't need to spend anything on the Auto-Update plugin:

      WordPress › Wordpress Automatic upgrade WordPress Plugins
      {{ DiscussionBoard.errors[139606].message }}
      • Profile picture of the author TheRichJerksNet
        Originally Posted by eslorence View Post

        Good advise there, you don't need to spend anything on the Auto-Update plugin:

        WordPress › Wordpress Automatic upgrade WordPress Plugins
        Problem is as some have already found out, that does not fully block hackers and your security is still not very effective.

        Just keepng the software up-to-date will not stop hackers because hackers also get those updates. You want to block hackers and stay safe then you have to do more then just install this plug-in and that plug-in..

        James
        {{ DiscussionBoard.errors[139623].message }}
        • Profile picture of the author Eric Lorence
          Originally Posted by TheRichJerksNet View Post

          Problem is as some have already found out, that does not fully block hackers and your security is still not very effective.

          Just keepng the software up-to-date will not stop hackers because hackers also get those updates. You want to block hackers and stay safe then you have to do more then just install this plug-in and that plug-in..

          James
          Of course, and you'll never stop a determined hacker, or dDOS, or email hack or...

          Ultimately, you will need a combination of security and good habits, updating is a good habit, as is backing up your site.

          Best!
          {{ DiscussionBoard.errors[139819].message }}
  • Profile picture of the author Sean Donahoe
    There is actually a pretty cool script I recommend to my clients who use wordpress:

    Wordpress Firewall

    This protects:
    • SQL Injections
    • Coding Errors
    • Cross Site Scripting (XSS)
    • Cross-site request forgery (CSRF)
    • Password theft (IP Lock)
    • Comment Spam
    • DDoS Attacks
    • Customized wordpress ruleset (blocks all exploits)
    It is kinda pricey ($120) but it is a solid protection system for all your wordpress blogs. If you have a blog that is making you a few hundred dollars a week then protecting that asset is worth the money in my opinion.

    Hope that helps...
    {{ DiscussionBoard.errors[118595].message }}
    • Profile picture of the author Alminc
      Thanks Sean, I'll deffinitely check that script.
      Signature
      No links :)
      {{ DiscussionBoard.errors[118601].message }}
      • Profile picture of the author Alminc
        " FirewallScript is currently not accepting any more beta purchases. Please check back soon. "
        Signature
        No links :)
        {{ DiscussionBoard.errors[118626].message }}
        • Profile picture of the author Sean Donahoe
          Damn, they must have only taken that off the market in the last week or so. Well that is the script to use when it is available again.

          Here is a quick articles that may help meanwhile:

          3 Must Apply Security Tips for WordPress

          Also a lot of these hacks are automated using bots. Basically the bot goes to Google, looks for blogs checks for a vulnerable version and then hackss it.

          They look for something like:

          Code:
          <meta name="generator" content="WordPress 2.5" />
          To prevent this you can open functions.php in your theme folder and remove this line:

          Code:
          <?php remove_action( 'wp_head', 'wp_generator' ); ?>
          That way you do not give the hackers a nice head start...
          {{ DiscussionBoard.errors[118645].message }}
          • Profile picture of the author Raja Sekharan
            Aminc,

            First of all, you must find out how they hacked your website. This can be found out bygoing through your server's access logs. Find out which pages they accessed before the hacker page started showing up.

            Raja Sekharan
            {{ DiscussionBoard.errors[118658].message }}
    • Profile picture of the author Sean Donahoe
      Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

      Just add this as it blocks some common attacks and I use this on a lot of websites I run:

      Code:
      ########## TTM - Security Mods to block common exploits
      ## If you experience problems on your site block out the operations listed below
      #
      # Block out any script trying to base64_encode crap to send via URL
      RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
      # Block out any script that includes a <script> tag in URL
      RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
      # Block out any script trying to set a PHP GLOBALS variable via URL
      RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
      # Block out any script trying to modify a _REQUEST variable via URL
      RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
      # Send all blocked request to homepage with 403 Forbidden error!
      RewriteRule ^(.*)$ index.php [F,L]
      #
      ########## End - Rewrite rules
      
      Joomla installs use the same rules and they were adapted from them.
      {{ DiscussionBoard.errors[118602].message }}
      • Profile picture of the author garyl2k
        Originally Posted by Sean Donahoe View Post

        Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

        Just add this as it blocks some common attacks and I use this on a lot of websites I run:

        Code:
        ########## TTM - Security Mods to block common exploits
        ## If you experience problems on your site block out the operations listed below
        #
        # Block out any script trying to base64_encode crap to send via URL
        RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
        # Block out any script that includes a <script> tag in URL
        RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
        # Block out any script trying to set a PHP GLOBALS variable via URL
        RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
        # Block out any script trying to modify a _REQUEST variable via URL
        RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
        # Send all blocked request to homepage with 403 Forbidden error!
        RewriteRule ^(.*)$ index.php [F,L]
        #
        ########## End - Rewrite rules
        
        Joomla installs use the same rules and they were adapted from them.
        Was actually looking for something like this, Thanks!

        I know the same rules apply to Joomla sites which I have had hacked plenty of times before.

        Remember people, always make backups, saved my behind many a times.
        {{ DiscussionBoard.errors[118660].message }}
        • Profile picture of the author Alminc
          Thank you so much guys.

          I learned a lot from this thread, things
          that I am going to apply immediately.

          My host support guys scanned the account and deleted
          some shell files they found.

          I have changed the password and it is now
          20 random characters.

          I am installing the latest wp version and
          I will apply all the tips from Sean,Scott and others.
          Signature
          No links :)
          {{ DiscussionBoard.errors[118794].message }}
      • Profile picture of the author Alminc
        Originally Posted by Sean Donahoe View Post

        Also you can add some mod_rewrite rules in your .htaccess file if you run apache on a linux box:

        Just add this as it blocks some common attacks and I use this on a lot of websites I run:

        Code:
        ########## TTM - Security Mods to block common exploits
        ## If you experience problems on your site block out the operations listed below
        #
        # Block out any script trying to base64_encode crap to send via URL
        RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
        # Block out any script that includes a <script> tag in URL
        RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
        # Block out any script trying to set a PHP GLOBALS variable via URL
        RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
        # Block out any script trying to modify a _REQUEST variable via URL
        RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
        # Send all blocked request to homepage with 403 Forbidden error!
        RewriteRule ^(.*)$ index.php [F,L]
        #
        ########## End - Rewrite rules
         
        Joomla installs use the same rules and they were adapted from them.

        Sean,

        shell I add the above code in my .htaccess file placed in the subfolder where wordpress resides, or shell I have it at a top level ?
        Signature
        No links :)
        {{ DiscussionBoard.errors[120057].message }}
        • Profile picture of the author Alminc
          Here's what I did so far:

          1. Upgraded to the latest wp version

          Disabled registration

          Activated Akismet

          2. Changed username (in phpmyadmin) and password( 20 random characters) for admin

          3. Placed empty index.html files in all wp- folders/subfolders

          4. Placed robot.txt containing:

          User-agent: *

          Disallow: *

          in all wp- folders/subfolders

          5. Commented out

          <?php remove_action( 'wp_head', 'wp_generator' ); ?>

          in functions.php

          6. placed the .htaccess file in my blog folder :

          ## Deny access to wp-config.php
          <FilesMatch ^wp-config.php$>deny from all</FilesMatch>
          ########## TTM - Security Mods to block common exploits
          ## If you experience problems on your site block out the operations listed below
          #
          # Block out any script trying to base64_encode crap to send via URL
          RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
          # Block out any script that includes a <script> tag in URL
          RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
          # Block out any script trying to set a PHP GLOBALS variable via URL
          RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
          # Block out any script trying to modify a _REQUEST variable via URL
          RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
          # Send all blocked request to homepage with 403 Forbidden error!
          RewriteRule ^(.*)$ index.php [F,L]
          #
          ########## End - Rewrite rules

          7. Installed WP Secure Pro
          ( now only my own IP address is allowed to login into admin )



          I hope this is enough protection.



          Thank you all for information.
          You guys are precious.

          Almin
          Signature
          No links :)
          {{ DiscussionBoard.errors[120078].message }}
          • Profile picture of the author TheRichJerksNet
            Originally Posted by Alminc View Post

            Here's what I did so far:

            1. Upgraded to the latest wp version

            Disabled registration

            Activated Akismet

            2. Changed username (in phpmyadmin) and password( 20 random characters) for admin

            3. Placed empty index.html files in all wp- folders/subfolders

            4. Placed robot.txt containing:

            User-agent: *

            Disallow: *

            in all wp- folders/subfolders

            5. Commented out

            <?php remove_action( 'wp_head', 'wp_generator' ); ?>

            in functions.php

            6. placed the .htaccess file in my blog folder :

            ## Deny access to wp-config.php
            <FilesMatch ^wp-config.php$>deny from all</FilesMatch>
            ########## TTM - Security Mods to block common exploits
            ## If you experience problems on your site block out the operations listed below
            #
            # Block out any script trying to base64_encode crap to send via URL
            RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
            # Block out any script that includes a <script> tag in URL
            RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
            # Block out any script trying to set a PHP GLOBALS variable via URL
            RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
            # Block out any script trying to modify a _REQUEST variable via URL
            RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
            # Send all blocked request to homepage with 403 Forbidden error!
            RewriteRule ^(.*)$ index.php [F,L]
            #
            ########## End - Rewrite rules

            7. Installed WP Secure Pro
            ( now only my own IP address is allowed to login into admin )



            I hope this is enough protection.



            Thank you all for information.
            You guys are precious.

            Almin
            If your WP install pre-set the user / pass for your database, then change those also just like you did for admin. Edit your config file for the database changes and again use those very long passwords suggestion I made.

            James
            {{ DiscussionBoard.errors[120324].message }}
        • Profile picture of the author Sean Donahoe
          Originally Posted by Alminc View Post

          Sean,

          shell I add the above code in my .htaccess file placed in the subfolder where wordpress resides, or shell I have it at a top level ?
          I would add it to the top so it protects all your subfolders including your blog.

          Coming from a corporate network security background no script or site is 100%, ever. Though you can minimize the risks with good basic practices.

          Wordpress is so common that it is an easy and popular target for hackers, same as PHPBB forums are a very popular hacking target. The more widespread, the more these scriptkiddies (I cannot even call them hackers as they only tend to use canned scripts) get their stupid defacements so widespread.

          How many times has Windows been hacked or exploited? Its the same thing, Windows is so widespread that it makes it a popular target. If you use custom code then it will be much harder to attack as the code is not so widespread and available and you keep under the target radar, so to speak.

          I tend to use Joomla for my websites because I have so many more security options (using JDefender, SH404sef Security with Honeypot) but I also have the advantage of running a dedicated server with many security customization applied.

          Joomla was recently hit with a similar spate of attacks and defacements and part of that targeting was a meta tag stating it was a Joomla website, my sites (I have around 40+ Joomla websites) avoided all attacks.

          Anyway, thats my Sunday 2c
          {{ DiscussionBoard.errors[120544].message }}
          • Profile picture of the author jmorris18
            Hey Guys , quick question - If this is added to my .httaccess will this prevent scripts I currently have on my site from working?

            Also , when adding this - would I simply cut and paste this into the .httaccess and not paste / overwrite what is already there.

            Thanks,
            Jason


            ########## TTM - Security Mods to block common exploits
            ## If you experience problems on your site block out the operations listed below
            #
            # Block out any script trying to base64_encode crap to send via URL
            RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
            # Block out any script that includes a <script> tag in URL
            RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
            # Block out any script trying to set a PHP GLOBALS variable via URL
            RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
            # Block out any script trying to modify a _REQUEST variable via URL
            RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
            # Send all blocked request to homepage with 403 Forbidden error!
            RewriteRule ^(.*)$ index.php [F,L]
            #
            ########## End - Rewrite rules

            Joomla installs use the same rules and they were adapted from them.
            Signature

            Jason Morris

            {{ DiscussionBoard.errors[120731].message }}
  • Profile picture of the author braver55b
    Cyber crimes should be treated just as hard as violent robberies, they are robbing you of your reputation and income for every minute that your site is defaced.

    I am appalled as I did see the hacked site.

    For one thing frequently change your password, upgrade to the latest wordpress version and edit any place that would let hackers know what version you are currently using.

    How about going to statcounter.com or some other script to track ip addresses and pursue them wherever they are.

    This is a crying shame that people would do this for "for"

    Don't be discouraged, be determined.

    That statement has all the makings of a motto :-)
    {{ DiscussionBoard.errors[119001].message }}
  • Profile picture of the author TorontoCarol
    This thread is scaring me to death, especially since I am a non-techie and the solutions that were mentioned are totally over my head. My 83 year old mother has a wordpress blog and when I scrolled down to the bottom of it the other day, I noticed there were all kinds of links to places she would never have approved.

    I guess her site was hacked and I thought that if she changed her theme, it would make the links all go away. Is that wishful thinking?
    {{ DiscussionBoard.errors[119593].message }}
  • Profile picture of the author TheRichJerksNet
    WP is the worst blog software you could have and I certainly would not place my business in the hands of that software but for those that just insist on using it, this is the most effective way to secure it.

    * Go to your servers sql database and and change your login name as WP does not allow you to do this from the admin area. Change it from "admin" to something you do not use someplace else.

    For those that seriously insist on using WP..

    * Login into FTP and change the admin folder name to something else like maybe "blog_admin" but now when you do this you will also have to change any paths inside any wp files that reference the admin folder as being named "admin"

    * Also go to your config file on ftp and rename the database name and then login to your server and change your database name. If you have a pre-install like from using fantastico then wp set your database name for you and you should change it to use the name you wish.

    * Make sure every sub-folder (that is not being used as a site) contains a blank .html file and the robots.txt file which denies all.

    Code:
    User-agent: *
    
    Disallow: *
    * If you allow comments or registration make sure you have captcha installed on these as it will block auto post. Find a coder to block SQL injection on comments and the registration form.

    * If your server allows (HostGator does) have the host install SuExec as this will help further protect your folders as you will no longer need to use permissions such as 777 which allows anyone access to those folders.

    * Install the WP Security Plug-in if you choose to do so..

    * change the passwords on the database and WP if it was set by WP install.

    What I mean is change the passwords, do not use something like 8Vfcx4FDEs - That is NOT a secure password. A Secure password is more like

    I_had-Fun_With_tHe_NakED-Elf_inThE-Woods_Last-Night

    I make all my passwords just as complex because there is no way any bruteforce would ever figure it out because it mostly looks for normal passwords with letters and number such as the one above that I said is not secure.

    So make those password upper/lower case and use - & _ and make them 20 or 30 characters long.

    Now those are the best tips for security for those that really want to run WP..

    If you need security services let me know...

    James
    {{ DiscussionBoard.errors[119696].message }}
  • Profile picture of the author A Chandler SEO
    Wow, and double Wow!
    {{ DiscussionBoard.errors[119751].message }}
  • Profile picture of the author Dan Grossman
    Good reason to keep all your website files on a source control repository like Subversion. Assuming you have SSH access to wherever you host the files, you can know if any file changed just by typing "svn status" and can undo those changes with a simple "svn revert" command.
    Signature
    Improvely: Built to track, test and optimize your marketing.

    {{ DiscussionBoard.errors[119754].message }}
    • Profile picture of the author Colin Evans
      Poor old WordPress gets unfairly bashed again...

      No website app is safe from hackers, at least the popular free ones like WordPress get patched quickly. Many of the paid apps only get patched when enough people complain!!!

      BTW - If you are using shared hosting it doesn't matter how secure your own passwords are. There are a many ways your website can be compromised when you use shared hosting.

      The attack can come from another website on another account using the same shared hosting...

      The attack can come from another customers browser session being hijacked...

      If you have your own server or use a virtual private server you can substantially reduce the risks, but you cannot eliminate them all.

      The most important security measure you can take is to make sure you regularly back up your data, especially databases.
      Signature

      Sig not working today - too hung over...

      {{ DiscussionBoard.errors[119817].message }}
      • Profile picture of the author TheRichJerksNet
        Originally Posted by Colin Evans View Post

        No website app is safe from hackers, at least the popular free ones like WordPress get patched quickly. Many of the paid apps only get patched when enough people complain!!!

        BTW - If you are using shared hosting it doesn't matter how secure your own passwords are. There are a many ways your website can be compromised when you use shared hosting.

        The attack can come from another website on another account using the same shared hosting...

        The attack can come from another customers browser session being hijacked...

        If you have your own server or use a virtual private server you can substantially reduce the risks, but you cannot eliminate them all.

        The most important security measure you can take is to make sure you regularly back up your data, especially databases.
        None of my scripts get hacked and I provide 100% free for life support to all my clients. But then again all my scripts are 100% custom coded from the ground up and no free open source code is ever used.

        There is a great deal more to security besides passwords. I can if I choose to make WP 100% hacker free, even if on a shared hosting account but it is a time consuming process.

        James
        {{ DiscussionBoard.errors[119839].message }}
        • Profile picture of the author Colin Evans
          None of my scripts get hacked
          Well done, I hope you maintain this good record...

          I provide 100% free for life support to all my clients
          That is an admirable undertaking, not many programmers will offer life support especially free life support.

          all my scripts are 100% custom coded from the ground up and no free open source code is ever used
          IMO - The source of the code is not important, it's how the code is used/constructed - There are many secure open source code snippets available online.

          I can if I choose to make WP 100% hacker free, even if on a shared hosting account but it is a time consuming process.
          Therein lies the problem - not many hosts are prepared to optimally secure each customer's hosting account (why should they when you only pay $5 or $10 per month, and each customer has different requirements which makes the task more difficult). They have to balance hosting requirements, scripting requirements and cost of support, so the end result is at best a compromise...

          I agree with you on the password issue, but it's a lot easier to get a VPS account (or your own server) secured by virtue of the fact the added cost gets you true 24/7 technical support... By opening a VPS hosting account and letting the technical staff solve the security issues, my website and blog hacks have stopped, and I still have a PHP environment which allows my own scripts to do what I designed them to do.
          Signature

          Sig not working today - too hung over...

          {{ DiscussionBoard.errors[119885].message }}
          • Profile picture of the author Alminc
            How can I install captcha for comments?

            Is there some option in admin area or do I have
            to use some plugin for it ?
            Signature
            No links :)
            {{ DiscussionBoard.errors[119984].message }}
            • Profile picture of the author IPNHarvest
              Hi!

              Try THIS...

              I think that will help.

              Lycka till!
              {{ DiscussionBoard.errors[120013].message }}
            • Profile picture of the author Colin Evans
              Hi Almin,

              You will have to use a plugin to add captcha to your comments, I personally don't bother with captcha and just use the Askimet antispam plugin...
              Signature

              Sig not working today - too hung over...

              {{ DiscussionBoard.errors[120049].message }}
            • Profile picture of the author TheRichJerksNet
              Originally Posted by Alminc View Post

              How can I install captcha for comments?

              Is there some option in admin area or do I have
              to use some plugin for it ?
              The purpose of captcha (I personally use my own turing number system) is to not only block spam comments but also to block bad bots, most dont understand the full need for such protection and think it is just for blocking unwanted spam.

              The full purpose is additional security, blocking those bad bots from attempting to do sql injection and other things to your system. If you have SuExec installed on your server then sql injection is not much of a concern but it is still good practice to always block anyways.

              The host you are on makes a big difference too.. This has nothing to do with a shared hosting account, what it does have to do with is if the host you are on is running software other than cpanel then your site is open to attacks. This is one reason why most developers suggest and use hostgator because they are one of the very few that have up to date servers running cpanel up to date.

              James
              {{ DiscussionBoard.errors[120321].message }}
  • Profile picture of the author Chris_Willow
    Hi Almin
    You can put this code in your admin folder htaccess:
    Code:
    <Limit GET POST> 
    order deny,allow 
    deny from all 
    allow from xxx.xxx.xxx. (<- your IP of course) 
    </Limit>
    This will allow access from your ip only, but I' m not really sure if this helps against hackers...

    Chris
    {{ DiscussionBoard.errors[120073].message }}
  • Profile picture of the author askloz
    When installing your WP on your domain, always remove the version number in the header file, WP guys ask to keep it there with a comment code, to leave for stats, but I remove mine. If you leave that stat there, hackers will know what version you're using.

    One of the reasons why PHPBB decided to rename their versions cos hackers knew what people were using as their phpbb version and attacked it. Now hacking attempts have some what subsided.
    Signature
    {{ DiscussionBoard.errors[120744].message }}
    • Profile picture of the author jmorris18
      Can someone point me in the right direction for WP Secure Pro and Login Lockdown? Are these created by fellow Warriors? Also , If I use one of these programs - would I need the other as well?

      Thanks,
      Jason
      Signature

      Jason Morris

      {{ DiscussionBoard.errors[120758].message }}
      • Profile picture of the author TheRichJerksNet
        Originally Posted by jmorris18 View Post

        Can someone point me in the right direction for WP Secure Pro and Login Lockdown? Are these created by fellow Warriors? Also , If I use one of these programs - would I need the other as well?

        Thanks,
        Jason
        Jason,
        I assume this is what you are looking for... (would not waste my $10 but that's just me)

        WordPress Secure Pro

        Problem here is though people run to install this plug-in and that plug-in to try and secure something. People never wonder show secure the plug-in is... They are told it helps protect you and that is good enough for them.

        You should be securing your site yourself and not run after this plug-in and that plug-in which in the long run could cause you more problems. You seem to forget hackers also have access to these plug-ins also and they learn from them.

        If you take care of the security yourself then there is no way any hacker will know what to do because they do not have any plug-ins to learn from as they have no idea what you did do for security.

        You can make a WP install 100% secure without the need of any plug-ins or buying additional software, or using more free open source code.

        I think I should write an ebook or something...

        James
        {{ DiscussionBoard.errors[120804].message }}
        • Profile picture of the author jmorris18
          James , Wow I think this would be awesome - You writing an ebook on how to protect yourself from Hackers would a great resource that all Warriors would be interested in. Also, a step by step video would make it even better -

          One Question - How would this benefit Warriors if Hackers also was able to get access to your ebook?

          Thanks,
          Jason
          Signature

          Jason Morris

          {{ DiscussionBoard.errors[120872].message }}
          • Profile picture of the author TheRichJerksNet
            Originally Posted by jmorris18 View Post

            James , Wow I think this would be awesome - You writing an ebook on how to protect yourself from Hackers would a great resource that all Warriors would be interested in. Also, a step by step video would make it even better -

            One Question - How would this benefit Warriors if Hackers also was able to get access to your ebook?

            Thanks,
            Jason
            Because hackers would not know how you implement the things I teach you..

            Most people posting seem to think all you need to do is keep up to date and install this plug-in and that plug-in but that is 100% wrong.. DEAD WRONG!!!

            If you do proper security on your WP and have a properly built server from a up to date host then you will have no problems and I can 100% promise that...

            This is fact no matter what anybody else claims.

            You do need a Unix Server running Php 5.2.5 (or php 4 is fine), Cpanel 11, and apache compiled with SuExec installed.

            If you are running anything other than the above then your sites are not secure. Again this is why so many developers suggest hostgator.

            It has nothing to do with shared hosting, it has alot to do with the host you choose to use and as you already know it has alot to do with the script you choose to run.

            James
            {{ DiscussionBoard.errors[120962].message }}
  • Profile picture of the author garyl2k
    I have only had my main site hacked in to which was around 2 years ago, don't own the site any more but it was a lesson I learnt the hard way when it comes to keeping back ups of my site.

    Sadly kids around the world learn this stuff and find it funny to ruin peoples sites for the heck of it, to them their just having fun but to us we are losing business and earnings!
    {{ DiscussionBoard.errors[120774].message }}
  • Profile picture of the author AgileHosting
    Originally Posted by Alminc View Post

    My (semiologic) wordpress (2.5.1) was hacked yesterday.
    I am noting that this post is dated 9/20/08.

    You don't need any additional security, you simply need to stay current on updates. The minute a WP update is released, install it!! Updates are usually security patches.

    There were several known defacement-type exploits between WP 2.5.1 and the current build. These exploits have been known and were widely publicized to the WP community for several months now.

    If you had kept your site patched, it is extremely likely it wouldn't have been defaced. (However, keep in mind that plug-ins and themes can open exploits in code as well, so make sure that all of your plug-ins are up-to-date and that there isn't a hole in Semiologic.)

    Originally Posted by Alminc View Post

    Is there any really good anti-hacker protection
    for wordpress ?
    Yes: keeping the script updated.

    If you exercise good basic security, you will be fine.

    Bailey
    Signature

    Guacamole.

    {{ DiscussionBoard.errors[120904].message }}
  • Profile picture of the author thunderbird
    Is this thread pinned? It definitely SHOULD be!
    Signature

    Project HERE.

    {{ DiscussionBoard.errors[121860].message }}
  • Profile picture of the author TheRichJerksNet
    Ok I have got several PM's so I am putting together an eBook.. How many are interested ??

    I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.

    James
    {{ DiscussionBoard.errors[128643].message }}
    • Profile picture of the author buckapple
      Interesting thread...

      On the backup procedure, does the WP Backup plugin work well? I notice you can put it on automatic pilot which would be nice.

      Other than that when you backup, are you saying use the database backup option in cpanel? I've been using that.

      Thanks,
      Gary
      {{ DiscussionBoard.errors[128966].message }}
      • Profile picture of the author Alminc
        I am interested. Count me in.
        Signature
        No links :)
        {{ DiscussionBoard.errors[129220].message }}
    • Profile picture of the author DonnaLeona
      Originally Posted by TheRichJerksNet View Post

      Ok I have got several PM's so I am putting together an eBook.. How many are interested ??

      I will teach you how to fully 100% secure your wordpress blog in easy simple to follow steps.

      James

      I'm interested too!


      Thanks
      {{ DiscussionBoard.errors[129453].message }}
      • Profile picture of the author sylviad
        This thread is very lengthy and contains tons of excellent advice. I didn't get through it all, but wanted to post a few quick comments.

        How much is Wordpress hacking related to the software being hosted on a server that does not have very good security? Someone mentioned "shared server" (I think it was) as being partially responsible. How secure are they? Would we be better off paying the bucks to get a dedicated server?

        Passwords...

        An excellent tool to create random keywords is Roboform. Well worth the measly price for it's convenience (saving passwords, auto-login, generating random keywords, etc.

        Re the Warrior who stated her 85-year-old mother's blog has undesirable links at the bottom...

        If this is a blog hosted on the Wordpress site, it's possible the links are randomly inserted by Wordpress as part of their money-making schemes. Check to see if the links are Adsense. And I'd check with Wordpress and ask them about those ads. If they are objectionable, you have a good argument to ask them to restrict the types of ads they show on your blog.

        Sylvia
        Signature
        :: Got a dog? Visit my blog. Dog Talk Weekly
        :: Need articles, ebooks written? - Award-winning Journalist is taking new projects. Warrior Discounts!
        {{ DiscussionBoard.errors[130104].message }}
        • Profile picture of the author TheRichJerksNet
          Originally Posted by sylviad View Post

          This thread is very lengthy and contains tons of excellent advice. I didn't get through it all, but wanted to post a few quick comments.

          How much is Wordpress hacking related to the software being hosted on a server that does not have very good security? Someone mentioned "shared server" (I think it was) as being partially responsible. How secure are they? Would we be better off paying the bucks to get a dedicated server?

          Passwords...

          An excellent tool to create random keywords is Roboform. Well worth the measly price for it's convenience (saving passwords, auto-login, generating random keywords, etc.

          Re the Warrior who stated her 85-year-old mother's blog has undesirable links at the bottom...

          If this is a blog hosted on the Wordpress site, it's possible the links are randomly inserted by Wordpress as part of their money-making schemes. Check to see if the links are Adsense. And I'd check with Wordpress and ask them about those ads. If they are objectionable, you have a good argument to ask them to restrict the types of ads they show on your blog.

          Sylvia
          Sylvia,
          Whoever stated you needed to stay away from shared hosting is wrong.. Shared hosting has nothing to do with it.. Even a dedicated server has more than your site attached to it.. It does matter who you host with, and that goes for any site not just wordpress..

          It is the software that is at fault because wordpress will not code security into the scripts and because it is so mass distributed hackers know the loops to get around.

          My eBook though will put a stop 100% to hackers....

          James
          {{ DiscussionBoard.errors[130523].message }}
  • Profile picture of the author jmorris18
    James , I am also very interested. Any chance of including step by step videos for us warriors that lack the understanding code ??

    Thanks,
    Signature

    Jason Morris

    {{ DiscussionBoard.errors[129495].message }}
    • Profile picture of the author TheRichJerksNet
      Originally Posted by jmorris18 View Post

      James , I am also very interested. Any chance of including step by step videos for us warriors that lack the understanding code ??

      Thanks,
      Thanks everyone.. Will get something put together soon..

      Hi Jason,
      Trust me it will be easy to follow and understand.. As for video when doing security I would rather not create videos showing databases, hosting controls and etc...

      There will be simple step by step information along with screenshots.

      I may even include one of my own personal scripts that I use for extra security but dont currently sell..

      James
      {{ DiscussionBoard.errors[129876].message }}
  • Profile picture of the author spicegator
    Can anyone find a hacker and rip his head off, I understand these morons even have conventions and get-togethers. They should be put in prison with a large cell mate (the only problem is most of them would enjoy that)
    {{ DiscussionBoard.errors[129649].message }}
  • Profile picture of the author TheRichJerksNet
    Ok everyone posted a poll on cost of eBook..

    Feedback very welcome

    http://www.warriorforum.com/main-int...d-you-pay.html

    James
    {{ DiscussionBoard.errors[139593].message }}
  • Profile picture of the author TheRichJerksNet
    I agree you should never use that auto update plug-in.. I created a solution to make word press secured.. Those that have used it are very thankful for my solution.

    James
    {{ DiscussionBoard.errors[191235].message }}
  • Profile picture of the author TheNightOwl
    It's a good solution. I bought the WSO.

    I recommend you at least check it out.
    Signature
    {{ DiscussionBoard.errors[192811].message }}
    • Profile picture of the author TheRichJerksNet
      Originally Posted by TheNightOwl View Post

      It's a good solution. I bought the WSO.

      I recommend you at least check it out.
      Thanks Night Owl ...

      James
      {{ DiscussionBoard.errors[192857].message }}
      • Profile picture of the author DJL
        Originally Posted by TheRichJerksNet View Post

        Thanks Night Owl ...

        James
        The WordPress Security link in your signature requires a username and password. Please advise.
        Signature

        None are more hopelessly enslaved than those who falsely believe they are free.
        --Johann Wolfgang von Goethe, Elective Affinities (1809)

        {{ DiscussionBoard.errors[265877].message }}
Avatar of Unregistered

Trending Topics