How do hackers get in?

Wordpress is a database system, so they just need to find a flaw, usually found with plugins and tools that data mine your posts such as search bars, or related post plugins.

Once they find the flaw, they can call a specific parameter using a SQL statement that outputs important files to your MySQL accounts.

Once they have those outputs, they keep working the MySQL database until they can get access to your usernames.

Of course they know you'll see it, but either they have something against you, it's a "hacker" test, or they are trying to get some traffic from you.

Hello,
hackers can get into some forums and find passwords and emails.
Many people use the same passwords for their email accounts and other sensitive sites as well.
Just use different passwords for all sites and you will have less problems.
Roboform will work great for this.

Thanks guys. It just amazes me that people spend time doing stuff like that. I guess for them its a thrill.

If someone could do a WSO and offer to stress test someone's site/s and report the flaws I think they could do well.

Ahhh Hackers, really 'crackers'. It isn't really that hard to go anywhere. The 'good' ones still use Windows 95 as a base, best OP ever designed to use for cracking. Every server has a backdoor and is only as secure as that back door no matter what you do. It helps them if there is a hole in a plug-in, OP system or application they find and share with other hackers, but an intent hacker can get anywhere they want to eventually if they are any 'good'.
I heard there is only one firewall ever made that has never been cracked. That is a 1970's SAC firewall. 90% of those protect things that are not even online. (In the rare event they 'go on-line' it is for a set and short period of time just to transfer encrypted info and is well guarded the whole time by several teams.)

Just be glad all they changed out is the index page. Usually those guys are just 'script kiddies' that do it just to see if they can. If it had been a serious player, you'd never know it until you found a few of your internal links went to strange places (or if even then, as sometimes they just install a malware dropper that just infects the computers of your visitors with bots while protecting the IP of the owner so until you get an email from Google, you never find out). Lol.

flaws in the coding, teams of groups who pass information around

great info everyone ...

js

It sucks when this happens. I recently had a site get the forum, blog and main content script hacked.

The problem wasn't really that the forum was disabled and and the blog and script had a bunch of links added to them...the problem is where those links went.

Many of them went straight to js scripts, trojans and malicious spyware executables. So someone on my site that clicked that link could have conceivably got a virus from my website.

Google sent me a phishing alert/warning because they saw those links too!!!

Several of my visitors emailed me and the links were taken down in about 20 minutes...but not fast enough for Googles little spider to find them.

Long story short...

Watch your sites - especilly those that are just sitting there. You should visit them at least once a day.

Backup your files daily (or however often you change them) - and if you use SQL databases, backup the databases regularly as well. Then, if you are hacked like this, you simply restore the files and databases from backup. Hopefully before anyone else notices!

Allen

2 things to check too

1. permissions on your folders
2. strength of passwords
3. contact host to make them aware of this on that server

Hey Scott.. if you put this behind your blog domain ...

wp-content/plugins/

and see all plugin listed.. that is one of the flaw your blog is having that gives easy access to hackers.

You can add robot.txt in the root directory of your blog to both blog the search engine from indexing them and hackers from easily access them..

But that's NOT the only flaw.. I think there was WSO selling a plugin to protect Wordpress blog. Perhaps you should search for it..

Change admin name too

Just a blank index.html page on every directory, so if they go to that address they will see a blank page instead of all your plugins.

Remove the wordpress version from you header info, put a plugin that prevents brute force attacks on your login page and if you blog from only 1 IP address set permissions in your .htaccess file so that only that IP can mess with the files.

All my sites were taken down the other day. I had backups, but they left a lot of doors open for mischief. Spent all morning getting rid of suspicious files and scripts, replacing the core with a fresh one, etc. PITA. They did a number on me. Not sure if I got it all. We'll soon find out. Set a couple of traps for them so I kind of hope they do it again or try.

A lot of times they will use an innocuous sounding file name. In my case, one of the bad files was called "500.php." It was right under 500.shtml so I barely noticed it.

Be very careful about javascript files, too. I've disabled it on my sites for now.

If you allow users to post content, be very careful to filter their input aggressively. Don't allow <img> or <a href> because both of those can be used to call nasty scripts on other servers that stuff cookies and steal your money.

Better yet, instead of placing blank index.html files in each directory, modify your .htaccess file in the root directory to disallow auto-indexing. Add something like this to your .htaccess file:

Scott,

People telling you here THIS is how they all do it, THIS is THE fix, etc... are all WRONG!
HECK, **I** don't know everything about it, and I could write volumes on it.

Firewalls won't work, unless they are on your database. MYSQL actually has one BUILT IN! Of course, you have to enable it. LMC is probably wrong though, so that may not help you. ALSO, "SQL INJECTION" MIGHT be used, and mysqls firewall, or ANY firewall, won't protect against that. The one in MYSQL helps fight things like attack by direct connection, and allows multiple tiers to effectively make it impervious. You could also use a non routable server, and only trust one system. Of course, if it directly connected, and they use SQL injection, all bets are off. There MAY be a default password somewhere, or they may guess. Making sure that data folders are outside of the HTTP servers reach, or simply that indexing is off or that you have an index.html in the folder will go a LONG way towards making it harder. So what would I do?

1. If it is microsoft, get LINUX!!!!!!
2. check permissions, passwords, users.
3. If it is linux or unix, get rkhunter, or a similar program, and USE IT! That will tell you of many system problems, possibly how they got in, etc...
4. Check bug reports for HTTP software you are using, like wordpress. Make sure you patch all the known bugs.
5. check your http server logs.

BTW use ONLY SSL enabled software to access unix accounts, control panels, and admin accounts. That means NO HTTP, FTP, TELNET! Use HTTPS, SFTP, SSH INSTEAD!

BTW SQL injection WILL show up on your server logs. MOST people use weak passwords, bugs in popular programs, or a flaw in the way HTTP servers work to gain some access.

Steve

Thanks for the information.
My wordpress blog was hacked 2 months ago and
i had to hire a designer to build it all over again,
at the cost of $180 (Darrin Cooper)

It was terrible!

Annette.

This maybe a dumb question but does different host companies offer different levels of security? Doesn't shared hosting have the same IP and wouldn't a phising problem on one site affects other sites as well. From the address point not each individual site viewpoint.

My understanding is that, for instance someone has a "questionable" site or are accused of propagating spyware/malware (whatever) that all sites from that IP is somewhat tarnished by that. And with that in mind some hosting companies might view security issues with a higher priority than others.
If that is the case I'd much rather pay a few dollars more for that security.

First of all, Scott -- when did you upgrade to WP 2.8.6 ? They just released it 11/12! Fast move, if you did!

Second, for users of WP, then you really should be on the watch to upgrade immediately when there is a new release. Pain, yes. So is getting hacked. When a new release is out you have to realize that is is like a NEWS RELEASE to the cracker community of where the bugs are in the previous versions that they can exploit.

CDarklock & others: Yes, you should definitely back up your websites...but if they get into your website via an exploit, you aren't closing the hole by which they got in, yah?

Last month I made I started a thread here on password security, and discovered that Google had nearly simultaneously published a blog post on the same topic on one of their blogs (I discovered later this was because October was "computer security month" or something like that.)

There are a lot of different approaches to securing your website --
excellent passwords are one of those.
(The number of people who use the same password and/or weak passwords on all their sites sends chills up my spine.)

Seasoned's recommendation of using https/sftp/ssh on your website is also wise. Though keeping up on security issues on software that you commonly use (wordpress, browsers, ftp, etc.) is important as well. Filezilla (an open source ftp client that also supports sftp) recently was attacked.

There are some excellent comments on WP security on the wordpress.org blog. I recommend them to you, as things like "hiding the version number" are nearly so widely known in the cracker community that they hardly look at that any more. They look for specific vulnerabilities, not for version numbers.

In the latest versions of wordpress, they have already installed "blank" index.php files (I'd rather it were blank index.html, but that's another story.) in places like wp-content and wp-includes folders.

robots.txt is a file that google came up with that has more to do with search engine indexing (as indicated, already, here on the forum) than with web security. Just to recap what's been said, it can be easily used by crackers to find out where your "secret files" are located. Note that POLITE SEs pay attention to robots.txt -- but there are lots of SEs out there, and not all of them pay attention to robots.txt.

If you want/need more information or help with your site, let me know.
You can find out more about my technical background by clicking on the link in my sig "Wordpress blogger".

Live JoyFully!

Judy

Generally speaking it's automated, looking for exploits. If exploits are found, then they look at your site to see whether it is worth (money-wise) to extract any value from it.

I have hosted my site in hostgator and I am always on guard about my blog. I take daily backups and watch my sites several times a day to see if its live. I guess this is not enough, may be I should look forward to buying some security products! Nice thread with a lot of useful posts!

1. Stay proactive at keeping your site secure.
2. Routinely change your password(s) and make sure they are complex.
3. Keep backups
4. If you use blogs keep the software up-to-date
5. Stay away from unknown plugins.
6. Watch your stats

Know your risks and accept risk based upon what you are willing to live with.

The server my sites are hosted on got hacked awhile back and all they did was deface all of the index files. It was a linux server and once they got in it's a simple command to do that. Supposedly we were moved to a BSD server but my cpanel still says linux.

Don't get me wrong, I'm a linux guy but linux and BSD are two different things.

I also like wordpress but it has some inherent vulnerabilities. Namely that every hacker and their brother knows the structure. My wish list for wordpress is that they will add the functionality to rename wp-admin at install. That alone IMO would make it much more secure.

Other than that, I use strong passwords,login lockdown and blank index files where appropriate. Also upgrade every time they come out with a new version.

For the OP, if you really want to learn about security I would suggest you listen Steve Gibson's "Security Now" podcasts at grc.com. There's only 200+ of them now but you will gain some great insight into the security side of life on the internet.

Hackers are so smart. I hope they will use their talent somewhere else where they can benefit people.

Blog security is vital (this is why its part of my course). Here's a quick test for you to do on your own blog.

Put this in your browser for your blog (and close up the gaps).

www. yourblogname .com/wp-content/themes
If you see an index page that lists your themes then you are vulnerable and need to do something about it