How do hackers get in?

40 replies
I have several sites hosted at the same place, many are subdomains of the main domain. Recently some hacker got in and put a new index.html page on every one of them. The new index redirected to some spam stuff.

I use WordPress and I keep it up to date. How the heck did they get in?

I'm also wondering why anyone would think this tactic would work. I discovered it and removed the problem almost instantly. Do they really think I would not notice?
#hackers
  • LMC:
    Wordpress is a database system, so they just need to find a flaw, usually found with plugins and tools that data mine your posts such as search bars, or related post plugins.

    Once they find the flaw, they can call a specific parameter using a SQL statement that outputs important files to your MySQL accounts.

    Once they have those outputs, they keep working the MySQL database until they can get access to your usernames.

    Of course they know you'll see it, but either they have something against you, it's a "hacker" test, or they are trying to get some traffic from you.
  • Lou Diamond:
    Hello,
    hackers can get into some forums and find passwords and emails.
    Many people use the same passwords for their email accounts and other sensitive sites as well.
    Just use different passwords for all sites and you will have fewer problems.
    Roboform will work great for this.
    Signature

    Something new soon.

  • Scott Ames:
    Thanks guys. It just amazes me that people spend time doing stuff like that. I guess for them it's a thrill.

    If someone could do a WSO and offer to stress test someone's site/s and report the flaws I think they could do well.
    Signature

    Success consists of going from failure to failure without loss of enthusiasm. -Winston Churchill

    • CDarklock:
      Originally Posted by Scott Ames View Post

      It just amazes me that people spend time doing stuff like that.
      They don't. It's all very organised and completely automated. The lone hacker scouring the net is a thing of the past.

      The people who put this stuff on your website did not stay up late looking for it. They sent out a piece of spam to a hundred million people, with a link in it that pointed to some spyware. When an idiot clicked on the link, that spyware got onto their PC and watched the sites they browsed.

      When the idiot went to your site, the spyware did some quick checks to see what software you were running, and sent that information back to a central computer. That computer looked up the software in a database to see if it could break in.

      Now, if there's a vulnerability the central computer can exploit, it pays the spyware's owner a small commission. Then it goes to your site, cracks open whatever it can, and leaves a back door open.

      Then it tells another computer that it left a back door on your computer. This computer's owner pays the owner of the central computer a small fee for this information. And then that computer goes in the back door to gather more information about your machine, and find some way to spam your site.

      Then it tells yet another computer to spam your site through the backdoor. This computer is part of a network of computers owned by someone who pays a subscription fee to get those "go spam it" alerts. It jogs over to your site and spams. And that spam basically hijacks your traffic to the spammer's moneymaking scheme.

      If it sounds a lot like IM, that's because it is. It's pretty much the same basic elements: CPA, commissions, and memberships. It's just the blackest of black hat marketing.
      Signature
      "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
      • Scott Ames:
        Originally Posted by CDarklock View Post

        They don't. It's all very organised and completely automated. The lone hacker scouring the net is a thing of the past.
        Holy freak.. I didn't know that. Thanks for that. I've been hit on every site I've put up at some point. I back everything up daily so I can restore it quickly, it's just a major PITA to keep doing it.
        Signature

        Success consists of going from failure to failure without loss of enthusiasm. -Winston Churchill

      • DogScout:
        Originally Posted by CDarklock View Post

        They don't. It's all very organised and completely automated. The lone hacker scouring the net is a thing of the past.

        The people who put this stuff on your website did not stay up late looking for it. They sent out a piece of spam to a hundred million people, with a link in it that pointed to some spyware. When an idiot clicked on the link, that spyware got onto their PC and watched the sites they browsed.

        When the idiot went to your site, the spyware did some quick checks to see what software you were running, and sent that information back to a central computer. That computer looked up the software in a database to see if it could break in.

        Now, if there's a vulnerability the central computer can exploit, it pays the spyware's owner a small commission. Then it goes to your site, cracks open whatever it can, and leaves a back door open.

        Then it tells another computer that it left a back door on your computer. This computer's owner pays the owner of the central computer a small fee for this information. And then that computer goes in the back door to gather more information about your machine, and find some way to spam your site.

        Then it tells yet another computer to spam your site through the backdoor. This computer is part of a network of computers owned by someone who pays a subscription fee to get those "go spam it" alerts. It jogs over to your site and spams. And that spam basically hijacks your traffic to the spammer's moneymaking scheme.

        If it sounds a lot like IM, that's because it is. It's pretty much the same basic elements: CPA, commissions, and memberships. It's just the blackest of black hat marketing.
        Those are the 'big boys' Ukrainian, Bulgarian, some other places rife with them, they usually don't change an index page, too obvious and causes undue attention. It is estimated over 10,000 million PCs have bots on them that sit quietly in the background causing no trouble until the 'bot herder' launches a DNS attack to a gambling site or other high dollar site that won't pay protection. Many times the bots are installed by hacking a site and dropping bots into surfers' machines, but usually those guys are not as obvious as to ever do anything that lets you know it is going on.

        DNS attacks are less effective than they used to be due to high bandwidth and other defenses designed to ward them off. So now many of the bots pass on CC numbers and other personal info in order to steal identities. You can have firewalls and anti-virus up the wazoo and it is no surety that you are protected. It is almost a crap shoot being on-line at all.
    • John Cabral:
      Originally Posted by Scott Ames View Post

      Thanks guys. It just amazes me that people spend time doing stuff like that. I guess for them its a thrill.

      If someone could do a WSO and offer to stress test someone's site/s and report the flaws I think they could do well.
      Hackers have way too much time on their hands. If I knew 1/2 of what they know I would be rich I tell you.... LOL
      Signature

      I like to mess around with software programming.

  • DogScout:
    Ahhh Hackers, really 'crackers'. It isn't really that hard to go anywhere. The 'good' ones still use Windows 95 as a base, best OP ever designed to use for cracking. Every server has a backdoor and is only as secure as that back door no matter what you do. It helps them if there is a hole in a plug-in, OP system or application they find and share with other hackers, but an intent hacker can get anywhere they want to eventually if they are any 'good'.
    I heard there is only one firewall ever made that has never been cracked. That is a 1970's SAC firewall. 90% of those protect things that are not even online. (In the rare event they 'go on-line' it is for a set and short period of time just to transfer encrypted info and is well guarded the whole time by several teams.)

    Just be glad all they changed out is the index page. Usually those guys are just 'script kiddies' that do it just to see if they can. If it had been a serious player, you'd never know it until you found a few of your internal links went to strange places (or if even then, as sometimes they just install a malware dropper that just infects the computers of your visitors with bots while protecting the IP of the owner so until you get an email from Google, you never find out). Lol.
  • JonMills:
    flaws in the coding, teams of groups who pass information around
    Signature
    http://www.thecopywriterwhisperer.com/ Persuasion at its best!
    http://www.affiliateorganizer.com/ Organize your entire online business - Super affiliates give it the thumbs up!
  • Jon Steel:
    great info everyone ...

    js
  • Allen Graves:
    It sucks when this happens. I recently had a site get the forum, blog and main content script hacked.

    The problem wasn't really that the forum was disabled and the blog and script had a bunch of links added to them...the problem is where those links went.

    Many of them went straight to js scripts, trojans and malicious spyware executables. So someone on my site that clicked that link could have conceivably got a virus from my website.

    Google sent me a phishing alert/warning because they saw those links too!!!

    Several of my visitors emailed me and the links were taken down in about 20 minutes...but not fast enough for Google's little spider to find them.

    Long story short...

    Watch your sites - especially those that are just sitting there. You should visit them at least once a day.

    Backup your files daily (or however often you change them) - and if you use SQL databases, backup the databases regularly as well. Then, if you are hacked like this, you simply restore the files and databases from backup. Hopefully before anyone else notices!

    Allen
    Signature
    Every day I check the obituaries. If I don't see my name there, then I know it's going to be a good day!
  • JonMills:
    2 things to check too

    1. permissions on your folders
    2. strength of passwords
    3. contact host to make them aware of this on that server
    Signature
    http://www.thecopywriterwhisperer.com/ Persuasion at its best!
    http://www.affiliateorganizer.com/ Organize your entire online business - Super affiliates give it the thumbs up!
  • waken:
    Hey Scott.. if you put this behind your blog domain ...

    wp-content/plugins/

    and see all plugins listed.. that is one of the flaws your blog is having that gives easy access to hackers.

    You can add robots.txt in the root directory of your blog to both block the search engine from indexing them and hackers from easily accessing them..

    Code:
    # the sitemaps protocol requires a full URL here; replace with your blog's address
    Sitemap: https://example.com/sitemap.xml

    User-agent: *
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: /wp-content/plugins/
    Disallow: /wp-admin
    Disallow: /wp-includes/
    Disallow: /wp-login.php
    But that's NOT the only flaw.. I think there was WSO selling a plugin to protect Wordpress blog. Perhaps you should search for it..
    • Scott Ames:
      Great stuff! Thank you for that!

      Originally Posted by waken View Post

      Hey Scott.. if you put this behind your blog domain ...

      wp-content/plugins/

      and see all plugins listed.. that is one of the flaws your blog is having that gives easy access to hackers.

      You can add robots.txt in the root directory of your blog to both block the search engine from indexing them and hackers from easily accessing them..

      Code:
      # disallow all files in these WordPress directories
      User-agent: *
      Disallow: /wp-content/cache/
      Disallow: /wp-content/themes/
      Disallow: /wp-content/plugins/
      Disallow: /wp-admin
      Disallow: /wp-includes/
      Disallow: /wp-login.php
      But that's the only flaw.. I think there was WSO selling a plugin to protect Wordpress blog. Perhaps you should search for it..
      Signature

      Success consists of going from failure to failure without loss of enthusiasm. -Winston Churchill

    • CDarklock:
      Originally Posted by waken View Post

      You can add robot.txt in the root directory of your blog to both blog the search engine from indexing them and hackers from easily access them..
      A lot of people don't seem to understand what robots.txt really does.

      A robots.txt file asks politely for automated web-bots to please not look in certain places.

      The spambots do not care. In fact, your robots.txt file may as well be a big flashing neon sign telling them exactly where they should look FIRST.
      Signature
      "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
      • Scott Ames:
        Originally Posted by CDarklock View Post

        A lot of people don't seem to understand what robots.txt really does.

        A robots.txt file asks politely for automated web-bots to please not look in certain places.

        The spambots do not care. In fact, your robots.txt file may as well be a big flashing neon sign telling them exactly where they should look FIRST.
        Now I don't know what to do.
        Signature

        Success consists of going from failure to failure without loss of enthusiasm. -Winston Churchill

        • CDarklock:
          Originally Posted by Scott Ames View Post

          Now I don't know what to do.
          Pretty much the only thing you can do is keep your system up to date and backup regularly, and it's never guaranteed that you'll be safe. You just have to understand and accept the risk, then have an action plan to deal with it.

          We all get hit. The more sites you have, the more traffic you get, the more often it will happen. But you just clean up the mess and move on.
          Signature
          "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
        • halfpoint:
          Originally Posted by Scott Ames View Post

          Now I don't know what to do.
          Pick up a copy of TheRichJerksNet's Wordpress Secured at WordPressSecured.com (no aff link)

          I haven't actually gotten around to making the changes on my blogs yet as I'm most likely going to outsource it because it looks difficult but the techniques all look very solid.

          Additionally, download the WP-DB-Backup plugin from the WordPress plugin directory (free)

          You can set it up to automatically email you a copy of your blog once a week. I set up a new Gmail account specifically for this so I now have an email account with a separate folder for each blog that automatically gets updated each week with a fresh copy of my blogs.

          I then also download a copy of each blog to my external hard drive once a month.
      • waken:
        Originally Posted by CDarklock View Post

        A lot of people don't seem to understand what robots.txt really does.

        A robots.txt file asks politely for automated web-bots to please not look in certain places.

        The spambots do not care. In fact, your robots.txt file may as well be a big flashing neon sign telling them exactly where they should look FIRST.
        Yeah.. kinda. but that does avoid your download page from being indexed and shown on SE at least..

        Anyway.. here's another tip ..

        If you have a static IP - Create a new .htaccess file in the wp-admin folder (do not replace the .htaccess file in the root folder)..

        Code:
        AuthUserFile /dev/null
        AuthGroupFile /dev/null
        AuthName "Root777 Access Control"
        AuthType Basic
        # no <Limit GET> wrapper: the rules below then apply to every HTTP method,
        # so a POST to wp-admin is refused as well as a GET
        order deny,allow
        deny from all
        # whitelist home IP address (example address, put your own here)
        allow from 203.0.113.10
        # whitelist work IP address (example address, put the other IP you want to allow here)
        allow from 198.51.100.20
        You can add as many IPs as you like.

        If you have a dynamic IP - Use the Login LockDown plugin (free, in the WordPress plugin directory). You can even view failed login attempts..

        But again.. these are not the only possible flaws.. but you can at least block low level hackers..
      • Johnathan:
        Originally Posted by CDarklock View Post

        A lot of people don't seem to understand what robots.txt really does.

        A robots.txt file asks politely for automated web-bots to please not look in certain places.

        The spambots do not care. In fact, your robots.txt file may as well be a big flashing neon sign telling them exactly where they should look FIRST.
        Haha, actually that's an excellent point. And, actually I have seen some people advertising to do *exactly* that. So a robots file is more likely (for a serious hacker) to get you to have some difficulties than not having it. It basically says "Here is my secret stuff. Please don't look at it." Google might say 'ah, ok', but hackers don't care.
        Signature
        Make money from writing, find out how now.
  • Marian Berghes:
    Just a blank index.html page on every directory, so if they go to that address they will see a blank page instead of all your plugins.

    Remove the WordPress version from your header info, put a plugin that prevents brute force attacks on your login page and if you blog from only 1 IP address set permissions in your .htaccess file so that only that IP can mess with the files.
  • All my sites were taken down the other day. I had backups, but they left a lot of doors open for mischief. Spent all morning getting rid of suspicious files and scripts, replacing the core with a fresh one, etc. PITA. They did a number on me. Not sure if I got it all. We'll soon find out. Set a couple of traps for them so I kind of hope they do it again or try.

    A lot of times they will use an innocuous sounding file name. In my case, one of the bad files was called "500.php." It was right under 500.shtml so I barely noticed it.

    Be very careful about javascript files, too. I've disabled it on my sites for now.

    If you allow users to post content, be very careful to filter their input aggressively. Don't allow <img> or <a href> because both of those can be used to call nasty scripts on other servers that stuff cookies and steal your money.
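An added example, not from any post in this thread, of the clean-up check the post above describes: hash every file under the web root once while the install is known-good, then diff against that baseline after an incident so a dropped file like "500.php" or an edited index stands out instead of hiding next to 500.shtml. The file names used in demo_on_temp_tree() are constructed, and the web root path is whatever you pass in.

```python
"""Baseline-and-diff integrity check for a web root.

Added example, not from the thread. Hashes every regular file under a
directory, saves the manifest as JSON, and later classifies added, removed
and modified files, calling out web-executable ones.
"""
import hashlib
import json
import os

# Extensions a dropper, backdoor or redirect page usually arrives with.
SUSPICIOUS_EXT = {".php", ".phtml", ".php5", ".js", ".html", ".htm"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = _sha256(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Classify differences; 'suspicious' = added/changed web-executable files."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = sorted(
        p for p in added + modified
        if os.path.splitext(p)[1].lower() in SUSPICIOUS_EXT
        or os.path.basename(p) == ".htaccess"
    )
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious": suspicious}


def demo_on_temp_tree():
    """Constructed scenario: baseline a tiny web root, then drop and edit files."""
    import tempfile
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // original index\n")
    with open(os.path.join(root, "wp-content", "uploads", "pic.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")
    baseline = build_manifest(root)
    # what an intrusion leaves behind: a new 500.php and a modified index
    with open(os.path.join(root, "500.php"), "w") as fh:
        fh.write("<?php // dropped file\n")
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("// tampered\n")
    return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    import sys
    # python integrity.py baseline /var/www/html manifest.json
    # python integrity.py check    /var/www/html manifest.json
    mode, root, path = sys.argv[1:4]
    if mode == "baseline":
        save_manifest(build_manifest(root), path)
    else:
        report = diff_manifests(load_manifest(path), build_manifest(root))
        print(json.dumps(report, indent=1))
```

Take the baseline right after installing a fresh core and plugins, keep the manifest somewhere the web server cannot write, and re-run the check from cron. Anything under "suspicious" that you did not put there is a file to pull and examine before restoring from backup, because a restore alone keeps open whatever hole was used.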
  • mrmagos:
    Better yet, instead of placing blank index.html files in each directory, modify your .htaccess file in the root directory to disallow auto-indexing. Add something like this to your .htaccess file:
    Code:
    # turn off automatic directory listings (Apache rejects mixing "All" with "-Indexes")
    Options -Indexes
  • seasoned:
    Scott,

    People telling you here THIS is how they all do it, THIS is THE fix, etc... are all WRONG!
    HECK, **I** don't know everything about it, and I could write volumes on it.

    Firewalls won't work, unless they are on your database. MYSQL actually has one BUILT IN! Of course, you have to enable it. LMC is probably wrong though, so that may not help you. ALSO, "SQL INJECTION" MIGHT be used, and MySQL's firewall, or ANY firewall, won't protect against that. The one in MYSQL helps fight things like attack by direct connection, and allows multiple tiers to effectively make it impervious. You could also use a non-routable server, and only trust one system. Of course, if it is directly connected, and they use SQL injection, all bets are off. There MAY be a default password somewhere, or they may guess. Making sure that data folders are outside of the HTTP server's reach, or simply that indexing is off or that you have an index.html in the folder will go a LONG way towards making it harder. So what would I do?

    1. If it is microsoft, get LINUX!!!!!!
    2. check permissions, passwords, users.
    3. If it is linux or unix, get rkhunter, or a similar program, and USE IT! That will tell you of many system problems, possibly how they got in, etc...
    4. Check bug reports for HTTP software you are using, like wordpress. Make sure you patch all the known bugs.
    5. check your http server logs.

    BTW use ONLY SSL enabled software to access unix accounts, control panels, and admin accounts. That means NO HTTP, FTP, TELNET! Use HTTPS, SFTP, SSH INSTEAD!

    BTW SQL injection WILL show up on your server logs. MOST people use weak passwords, bugs in popular programs, or a flaw in the way HTTP servers work to gain some access.

    Steve
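An added example, not from any post in this thread, of the log check in step 5 above: it parses combined-format access log lines (the format Apache and nginx write by default), decodes the request URI, and flags requests carrying SQL-injection markers and addresses hammering wp-login.php. The log lines in SAMPLE_LOG are constructed; the status-code rule (a default WordPress answers a failed login with 200 and a successful one with a 302 redirect) is an assumption about a stock install.

```python
"""Scan web-server access logs for SQL-injection probes and login brute force.

Added example, not from the thread. Works on Apache/nginx combined-format
lines; the SAMPLE_LOG entries are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers that almost never appear in legitimate blog traffic.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|information_schema|sleep\s*\(|benchmark\s*\("
    r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|load_file\s*\(",
    re.I,
)

# Constructed sample: 198.51.100.7 fails to log in five times (form
# re-rendered with 200) and then succeeds (302 to the dashboard).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2009:10:01:02 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Nov/2009:10:01:09 +0000] '
    '"GET /index.php?p=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5342',
    '192.0.2.9 - - [12/Nov/2009:10:03:00 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 199',
] + [
    '198.51.100.7 - - [12/Nov/2009:10:02:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3401' % i
    for i in range(5)
] + [
    '198.51.100.7 - - [12/Nov/2009:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["uri"] = unquote_plus(rec["uri"])  # decode %27 etc. before matching
    return rec


def find_sqli(records):
    """Records whose decoded URI carries a SQL-injection marker."""
    return [r for r in records if SQLI_RE.search(r["uri"])]


def login_summary(records):
    """Per-IP counts of failed (200) and successful (302) wp-login.php POSTs."""
    summary = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for r in records:
        path = r["uri"].split("?")[0]
        if r["method"] != "POST" or not path.endswith("/wp-login.php"):
            continue
        if r["status"] == "302":
            summary[r["ip"]]["succeeded"] += 1
        elif r["status"] == "200":
            summary[r["ip"]]["failed"] += 1
    return dict(summary)


def analyze(lines, threshold=5):
    """Return injection hits, brute-force sources, and sources that then got in."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    logins = login_summary(records)
    bruteforce = {ip: s for ip, s in logins.items() if s["failed"] >= threshold}
    return {
        "sqli": [(r["ip"], r["uri"]) for r in find_sqli(records)],
        "bruteforce": bruteforce,
        # a burst of failures followed by a success calls for a password reset
        "got_in_after_bruteforce": sorted(ip for ip, s in bruteforce.items()
                                          if s["succeeded"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=1))
```

Point analyze() at the real file with `analyze(open("/var/log/apache2/access.log"))`; a hit under "got_in_after_bruteforce" means a password was guessed and that account, not just the log, needs attention.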
  • 101millionAds:
    Thanks for the information.
    My wordpress blog was hacked 2 months ago and
    i had to hire a designer to build it all over again,
    at the cost of $180 (Darrin Cooper)

    It was terrible!

    Annette.
    Signature

    It's official: Instant Article Wizard 4.0 (IAW4) has launched!

  • MaddenGeneration (banned):
    [DELETED]
    • steve39:
      I switched most of my sites from Wordpress to static html. Drastic measure, but I have had no problems since. Couldn't take it anymore
  • Lyn Woodring:
    This may be a dumb question, but do different hosting companies offer different levels of security? Doesn't shared hosting have the same IP, and wouldn't a phishing problem on one site affect other sites as well? From the address point of view, not each individual site's viewpoint.
    • seasoned:
      Originally Posted by Lyn Woodring View Post

      This may be a dumb question, but do different hosting companies offer different levels of security? Doesn't shared hosting have the same IP, and wouldn't a phishing problem on one site affect other sites as well? From the address point of view, not each individual site's viewpoint.
      Phishing generally wouldn't do ANYTHING here!

      Shared hosting CAN have the same IP, not that it matters.

      But YES, different companies have different admins and software, and that means different security. Still, if you install a buggy program, you can get a break in! It is a bug with how HTTP works. 8-(

      Steve
  • Lyn Woodring:
    My understanding is that, for instance, if someone has a "questionable" site or is accused of propagating spyware/malware (whatever), all sites from that IP are somewhat tarnished by that. And with that in mind some hosting companies might view security issues with a higher priority than others.
    If that is the case I'd much rather pay a few dollars more for that security.
  • zapseo:
    First of all, Scott -- when did you upgrade to WP 2.8.6 ? They just released it 11/12! Fast move, if you did!

    Second, for users of WP, you really should be on the watch to upgrade immediately when there is a new release. Pain, yes. So is getting hacked. When a new release is out you have to realize that it is like a NEWS RELEASE to the cracker community of where the bugs are in the previous versions that they can exploit.

    CDarklock & others: Yes, you should definitely back up your websites...but if they get into your website via an exploit, you aren't closing the hole by which they got in, yah?

    Last month I started a thread here on password security, and discovered that Google had nearly simultaneously published a blog post on the same topic on one of their blogs (I discovered later this was because October was "computer security month" or something like that).

    There are a lot of different approaches to securing your website --
    excellent passwords are one of those.
    (The number of people who use the same password and/or weak passwords on all their sites sends chills up my spine.)

    Seasoned's recommendation of using https/sftp/ssh on your website is also wise. Though keeping up on security issues on software that you commonly use (wordpress, browsers, ftp, etc.) is important as well. Filezilla (an open source ftp client that also supports sftp) recently was attacked.

    There are some excellent comments on WP security on the wordpress.org blog. I recommend them to you, as things like "hiding the version number" are nearly so widely known in the cracker community that they hardly look at that any more. They look for specific vulnerabilities, not for version numbers.

    In the latest versions of wordpress, they have already installed "blank" index.php files (I'd rather it were blank index.html, but that's another story.) in places like wp-content and wp-includes folders.

    robots.txt is a file that google came up with that has more to do with search engine indexing (as indicated, already, here on the forum) than with web security. Just to recap what's been said, it can be easily used by crackers to find out where your "secret files" are located. Note that POLITE SEs pay attention to robots.txt -- but there are lots of SEs out there, and not all of them pay attention to robots.txt.

    If you want/need more information or help with your site, let me know.
    You can find out more about my technical background by clicking on the link in my sig "Wordpress blogger".

    Live JoyFully!

    Judy
  • jjthomas (banned):
    Originally Posted by Scott Ames View Post

    I have several sites hosted at the same place, many are a sub domain of the main domain. Recently some hacker got in and put a new index.html page on every one of them. The new index redirected to some spam stuff.

    I use WordPress and I keep it up to date. How the heck did they get in?

    I'm also wondering why anyone would think this tactic would work. I discovered it and removed the problem almost instantly. Do they really think I would not notice?
    Generally speaking it's automated, looking for exploits. If exploits are found, then they look at your site to see whether it is worth (money-wise) to extract any value from it.
  • Deepak Media:
    I have hosted my site at HostGator and I am always on guard about my blog. I take daily backups and watch my sites several times a day to see if it's live. I guess this is not enough; maybe I should look forward to buying some security products! Nice thread with a lot of useful posts!
    Signature
    Digital Marketing Author | Speaker | Consultant

    Read my Blog: DigitalDeepak.com

    @ Bangalore, India.
  • UBotBuddy:
    1. Stay proactive at keeping your site secure.
    2. Routinely change your password(s) and make sure they are complex.
    3. Keep backups
    4. If you use blogs keep the software up-to-date
    5. Stay away from unknown plugins.
    6. Watch your stats

    Know your risks and accept risk based upon what you are willing to live with.
    Signature
    UBot Expert
    Need a Demo, Proof of Concept, Product Creation, UBot Source Code or Training?
    Just Ask Me! Psst...for ubot training I give discounts
  • slatron25:
    The server my sites are hosted on got hacked a while back and all they did was deface all of the index files. It was a Linux server and once they got in it's a simple command to do that. Supposedly we were moved to a BSD server but my cPanel still says Linux.

    Don't get me wrong, I'm a linux guy but linux and BSD are two different things.

    I also like wordpress but it has some inherent vulnerabilities. Namely that every hacker and their brother knows the structure. My wish list for wordpress is that they will add the functionality to rename wp-admin at install. That alone IMO would make it much more secure.

    Other than that, I use strong passwords,login lockdown and blank index files where appropriate. Also upgrade every time they come out with a new version.

    For the OP, if you really want to learn about security I would suggest you listen to Steve Gibson's "Security Now" podcasts at grc.com. There are only 200+ of them now, but you will gain some great insight into the security side of life on the internet.
    • bgmacaw:
      Hint #1: Don't use one of these for your password for either WordPress, email, CPanel or FTP...

      password
      123456
      qwerty
      abc123
      monkey
      password[number]
      [your name]
      [your name][number]

      These are some of the more common passwords lazy people use. Use a strong password instead. Don't be lazy and open yourself up to a dictionary based hack attack.
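An added example, not from the post above: a password check that rejects the patterns listed there, including the "[your name]" and "[your name][number]" forms, and adds a length and character-variety rule on top. The names passed in are constructed sample values.

```python
"""Reject the weak password patterns listed above before they reach an account.

Added example, not from the thread. The COMMON set is the post's list;
the length and character-class thresholds are the author's choice.
"""
import re

# The weak choices named in the post, matched case-insensitively.
COMMON = {"password", "123456", "qwerty", "abc123", "monkey"}


def _base(word):
    """Lower-case and strip a trailing run of digits ('Monkey42' -> 'monkey')."""
    return re.sub(r"\d+$", "", word.lower())


def weakness_reasons(password, names=()):
    """Return the reasons a password is weak; an empty list means acceptable."""
    reasons = []
    core = password.lower()
    if core in COMMON or _base(core) in COMMON:
        reasons.append("common password, with or without trailing digits")
    for name in names:
        n = name.lower()
        # exactly "[your name]" or "[your name][number]"
        if n and re.fullmatch(re.escape(n) + r"\d*", core):
            reasons.append("your name with or without trailing digits")
            break
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons


def is_acceptable(password, names=()):
    return not weakness_reasons(password, names)


if __name__ == "__main__":
    # constructed sample: the account holder's first and last name
    for candidate in ("monkey", "Password123", "scott2009", "Correct-Horse-Battery-9"):
        print(candidate, "->", weakness_reasons(candidate, names=["Scott", "Ames"]) or "ok")
```

The names list is the part people forget: pass in the account name, the blog name and the domain as well, since those are exactly what a dictionary attack seeds itself with.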
    • seasoned:
      Originally Posted by lduan2009 View Post

      Hackers are so smart. I hope they will use their talent somewhere else where they can benefit people.
      MOST "hackers" aren't smart AT ALL! For example, in "WarGames", he used little tricks, like looking at the board the secretary wrote her passwords on, going to a game writer to get a junior guy that wasn't too bright to reveal things, or researching a person's life to find likely passwords. The KEY one was the name of his dead son!

      HEY, I knew the guy that some claimed was an inspiration for that, and we knew someone that REALLY wanted to be a "hacker", and ended up getting the other person jailed for being a hacker. He, the guy that REALLY wanted to be a "hacker", wrote a CHEAP little program that emulated the login page. He then started that program on every terminal in the computer department at CSUN (Cal State University Northridge). When someone logged in, HE got their password.

      Steve
  • Tony Hetherington:
    Blog security is vital (this is why it's part of my course). Here's a quick test for you to do on your own blog.

    Put this in your browser for your blog (and close up the gaps).

    www. yourblogname .com/wp-content/themes
    If you see an index page that lists your themes then you are vulnerable and need to do something about it
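An added example, not from any post in this thread, that automates the quick test above (and the wp-content/plugins check from earlier in the thread) against your own site: each directory URL is fetched and classified as an autoindex listing, a blank placeholder index, or blocked. The base URL, the extra wp-content/uploads entry in the directory list, and the canned responses in demo_audit() are assumptions.

```python
"""Check your own WordPress directories for browsable index listings.

Added example, not from the thread. audit() takes an injectable fetch
function so the classifier can be exercised offline with constructed
responses (demo_audit); http_fetch() is used against a live site.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Directories that should never list their contents on a WordPress install.
PATHS = ["wp-content/plugins/", "wp-content/themes/",
         "wp-content/uploads/", "wp-includes/"]

# Markers shared by Apache, nginx and lighttpd autoindex pages.
LISTING_RE = re.compile(
    r"<title>\s*Index of /|<h1>\s*Index of /|Parent Directory", re.I)


def looks_like_listing(html):
    """True if the body is an automatically generated directory index."""
    return bool(LISTING_RE.search(html))


def classify(status, body):
    """Map one response to LISTING / blank-index / blocked / other."""
    if status == 200 and looks_like_listing(body):
        return "LISTING"          # vulnerable: contents can be enumerated
    if status == 200 and not body.strip():
        return "blank-index"      # a placeholder index.html/index.php is in place
    if status in (403, 404):
        return "blocked"          # Options -Indexes or access denied
    return "other"                # a real page, a redirect, or unreachable


def http_fetch(url, timeout=10):
    """Fetch url and return (status, body); network failure is reported as 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirindex-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return 0, ""


def audit(base_url, fetch=http_fetch):
    """Classify every path in PATHS under base_url."""
    base = base_url.rstrip("/") + "/"
    return {p: classify(*fetch(base + p)) for p in PATHS}


def demo_audit():
    """Run audit() against constructed responses instead of a live site."""
    apache_listing = (
        '<html><head><title>Index of /wp-content/plugins</title></head>'
        '<body><h1>Index of /wp-content/plugins</h1><a href="../">'
        'Parent Directory</a><a href="akismet/">akismet/</a></body></html>'
    )
    fake = {
        "wp-content/plugins/": (200, apache_listing),   # listing on
        "wp-content/themes/": (403, ""),                # Options -Indexes
        "wp-content/uploads/": (200, ""),               # blank index file
        "wp-includes/": (200, "<html><body>Hello world!</body></html>"),
    }
    return audit("https://blog.example", lambda url: fake[url.split("/", 3)[3]])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, verdict in (audit(target) if target else demo_audit()).items():
        print(f"{verdict:12} {path}")
```

Run it as `python dirindex_audit.py https://www.yourblogname.com`; any line marked LISTING is the case Tony describes, and either a blank index file in that directory or `Options -Indexes` in the root .htaccess turns it into blank-index or blocked on the next run.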