Wait... Hacking wordpress sites?

29 replies
I'm continuously reading about people saying how their WordPress / niche blog site got hacked... How do I avoid this if I'm running a couple of sites on WordPress/cPanel? What's the process to avoid any mishaps? Any info would be great, warriors... Thanks!
  • cassidywilliams
    Start by changing your admin username from admin to something else.
  • MarkusD
    I can't give you a 100% guarantee that what I suggest won't still allow hackers to gain entry to your WordPress blog. I run over 100 blogs at this point in time, and I make sure my username is not Admin and my passwords are all different for all blogs (a pain, I know).

    And I use these two free plugins.

    WP Security Scan

    And

    Login Lockdown

    I was going to post a link but I don't have enough posts to do so, but you can find them via WordPress.
    • netnutmike
      The two addons that MarkusD suggested are a great place to start.

      Definitely change your admin login to something other than admin.

      It is also very important to keep the versions of plugins and WordPress up to date. WordPress is great about getting out fixes as soon as a vulnerability is found.

      Here are some additional plugins I can recommend:

      WP-DBManager - automatically backs up your WordPress data
      antivirus (search WordPress plugins) - checks your theme for anything suspicious
      WP-Security-Scan - checks for server permission issues, the database for security risks and more
      Akismet (probably already installed) - checks for spam and other bad comments
      Bad Behavior - blocks the spam bots from getting website content and emails
      • KLinfluence
        Originally Posted by netnutmike
        Ok got it! Thanks Mike!
  • KLinfluence
    Oh OK... thanks guys... yeah, I heard about the admin thing... It says you can't change it in my back office though... Is there a way around that? Either way, I'm going to upload those plugins now. Thanks!
  • cassidywilliams
    Just add another admin user, log in with it and then delete the user 'admin'.
  • AnniePot
    Originally Posted by KLinfluence
    Hi - I intend to write a detailed post on my blog within the next couple of days, detailing exactly how I secure all my WordPress installations. Once it's finished I'll PM you. To date, and I've been working on the internet for 9+ years, I've never had a WordPress blog hacked, although (unfortunately) the same cannot be said for the few regular websites I've also worked with.
  • Ga RedNeck
    Agree with the rest: do not use Admin for the user, and no passwords like 123456, or some crazy stuff for your pass.
  • Pixel Minisite
    Try to avoid installing lots of plugins, and always update the plugins you're using.
  • Dee Odus
    A couple of things to do to protect yourself:

    1) Use a strong username that is not just "admin"
    2) Create a strong 10+ character password with numbers, letters and non-alphanumeric characters
    3) Protect each folder with an index.html/index.php so that the folder cannot be browsed
    4) Back up your website daily
    5) Always update the plugins and WordPress installation so that known security holes can be blocked
    6) Don't brag that your website is hack-proof (because no website is :-)

    Good luck
  • Mike Baker
    Something nobody has said: change the Authentication Unique Keys and Salts that are in your config file. Go to https://api.wordpress.org/secret-key/1.1/salt/ and refresh the page a couple of times, then copy and paste it into your config file in the appropriate area.
    • Jake Gray
      Originally Posted by Mike Baker
      Mike,

      Probably because it's irrelevant.
      • Mike Baker
        Originally Posted by Jake Gray
        How is it irrelevant?
    • AnniePot
      Originally Posted by Mike Baker
      Right Mike, this is one great brick in the defense wall.
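For readers weighing the exchange above, here is what the keys and salts actually do, and a script that rotates them. WordPress mixes the eight constants into the HMAC it puts on its login cookies, so replacing them invalidates every existing session at once, including a cookie an attacker has stolen; that is why they are worth rotating after a suspected compromise or a leaked wp-config.php, not only at install time. The script is an added example, not code from this thread or from WordPress; it generates the values locally from the OS CSPRNG instead of fetching the api.wordpress.org page, so it runs offline, and the wp-config.php fragment it ships with is constructed for the demonstration.

```python
"""Rotate the eight WordPress authentication keys and salts in wp-config.php.

Added example, not code from this thread or from WordPress itself. WordPress
mixes these constants into the HMAC on its login cookies, so replacing them
invalidates every existing session at once, including any cookie an attacker
has stolen. The values are generated locally from the OS CSPRNG rather than
fetched from api.wordpress.org, so the script works offline.
"""
import re
import secrets
import shutil
import sys

SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII without quotes and backslash, so the value drops straight
# into a PHP single-quoted string. 64 symbols from 91 is roughly 416 bits.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")
KEY_LENGTH = 64

# Matches the sample-config form:  define('AUTH_KEY', 'put your unique phrase here');
DEFINE_RE = re.compile(
    r"define\(\s*'(%s)'\s*,\s*'([^']*)'\s*\)\s*;" % "|".join(SALT_NAMES))

# Constructed wp-config.php fragment, used when no path is given on the command line.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def generate_salt(length=KEY_LENGTH):
    """One fresh salt from the OS CSPRNG, same shape as the api.wordpress.org output."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def current_salts(config_text):
    """Map each salt constant present in the config to its current value."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}


def weak_salts(config_text):
    """Constants that are missing, still the sample placeholder, or under 32 chars."""
    found = current_salts(config_text)
    return [n for n in SALT_NAMES
            if n not in found or "unique phrase" in found[n] or len(found[n]) < 32]


def rotate_salts(config_text):
    """Return (new_text, new_salts); only the eight define() lines are rewritten."""
    new_salts = {name: generate_salt() for name in SALT_NAMES}
    new_text = DEFINE_RE.sub(
        lambda m: "define('%s', '%s');" % (m.group(1), new_salts[m.group(1)]),
        config_text)
    return new_text, new_salts


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    print("weak before:", weak_salts(text))
    new_text, _ = rotate_salts(text)
    print("weak after: ", weak_salts(new_text))
    if path:
        shutil.copy(path, path + ".bak")   # keep the old file; old sessions die regardless
        with open(path, "w") as fh:
            fh.write(new_text)
```

Run it as `python rotate_salts.py /path/to/wp-config.php`; everyone, yourself included, is logged out on the next request and has to sign in again, which is the intended effect. The 32-character floor in `weak_salts` is an assumption of this script, not a WordPress rule; the generated values are 64 characters like the official ones.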
  • Summer1
    Originally Posted by KLinfluence

    First of all, the most important thing is the webhost itself (especially shared hosting). It doesn't matter how good you are at protecting the cPanel; if the webhost is weak on security, it will still be hacked.

    If the webhost is good, then we can harden with some methods which are already mentioned above.

    - Always update WordPress itself and the plugins, or themes, all of the files, whenever updates are available.

    - Back up the database regularly as well as the wp-content folder for the images you have uploaded. If you restore your site only with the database, you will lose all the images. So wp-content is also important.

    To back up, there are plugins, such as wp-backup-manager or wp-db-backup, but to be sure, I back up manually once a week.

    - Use another username instead of "Admin". Hide the one for login, and create another one to be displayed for everyone on the site.

    - Use another database prefix; avoid using the wp_ prefix, which can actually be done during the installation of WordPress.

    - Avoid new registrations on your site if they aren't necessary, by removing the "Log in" link in the meta widget.

    - Log in to a secure admin page, login lockdown, or login logger. Plus, block all IP addresses from wp-admin and wp-config.php except your IP via .htaccess.

    - Scan all the security with WP Security Scan regularly. I personally deactivate the plugin after scanning.

    Oh, and I personally change my password regularly, at least once a month.

    Good luck
    • dborg9
      There are some good tips already posted; I'll add a couple:

      1. Change the database prefix from wp_ to something like Nh87eW3_ (many hackers gain access through the database; they know the WordPress default prefix is wp_, and if you change it, that is one more thing they have to figure out to gain access to your account). I can't post a link yet, but if you search Google for 'change wp_ prefix wordpress' you'll find some tutorials.

      2. Ensure your own computer is free of viruses and spyware; a keylogger on your computer can get your usernames and passwords.
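Two of the database-side changes recommended in this thread, the admin rename (KLinfluence's back office will not edit user_login, so it is done in SQL) and the wp_ prefix change (Summer1 and dborg9 above), share one gotcha worth seeing in working code: the prefix is not only in table names. It is also embedded in usermeta.meta_key (wp_capabilities, wp_user_level) and options.option_name (wp_user_roles), so renaming the tables alone leaves every account with no role and locks you out. The example below is added here and is not code from the thread or from WordPress; it uses an in-memory SQLite stand-in for MySQL with a constructed mini-schema of four tables, and the login name, author slug and prefix values are made up for the demonstration. On the threat model: an SQL injection that can read information_schema.tables learns the new prefix in one query, so this is a speed bump against dumb scripts, not a lock.

```python
"""WordPress database edits: rename the 'admin' login and change the table
prefix, against an in-memory SQLite stand-in for MySQL. Added example, not
code from the thread or from WordPress; the mini-schema is constructed and
far smaller than the real one. The gotcha it demonstrates: renaming the tables
alone locks everyone out, because the prefix is also stored in
usermeta.meta_key (wp_capabilities, wp_user_level) and options.option_name
(wp_user_roles).
"""
import sqlite3

TABLES = ("users", "usermeta", "options", "posts")   # real WP has about a dozen; same idea


def build_sample_db(prefix="wp_"):
    """Constructed mini WordPress database: one administrator and one post."""
    db = sqlite3.connect(":memory:")
    p = prefix
    db.executescript(f"""
        CREATE TABLE {p}users (ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE,
                               user_nicename TEXT, display_name TEXT);
        CREATE TABLE {p}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE {p}options (option_id INTEGER PRIMARY KEY,
                                 option_name TEXT UNIQUE, option_value TEXT);
        CREATE TABLE {p}posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_title TEXT);
        INSERT INTO {p}users VALUES (1, 'admin', 'admin', 'admin');
        INSERT INTO {p}usermeta VALUES (1, 1, '{p}capabilities', 'a:1:{{s:13:"administrator";b:1;}}');
        INSERT INTO {p}usermeta VALUES (2, 1, '{p}user_level', '10');
        INSERT INTO {p}options VALUES (1, '{p}user_roles', '(serialized role table)');
        INSERT INTO {p}options VALUES (2, 'siteurl', 'http://example.com');
        INSERT INTO {p}posts VALUES (1, 1, 'Hello world!');
    """)
    return db


def rename_admin_login(db, prefix, new_login, public_slug):
    """Rename the 'admin' account. user_nicename is the slug in /author/<nicename>/
    URLs (and where ?author=1 redirects), so it gets a separate public value;
    otherwise the new login name is still readable off the site."""
    cur = db.execute(
        f"UPDATE {prefix}users SET user_login = ?, user_nicename = ? WHERE user_login = 'admin'",
        (new_login, public_slug))
    db.commit()
    return cur.rowcount


def change_prefix(db, old, new, fix_keys=True):
    """Rename every table from old to new prefix. With fix_keys, also rewrite the
    prefixed meta_key/option_name values; without it, the lockout happens."""
    for t in TABLES:
        db.execute(f"ALTER TABLE {old}{t} RENAME TO {new}{t}")
    if fix_keys:
        # substr() rather than LIKE 'wp_%': '_' is a single-character wildcard in LIKE
        # (SQLite and MySQL alike), so 'wp_%' would also match keys like 'wpXfoo'.
        for table, col in ((f"{new}usermeta", "meta_key"), (f"{new}options", "option_name")):
            db.execute(
                f"UPDATE {table} SET {col} = ? || substr({col}, ?) WHERE substr({col}, 1, ?) = ?",
                (new, len(old) + 1, len(old), old))
    db.commit()


def can_log_in_with_role(db, prefix, login):
    """What WordPress effectively checks after login: a '<prefix>capabilities'
    meta row must exist for the user, or they land on 'you are not allowed to
    access this page' with no role at all."""
    (n,) = db.execute(
        f"""SELECT count(*) FROM {prefix}users u
            JOIN {prefix}usermeta m ON m.user_id = u.ID
            WHERE u.user_login = ? AND m.meta_key = ?""",
        (login, prefix + "capabilities")).fetchone()
    return n == 1


def table_names(db):
    return sorted(r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))


if __name__ == "__main__":
    db = build_sample_db()
    rename_admin_login(db, "wp_", "k9hq_owner", "site-editor")
    change_prefix(db, "wp_", "Nh87eW3_")
    print(table_names(db), can_log_in_with_role(db, "Nh87eW3_", "k9hq_owner"))
```

On a real site the same two UPDATE statements are run against MySQL after the RENAME TABLE statements, and `$table_prefix` in wp-config.php must be changed to match before the next page load; take a database backup first, since a half-applied rename is exactly the lockout the example shows with `fix_keys=False`.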
  • Ti
    None of the suggested methods will resolve any of the WordPress hacking issues that are going around.

    You can, however, fix the WordPress hacking security flaw by doing 1 simple thing: chmod -R 444.

    Set your entire WordPress directory root to READ ONLY.

    The current WordPress hack methods all take advantage of a variety of security flaws with image uploading, signature uploading, emoticon uploading, flaws in the authoring security model of WordPress and then uploading, etc.

    So right now, the easiest way to give yourself some level of comfort is to READ ONLY all the files in your WordPress directory root. Change them when you need to upload something (which is not needed when simply adding articles/text; that is DB).

    EDIT: It doesn't take much searching on Google to know the current popular hack methods for WordPress. Once you find those, you will realize why the READ ONLY setting of all your WP files will combat that.
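A worked version of the permission hardening Ti describes, added here as an example and not code from the thread. One caveat applies to `chmod -R 444` as literally typed: it also clears the execute bit on directories, and a directory without x cannot be traversed, so PHP can no longer open anything inside it. The script therefore applies the usual baseline (directories 755, files 644, wp-config.php 600) or, with `read_only=True`, the stricter 555/444/400 variant, while always keeping x on directories. `audit()` is the check to run again after each plugin install or upload. The tree it builds is a constructed temp directory with two common mistakes planted in it; the mode values are the common baseline, not something the thread or WordPress mandates.

```python
"""Permission hardening and audit for a WordPress tree. Added example, not code
from the thread. Baseline: directories 755, files 644, wp-config.php 600; with
read_only=True the write bits are stripped as well (555/444/400). Directories
always keep their execute bit, which 'chmod -R 444' would remove.
"""
import os
import shutil
import stat
import tempfile

DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600
NO_WRITE = ~0o222          # mask that strips every write bit


def _target_mode(name, is_dir, read_only):
    if is_dir:
        mode = DIR_MODE
    elif name == "wp-config.php":
        mode = CONFIG_MODE     # DB credentials and salts: owner only
    else:
        mode = FILE_MODE
    return mode & NO_WRITE if read_only else mode


def _set_mode(path, mode):
    """chmod only when needed; symlinks are skipped. Returns 1 if changed."""
    if os.path.islink(path):
        return 0
    if stat.S_IMODE(os.lstat(path).st_mode) == mode:
        return 0
    os.chmod(path, mode)
    return 1


def harden(root, read_only=False):
    """Apply the baseline below root (root itself is left alone).
    Returns the number of entries whose mode changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            changed += _set_mode(os.path.join(dirpath, d), _target_mode(d, True, read_only))
        for f in filenames:
            changed += _set_mode(os.path.join(dirpath, f), _target_mode(f, False, read_only))
    return changed


def audit(root):
    """Return (path, mode, reason) for every risky entry under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o002:
                findings.append((path, oct(mode), "world-writable"))
            elif name == "wp-config.php" and mode & 0o044:
                findings.append((path, oct(mode), "wp-config.php readable by group/other"))
            elif name in dirnames and not mode & 0o100:
                findings.append((path, oct(mode), "directory not traversable by owner"))
    return findings


def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def make_sample_tree():
    """Constructed WordPress-like tree in a temp dir with two common mistakes:
    a world-writable uploads directory and a group/world-readable wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-perm-")
    for d in ("wp-admin", "wp-content", "wp-content/uploads"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for f in ("index.php", "wp-config.php", "wp-content/uploads/a.jpg"):
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), 0o644)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)   # mistake 1: world-writable
    # mistake 2: wp-config.php left at 644, readable by every other account on a shared host
    return root


def cleanup(root):
    harden(root)             # restore write bits so a read-only tree can be deleted
    shutil.rmtree(root)


if __name__ == "__main__":
    root = make_sample_tree()
    for finding in audit(root):
        print(*finding)
    print("changed:", harden(root), "remaining:", audit(root))
    cleanup(root)
```

Point `harden()` and `audit()` at the real document root (as the file owner, which on cPanel is the account user, not root) instead of the sample tree. The read-only variant means the dashboard's own updater and media uploads fail until you run `harden(root)` again, which is the trade Ti's post accepts; note that it does nothing about the other half of the upload flaws mentioned, where the writable uploads directory is the one place that must stay writable.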
  • Adie
    Nothing is secure, so my advice is: don't put up something you don't want others to have......
  • Alexdoerr
    Hacking attempts on WP sites are increasing these days. It was Joomla a few years back, but now WP seems to be the target of hackers. It is better not to keep any username as admin. Also, changing your password frequently is recommended.
  • Tmill
    I have also been wondering about this. Thanks for the plugin names.
  • londoncoffee
    Yeah! Just use some good passwords. Gary McKinnon, the famous NASA hacker, said he was gobsmacked at the number of login passwords that were left as the default 'Admin', and I think that's why Uncle Sam was so miffed. Lol!
  • cooler1
    What security plugins do you most recommend installing? Some people recommend Login Lockdown, some recommend seo firewall 2, some recommend BulletProof Security, etc., so it's confusing.

    I gather that having too many plugins will slow things down and be a resource hog.

    Would having these 3 plugins installed be sufficient?

    WP Security Scan
    Login Lockdown
    Bad Behaviour
  • msafi
    If you're really serious about protecting your WordPress site, read and understand what's on this page—it's the official security guide for WordPress.

    You may also want to consider using VaultPress (created by Automattic—the company behind WordPress).
  • Patrick
    Plugins... plugins... plugins! lol Plugins all over....

    Instead of relying on plugins, just go through the text on this page, and you will never get your WordPress site "hacked":

    Hardening WordPress « WordPress Codex
  • budhaya
    Just get LastPass (lastpass.com). It will generate secure, computer-generated passwords.
    Any password that you can remember is not good enough; there are programs out there that try any combination.
    Also, limit login attempts.
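Several posts in this thread (MarkusD's Login Lockdown, Summer1's login lockdown/logger, budhaya's "limit login attempts") rely on the same mechanism without spelling it out, so here is the logic in working form, as an added example and not the code of any of those plugins. Failed logins are counted per client IP in a sliding window; once the threshold is hit the IP is refused for a lockout period, even for a correct password. Counting per IP rather than per username is a deliberate choice: per-username counting would let anyone lock the real admin out just by hammering the login name, at the cost that a distributed guessing run spread over many IPs stays under the threshold. The thresholds, the user table, the clock and the IPs (documentation ranges) are all constructed for the example; PBKDF2 stands in for the phpass hashes WordPress really stores.

```python
"""Failed-login lockout of the kind Login Lockdown / Limit Login Attempts
implement, as an added example (not the plugins' code). Failures are counted
per client IP in a sliding window; once the threshold is reached the IP is
refused for LOCKOUT seconds, including for correct passwords. The user table
and clock are constructed so the logic runs offline and is testable.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5         # failures tolerated...
WINDOW = 15 * 60         # ...within this many seconds
LOCKOUT = 60 * 60        # refuse the IP for this long afterwards
DUMMY_SALT = b"\0" * 16  # used for unknown logins so timing does not reveal valid names


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-SHA256 stand-in for the phpass hashes WordPress really stores."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def sample_users():
    """Constructed user table: login -> (salt, digest). Not real credentials."""
    return {"k9hq_owner": hash_password("correct horse battery staple")}


class FakeClock:
    """Injectable clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start=1_000_000):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginGuard:
    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires
        self.log = []                        # (time, ip, login, outcome), as a plugin would log

    def is_locked(self, ip):
        if self.locked_until.get(ip, 0) > self.clock():
            return True
        self.locked_until.pop(ip, None)      # expired: forget it
        return False

    def _record_failure(self, ip, now):
        window = self.failures[ip]
        window.append(now)
        while window and window[0] <= now - WINDOW:
            window.popleft()                 # drop failures older than WINDOW
        if len(window) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            window.clear()
            return True
        return False

    def attempt(self, ip, login, password):
        """Process one login attempt: 'locked', 'ok', 'fail' or 'lockout'."""
        now = self.clock()
        if self.is_locked(ip):
            self.log.append((now, ip, login, "refused: IP locked out"))
            return "locked"
        salt, digest = self.users.get(login, (DUMMY_SALT, b""))
        _, candidate = hash_password(password, salt)   # always hash, even for unknown logins
        if login in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(ip, None)      # a success clears the counter
            self.log.append((now, ip, login, "success"))
            return "ok"
        if self._record_failure(ip, now):
            self.log.append((now, ip, login, "failed; IP locked for %d s" % LOCKOUT))
            return "lockout"
        self.log.append((now, ip, login, "failed"))
        return "fail"


if __name__ == "__main__":
    guard = LoginGuard(sample_users(), FakeClock())
    for pw in ("123456", "password", "admin", "letmein", "qwerty", "anything"):
        print(pw, "->", guard.attempt("203.0.113.7", "admin", pw))
    for entry in guard.log:
        print(entry)
```

Two details matter when wiring this to a real login form. The IP must come from the connection (REMOTE_ADDR), not from X-Forwarded-For, unless a trusted proxy sets that header, because a client can write anything into it and dodge the counter. And the counters have to live somewhere shared (the database, as the plugins do), not in PHP process memory, or every request starts from zero.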