A warning to secure your clients' Wordpress sites

24 replies
If you provide any kind of web services for clients using Wordpress, you might want to learn a lesson from what I've been through in the last couple of days, after 14 of my clients' sites were hacked.

Even though I had made an effort to keep wordpress updated on all the sites, I was using the same FTP and wordpress password on all sites. Fatal mistake number one.

I woke yesterday to find a welcome message from the hackers, and Indonesian music playing on one of my sites. I was able to restore a backup, thankfully, and thought I was over the worst.

But no such luck. One by one, my other sites started going down like dominoes. Five in the first day.

Then this morning I found another 9 affected. I have a Virtual Private Server, so had to roll back the entire VPS to last Friday, to be sure of getting rid of everything. This meant some of my clients lost updates they had made in the last few days.

So, a lesson to be learned. Always have different passwords on every site, and different passwords for the FTP and wordpress admin. And above all, always make sure your sites are backed up in such a way that they can be quickly restored.

You might think "it will never happen to me." That's what I thought. It's a sickening feeling when it happens.

Makes you wonder what goes on in the minds of the low-lifes who do this kind of hacking.
  • Raineer:
    Definitely a mistake most people will make. I recommend using the password creation that Hostgator does for you (for those who use HG). I hope you quickly recover from this, and I hope it doesn't happen again!
  • azurews:
    That sounds like a nightmare! I feel your pain. I have had it happen, though not to the extent you have. But yes, never use the same passwords.

    Also, don't let your FTP client program save your passwords. I had a few sites compromised that way too.
    • iAmNameLess:
      Secure wordpress sites... what an oxymoron...

      Anyway, I hope you changed ALL your passwords, they likely injected a base64 or eval script.. and if they didn't they will do it again.

      It seems to me, you learned work arounds, but really learned nothing from this experience. You are learning to use different passwords, different FTP accounts, take regular backups... but you didn't learn how to fight the real problem..

      Rolling the server back doesn't fix it.. you need to fix the vulnerability.
      • Vikuna2009+:
        Originally Posted by iAmNameLess:

        Secure wordpress sites... what an oxymoron...

        Anyway, I hope you changed ALL your passwords, they likely injected a base64 or eval script.. and if they didn't they will do it again.

        It seems to me, you learned work arounds, but really learned nothing from this experience. You are learning to use different passwords, different FTP accounts, take regular backups... but you didn't learn how to fight the real problem..

        Rolling the server back doesn't fix it.. you need to fix the vulnerability.
        Any light you can shed on this would be greatly appreciated,

        Eva
        • iAmNameLess:
          Originally Posted by Vikuna2009+:

          Any light you can shed on this would be greatly appreciated,

          Eva
          It's common sense, kind of. If one of your sites, on your server was compromised and hacked, the problem isn't fixed by installing a back up or rolling the servers back, and the problem likely isn't the same pw or database pw. The problem is you had a vulnerability in your server. A lot of people make an amateur mistake and end up with something having 777 permissions. Another problem is being vulnerable to SQL injections and common exploits.

          Changing passwords, making backups, they don't fix the initial problem...
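The two conditions iAmNameLess names, world-writable (777) permissions and injected eval/base64 code, can both be checked from the server side before deciding whether a rollback was enough. The script below is an added example, not code from this thread or from WordPress: it walks a site directory, reports anything that any user on the server can write to, and flags PHP files that contain an eval() wrapped around a decoder such as base64_decode(). The sample tree it builds in a temporary directory is constructed for the demonstration, and the regex is a review heuristic, not a malware signature.

```python
import os
import re
import stat
import tempfile

# Heuristic for injected PHP: eval() directly around an obfuscation decoder.
# A match is a lead for manual review, not proof of compromise.
SUSPICIOUS_PHP = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)


def find_world_writable(root):
    """Return paths under root that any user can write to (the '777 mistake')."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):        # a symlink's own mode is meaningless
                continue
            if mode & stat.S_IWOTH:       # the 'other' write bit is set
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def find_suspicious_php(root):
    """Return PHP files whose contents match the eval-plus-decoder pattern."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if SUSPICIOUS_PHP.search(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_site(root):
    """Constructed sample: a tiny WordPress-like tree with one bad item of each kind."""
    uploads = os.path.join(root, "wp-content", "uploads")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(uploads)
    os.makedirs(theme)
    clean = os.path.join(theme, "functions.php")
    with open(clean, "w") as fh:
        fh.write("<?php\nadd_action('init', 'demo_init');\n")
    # Made-up dropper: eval around base64_decode, with the spacing attackers often use
    injected = os.path.join(uploads, "cache.php")
    with open(injected, "w") as fh:
        fh.write("<?php eval ( base64_decode ( 'ZWNobyAxOw==' ) ); ?>\n")
    os.chmod(uploads, 0o777)          # the permissions mistake
    os.chmod(injected, 0o644)
    os.chmod(clean, 0o644)
    return root


def audit_sample():
    """Build the constructed tree in a temp dir, audit it, and return both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return {
            "world_writable": find_world_writable(tmp),
            "suspicious_php": find_suspicious_php(tmp),
        }


if __name__ == "__main__":
    for kind, paths in audit_sample().items():
        print(kind)
        for p in paths:
            print("  ", p)
```

Run it against a real document root by calling find_world_writable() and find_suspicious_php() on that path; anything under wp-content/uploads that ends in .php deserves a look regardless of what it contains, since that directory should hold media, not code.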
  • Kung Fu Backlinks:
    IAN, I'm guessing this would come down to the HOST being used, right? If that's the case, what web host do you use?
  • Jason Kanigan:
    IAN's fixes are at a stronger level but also require more technical expertise. Here are some fixes you can do that don't require a high programming IQ:

    Go into your hosting control panel and delete the "admin" login. You can't do this from inside Wordpress. Google how to do this for your host.

    Create a new one that nobody will have an easy time guessing. Don't use "support", "test", anything typical. Don't use your name, either.

    Make your password alpha-numeric, and include a symbol in there somewhere. That alone makes it far more difficult to crack.

    Finally, install and set up the "Limit Login Attempts" plugin. People get so many chances to log in, after which they're locked out for 24 hours. After a week, check the stats--you'll be amazed how many people are trying to get into your site. This blocks brute force attempts, in which a program tries password combinations over and over in an attempt to stumble on the right one and get in.
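The lockout Jason describes ("so many chances to log in, after which they're locked out for 24 hours") is simple counting. Below is an added example in Python, not the Limit Login Attempts plugin's own code: a limiter keyed on (client IP, username) that locks the pair after a configurable number of failures, refuses further attempts while locked even when the password would have been right, and keeps the running counts he suggests checking after a week. The login events are constructed, the addresses are documentation ranges, and the 4-attempt / 24-hour setting is an assumption for the demo.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Lock a (client IP, username) pair after too many failed logins.

    Defaults (4 attempts, 24-hour lockout) are assumptions for this example.
    """

    def __init__(self, max_attempts=4, lockout_seconds=24 * 3600, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so a timeline can be replayed
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.stats = {"lockouts": 0, "blocked_attempts": 0}

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:     # lockout expired: start the count over
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Count a wrong password; return True if this failure triggered a lockout."""
        self.failures[key] += 1
        if self.failures[key] >= self.max_attempts:
            self.locked_until[key] = self.clock() + self.lockout_seconds
            self.stats["lockouts"] += 1
            return True
        return False

    def record_success(self, key):
        """A correct password clears the failure counter for that pair."""
        self.failures.pop(key, None)


def replay(events, max_attempts=4, lockout_seconds=24 * 3600):
    """Run (time, ip, user, password_ok) events through the limiter.

    Returns (outcome per event, stats). 'locked' means the attempt was refused
    before the password was checked, or was the failure that locked the pair.
    """
    now = {"t": 0}
    limiter = LoginLimiter(max_attempts, lockout_seconds, clock=lambda: now["t"])
    outcomes = []
    for t, ip, user, password_ok in events:
        now["t"] = t
        key = (ip, user)
        if limiter.is_locked(key):
            limiter.stats["blocked_attempts"] += 1
            outcomes.append("locked")
        elif password_ok:
            limiter.record_success(key)
            outcomes.append("ok")
        else:
            outcomes.append("locked" if limiter.record_failure(key) else "fail")
    return outcomes, dict(limiter.stats)


DAY = 24 * 3600

# Constructed login log: one address hammering 'admin', one editor with a typo.
SAMPLE_EVENTS = [
    (0, "203.0.113.9", "admin", False),
    (5, "203.0.113.9", "admin", False),
    (10, "203.0.113.9", "admin", False),
    (15, "203.0.113.9", "admin", False),        # fourth failure: pair is locked
    (20, "203.0.113.9", "admin", True),         # right password, still refused
    (30, "198.51.100.4", "editor", False),
    (40, "198.51.100.4", "editor", True),       # success clears the editor's count
    (15 + DAY, "203.0.113.9", "admin", False),  # lock expired, count restarts at 1
]

if __name__ == "__main__":
    outcomes, stats = replay(SAMPLE_EVENTS)
    for event, outcome in zip(SAMPLE_EVENTS, outcomes):
        print(f"t={event[0]:>6} {event[1]:<14} {event[2]:<7} -> {outcome}")
    print("stats:", stats)
```

Keying on the address as well as the username is deliberate: a counter on the username alone would let anyone lock the real administrator out by guessing wrong on purpose, while a per-address counter alone is easy to dodge from many addresses. Real plugins keep both kinds of counter, with different thresholds.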
    • DABK:
      Originally Posted by Jason Kanigan:

      Go into your hosting control panel and delete the "admin" login. You can't do this from inside Wordpress. Google how to do this for your host.

      I've deleted admin-named admin users from inside wordpress. But not while I was logged in as 'admin.'

      I created another user account and set it as admin, then, while logged in as the new admin user, I could delete the old one.
  • Kingfish85:
    Here's a starter guide - which I'm sure the mods will delete since it links back to my company site. I've typed all this out before on the forum, but frankly I don't feel like searching through 1,000 posts to quote it again.

    Securing Wordpress - A Definitive guide to Wordpress Security Tips—LiquiLayer Technologies – Web Hosting & Solutions

    It's a good start, but is not the "end all be all" for securing Wordpress.

    EDIT: I also can't reiterate enough: password protect the wp-admin directory.
    • Vikuna2009+:
      I hit the Thank You button for you Jason. Kingfish85, glad I got that link now in case it gets taken down.

      I greatly appreciate the alert from the OP and the solutions given, thanks again for sharing,

      Eva
    • Tess D:
      That lockdown procedure from Kingfish85 works wonderfully.
  • WebSeeds:
    Hey plainwords,

    I'm sorry to hear about your recent vulnerability issues. Though you are on the right track, I agree with everyone that you are still extremely vulnerable to many attacks.

    Jason's words were very wise, and hopefully I can make it even easier for you!

    The first thing you can do is install a Security plugin for Wordpress, which will cover all of the areas everyone has previously mentioned + more! I would HIGHLY suggest Better WP Security by Bit51. Better Wordpress Security will secure you from 99% of attacks. (leaving out advanced hacks of course, but unless you've pissed off some Russian hackers or you have an open trail to a bank account, you should be pretty safe! :p) They have an option to do a 'one click activation' which will automatically secure and modify all files and areas other than those more detailed which you might want to take a day sometime to learn about. (server side issues, along with core wordpress coding and structure.) BEFORE you install this plugin though, make a backup of your site just in case the install goes wrong and messes with your site! I've never heard of this happening before with this plugin, and I personally think it is impossible due to the skill of the developers.... but this is Wordpress.... and well, shit happens.

    I'm sure you will click on the link and see what it offers, but to make it simpler and to show off my uncanny ability to click ctrl+c and ctrl+v, here are its features!

    Obscure
    As most WordPress attacks are a result of plugin vulnerabilities, weak passwords, and obsolete software. Better WP Security will hide the places those vulnerabilities live keeping an attacker from learning too much about your site and keeping them away from sensitive areas like login, admin, etc.

    Remove the meta "Generator" tag
    Change the urls for WordPress dashboard including login, admin, and more
    Completely turn off the ability to login for a given time period (away mode)
    Remove theme, plugin, and core update notifications from users who do not have permission to update them
    Remove Windows Live Write header information
    Remove RSD header information
    Rename "admin" account
    Change the ID on the user with ID 1
    Change the WordPress database table prefix
    Change wp-content path
    Removes login error messages
    Display a random version number to non administrative users anywhere version is used


    Protect
    Just hiding parts of your site is helpful but won't stop everything. After we hide sensitive areas of the sites we'll protect it by blocking users that shouldn't be there and increasing the security of passwords and other vital information.

    Scan your site to instantly tell where vulnerabilities are and fix them in seconds
    Ban troublesome bots and other hosts
    Ban troublesome user agents
    Prevent brute force attacks by banning hosts and users with too many invalid login attempts
    Strengthen server security
    Enforce strong passwords for all accounts of a configurable minimum role
    Force SSL for admin pages (on supporting servers)
    Force SSL for any page or post (on supporting servers)
    Turn off file editing from within WordPress admin area
    Detect and block numerous attacks to your filesystem and database


    Detect
    Should all the protection fail Better WP Security will still monitor your site and report attempts to scan it (automatically blocking suspicious users) as well as any changes to the filesystem that might indicate a compromise.

    Detect bots and other attempts to search for vulnerabilities
    Monitor filesystem for unauthorized changes


    Recover
    Finally, should the worst happen Better WP Security will make regular backups of your WordPress database (should you choose to do so) allowing you to get back online quickly in the event someone should compromise your site.

    Create and email database backups on a customizable schedule


    Other Benefits
    Make it easier for users to log into a site by giving them login and admin URLs that make more sense to someone not accustomed to WordPress
    Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.


    Compatibility
    Works on multi-site (network) and single site installations
    Works with Apache, LiteSpeed or NGINX (NGINX will require you to manually edit your virtual host configuration)
    Some features can be problematic if you don't have enough RAM to support them. All my testing servers allocate 128MB to WordPress and usually don't have any other plugins installed. I have seen issues with file check and database backups failing on servers with 64MB or less of RAM, particularly if there are many other plugins being used.



    Other than installing that plugin, getting used to creating secure passwords is a very healthy habit, generally speaking. As Jason mentioned, you can use a slew or string of keys, numbers, and symbols to make things unique. If you're worried about forgetting them, especially if you have many to memorize, try this.

    Whatever you are creating the password for, find some natural association your brain makes with the subject. Association is a very strong security practice, because unless the potential enemy knows you entirely, and has done a complete psych evaluation on you, they will be completely out of the loop. (and even if they did... lol, good luck to them!) Everyone's mind associates things differently based from societal teachings, along with personal understanding and experience. For example:

    You are creating a password for a client who owns a puppy store. You love puppies. When you were a child, you used to play with your neighbor's puppy, who had the cutest red collar and bell. Whenever you were outside, you heard that bell from across the street, and knew that puppy was there to play. Nowadays, every time you walk into a puppy store or see a puppy, for some reason that red collar and bell thinks you. 99% of the time, you probably don't even realize it, or you just ignore it and don't think anything of it. But it's there, it's in all of us.

    Remember that red collar and bell, and use it to your advantage. Now the words 'redcollarbell' might be unique, and no one will really associate it other than you... but you need to encrypt it. One example, for instance, is to match the written enunciation with your speech. Say, 'redcollarbell'. Personally, I enunciate the words like this: 'reDcoLLarbeLL'. Most probably will, but again, it really depends on your personal experience, accent, etc.

    Now that you have your enunciated written version, add a few extra characters to make it more unique and encrypted. Maybe you remember you were 11 years old when you played with that dog. Maybe the puppy was 6 months old then (and is still 6 months old in your head).

    reDcoLLarbeLL116

    Did you think that puppy was awesome? HECK YEAH YOU DID!

    reDcoLLarbeLL116!

    ^^^^^^^
    I don't know about you, but I don't think that can be traced to you in any way, and even the most sophisticated crackers will have a tough shot at that. (granted all of your other vulnerabilities aren't so vulnerable anymore.)

    Memorization wise, that will be simple. It may not make sense, but it will come in a very short amount of time. You won't need to think about those questions to yourself, it will just naturally flow, accessing the archive of your brain naturally. The more you do it, the more your brain becomes used to accessing that kind of information and things will be second nature. Some of my passwords go 30+ keys long, all randomly structured, and they just type themselves when needed.


    Anyway, I hope I helped some. Sorry for the inadvertent psychological/brain exercise lesson. It will help if you enable yourself though, I promise!


    Luke
  • flnz400:
    If you tighten up mod security, it'll require the FTP pw to change or update any plugins or themes. This will mitigate most of the php injections, but be forewarned... it makes doing the simple modifications you're used to a PITA.
  • jayspann:
    I've never had a site hacked knock on wood.... but I have had a ton of other issues.

    I moved my sites (the WP ones anyway) over to WP Engine managed cloud hosting and I could not be happier with the service.

    They provide several layers of security for WP because that's all they do.

    Worth checking them out. There are a few other managed WP hosting services as well but I've only used the WP Engine. But I hear Page.ly is a good one as well.
  • Jason Kanigan:
    AAAAAAND one of mine got hacked yesterday. Not through the regular channels...through the wiki plugin I installed a year and a half ago so others could build content for it!

    When it's back up, I'll be uninstalling the plugin...not cool.
    • WebSeeds:
      Originally Posted by Jason Kanigan:

      AAAAAAND one of mine got hacked yesterday. Not through the regular channels...through the wiki plugin I installed a year and a half ago so others could build content for it!

      When it's back up, I'll be uninstalling the plugin...not cool.
      Sorry to hear that Jason... :\

      Been there time and time again when I first ventured into the realm of Wordpress. Especially when you're running so many sites, old and new.

      As a protocol for plugins, try to only involve yourself with product that is active, and established. Keep the mentality that because it's free, it's free for a reason. Look into it, and if you prove yourself wrong, then go for it! Look at the developer, what they have done before. Look at the changelogs, see how often it's updated, and if the updates are for adding content, removing, or fixing. If there has been security breaches in the past.

      Think of it as if you are buying the product for $1000, I know you are going to think twice before you whip out your wallet and swipe your card!

      Take an hour to go through all of your sites and see what's on them, please. as so11 said above: "Information and computer security is a state/status (ex.: of a website) that needs to be achieved and maintained continuously. It is achieved by implementing a set of secure practices such as configurations (ex. plug-ins, add-ons, etc.), maintenance and processes (ex. password change). And that's where most of us stop. We forget to continue keeping it secure. We change code and configurations, install new plug-ins and add-ons and forget to check if it is still secure."

      I hope you resolve your security breach, and you are able to be pro-active in the future so you can free up your security time to work on what you do best!

      Luke
  • so11:
    My website got hacked again...

    All of the known Wordpress security plug-ins are installed, all website configurations and tune-ups are done, personal computer is running fine… but my website/blog got hacked again! Why? Am I doing something wrong? Is something missing? Where is the problem?

    Here is a little security advice for Internet marketers…the problem is your misunderstanding of what security is. Information and computer security is a state/status (ex.: of a website) that needs to be achieved and maintained continuously. It is achieved by implementing a set of secure practices such as configurations (ex. plug-ins, add-ons, etc.), maintenance and processes (ex. password change). And that’s where most of us stop. We forget to continue keeping it secure. We change code and configurations, install new plug-ins and add-ons and forget to check if it is still secure.

    read more here : My website got hacked again? | Security | ITadvices.com

    and here : Security advice for WordPress plug-in use | ITadvices.com

    good luck
    • Kingfish85:
      Originally Posted by so11:

      My website got hacked again...

      All of the known Wordpress security plug-ins are installed, all website configurations and tune-ups are done, personal computer is running fine… but my website/blog got hacked again! Why? Am I doing something wrong? Is something missing? Where is the problem?

      Here is a little security advice for Internet marketers…the problem is your misunderstanding of what security is. Information and computer security is a state/status (ex.: of a website) that needs to be achieved and maintained continuously. It is achieved by implementing a set of secure practices such as configurations (ex. plug-ins, add-ons, etc.), maintenance and processes (ex. password change). And that’s where most of us stop. We forget to continue keeping it secure. We change code and configurations, install new plug-ins and add-ons and forget to check if it is still secure.

      read more here : My website got hacked again? | Security | ITadvices.com

      and here : Security advice for WordPress plug-in use | ITadvices.com

      good luck
      Why not provide actual security techniques/guides instead of pushing your website defender affiliate link on those pages? Those pages are nothing more than a bunch of run-on sentences repeating the same things then promoting an affiliate link.
      • so11:
        Originally Posted by Kingfish85:

        Why not provide actual security techniques/guides instead of pushing your website defender affiliate link on those pages? Those pages are nothing more than a bunch or run on sentences repeating the same things then promoting an affiliate link.
        thanks for your question...The blog is about security awareness...and that's what awareness is... repeating same things using different approaches...

        They are not just affiliate links...they are proven products that were tested myself or my team at many different clients. We do not push our own products, we provide services using proven security tools.

        The link was to the articles for information purposes. Don't wanna click the aff link, don't...period.

        ps. : by the way, check your site for compatibility issues...it looks horrible with IE8.

        hope it helps...
  • JHC:
    I have a client who allows his browser (chrome or IE) to save his user name and password for accessing his sites. Should I advise against this?
    • so11:
      Originally Posted by JHC:

      I have a client who allows his browser (chrome or IE) to save his user name and password for accessing his sites. Should I advise against this?
      Hi,

      it isn't considered bad practice, as long as he/she does it using his/her own computer. Although, it is important to understand that the risks of getting security issues, such as personal information theft, are much higher if you do it.

      Let's say there is somebody else using the PC or it got infected with a virus; basically, it is easier to get to the info (user, passwords, etc.) if it's stored somewhere, like in your browser's config. file.

      To conclude, it is better and more secure if you can avoid it.

      hope it helps,
  • RichBeck:
    Originally Posted by plainwords:

    Even though I had made an effort to keep wordpress updated on all the sites, I was using the same FTP and wordpress password on all sites. Fatal mistake number one.
    plainwords,

    I'm sorry to hear about your issues.....

    You have to keep in mind, the problem is FTP not with WordPress... In all cases..... Just say no to FTP...

    Here is why.... FTP sends EVERYTHING in clear text... Including your username and password...

    So, having a "strong" password means nothing... The hackers can see it...

    When you connect to an FTP server, it makes various "hops" sending your data through various servers over the Internet...

    All a hacker has to do is have a "packet sniffer" attached to one of those servers... Once they have your user name and password, they have free rein on your FTP account... If you use one FTP account for all your clients (a huge no-no), they have free rein...

    If you must use FTP, use secure FTP. You can read more about it here.

    I hope you get everything up and running...

    All The Best,

    Rich Beck BCIP, MCSD, MCIS
  • CrapeMyrtleGuy:
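Rich Beck's point is that plain FTP's control channel carries USER and PASS as readable text, which is why a strong password on its own does not help there. The added example below is not from the thread: it takes a constructed transcript of an FTP control channel, the kind of lines a network monitor on your own server or network records, and reports whether a username and password went over the wire before any encryption was negotiated, which is what a "plaintext FTP login" monitoring rule checks. With explicit FTPS the client sends AUTH TLS first and everything after the server's 234 reply is encrypted, so a capture shows no PASS line; the second transcript models that. Both transcripts and the credential in them are made up.

```python
import re

# Constructed transcripts (nothing real). Client lines are commands (USER, PASS,
# AUTH, ...); lines starting with a 3-digit code are server replies.
PLAIN_FTP_CAPTURE = """\
220 FTP server ready
USER deploy
331 Password required for deploy
PASS Wint3r-Collar!9
230 User deploy logged in
TYPE I
200 Type set to I
"""

EXPLICIT_FTPS_CAPTURE = """\
220 FTP server ready
AUTH TLS
234 AUTH TLS successful
"""
# After the 234 reply the control channel is inside TLS; a capture tool has
# nothing further readable, so USER/PASS never appear in the transcript.

CRED_COMMANDS = {"USER": "username", "PASS": "password"}
REPLY_LINE = re.compile(r"^\d{3}[ -]")


def audit_ftp_control_channel(capture):
    """Report credentials sent on the control channel before any TLS upgrade.

    Returns {"tls_negotiated": bool, "exposed": {"username": ..., "password": ...}}.
    """
    report = {"tls_negotiated": False, "exposed": {}}
    awaiting_auth_reply = False
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        if REPLY_LINE.match(line):
            # 234 is the success reply to AUTH; from here on the channel is encrypted
            if awaiting_auth_reply and line.startswith("234"):
                report["tls_negotiated"] = True
            awaiting_auth_reply = False
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            awaiting_auth_reply = True
        elif verb in CRED_COMMANDS and not report["tls_negotiated"]:
            report["exposed"][CRED_COMMANDS[verb]] = arg
    return report


def redact_for_logging(capture):
    """Mask the PASS argument so a finding can be recorded without copying the secret."""
    return re.sub(r"(?im)^(PASS\s+)\S+", r"\1<redacted>", capture)


if __name__ == "__main__":
    for name, capture in (("plain FTP", PLAIN_FTP_CAPTURE), ("explicit FTPS", EXPLICIT_FTPS_CAPTURE)):
        report = audit_ftp_control_channel(capture)
        exposed = ", ".join(report["exposed"]) or "nothing"
        print(f"{name}: tls={report['tls_negotiated']} exposed={exposed}")
    print(redact_for_logging(PLAIN_FTP_CAPTURE))
```

Note the two fixes are different: SFTP (file transfer over SSH, port 22) is a separate protocol from FTP, while FTPS adds TLS to FTP itself. Either removes the readable USER/PASS exchange that this check looks for, and most hosting control panels offer at least one of them.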
    What can a guy that is just trying to figure out how to build his website on WP do? Is there a plug in I can download that will help prevent? I don't even know how I would recover. CrapeMytleGuy