Old 10-27-2014, 07:52 AM  
TROLLENSTEIN
Server Monkey
Join Date: May 2013
Location: Europe.
Posts: 164
Hardening WordPress - Part 1.
Jul 06, 2014 07:55pm

WordPress is the most popular blogging and CMS system on the Internet which, obviously, makes it a juicy target for hackers. Using WordPress as your CMS of choice means that you have to make some extra efforts to stop these naughty boys and girls from ruining your hard work at the press of a few keys.


** It is important to mention that these measures don't guarantee a 100% protection against hacking attempts, simply because a 100% secure website doesn't exist, but they will help against the majority of attacks. **


1. Keep WordPress up to date.

This seems like a no-brainer for most people, but you would be very surprised just how lazy adult webmasters are when it comes to keeping their WP site up to date. I don't recommend using auto-updating to do this as sometimes it can result in broken sites. You don't even need to do anything to check this: you can simply sign up at http://wordpress.org/list/ and you'll be emailed the instant an update is available. If you don't want to give out your email you can use a plugin, for example WP Updates Notifier by Scott Cariss (http://wordpress.org/plugins/wp-updates-notifier/). Using the plugin you can set how often it will check (via CRON) for updates. I'd recommend once per hour.

2. Stop WordPress helping the hackers.

The most popular and easiest method someone will use against your site is a brute force attack. Brute force just means running through combinations of usernames and passwords until they get lucky. The main problem with WordPress itself is that it is a big help to the attackers due to the very helpful error messages it spits out. This is especially worrying on the WP login page. When you enter a wrong password or an invalid username, WordPress replies with an error message stating which of the two is wrong. So if a hacker gets one thing right, the error message will confirm it for them. Best practice is to simply remove the error message entirely. Locate functions.php in your theme folder and add the following to it:

add_filter('login_errors', function ($errors) {
    // Blank the message instead of WordPress's "wrong username" / "wrong password" hint.
    // create_function() is removed in PHP 8, so a closure is used here.
    return '';
});

This will remove the helpful error messages from the Login screen and, most importantly, will annoy/stop 99% of the current WP brute force scripts/worms.

3. Default settings are like handing over the keys.

Never use "admin" as a username. Ever. Pick something unique. Don't, obviously, use your nickname that you use on public forums etc. And, it goes without saying, never ever use the same password twice. And make them strong. By strong I mean mix up letters and numbers. Don't use LetMeIn1234, use L3Tme1N1two3four etc. As I mentioned above, if you use say "admin" as a username then WordPress will tell me that user exists, but the password I entered is wrong. So instantly I have cut my work in half as I now know the username and just have to work on your password. You can also annoy the naughty people by using a plugin like Login Lockdown by mvandemar (http://wordpress.org/plugins/login-lockdown/) which will block IPs that try to access your wp-login.php too often within a time frame you set.
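As an added illustration of points 2 and 3 together (my example, not code from the post or from the Login Lockdown plugin), this must-use plugin blanks the login error text and locks an address out of authentication after repeated failures, using WordPress transients as the per-IP counter. The thresholds, the transient names and the assumption that the site is not behind a reverse proxy are mine.

```php
<?php
/*
Plugin Name: Login hardening example
Description: Added example (not the post's or Login Lockdown's code). Place in wp-content/mu-plugins/.
*/

// Assumed thresholds: 5 failures within 15 minutes lock the address out for 1 hour.
const LHE_MAX_FAILURES    = 5;
const LHE_WINDOW_SECONDS  = 900;
const LHE_LOCKOUT_SECONDS = 3600;

// Point 2: return an empty string so the login page never says which half was wrong.
add_filter('login_errors', function () {
    return '';
});

// Per-address transient name. REMOTE_ADDR is what Apache saw; behind a reverse
// proxy you would have to derive the real client address instead (assumed: no proxy).
function lhe_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lhe_' . md5($ip);
}

// Point 3: WordPress fires wp_login_failed on every bad username/password pair
// (wp-login.php and XML-RPC alike); count them per address inside the window.
add_action('wp_login_failed', function () {
    $key      = lhe_client_key();
    $failures = (int) get_transient($key . '_fail') + 1;
    set_transient($key . '_fail', $failures, LHE_WINDOW_SECONDS);
    if ($failures >= LHE_MAX_FAILURES) {
        set_transient($key . '_lock', time(), LHE_LOCKOUT_SECONDS);
    }
});

// While the lock exists, replace whatever the password check produced with an error.
// Priority 30 runs after WordPress's own username/password filters (priority 20),
// so even a correct password during a lockout is refused.
add_filter('authenticate', function ($user) {
    if (get_transient(lhe_client_key() . '_lock')) {
        return new WP_Error('lhe_locked', 'Too many failed logins from this address.');
    }
    return $user;
}, 30, 1);
```

Because of the login_errors filter the lockout text is never displayed either, so a locked-out client just keeps seeing a failed login; when no object cache is in use the counters are visible as _transient_lhe_* rows in the options table.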

4. Authentication Unique Keys and Salts.

This is really simple but is overlooked way, way too often. When most people install WordPress, all that happens is that wp-config-sample.php is renamed to wp-config.php with the values you entered (database name, database password, etc.) when you went to log into the WP admin during setup. If you locate your wp-config.php and open it up, scroll down a little and you will see the "Authentication Unique Keys and Salts" section, normally looking like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');


To fix this simply go to https://api.wordpress.org/secret-key/1.1/salt/ and copy and paste the freshly generated secret keys over the lines above. These keys can be changed at any time; changing them forces everyone to log back in again, so it is worth doing right after changing your password if you think you may have been hacked, since every session then has to validate against the password you are now using.
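The same rotation can be done without the web service. This is an added example (not from the post): a small PHP command-line script that regenerates all eight constants in a wp-config.php from the local CSPRNG and keeps a backup. The 64-character length and the character set are my choices; it matches only the single-quoted define lines in the form shown above.

```php
<?php
// Added example: php rotate-salts.php /path/to/wp-config.php
// Rewrites the eight WordPress keys and salts with fresh random values; every
// current login cookie stops verifying, so all users have to sign in again.

const WP_SECRET_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 64 characters from a printable set that excludes ' and \ so the value can
// sit inside the single-quoted PHP string without escaping (assumed set).
function wp_random_secret(int $length = 64): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_ []{}<>~+=,.;:/?|';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $out;
}

// Replace every define('CONSTANT', '...'); line for the eight names, whether it
// still holds the placeholder or an older secret. $count reports how many matched.
function rotate_wp_salts(string $config, ?int &$count = null): string {
    $names   = implode('|', WP_SECRET_CONSTANTS);
    $pattern = "/define\(\s*'($names)'\s*,\s*'[^']*'\s*\);/";
    return preg_replace_callback($pattern, function (array $m): string {
        return sprintf("define('%s', '%s');", $m[1], wp_random_secret());
    }, $config, -1, $count);
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $path     = $argv[1];
    $original = file_get_contents($path);
    if ($original === false) {
        fwrite(STDERR, "cannot read $path\n");
        exit(1);
    }
    $updated = rotate_wp_salts($original, $count);
    if ($count !== count(WP_SECRET_CONSTANTS)) {
        fwrite(STDERR, "expected 8 key/salt lines, found $count; nothing written\n");
        exit(1);
    }
    copy($path, $path . '.bak');          // keep the previous config for rollback
    file_put_contents($path, $updated, LOCK_EX);
    echo "rotated $count secrets in $path\n";
}
```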

5. Don't use the default wp_ database prefix.

Most people use a "1 Click Install" that many hosts have available these days to install WordPress on their server. While this is, of course, super nice and easy, most of the default prefixes used by these 1 Click Install packages are known to the naughty boys and girls. An especially critical one is the default prefix wp_ for your WordPress databases. Simply pick a unique prefix for it, I sometimes use the 1st letter of the day I'm installing WordPress with an acronym of the site name. So if I was installing WordPress on a Sunday and my site name was www.freehardcoregardengnomeporn.com I'd use the prefix fhcgnp_ as a database prefix. Think up your own ones though, obviously.

6. Protect your wp-config.php and .htaccess files.

As everyone should know by now, wp-config.php contains all the important information and details about your WordPress site, so it is an absolute must that it be protected from public viewing. You can do this really simply by including the following in your .htaccess file in the root of your WordPress installation:

<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, otherwise use "Require all denied"
order allow,deny
deny from all
</Files>


Obviously at this point it would be a good time to protect your .htaccess file itself from prying eyes, so you can simply add the following to it to lock it down:

<Files .htaccess>
# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, otherwise use "Require all denied"
order allow,deny
deny from all
</Files>


It's simple things like these that a lot of people do not do. It only takes a few seconds to add them and they will help you a lot, so there is no excuse for skipping them.