GoFuckYourself.com - Adult Webmaster Forum

Thread: Wordpress security question (https://gfy.com/showthread.php?t=1026527), in Fucking Around & Business Discussion

newB 06-14-2011 09:36 AM

Wordpress security question
 
Apparently someone has been trying to hack my site, trying to access plugin readme.txt files to get the version of wordpress and shit like that.

I've taken the usual security measures (at least they seem like the reasonable ones to me, but this is my first project with wordpress) such as removing the wp version indicators, adding plugin and theme index files, removing error indicators on login and relocating my login page. So far that seems to be keeping them out, but I'm concerned that it's only a matter of time before they find a way in.

Is there anything else I could do to better protect my site? Also, is this something most wordpress users have to deal with, or have I somehow made a target of myself?

I should add that all of the questionable hits are coming from a Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) user agent, but the IPs change daily, so obviously they are using proxies to mask their IP.

fris 06-14-2011 12:28 PM

I would only allow your IP in the admin; block all others out.

PhantomFrog 06-14-2011 07:12 PM

Quote:

Originally Posted by fris (Post 18215703)
I would only allow your IP in the admin; block all others out.

Words of wisdom from the mouths of babes.

Also ... get on the WordPress mailing list ... to keep your eyes open for updates! ... join WP forums ... stay in touch with the buzz.

DangerX !!! 06-14-2011 07:38 PM

"Wordpress" and "Security" are two incompatible meanings. Sorry but as long as it will be developed the way it is now your website and your server are in danger. Good luck though.

http://codex.wordpress.org/Hardening_WordPress

Kiopa_Matt 06-14-2011 07:44 PM

You could always buy xMarkPro (see sig). Next upgrade coming out tomorrow will also contain an automated backup & revert feature for domains (including WP blogs). For example, have your blogs backed up every 3 hours. If someone hacks it, it's the click of a mouse, and it's back online. Plus have your blogs automatically updated when WP releases new versions, ensuring you're always running the most stable version. :)

vdbucks 06-14-2011 07:46 PM

Quote:

Originally Posted by Kiopa_Matt (Post 18216543)
You could always buy xMarkPro (see sig). Next upgrade coming out tomorrow will also contain an automated backup & revert feature for domains (including WP blogs). For example, have your blogs backed up every 3 hours. If someone hacks it, it's the click of a mouse, and it's back online. Plus have your blogs automatically updated when WP releases new versions, ensuring you're always running the most stable version. :)

Well, there's a free plugin that does automated db backups. Emails them, saves them to disk, whatever you prefer. And updating WordPress automatically is a no-no... bad things can happen when you do that.

TheDoc 06-14-2011 07:50 PM

Lots of things to do with wp...

I've found you can't always block based on IP because some scripts use the ajax in the admin area... thus visiting your site can create a warning.

Give the plugin Login Lockdown a shot... it masks login errors, can set time-out limits on fails, etc., if someone happens to get to the login screen.

Another thing you can do is protect your wp-login.php with basic user/pass protection to access it. It's not an end-all, it's just another step. Drop this into your functions file, and set a user/pass...

Code:

  // Only hook the check when the login page itself is being requested.
  if ($_SERVER['PHP_SELF'] == "/wp-login.php") { add_action('init', 'login_init'); }

  function login_init() {
      $user = "YOUR-USERNAME";
      $pass = "YOUR-PASSWORD";
      // Deny unless credentials were sent AND both the username and the
      // password match; a request that gets only one of them right is refused.
      if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
          || $_SERVER['PHP_AUTH_USER'] !== $user
          || $_SERVER['PHP_AUTH_PW'] !== $pass) {
          header('WWW-Authenticate: Basic realm="wp-login"');
          header('HTTP/1.0 401 Unauthorized');
          exit;
      }
  }


Marquis85 06-15-2011 04:52 AM

Thanks for asking this question. One of my WP blogs was recently hacked and I'm trying to take all precautions necessary so it doesn't happen again.

fris 06-15-2011 05:23 AM

I wouldn't even let subscribers in the admin area. If you are just using it for a login system so they can comment, I would redirect anyone that you don't want to have access to wp-admin out of there.

raymor 06-15-2011 10:26 AM

Quote:

Originally Posted by DangerX !!! (Post 18216532)
"Wordpress" and "Security" are two incompatible meanings. Sorry but as long as it will be developed the way it is now your website and your server are in danger. Good luck though.

http://codex.wordpress.org/Hardening_WordPress

QFT. The Wordpress developers in general don't understand basic security concepts even when I explain it to them. I pointed out a significant security flaw repeatedly for over a year and none of the Wordpress devs could even understand that there was a problem until thousands of sites were hacked.

Secure, as much as possible, PHP itself. Make sure it's up to date, as PHP has recently started to suck a lot less in terms of security. If you have a version that's a couple years old you may as well post your FTP password on your front page. One example is "register globals", which is tied with "running suexec on a dedicated server" for the stupidest, most damaging thing anyone has ever done on a web server.

Once it's up to date, make sure the settings are right for reasonable security. fopen_url, for example, should be off by default, but make sure it is. Disabling a few functions including eval, exec, and popen will stop most crack scripts, but some legitimate scripts may need to be adjusted to work in that case. Similarly for an egress firewall, but now we're getting more into general server security and away from Wordpress.


All times are GMT -7.
