GoFuckYourself.com - Adult Webmaster Forum

-   -   Tech Our weblog network got hacked. Tips please! (https://gfy.com/showthread.php?t=1152971)

Mediamix 10-27-2014 06:26 AM

Our weblog network got hacked. Tips please!
 
Hello,

I have a small network with free blogs. Runs on Wordpress.
I'm not a n00b, but when it comes to security I'm just a fucking retard.
What is the best way to secure a Wordpress blog? Which plugins do I need?
What do I have to change on the server?

Please help! :(

http://i.imgur.com/ywdoAirl.png

TeenCat 10-27-2014 06:28 AM

use only known plugins, change the admin url from wp-admin to something else, use the login attempts limitation, and use a good password of course ... just for the start ... have luck :)

Mediamix 10-27-2014 06:32 AM

Quote:

Originally Posted by TeenCat (Post 20267842)
use only known plugins, change the admin url from wp-admin to something else, use the login attempts limitation, and use a good password of course ... just for the start ... have luck :)

Yeah, just looked at the limited login attempts plugin.. That's the first thing I'm going to change. Moving the login url is the second..

First time one of my websites is hacked in 10 years. Maybe now I will take security more serious.

TROLLENSTEIN 10-27-2014 07:03 AM

Hello, from what I saw before you installed WP over the top of the infected site, it was an XSS exploit against a vulnerable plugin. You really should have kept the site up until someone could ID which plugin was exploited so it could be fixed properly. :2 cents:

MrGusMuller 10-27-2014 07:21 AM

Jizzzz

Backup ur db and install them from scratch.
Be aware of the content....

Buy/rent a new server and install fresh WP...
Protect the blogs with cloudflare.

Mediamix 10-27-2014 07:31 AM

Quote:

Originally Posted by TROLLENSTEIN (Post 20267874)
Hello, from what I saw before you installed WP over the top of the infected site, it was an XSS exploit against a vulnerable plugin. You really should have kept the site up until someone could ID which plugin was exploited so it could be fixed properly. :2 cents:

As I said.. I'm a retard when it comes to security. But I'm learning everyday. :)

Quote:

Originally Posted by MrGusMuller (Post 20267893)
Jizzzz

Backup ur db and install them from scratch.
Be aware of the content....

Buy/rent a new server and install fresh WP...
Protect the blogs with cloudflare.

Thanks for the tips! :thumbsup

TROLLENSTEIN 10-27-2014 07:36 AM

Quote:

Originally Posted by Mediamix (Post 20267911)
As I said.. I'm a retard when it comes to security. But I'm learning everyday. :)

No problem, it is good to see people willing to learn. :) I wrote a blog on how to harden WordPress that you can read on that other forum that starts with X, but can post it here if you would like.

Mediamix 10-27-2014 07:40 AM

Quote:

Originally Posted by TROLLENSTEIN (Post 20267922)
No problem, it is good to see people willing to learn. :) I wrote a blog on how to harden WordPress that you can read on that other forum that starts with X, but can post it here if you would like.

Posting it here would be great! :thumbsup

suesheboy 10-27-2014 07:40 AM

A friend who has a site that supplies police and federal departments just got the same hack.

Site set up by the IT guy of one of the nation's largest police forces. Makes you wonder if anyone knows anything....

Marshal 10-27-2014 07:44 AM

Quote:

Originally Posted by Mediamix (Post 20267911)
As I said.. I'm a retard when it comes to security. But I'm learning everyday. :)

glad to hear that! keep up the good work! :thumbsup

Do all the things the guys above me suggested to you. Then check out the source code of your pages, try to identify plugins which leave HTML comments, and remove them from the source code. Try to use cache plugins which do HTML/JS/CSS code minifying. That way it would be much harder (if not impossible) to read the actual code and identify vulnerable plugins.

Denny 10-27-2014 07:47 AM

http://codex.wordpress.org/Hardening_WordPress

TROLLENSTEIN 10-27-2014 07:52 AM

Hardening WordPress - Part 1.
Jul 06, 2014 07:55pm

WordPress is the most popular blogging and CMS system on the Internet which, obviously, makes it a juicy target for hackers. Using WordPress as your CMS of choice means that you have to make some extra efforts to stop these naughty boys and girls from ruining your hard work at the press of a few keys.


** It is important to mention that these measures don't guarantee a 100% protection against hacking attempts, simply because a 100% secure website doesn't exist, but they will help against the majority of attacks. **


1. Keep WordPress up to date.

This seems like a no-brainer for most people, but you would be very surprised just how lazy Adult webmasters are when it comes to keeping their WP site up to date. I don't recommend using auto-updating to do this as sometimes it can result in broken sites. You don't even need to do anything to check this, you can simply signup to http://wordpress.org/list/ and you'll be emailed the instant an update is available. If you don't want to give out your email you can use a plugin, for example WP Updates Notifier by Scott Cariss (http://wordpress.org/plugins/wp-updates-notifier/). Using the plugin you can set how often it will check (via CRON) for updates. I'd recommend once per hour.

2. Stop Wordpress helping the hackers.

The most popular and easiest method someone will use against your site is a Brute Force attack. Brute Force just means running through combinations of usernames and passwords until they get lucky. The main problem with WordPress itself is that it is a big help to the attackers due to the very helpful error messages it spits out. This is especially worrying on the WP Login Page. When you enter a wrong password or an invalid username, WordPress replies with an error message stating which is wrong. So if a hacker gets one thing right, the error message will help them identify that. Best practice is to simply remove the error message entirely. Locate your functions.php in your theme folder and add the following to it:

// Replace the login error text with nothing, so the form no longer reveals
// whether it was the username or the password that was wrong.
add_filter('login_errors', function ($error) { return ''; });

This will remove the helpful error messages from the Login screen and, most importantly, will annoy/stop 99% of the current WP brute force scripts/worms.

3. Default settings are like handing over the keys.

Never use "admin" as a username. Ever. Pick something unique. Don't, obviously, use your nickname that you use on public forums etc. And, it goes without saying, never ever use the same password twice. And make them strong. By strong I mean mix up letters and numbers. Don't use LetMeIn1234, use L3Tme1N1two3four etc. As I mentioned above, if you use say "admin" as a username then WordPress will tell me that user exists, but the password I entered is wrong. So instantly I have cut my work in half as I now know the username and just have to work on your password. You can also annoy the naughty people by using a plugin like Login Lockdown by mvandemar (http://wordpress.org/plugins/login-lockdown/) which will block IPs that try to access your wp-login.php too often within a time frame you set.

4. Authentication Unique Keys and Salts.

This is really simple but is overlooked way, way too often. When most people install WordPress all that happens is wp-config-sample.php is renamed to wp-config.php with values you have entered (database name, database password, etc) when you go to log into the WP admin during setup. If you locate your wp-config.php and open it up, scroll down a little bit and you will see the "Authentication Unique Keys and Salts." normally looking like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');


To fix this simply go to https://api.wordpress.org/secret-key/1.1/salt/ and then simply copy and paste over the above with the freshly generated secret keys. These keys can be changed at any time, especially after changing your password to force everyone to log back in again and validate the latest password you are using if you think you may have been hacked etc.

5. Don't use the default wp_ database prefix.

Most people use a "1 Click Install" that many hosts have available these days to install WordPress on their server. While this is, of course, super nice and easy, most of the default prefixes used by these 1 Click Install packages are known to the naughty boys and girls. An especially critical one is the default prefix wp_ for your WordPress databases. Simply pick a unique prefix for it, I sometimes use the 1st letter of the day I'm installing WordPress with an acronym of the site name. So if I was installing WordPress on a Sunday and my site name was www.freehardcoregardengnomeporn.com I'd use the prefix fhcgnp_ as a database prefix. Think up your own ones tho, obviously.

6. Protect your wp-config.php and .htaccess files.

As everyone should know by now the wp-config.php contains all the important information and details about your WordPress site, so it is an absolute must that it be protected from public viewing. You can do this really simply by including the following in your .htaccess file in the root of your Wordpress installation:

<Files wp-config.php>
order allow,deny
deny from all
</Files>


Obviously at this point it would be a good time to protect your .htaccess file itself from prying eyes, so you can simply add the following to it to lock it down:

<Files .htaccess>
order allow,deny
deny from all
</Files>


It's simple things like these that a lot of people do not do. It only takes a few seconds to add them and they will help you a lot, so there is no excuse in skipping them.

TROLLENSTEIN 10-27-2014 07:52 AM

7. Hide your WordPress version.

This is an important one, very important actually. Simply by using Google a naughty person can search for sites using an out of date WordPress installation and target it using one of the exploits available for the out of date version. If you take a look at the source code of your WordPress site you can see this between the <head></head> HTML tags:

<meta name="generator" content="WordPress 3.x.x" /> (the x.x is the specific WordPress Version)

So all they have to do is ask Google to search for the out of date WordPress string and up pops sites galore for them to attempt to plunder. So it's obviously best to stop WordPress inserting the generator meta tag into your site. You can do this by opening up the functions.php of the theme you are using and adding this to the top or bottom of it:

add_filter('the_generator', 'xbiz_complete_version_removal');
function xbiz_complete_version_removal() {
return '';
}


Now when WordPress generates the HTML for your site the generator tag will not appear. You should also delete the readme.html file in the WordPress root folder of your site as it contains the version number right at the top, which is ridiculous.

8. Directory Indexing. Stop that.

To check for directory indexing you can browse to folder locations on your site and see if you get a response that includes 'Index Of' and a list of folders / files. Common locations to check would be:

/wp-content/
/wp-content/plugins/
/wp-content/themes/


If any of these show a list of the files they contain you need to lock these down ASAP. You can disable Directory Indexing a number of ways, the quickest is to simply add:

<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>


to your .htaccess file in the root folder of your site. You can also simply create a blank index.php file and upload it to the folders that are showing their contents in your browser if you prefer not to mess with your .htaccess file.

9. Disable file editing via the dashboard.

Every day there are new bugs and exploits found for WordPress, it's just one of those things. Now if an exploit is found that gives one of the naughty boys and girls access to your WordPress admin panel, or they do guess your login details, on a default WordPress installation they can simply navigate to Appearance > Editor and edit and execute any code they wish right from your WordPress dashboard. To prevent this simply add:

define( 'DISALLOW_FILE_EDIT', true );

to your wp-config.php file and that will prevent them going bananas via your own dashboard in the event they actually do get in.

10. If you're doing this seriously, spend a little money. And backups.

Everything I've said so far can be bypassed by the one hack tool that never, ever, fails: Human stupidity. If you are on $5 a month shared hosting you not only have to worry about protecting your own stuff you also have the constant worry that some idiot on the same server as you will do something dumb and open up the entire server for the naughty boys and girls to plunder. If you're in this for more than a hobby and beer tokens get yourself your own server, go with a managed option if you know nothing about servers, but spend a little bit of money to protect your work.

Now, I'm not advocating that all shared hosts are useless, far from it. But what I am saying is you ARE taking a chance on months and months and months of your hard work, tweaking, updates, etc, being wiped out in seconds due to something YOU did not do. Remember, all it takes is for 1 person on the shared host to install a hacked script, theme, plugin, whatever and your efforts of building traffic, updating your site with content every day, spending all that time, etc can vanish in seconds. So if you are on shared hosting backup your site every single day. I mean that. Every single day.

There are a myriad of backup tools you can use so I'll talk about those and more ways to secure your WordPress site in Part 2...

There ya go. :)
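An added audit script (not part of the guide above, and not a WordPress or forum project's own code) that checks a wp-config.php and a root .htaccess for the items from sections 4, 5, 6, 8 and 9: placeholder or missing keys and salts, the default wp_ table prefix, a missing DISALLOW_FILE_EDIT, unprotected wp-config.php/.htaccess, and directory indexing left on. The two sample files embedded at the top are constructed to show an unhardened install; point the functions at your own files to audit a real one.

```python
"""Audit wp-config.php and .htaccess for the hardening items in the guide above."""
import re

# Constructed sample inputs (an unhardened install) so the script runs stand-alone.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""
SAMPLE_HTACCESS = """# BEGIN WordPress
RewriteEngine On
# END WordPress
"""

DEFAULT_PHRASE = "put your unique phrase here"   # value shipped in wp-config-sample.php
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def audit_wp_config(text):
    """Return a list of findings for wp-config.php (guide items 4, 5 and 9)."""
    findings = []
    # Item 4: every key/salt must be defined, not the sample placeholder, and reasonably long.
    for name in KEY_NAMES:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"](.*?)['\"]\s*\)" % name, text)
        if m is None or m.group(1) == DEFAULT_PHRASE or len(m.group(1)) < 32:
            findings.append("weak or default %s" % name)
    # Item 5: the table prefix should not be the default wp_.
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m is None or m.group(1) == "wp_":
        findings.append("default table prefix wp_")
    # Item 9: DISALLOW_FILE_EDIT must be defined as true to turn off the dashboard editor.
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        findings.append("DISALLOW_FILE_EDIT not set")
    return findings


def audit_htaccess(text):
    """Return a list of findings for the root .htaccess (guide items 6 and 8)."""
    findings = []
    # Item 6: both files need a <Files> block that denies all access
    # (the guide's Apache 2.2 "deny from all" or the 2.4 "Require all denied").
    for fname in ("wp-config.php", ".htaccess"):
        block = re.search(r"<Files\s+%s>(.*?)</Files>" % re.escape(fname), text, re.S | re.I)
        if block is None or not re.search(r"deny from all|Require all denied", block.group(1), re.I):
            findings.append("%s not blocked from public access" % fname)
    # Item 8: directory listings are off only if an Options line carries -Indexes.
    if not re.search(r"^\s*Options\s+.*-Indexes", text, re.M | re.I):
        findings.append("directory indexing not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG) + audit_htaccess(SAMPLE_HTACCESS):
        print("FINDING:", finding)
```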

Mediamix 10-27-2014 08:08 AM

Thanks TROLLENSTEIN!

I'm learning more today than in all those years I went to school. Haha. :1orglaugh

Mediamix 10-27-2014 08:12 AM

Quote:

Originally Posted by Marshal (Post 20267942)
glad to hear that! keep up the good work! :thumbsup

Do all the things the guys above me suggested to you. Then check out the source code of your pages, try to identify plugins which leave HTML comments, and remove them from the source code. Try to use cache plugins which do HTML/JS/CSS code minifying. That way it would be much harder (if not impossible) to read the actual code and identify vulnerable plugins.

I got a lot of reading and learning to do.. But that's not bad. I always kept myself busy with the content of my websites and SEO.
This is just a new chapter in my life. It's better to be an all-round webmaster...

WDF 10-27-2014 10:02 AM

Use a plugin named Bulletproof Security and check daily for updates.

If you manage your own hosting a Software Firewall like CSF/LFD helps as does a WAF (Web Application Firewall) like mod_security.

If you are on shared hosting these are questions you should be asking your hosting provider if they have/use them or something similar.

anexsia 10-27-2014 04:07 PM

Quote:

Originally Posted by WDF (Post 20268132)
Use a plugin named Bulletproof Security and check daily for updates.

If you manage your own hosting a Software Firewall like CSF/LFD helps as does a WAF (Web Application Firewall) like mod_security.

If you are on shared hosting these are questions you should be asking your hosting provider if they have/use them or something similar.

This :thumbsup

There are several decent security plugins like Wordfence, iThemes Security, etc that you could install (in fact Wordfence saved my ass once and cleaned out some malware on one of my Wordpress installs, worked amazing.) - those plugins will usually protect your wp-login.php from bruteforce attacks, allow you to scan for malware, and some will keep track of any files that have changed. Also if you don't use it, disable XMLRPC.

Make sure you set the right permissions for your files and folders - and KEEP EVERYTHING UP-TO-DATE!!! I can't stress that enough! Don't use a lot of plugins (and keep them up to date) and do NOT use any "free" themes that you come across from searching via Google unless you know for sure they are clean (go through them with a scanner and open up files looking for any suspicious coding).
http://codex.wordpress.org/Hardening_WordPress

If this is on a VPS or dedicated server then I would hope you would already have a firewall setup, CSF, UFW, or just iptables without all that other stuff (or bare minimal lock down ports and install Fail2ban). You can install mod_security and look for wordpress rules.

Mediamix 10-27-2014 05:26 PM

Quote:

Originally Posted by anexsia (Post 20268672)
This :thumbsup

There are several decent security plugins like Wordfence, iThemes Security, etc that you could install (in fact Wordfence saved my ass once and cleaned out some malware on one of my Wordpress installs, worked amazing.) - those plugins will usually protect your wp-login.php from bruteforce attacks, allow you to scan for malware, and some will keep track of any files that have changed. Also if you don't use it, disable XMLRPC.

Make sure you set the right permissions for your files and folders - and KEEP EVERYTHING UP-TO-DATE!!! I can't stress that enough! Don't use a lot of plugins (and keep them up to date) and do NOT use any "free" themes that you come across from searching via Google unless you know for sure they are clean (go through them with a scanner and open up files looking for any suspicious coding).
http://codex.wordpress.org/Hardening_WordPress

If this is on a VPS or dedicated server then I would hope you would already have a firewall setup, CSF, UFW, or just iptables without all that other stuff (or bare minimal lock down ports and install Fail2ban). You can install mod_security and look for wordpress rules.

I didn't use many plugins.. Only things like Jetpack and a few other trusted stuff. But thanks. You also provided some information I can work with.

Next time it will be a lot harder for those bitches to attack us. :winkwink:

Coup 10-27-2014 07:21 PM

1. Dehumanize yourself

2. Face to bloodshed

Seth Manson 10-27-2014 08:22 PM

Quote:

Originally Posted by Mediamix (Post 20267838)
Runs on Wordpress.

Found your problem. :winkwink:

gebu 10-27-2014 10:00 PM

Check out incapsula.com

WDF 10-28-2014 10:38 AM

Quote:

Originally Posted by gebu (Post 20268922)
Check out incapsula.com

Cloudflare does pretty much everything incapsula does for free.

A good Wordpress security resource is here

baddog 10-28-2014 10:49 AM

Change your passwords, delete any plugins or databases that you are not using. Manually update your scripts.

Diomed 10-28-2014 04:45 PM

Good info.

Mediamix 10-28-2014 05:12 PM

Quote:

Originally Posted by Seth Manson (Post 20268863)
Found your problem. :winkwink:

You're a funny dude.. :pimp

Mediamix 10-28-2014 05:13 PM

Quote:

Originally Posted by gebu (Post 20268922)
Check out incapsula.com

Will do! :thumbsup
