Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest
wordpress hacks
-
08-06-2013 5:06pm#1
Comments
-
-
-
I hope this helps.
WordPress Security Lockdown.
This security strategy is best implemented on new sites. It just makes everything (like renaming table prefixes) so much easier. Either way, you want to start with a clean batch of files. Upload a fresh copy of WordPress, update your plugins, theme files, and so on. You may want to redirect visitors to a maintenance page while you work on your site. That said, here is our five-step Security Lockdown for WordPress:
File Permissions
File Protection
Database Protection
Essential Plugins
Important Details
[1] File Permissions
After uploading fresh files, the next step is to ensure proper file permissions. WordPress defaults to 644 for files and 755 permissions for folders. Make sure these are set properly. While cleaning up, we noticed some crazy permission settings for sensitive files. For example, wp-config.php was set to 777 – executable and writable by the entire world!! Make sure you don’t see anything like that, and if you do, fix it.
[2] File Protection
In addition to setting proper file permissions, we can also lock down key files with .htaccess. There are numerous files to protect, perhaps most importantly the wp-config.php file, which contains your database login information. Place the following code in your site’s root .htaccess file to protect it:
# SECURE WP-CONFIG.PHP
<Files wp\-config\.php>
Order Deny,Allow
Deny from all
</Files>
You may also want to password-protect your wp-admin directory, but it may cause more trouble than it’s worth.
[3] Database Protection
Changing the default table prefix is one of the best ways to protect your database. Malicious scripts need targets, and default targets are easy to hit. Change wp_ to something more like a password. Some random string like “crUQZPadESeKSy8Q_” will make your tables difficult to hit. Like having a built-in password for your database
There are two ways to change your prefixes: the easy way and the hard way. The easy way is to add the following line to your wp-config.php file before installing WordPress (important: change the random string to something unique):
$table_prefix = 'crUQZPadESeKSy8Q_'; // custom table prefix
Do that before running the install script and WordPress takes care of the prefix naming automagically when it creates the database. Going forward, there is no reason not to change default prefixes for all future WordPress installs. For existing sites, you can do it the hard way using a plugin (404 link removed 2012/11/01) or doing it manually.
[4] Essential Plugins
After exploring the vast crop of WordPress security plugins, we narrowed it down to four plugins that collectively do just about everything in the easiest way possible:
WP File Monitor Plus
This plugin tracks changes made to your files. If/when anything changes, it notifies you via Admin Dashboard alert and/or email alert. So anytime a file is changed, moved, added, or removed, WP File Monitor lets you know. Here is a list of features:
Monitors file system for added/deleted/changed files
Sends email when a change is detected
Multiple email formats for alerts
Administration area alert to notify you of changes in case email is not received
Ability to monitor files for changes based on file hash or timestamp
Ability to exclude directories from scan
Site URL included in notification email in case plugin is in use on multiple sites
This is one of my favorite plugins. It’s perfect for keeping an eye on things. If anyone gets in and messes around with your files, you’ll know about it immediately, and even better, you’ll know exactly which files have been affected.
WP Security Scan
This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. The scan report informs you of any problems with file permissions, system variables, and much more:
Passwords
File permissions
Database security
Version hiding
WordPress admin protection/security
Removes WP Generator META tag from core code
WP Security Scan also provides a nice summary of server information and latest scan information. Performing a new scan is immediate with the click of a button. Very easy.
Ultimate Security Checker
This plugin provides even more security information, helping you to identify potential issues with your WordPress installation. It scans your site for “hundreds of known threats,” and then “grades” your level of site security. Here are some of the key things it checks:
Checks for updates
Checks configuration file
Checks if config file is located in unsecured place
Checks presence of install script
Checks server configuration
Checks database
Checks code
And quite a bit more. The best part about Ultimate Security Check is that it’s so easy to use.
Secure WordPress
This plugin takes care of all those “little” things. Instead of installing a bunch of smaller plugins or custom functions for this stuff, the Secure WordPress plugin does it all for you:
Removes error-information on login-page
Adds index.php plugin-directory (virtual)
Removes the wp-version, except in admin-area
Removes Really Simple Discovery
Removes Windows Live Writer
Remove core update information for non-admins
Remove plugin-update information for non-admins
Remove theme-update information for non-admins (only WP 2.8 and higher)
Hide wp-version in backend-dashboard for non-admins
Block Bad Queries
Having all of this (and much more) done with a few clicks in the WordPress Admin is easy and effective.
[5] Important Details
The previous four steps comprise the majority of our security lockdown, but there are some important details to consider:
Keep your WordPress install, plugins, themes, and scripts updated with current versions
Use strong passwords and change them often
Disable user registration if not needed/used for your site
Check roles and permissions for all users
Clean up and consolidate old/loose files
Remove unused plugins and themes
Check permissions of upload, upgrade, and backup directories
Keep a backup of your site files
Keep your database optimized and backed up
We did these things here at DigWP.com, but certain tips may not apply to every site. As a side note, despite our new security lockdown, I am still concerned/confused about how to handle the upload, upgrade, and backup directories. It seems dangerous to leave these folders set with 777 permissions, and for many shared hosts, that seems to be the required setting. I would be interested in hearing any ideas about securing these directories.
Bottom Line
There is no such thing as perfect security. If someone wants in bad enough, they’re going to find a way, despite your best efforts at staying secure. Fortunately, most malicious scripts target the least common denominator, default WordPress installs. At the very least, ensure proper file permissions, secure wp-config.php, and use unique database prefixes. Together, these three steps will put your site out of reach for a vast majority of malicious scripts and other automated attacks. Of course, there are many other ways to strengthen your site’s security, depending on how far you want to go with it. The lockdown strategy presented in this article provides strong security in the most efficient way possible, but there is always room for improvement, so share your ideas and help the community secure their WordPress.
Link for Security Lockdown:
http://digwp.com/2010/07/wordpress-security-lockdown/0 -
I hope this helps.
WordPress Security Lockdown.
This security strategy is best implemented on new sites. It just makes everything (like renaming table prefixes) so much easier. Either way, you want to start with a clean batch of files. Upload a fresh copy of WordPress, update your plugins, theme files, and so on. You may want to redirect visitors to a maintenance page while you work on your site. That said, here is our five-step Security Lockdown for WordPress:
File Permissions
File Protection
Database Protection
Essential Plugins
Important Details
[1] File Permissions
After uploading fresh files, the next step is to ensure proper file permissions. WordPress defaults to 644 for files and 755 permissions for folders. Make sure these are set properly. While cleaning up, we noticed some crazy permission settings for sensitive files. For example, wp-config.php was set to 777 – executable and writable by the entire world!! Make sure you don’t see anything like that, and if you do, fix it.
[2] File Protection
In addition to setting proper file permissions, we can also lock down key files with .htaccess. There are numerous files to protect, perhaps most importantly the wp-config.php file, which contains your database login information. Place the following code in your site’s root .htaccess file to protect it:
# SECURE WP-CONFIG.PHP
<Files wp\-config\.php>
Order Deny,Allow
Deny from all
</Files>
You may also want to password-protect your wp-admin directory, but it may cause more trouble than it’s worth.
[3] Database Protection
Changing the default table prefix is one of the best ways to protect your database. Malicious scripts need targets, and default targets are easy to hit. Change wp_ to something more like a password. Some random string like “crUQZPadESeKSy8Q_” will make your tables difficult to hit. Like having a built-in password for your database
There are two ways to change your prefixes: the easy way and the hard way. The easy way is to add the following line to your wp-config.php file before installing WordPress (important: change the random string to something unique):
$table_prefix = 'crUQZPadESeKSy8Q_'; // custom table prefix
Do that before running the install script and WordPress takes care of the prefix naming automagically when it creates the database. Going forward, there is no reason not to change default prefixes for all future WordPress installs. For existing sites, you can do it the hard way using a plugin (404 link removed 2012/11/01) or doing it manually.
[4] Essential Plugins
After exploring the vast crop of WordPress security plugins, we narrowed it down to four plugins that collectively do just about everything in the easiest way possible:
WP File Monitor Plus
This plugin tracks changes made to your files. If/when anything changes, it notifies you via Admin Dashboard alert and/or email alert. So anytime a file is changed, moved, added, or removed, WP File Monitor lets you know. Here is a list of features:
Monitors file system for added/deleted/changed files
Sends email when a change is detected
Multiple email formats for alerts
Administration area alert to notify you of changes in case email is not received
Ability to monitor files for changes based on file hash or timestamp
Ability to exclude directories from scan
Site URL included in notification email in case plugin is in use on multiple sites
This is one of my favorite plugins. It’s perfect for keeping an eye on things. If anyone gets in and messes around with your files, you’ll know about it immediately, and even better, you’ll know exactly which files have been affected.
WP Security Scan
This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. The scan report informs you of any problems with file permissions, system variables, and much more:
Passwords
File permissions
Database security
Version hiding
WordPress admin protection/security
Removes WP Generator META tag from core code
WP Security Scan also provides a nice summary of server information and latest scan information. Performing a new scan is immediate with the click of a button. Very easy.
Ultimate Security Checker
This plugin provides even more security information, helping you to identify potential issues with your WordPress installation. It scans your site for “hundreds of known threats,” and then “grades” your level of site security. Here are some of the key things it checks:
Checks for updates
Checks configuration file
Checks if config file is located in unsecured place
Checks presence of install script
Checks server configuration
Checks database
Checks code
And quite a bit more. The best part about Ultimate Security Check is that it’s so easy to use.
Secure WordPress
This plugin takes care of all those “little” things. Instead of installing a bunch of smaller plugins or custom functions for this stuff, the Secure WordPress plugin does it all for you:
Removes error-information on login-page
Adds index.php plugin-directory (virtual)
Removes the wp-version, except in admin-area
Removes Really Simple Discovery
Removes Windows Live Writer
Remove core update information for non-admins
Remove plugin-update information for non-admins
Remove theme-update information for non-admins (only WP 2.8 and higher)
Hide wp-version in backend-dashboard for non-admins
Block Bad Queries
Having all of this (and much more) done with a few clicks in the WordPress Admin is easy and effective.
[5] Important Details
The previous four steps comprise the majority of our security lockdown, but there are some important details to consider:
Keep your WordPress install, plugins, themes, and scripts updated with current versions
Use strong passwords and change them often
Disable user registration if not needed/used for your site
Check roles and permissions for all users
Clean up and consolidate old/loose files
Remove unused plugins and themes
Check permissions of upload, upgrade, and backup directories
Keep a backup of your site files
Keep your database optimized and backed up
We did these things here at DigWP.com, but certain tips may not apply to every site. As a side note, despite our new security lockdown, I am still concerned/confused about how to handle the upload, upgrade, and backup directories. It seems dangerous to leave these folders set with 777 permissions, and for many shared hosts, that seems to be the required setting. I would be interested in hearing any ideas about securing these directories.
Bottom Line
There is no such thing as perfect security. If someone wants in bad enough, they’re going to find a way, despite your best efforts at staying secure. Fortunately, most malicious scripts target the least common denominator, default WordPress installs. At the very least, ensure proper file permissions, secure wp-config.php, and use unique database prefixes. Together, these three steps will put your site out of reach for a vast majority of malicious scripts and other automated attacks. Of course, there are many other ways to strengthen your site’s security, depending on how far you want to go with it. The lockdown strategy presented in this article provides strong security in the most efficient way possible, but there is always room for improvement, so share your ideas and help the community secure their WordPress.
Link for Security Lockdown:
http://digwp.com/2010/07/wordpress-security-lockdown/
Some great info for preventative action there many thanks. I would like to achieve as much as I can without plug ins as you mentioned they can be the back doors to the probs0 -
-
Advertisement
-
The most recent problem with Wordpress hacks is the Social Media plugin. There are at least 783 compromised websites in the Irish webspace. Most of the recently compromised Wordpress sites have had loan links inserted into them.
http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
Regards...jmcc
I use custom post templates quiet a lot and think this might be a sec backdoor I'll check chmod but I don't think this will stop content injections
I'd say if I could rename the field that the_content() function uses I would be safe from generic attacks as the other fields that I have defined in functions.PHP are never touched. Is wp fence any good? 0 -
-
-
Not sure. It might be worth asking for advice on the Web Design forum here as some people there use Wordpress as a development tool and might be more up to speed on the issue. This one seems to have been malicious code that was added to the plugin at the development stage so all installations using that particular plugin were affected. The immediate action would be to deactivate the plugin or upgrade it. The later version apparently has the malicious code removed.swordsinfo wrote: »I use custom post templates quiet a lot and think this might be a sec backdoor I'll check chmod but I don't think this will stop content injections I'd say if I could rename the field that the_content() function uses I would be safe from generic attacks as the other fields that I have defined in functions.PHP are never touched. Is wp fence any good?
Regards...jmcc0 -
-
Advertisement
-
-
-
-
Advertisement