Forum Moderators: mack
Then I realized I was hacked a month later. The support people keep saying that I must update my password regularly to protect my domain but this has never happened on any other webhost, like GoDaddy.
Please help me out here guys what do I do...what are the best practices to stop this from happening again?
If you still get hacked, change hosts.
* Many people take the wrong approach to securing scripts, in that they attempt to "filter out" what they don't want to accept as input. SQL injection attacks are based on this error.
A better approach is to filter input based on what you *will* accept, and reject everything else. If you think about the effects of an error or omission using each of these approaches, the advantages of the "allow-only" approach become clear.
For example, if you use the "filter out bad input" approach and you forget to filter out a particular string, then that string can be used to hack your site. On the other hand, if you forget to allow a certain harmless and valid string while using the "allow only this input" approach, then your site will be broken temporarily. While that may not sound attractive, the fact is that such a problem is one that can be very quickly discovered and corrected -- and more importantly, it won't result in a hack.
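The two failure modes described in the post above, side by side, as an added example that is not part of the original post. The field names, patterns and sample values are constructed for illustration; the block list is deliberately incomplete and the `slug` pattern deliberately forgets the hyphen.

```python
import re

# Block-list approach: reject input containing strings known to be bad.
# Constructed and incomplete, as such lists tend to be in practice.
BLOCKED_SUBSTRINGS = ("'", '"', ";", "--", "/*", "union", "<script")

def blocklist_accepts(value: str) -> bool:
    lowered = value.lower()
    return not any(bad in lowered for bad in BLOCKED_SUBSTRINGS)

# Allow-list approach: state exactly what each field may contain.
# Hypothetical fields for a blog script.
ALLOWED = {
    "post_id": re.compile(r"[0-9]{1,9}"),
    "slug": re.compile(r"[a-z0-9]{1,64}"),  # omission: hyphen forgotten
    "order": re.compile(r"asc|desc"),
}

def allowlist_accepts(field: str, value: str) -> bool:
    pattern = ALLOWED.get(field)
    # Unknown fields are rejected as well: nothing is accepted by default.
    return pattern is not None and pattern.fullmatch(value) is not None

# Constructed sample requests: (field, value)
SAMPLES = [
    ("post_id", "42"),             # valid
    ("post_id", "42 OR 1=1"),      # not on the block list, so it slips through
    ("slug", "my-first-post"),     # harmless, but the allow list forgot "-"
    ("order", "desc"),             # valid
    ("debug", "1"),                # field the script never declared
]

def compare(samples=SAMPLES):
    """Return (field, value, blocklist_result, allowlist_result) per sample."""
    return [(f, v, blocklist_accepts(v), allowlist_accepts(f, v))
            for f, v in samples]

if __name__ == "__main__":
    for field, value, by_block, by_allow in compare():
        print(f"{field}={value!r:20} blocklist={by_block!s:5} allowlist={by_allow}")
```

The omission in the block list lets a hostile value through silently, while the omission in the allow list shows up at once as a rejected legitimate slug.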
Usually, you go to the log file to fetch information about your hacker or see any strange URL being called, etc.
Not sure that changing your password regularly will help. Make sure all your plugins are up to date and do a search on the net for each name, "[plugin name] hack", to see if your plugins are vulnerable.
My website was hacked...
It's not only here either but all over the Internet. Websites are getting hacked by the second and being exploited to the nth degree.
See what happens when an Open Source Software package goes mainstream? I've never been real fond of the Open Source thingamabob until recently. We're rebuilding WordPress on Windows and redoing everything to avoid these types of things to the best of our ability anyway. ;)
I've read some stories recently where free themes have been the underlying source of hacks and some of them are pretty brazen. And then of course you have the plugins. Running a WordPress website has become a challenge to say the least, unless you are running a hosted solution with WP themselves. Even then, there are still constant attempts to find new exploits.
WordPress need to do something soon to nip this in the bud. Maybe all WP installations need to be monitored by one resource? Maybe by the creators of the platform? I know, that would be a monumental task but, something has to give. This whole hacking thing is out of hand. How far out of hand? Enough to where websites are now being tagged in the SERPs as being unsafe.
Google have their own problems in this area. Their blogging platform is getting hacked at this very second. I KNOW, I'll get Google Alerts sometime today referencing company names and leading me to hacked and/or spammed Google Blogs. What a mess they have over there. I look at the host names on these Google Alerts and have to wonder how they even get by the system.
WordPress users beware, that is all I can say. I'm getting ready to join you too but with a different platform to avoid the issues regular WP users run into. We don't want to deal with that. ;)
If you are on a shared server you are being hacked within the server.
You can't just replace the one file, they usually leave a backdoor.
If you are on a vps or dedicated, when you are hacked you need to replace all system files otherwise they will leave a backdoor to get in again.
You are likely getting hacked via plugins or other software on your account that's not completely vetted.
If you are on a vps or dedicated you need a serious firewall like CSF.
Oh and if you have public directories with chmod 777, the attack could be coming from anywhere on your shared host.
Make sure your server is running a firewall like CSF or APF
(if on a shared host and they are not, change hosts)
Make sure your server has the most current version of apache+PHP
(if on a shared host and they are not, change hosts)
Make sure your PHP has security restrictions like open_basedir
(if on a shared host and they don't use it, change hosts)
Make sure you don't have public directories that are chmod 777 on a shared host
Recommended: remove version number announcements from apache, php and wordpress
Recommended: remove xmlrpc.php from wordpress
Consider getting your own VPS so you can set up security properly.
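A small audit for two items on the checklist above (world-writable paths such as chmod 777 directories, and the presence of xmlrpc.php), as an added example that is not part of the original post. The function name `audit_webroot` is hypothetical; pass your own site root as the argument.

```python
import os
import stat
import sys

def audit_webroot(root):
    """Walk root and return (world_writable, xmlrpc) lists of relative paths."""
    world_writable, xmlrpc = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip it
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            rel = os.path.relpath(path, root)
            # S_IWOTH is the "other users may write" bit, set by 777 and 666.
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
            if name == "xmlrpc.php" and stat.S_ISREG(st.st_mode):
                xmlrpc.append(rel)
    return sorted(world_writable), sorted(xmlrpc)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    writable, xmlrpc = audit_webroot(root)
    for rel in writable:
        print("world-writable:", rel)
    for rel in xmlrpc:
        print("xmlrpc.php present:", rel)
    # Non-zero exit status when anything was found, for use in cron jobs.
    sys.exit(1 if (writable or xmlrpc) else 0)
```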
Guys this is too frustrating, my Wordpress website has been hacked twice and on both occasions I think they are trying to extort me
Extortion implies somebody wants something from you, (money maybe)... So, what do you mean by that statement?
"Hacked"... What do you mean by this? Site defaced? Comment spam? Site diverted?
Other than a public defacement where the hacker is just showing they can change your site, anyone with monetary gain in mind will have inserted a redirect to their own site, Adsense code, etc.
Someone trying to extort something from you will be telling you, "Leave an envelope containing XYZ... and come alone"...
So, please explain more what is happening to your site.
Other software may also have vulnerabilities but nothing I've ever read about has the same level or even comes close to comparing to the hacker-friendly Swiss cheese holes of WordPress and/or its plug-ins.
Your safest bet is no WordPress whatsoever.
[edited by: incrediBILL at 12:59 am (utc) on Oct. 26, 2008]
Your safest bet is no WordPress whatsoever.
That's not fair, at all. Every major blog or cms software has been hacked at one time or another. Movabletype, Drupal, Joomla all have security vulnerability fixes every few months.
WordPress just has far more users so it gets far more attention.
Most of all, we still don't know if this was WordPress related.
What if they spend a week changing software and get hacked again?
That's not fair, at all.
Not everything is fair.
Trying to secure WordPress is a nightmare, the hacker's dream under constant search and invade, and the only way to get rid of a nightmare is to wake up and use something less of a target and more secure.
It's like a car accident, I didn't have to cause the situation to know enough to take the side streets to avoid it.
Not to tempt fate but my oldest WordPress blog is from 2004 and I have dozens of clients using WP as well. No one has been hacked. Maybe I'm just lucky, or maybe it's the way I run my servers? I dunno. Nothing is bulletproof, the key is to keep on top of things (and nothing beats a good backup routine).
But it's hard to keep up with all the updates and such, especially if you aren't in it all the time.
(not everyone spends as much time online as the denizens of WebmasterWorld ;))
the answer is to make WordPress not "look" like WordPress.
That's even worse because upgrading to get patches is no longer simple so people procrastinate and it's usually beyond the ability of most webmasters without the assistance of a programmer.
Hackers don't procrastinate.
If you are saying using WordPress makes you a target then maybe the answer is to make WordPress not "look" like WordPress. You can rename the wp-admin directory and delete xmlrpc.php and remove version number announcements and any hacker scanning for wordpress triggers should then fail.
That will help but it's something I would consider as another layer of security and not something I would rely on. As far as the version number, any software maker that has this in the footer is quite frankly asking to get their software hacked. This was removed from phpBB a few years ago, they even allow you to change the copyright text to an image if you wish so the "powered by phpBB" string is not searchable. That's not going to prevent someone from searching for a string in the URL that might be common to it or even common to a particular modification.
On the other hand if the stock install has this you may be able to fly under the radar of a lot of hackers.
You can do anything you want to your templates (themes) but leave the core alone and you can instantly upgrade to any newer version. There's even automatic updates available via plugin but new version notification has been available (and on by default) since version 2.3.
If you use svn, you can even do slight modification to core files and still maintain the most current versions.
leave the core alone and you can instantly upgrade to any newer version
In that case you've left too many footprints and they'll still find you.
I have a few scripts used to locate WordPress sites that I captured from botnets trying to infect my machines and you would be amazed at all the things they look for in order to detect WordPress.
Therefore, you either do some major overhaul to avoid those scripts which thwarts upgrading easily or you avoid it altogether and just roll the dice, or host with WordPress which is safest.
[edited by: incrediBILL at 7:11 am (utc) on Oct. 27, 2008]
In other words, can't the folks behind WordPress create a simplified version of a personal publishing platform - WordPressLite - that is rock solid?
Since it's a GPL licensed product has anyone attempted to take the code, gut it and reduce it to a product that offers 100% of what is needed to publish with only 95% of the bells or whistles that makes for added vulnerability?
Really, where is a simple, designed for security version of WordPress?
Why isn't there a WordPress community that has taken that mission upon itself? You mean there's no call for it?
can't the folks behind WordPress create a simplified version of a personal publishing
It doesn't need simplification, it simply needs a security code review before being released. Someone with a security background needs to check the code at all access points for vulnerabilities.
However, that would only secure WordPress which still leaves all the plug-ins and themes that need the same kind of testing otherwise you're still leaving it wide open.
What the heck, it's free, you get what you pay for! ;)
In fact, for this particular hack you can't even see the links on Google's cached version of a page unless you view the text cache version of the page.
Some pretty nasty stuff being injected through the above hack.
How do you lock down an application when you have hundreds if not thousands of plugins available? After seeing all the topics about WordPress Blogs being hacked, I'd have to say that hosting your Blog with WordPress is probably the best alternative if you do not have the ability to secure the platform yourself.
How does one manage their reputation when the platform they are using to build that reputation on is being undermined? I know, it can happen to anyone at anytime. It happens to Windows, IE, Firefox, everyone. Build it and they will hack.
There isn't a WordPress security forum of some kind, one that is sponsored by WordPress.org, that is dedicated to closing the holes?
There aren't plugin design standards against which new plugins can be scrutinized for creating holes where one didn't exist? Is it so hard, when creating a new plugin, to avoid creating a new security hole?
Why not impose a "vetted for security" standard on plugins - at least those that are posted to the WordPress.org site? Does this exist?
Forget the plugins and themes and all that, why isn't there a simplified bullet proof version of WordPress? In other words, 2 versions: You want bells and whistles OR do you want simplified publishing with a security lock that only simplicity can offer?
I know simplicity isn't a guarantee but it sure seems that every new add-on creates a new opportunity for exploitation.
WordPress lite and secure, anyone? Can it be done?
I don't know how WordPress handles things but any modifications that get the official nod of approval for phpbb3 must meet strict coding guidelines. Each mod is validated by a team member once submitted.
phpbb3 also employs an auto update feature that makes it easy to update modded boards.
Last but not least all mods that gain approval have an option to subscribe to them so you can be notified via email if there are any updates, this last feature is probably the biggest concerning the security of mods.
It's a lot of work and very few mods have been released in the last year but I think it's well worth the effort and the inconvenience.
WordPress lite and secure, anyone?
It obviously can be secured as WordPress hosts it themselves and it's not hacked all the time so that should tell you something.
Each mod is validated by a team member once submitted.
One team member isn't nearly enough to validate code for security because one person can easily overlook something that a team of review people might not miss.
These same people are then getting accounts on the same host and hacking into the blog. I had somebody do that to me once because I left permissions open to 777.
The way I found out was that Google penalized my site. After I contacted Google through webmaster tools they sent me a copy of my source code showing a bunch of hidden links to male enhancement drugs. I fixed the problem and told Google about how I was hacked and that I had fixed it and they put my rankings back up.