WordPress security

My WordPress website was hacked recently and replaced with a porn site. I cleared the offending site using the TSOhost cPanel.
Before I restore my site from backup I want to know what you guys use for WordPress security. I thought my 17 character password would be good enough, obviously not.
 
My WordPress website was hacked recently and replaced with a porn site. I cleared the offending site using the TSOhost cPanel.
Before I restore my site from backup I want to know what you guys use for WordPress security. I thought my 17 character password would be good enough, obviously not.

You need to make sure all your themes and plugins are up to date and secure.

Did you ask TSOHost if they could help identify any weakness in your WordPress install?

Of course, always make sure your own computer/email etc. are secure and free from viruses and malware.
 
My themes and plugins had been updated a couple of days prior to the hack attack. I did not ask TSOhost because their answer to my previous query was to tell me to seek the services of a web developer. I presume the drop in quality of customer service is a direct consequence of the recent GoDaddy takeover.
 
I use TSOHost myself for my WordPress website, I do not use anything special security wise, just always make sure that all plugins and themes are up to date

What plugins were you using?
 
The plugins I used were:

All in One WP Migration, Download Manager, Duplicate Page, Envato WordPress Toolkit, Google Fonts For WordPress

Limit Login Attempts, Unite Gallery Lite, WordPress Importer, WordPress Reset, WP Config File Editor.
 
Included. The only add-on needed would be by upgrading to Premium. Everything you would normally need is there.

wordfence1.png

Today's log. This is on the dashboard.

wordfence2.png
 
I'm struggling with a charity site I look after at the moment. Still not got to the bottom of it and am looking at rebuilding from scratch. It looks like the vulnerability wasn't in my site - but in the wordpress db. Hacker gets into the db, creates himself an admin logon, does the damage, then logs out.

Had wordfence in from the start. It can't find anything wrong.
Have tried: Changing db password, user passwords (several times), & cpanel password.
Host has run a virus scan of the db which came up blank.

Next steps are very complicated database tweaks which will take me longer to figure out and do than to rebuild.

I'm guessing there's a back door in the db that's been there since my oldest backup which just allows the hacker to keep messing me about. Trying to find the will to take a day off to rebuild. I feel your pain. :-( Hope it's a simple case of restoring.
 
I agree with @Harlequin565, I think they got in through a backdoor in WordPress rather than the website host.
I have an offline backup but hope to get more info regarding security before restoring the site.
 
My themes and plugins had been updated a couple of days prior to the hack attack. I did not ask TSOhost because their answer to my previous query was to tell me to seek the services of a web developer. I presume the drop in quality of customer service is a direct consequence of the recent GoDaddy takeover.
What was your previous query? To be fair they're a host and won't really be able to assist if it's an issue with code etc.
 
WordPress can never truly be secure - not until they start signing the updates and checking the signatures prior to installation.
That said, WordFence is a good shout.
It's possible WordPress wasn't the attack vector - if it's shared hosting it could be the result of another site on the same server getting compromised and then exploiting the OS
Or it could be that your account details were compromised. Without evidence, it's not fair to assume it's Wordpress

Just make sure you have a decent backup regime and maybe something set up to alert you if the site name/description changes ... I think you might be able to do this with a Pingdom free account.
 
Add some form of second factor authentication to be sure as well.
 
I am with Webhost.uk.net and these guys did deal with such a problem with one of my customers' websites. I guess they suggested Sucuri, which worked great; never faced the problem later.
 
I use iThemes Security, a free WP plugin, and never had a problem; it has a number of useful functions including brute force attack protection. That and an unusual username, something like a long phrase in local lingo, and a weird stupid-sounding password, again in local lingo, which foreigners probably wouldn't guess as they're not in any dictionary, has kept hackers at bay, also changing user/password regularly.
 
I've already been beaten to the punch with the Wordfence comments, I install it on every WP site I work on!

But just to reiterate and add a few bits & pieces...

  • Do not use 'Admin' as a username.
    • Or indeed anything easily guessable such as the business name.
  • Configure Wordfence to immediately block anyone trying to use 'Admin' to log in.
  • Configure WFence to block after a low number of login attempts AND change the default so it blocks anyone nasty for the longest possible period.
  • Use a strong password for WordPress itself.
  • Keep plugins updated.
  • Beware of certain plugins that are known to be easily compromised (Rev Slider used to be a big culprit).
Most site hacks I come across are down to compromised, outdated plugins and/or SQL injections so try & sanitise inputs if possible.

Sucuri is another security plugin that some people like so worth a try to see if you like it (oh yes, just scrolled up & I've been beaten to that one too! :) )

And take backups. And then some more backups. The easiest solution to intrusion is to simply nuke & reinstall from backup. But always try & work out how they got in so you can fix the hole...
 
I restored my site from backup, updated to the latest WordPress, updated all plugins, deleted the default admin account and created my own user account with admin privileges, and installed (but foolishly did not configure) Wordfence, and within 20 minutes my site was hacked again. From the host's cPanel I could see files being added and removed from the folder where WordPress was installed.
On checking the WordPress panel, I could see that the hackers had recreated the default admin account which I had previously deleted. There must be some vulnerability in WordPress that allows the recreation of the default admin account.

After nuking and re-uploading my site I configured Wordfence to block the IP addresses of anyone attempting to perform following actions:
  1. Any attempted login with the username wp-admin, wpadmin, administrator etc. is blocked
  2. Any attempt to use a URL that ends in .php .jsp .json
  3. Two failed login in a 4 hour period blocks that IP address for 12 hours
One thing I could not figure out how to do in Wordfence is how to restrict WordPress login to just my own IP address.

My site remains unhacked after nine days despite Wordfence showing the bastards are still trying. I owe a big thanks to @AloeToday and @Harriers9.
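Rules 1 and 3 above, written out as a small WordPress must-use plugin that does not depend on Wordfence (an added example for this thread, not Wordfence's code or the poster's configuration; the `ll_` function names, the transient keys and the denied-username list are assumptions, the thresholds are the ones the post describes):

```php
<?php
/**
 * Plugin Name: Login lockout (constructed example, drop into wp-content/mu-plugins/)
 * Rule 1: a denied username blocks the client IP on sight.
 * Rule 3: LL_MAX_FAILURES failed logins inside LL_WINDOW block it for LL_BLOCK_FOR.
 */
define('LL_DENIED_USERNAMES', ['admin', 'wp-admin', 'wpadmin', 'administrator']);
define('LL_MAX_FAILURES', 2);                    // failures tolerated per window
define('LL_WINDOW', 4 * HOUR_IN_SECONDS);        // 4 hours (WordPress core constant)
define('LL_BLOCK_FOR', 12 * HOUR_IN_SECONDS);    // 12 hour block

function ll_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for; read
    // X-Forwarded-For only if a proxy or CDN you control sits in front of the site.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}
function ll_key($prefix) {
    return $prefix . md5(ll_client_ip());        // keeps the transient name short
}
function ll_is_blocked() {
    return false !== get_transient(ll_key('ll_block_'));
}
function ll_block_ip() {
    set_transient(ll_key('ll_block_'), time(), LL_BLOCK_FOR);
}

// Every failed login (wp-login.php and XML-RPC alike) passes through this action.
add_action('wp_login_failed', function ($username) {
    if (in_array(strtolower($username), LL_DENIED_USERNAMES, true)) {
        ll_block_ip();                           // rule 1: instant block
        return;
    }
    $key      = ll_key('ll_fail_');
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, LL_WINDOW);   // counter expires with the window
    if ($failures >= LL_MAX_FAILURES) {
        delete_transient($key);
        ll_block_ip();                           // rule 3: threshold reached
    }
});

// Refuse the login outright from a blocked IP or for a denied username. Priority 30
// runs after core's own username/password check (20), so core cannot override it.
add_filter('authenticate', function ($user, $username) {
    $denied = in_array(strtolower((string) $username), LL_DENIED_USERNAMES, true);
    if ($denied || ll_is_blocked()) {
        return new WP_Error('ll_blocked', 'Logins from your address are temporarily disabled.');
    }
    return $user;
}, 30, 2);
```

Because the block is keyed on the client address, a site behind a CDN or reverse proxy sees the proxy's address in REMOTE_ADDR and would lock out every visitor at once; resolve the real client address first in that setup.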
 
My WP blog is on the WordPress site. What security precautions should I take? I'm not even sure how to back it up!
 
I presume the drop in quality of customer service is a direct consequence of the recent GoDaddy takeover.

******s.
Not sure how I missed that, had been toying with moving away for something a bit more specialist, this news is going to accelerate that move.

Actually, digging, I'd noticed a drop off in Vidahost phone support a while ago and that seems to tie back to when they were bought out by Host Europe Group; I expect GoDaddy will move to their usual "as long as the server is up anything else is not our problem".
 
******s.
Not sure how I missed that, had been toying with moving away for something a bit more specialist, this news is going to accelerate that move.

Actually, digging, I'd noticed a drop off in Vidahost phone support a while ago and that seems to tie back to when they were bought out by Host Europe Group; I expect GoDaddy will move to their usual "as long as the server is up anything else is not our problem".

SiteGround are probably the best bang for the buck.
 
SiteGround are probably the best bang for the buck.
Thanks, will add them to the list.

Already got one site moved away for speed, so looking to either shift everything else to that, or just move them all to another provider. Speed/reliability will be the key; somehow upped my spend to £200 a year so it's not about utter bargain basement.
 
Thanks, will add them to the list.

Already got one site moved away for speed, so looking to either shift everything else to that, or just move them all to another provider. Speed/reliability will be the key; somehow upped my spend to £200 a year so it's not about utter bargain basement.

Well my GTMetrix is over 90%, and they have rolling 30 day backups and include SSL as standard. Service is really good, price is good. Unless you need insane performance, in which case I'd look at WPEngine.
 
Well my GTMetrix is over 90%, and they have rolling 30 day backups and include SSL as standard. Service is really good, price is good. Unless you need insane performance, in which case I'd look at WPEngine.
Thanks, yeah got one over on Guru scoring 91%, Vida seems to be scoring 40-75%. Which plan are you on?
 
What security precautions should I take? I'm not even sure how to back it up!
I use the plugin All in One WP Migration to back up and restore my website; it works well and fairly quickly. YouTube videos will tell you how to use it.
For security the free version of Wordfence is working very well for me now.
 
I could see that the hackers had recreated the default admin account which I had previously deleted.

Or your backup is compromised?

One thing I could not figure out how to do in Wordfence is how to restrict WordPress login to just my own IP address.

This is probably not a good idea, given that your IP address is probably not static and even if it is, there's no guarantee it won't change in future.
 
Or your backup is compromised?
I have scanned my backups and they are fine, thankfully. The problem, from what I have read, is that PHP has a vulnerability in the forgotten password section; there are scripts available online to automate this hack. Wordfence backs that up by showing the IP address of whoever tries to use the forgotten password method vulnerability. Most attempted hacks are shown to be brute force password hacks; the usernames tried most are admin, wp-admin or wpadmin. I don't use any of those usernames on my WordPress install.

I did not think about my IP address being dynamic. Thanks @afasoas.
 