Wordpress security question

  • newB
    Confirmed User
    • Jul 2006
    • 2870

    #1

    Wordpress security question

    Apparently someone has been trying to hack my site, trying to access plugin readme.txt files to get the version of wordpress and shit like that.

    I've taken the usual security measures (at least they seem like the reasonable ones to me, but this is my first project with wordpress) such as removing the wp version indicators, adding plugin and theme index files, removing error indicators on login and relocating my login page. So far that seems to be keeping them out, but I'm concerned that it's only a matter of time before they find a way in.

    Is there anything else I could do to better protect my site? Also, is this something most wordpress users have to deal with, or have I somehow made a target of myself?

    I should add that all of the questionable hits are coming from a Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) user agent, but the IPs change daily, so obviously they are using proxies to mask their IP.

    The best Adult Affiliate Programs reviewed and indexed by niche and feature.
    Easily find the sponsors that suit your needs.


  • fris
    Too lazy to set a custom title
    • Aug 2002
    • 55679

    #2
    I would only allow your IP in the admin; block all others out.
    Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


    • PhantomFrog
      Registered User
      • Jul 2006
      • 89

      #3
      Originally posted by fris
      I would only allow your IP in the admin; block all others out.
      Words of wisdom from the mouths of babes.

      Also ... get on the WordPress mailing list ... to keep your eyes open for updates! ... join WP forums ... stay in touch with the buzz.
      Last edited by PhantomFrog; 06-14-2011, 06:15 PM.
      PhantomFrog.com....Premium Password Protection
      PhantomCart.com....CCBill + Phantom Cart = Clips Store Solution
      PhantomFlicks.com .Token-based Clips Store


      • DangerX !!!
        Confirmed User
        • Feb 2011
        • 886

        #4
        "Wordpress" and "Security" are two incompatible meanings. Sorry but as long as it will be developed the way it is now your website and your server are in danger. Good luck though.

        http://codex.wordpress.org/Hardening_WordPress
        This is sig area!


        • Kiopa_Matt
          Confirmed User
          • Oct 2007
          • 1448

          #5
          You could always buy xMarkPro (see sig). Next upgrade coming out tomorrow will also contain an automated backup & revert feature for domains (including WP blogs). For example, have your blogs backed up every 3 hours. If someone hacks it, it's the click of a mouse, and it's back online. Plus have your blogs automatically updated when WP releases new versions, ensuring you're always running the most stable version.
          xMarkPro -- Ultimate Blog Network Management
          Streamline your marketing operations. Centralize management of domains, pages, Wordpress blogs, sponsors, link codes, media items, sales and traffic statistics, plus more!


          • vdbucks
            Monger Cash
            • Jul 2010
            • 2773

            #6
            Originally posted by Kiopa_Matt
            You could always buy xMarkPro (see sig). Next upgrade coming out tomorrow will also contain an automated backup & revert feature for domains (including WP blogs). For example, have your blogs backed up every 3 hours. If someone hacks it, it's the click of a mouse, and it's back online. Plus have your blogs automatically updated when WP releases new versions, ensuring you're always running the most stable version.
            Well, there's a free plugin that does automated DB backups. Emails them, saves them to disk, whatever you prefer. And updating WordPress automatically is a no-no; bad things can happen when you do that.


            • TheDoc
              Too lazy to set a custom title
              • Jul 2001
              • 13827

              #7
              Lots of things to do with wp...

              I've found you can't always block based on IP because some scripts use the ajax in the admin area... thus visiting your site can create a warning.

              Give the plugin Login Lockdown a shot... it masks login errors, can set timeout limits on failed attempts, etc., if someone happens to get to the login screen.

              Another thing you can do is protect your wp-login.php with basic user/pass protection to access it. It's not an end-all, it's just another step. Drop this into your functions file, and set a user/pass...

              Code:
                // Require HTTP Basic auth before wp-login.php is served; the normal WordPress login form still sits behind it.
                if ($_SERVER['PHP_SELF'] == "/wp-login.php") { add_action('init', 'login_init'); }
                function login_init() {
                    $user = "YOUR-USERNAME";
                    $pass = "YOUR-PASSWORD";
                    // Reject unless BOTH the username and the password match. The original test used &&,
                    // which only rejected a request when both values were wrong, so a correct username
                    // with any password was let through.
                    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
                        || $_SERVER['PHP_AUTH_USER'] !== $user
                        || $_SERVER['PHP_AUTH_PW'] !== $pass) {
                        header('WWW-Authenticate: Basic realm="Login"');
                        header('HTTP/1.0 401 Unauthorized');
                        exit;
                    }
                }
              ~TheDoc - ICQ7765825
              It's all disambiguation


              • Marquis85
                Confirmed User
                • Apr 2009
                • 622

                #8
                Thanks for asking this question. One of my WP blogs was recently hacked and I'm trying to take all precautions necessary so it doesn't happen again.
                Last 3 months SCORECash ratio: 1:237


                • fris
                  Too lazy to set a custom title
                  • Aug 2002
                  • 55679

                  #9
                  I wouldn't even let subscribers in the admin area. If you are just using it for a login system so they can comment, I would redirect anyone that you don't want accessing wp-admin out of there.
                  Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

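                  The advice in #2, #7 and #9 combined as one WordPress hook, as an added example that is not code from any poster in this thread: wp-admin is limited to an IP allow-list, subscribers are bounced back to the front page, and admin-ajax.php requests are left alone because front-end scripts use them. The IP 203.0.113.10 is a constructed placeholder, and the check assumes the site is not behind a reverse proxy or CDN (there, REMOTE_ADDR is the proxy's address and an allow-list on it does nothing useful).

```php
<?php
// Added example (not from the thread). Drop into functions.php or a mu-plugin.
// Restricts wp-admin to listed IPs and to users who can at least edit posts,
// without breaking admin-ajax.php calls made by front-end scripts.

function gfy_restrict_wp_admin() {
    // Constructed placeholder; replace with the address(es) you administer from.
    $allowed_ips = array('203.0.113.10');

    // admin-ajax.php also fires admin_init. Visitors' AJAX requests (comments,
    // theme widgets) land here, so blocking them by IP would break the public site (post #7).
    if (defined('DOING_AJAX') && DOING_AJAX) {
        return;
    }

    // REMOTE_ADDR is set by the web server and cannot be forged by the client,
    // unlike X-Forwarded-For. Behind a proxy this would be the proxy's IP: do not
    // use this check in that setup without proper proxy-trust configuration.
    $client_ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    $from_allowed_ip = in_array($client_ip, $allowed_ips, true);
    // Subscribers (comment-only accounts) have no business in wp-admin (post #9).
    $may_use_admin = current_user_can('edit_posts');

    if (!$from_allowed_ip || !$may_use_admin) {
        // Send them to the front page rather than showing an error that confirms
        // the admin area exists at this path.
        wp_safe_redirect(home_url('/'));
        exit;
    }
}
add_action('admin_init', 'gfy_restrict_wp_admin');
```

                  Test it while logged in from a second browser or IP before relying on it, since a wrong allow-list locks you out of your own admin until you remove the file over FTP.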

                  • raymor
                    Confirmed User
                    • Oct 2002
                    • 3745

                    #10
                    Originally posted by DangerX !!!
                    "Wordpress" and "Security" are two incompatible meanings. Sorry but as long as it will be developed the way it is now your website and your server are in danger. Good luck though.

                    http://codex.wordpress.org/Hardening_WordPress
                    QFT. The Wordpress developers in general don't understand basic security concepts even when I explain it to them. I pointed out a significant security flaw repeatedly for over a year and none of the Wordpress devs could even understand that there was a problem until thousands of sites were hacked.

                    Secure, as much as possible, PHP itself. Make sure it's up to date, as PHP has recently started to suck a lot less in terms of security. If you have a version that's a couple years old you may as well post your FTP password on your front page. One example is "register globals", which is tied with "running suexec on a dedicated server" for the stupidest, most damaging thing anyone has ever done on a web server.

                    Once it's up to date, make sure the settings are right for reasonable security. fopen_url, for example, should be off by default, but make sure it is. Disabling a few functions including eval, exec, and popen will stop most crack scripts, but some legitimate scripts may need to be adjusted to work in that case. Similarly for an egress firewall, but now we're getting more into general server security and away from Wordpress.
                    For historical display only. This information is not current:
                    support@bettercgi.com ICQ 7208627
                    Strongbox - The next generation in site security
                    Throttlebox - The next generation in bandwidth control
                    Clonebox - Backup and disaster recovery on steroids

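                    A small audit script for the PHP settings raised in #10, added here as an example and not part of the thread or of any poster's code. The 5.3.0 version threshold is an assumption chosen for the era of the thread; adjust it to whatever branch is still receiving security fixes. Note that eval is a language construct, not a function, so it cannot be switched off through disable_functions.

```php
<?php
// Added example (not from the thread): report PHP settings that weaken a WordPress host.
// Run it from the CLI (php audit.php) or drop it on the server briefly and delete it afterwards.

function gfy_audit_php_hardening($min_version = '5.3.0') {
    $findings = array();

    // Old branches no longer receive security fixes (post #10: "make sure it's up to date").
    if (version_compare(PHP_VERSION, $min_version, '<')) {
        $findings[] = 'PHP ' . PHP_VERSION . " is older than $min_version; upgrade";
    }

    // register_globals lets any request parameter overwrite script variables.
    // On PHP >= 5.4 the directive no longer exists and ini_get() returns false.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'register_globals is On; set it to Off in php.ini';
    }

    // Remote file access from include()/fopen() turns a path bug into remote code execution.
    // (Post #10 calls this fopen_url; the php.ini directives are allow_url_fopen and allow_url_include.)
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On; set it to Off';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen is On; set it to Off unless a plugin needs it';
    }

    // Command-execution functions that dropped web shells rely on. eval is a language
    // construct and cannot be listed in disable_functions, so it is not checked here.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (array('exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open') as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn() is callable; consider adding it to disable_functions";
        }
    }

    return $findings;
}

$findings = gfy_audit_php_hardening();
if (!$findings) {
    echo "No findings.\n";
}
foreach ($findings as $finding) {
    echo "- $finding\n";
}
```

                    Anything it flags in disable_functions should be tested against the plugins you actually run, since some legitimate ones (mailers, image tools) shell out.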
