
patent10021
Original poster
Wow, we got hacked and we aren't even a site that anyone would care about lol. Well, at least I thought we weren't. They erased the php file so our site went all blank. The only way they could've gained access is via some mail form script, I'm guessing. Passwords are too strong etc.

Fortunately I always have a complete backup of our site so I just re-uploaded within minutes.

I asked Godaddy and they only have some generic one-time virus scanner; $300 for a daily scan, no thanks.

Guys said to grab a WP plugin called Word Fence or something so I'll check it out.

Do you guys know of anything else I should do or use?
 
I used WordFence for a while, and even the free version is pretty useful. It will notify you of failed login attempts, block offending IPs, and alert you of updates and security vulnerabilities. It's very nice.

However, Wordpress is becoming a lost cause in my opinion. Once your site has been found by these hacker-bots, it will continue to be found. When WordFence alerts you to a WP or plugin update, you'd better install it ASAP because the bad guys are coming back to exploit it if you wait longer than a few hours.

After several attacks on my employer's site, we had to drop Wordpress. It's just too much of a security vulnerability.
 
You know, I think this is what happened, because when I reinstalled it there were updates available, so I had obviously not checked the site in at least a few days.

I think the mail form is the biggest vulnerability, don't you think? Since it accesses the server. Maybe I should delete the form and just let people contact us via an ol' fashioned link.

I'm not really worried about it though since everything is a 15 minute upload away from a full restore. We don't have a big ecommerce site or anything. If it gets to be ongoing then I'll worry about it.
 
Hosting on GoDaddy is a security risk. I would move to Rochen.

WP can be hardened quite nicely on good hosting environments. htaccess rules, file permissions, forcing SSL, using unique usernames and passwords for dbname, dbuser, and WP user, and changing db table prefix are all great ways to beef it up.

I would recommend searching for Wordpress security hardening, and follow the guidelines you find. You'll probably need to change hosts, though.
 
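A way to check several items in that hardening list against an actual wp-config.php (file permissions, a non-default table prefix, database credentials that are unique to the site, FORCE_SSL_ADMIN). This is an added example in Python, not code from the thread or from WordPress: the two wp-config.php fragments are constructed, and the list of "generic" database user names and the 16-character password floor are this example's own thresholds, not anything the post states.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\);""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
GENERIC_DB_USERS = {"root", "admin", "wordpress", "wp", "wpuser"}  # this example's own list
MIN_DB_PASSWORD = 16                                               # this example's own floor

# Constructed wp-config.php fragments: the out-of-the-box shape and a hardened one.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'wordpress');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'acme_blog_db');
define('DB_USER', 'acme_blog_rw');
define('DB_PASSWORD', 'Vf7pLq9zR2wK4mXs8bT3');
define('DB_HOST', 'localhost');
define('FORCE_SSL_ADMIN', true);
$table_prefix = 'k3q9x_';
"""


def parse_wp_config(text: str) -> Dict[str, str]:
    """Pull define('KEY', value) constants and $table_prefix out of wp-config.php text."""
    settings = {k: v.strip("'\"") for k, v in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    if m:
        settings["table_prefix"] = m.group(1)
    return settings


def audit_settings(s: Dict[str, str], mode: int) -> List[str]:
    """One finding per hardening item the config fails; an empty list means it passes."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o}: wp-config.php is readable by group/other; use 0400 or 0440")
    if s.get("table_prefix", "wp_") == "wp_":
        findings.append("table prefix: default 'wp_' is used")
    name, user, pw = s.get("DB_NAME", ""), s.get("DB_USER", ""), s.get("DB_PASSWORD", "")
    if user.lower() in GENERIC_DB_USERS or user == name:
        findings.append("db user: generic name or same as DB_NAME; use a dedicated account for this database")
    if len(pw) < MIN_DB_PASSWORD or pw in (user, name):
        findings.append("db password: too short or reuses DB_USER/DB_NAME")
    if s.get("FORCE_SSL_ADMIN", "false").lower() != "true":
        findings.append("ssl: FORCE_SSL_ADMIN is not true; logins and wp-admin go over plain HTTP")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a real wp-config.php: its contents plus the mode bits on the file itself."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_settings(parse_wp_config(text), stat.S_IMODE(os.stat(path).st_mode))


def demo() -> Dict[str, List[str]]:
    """Write both fragments to temp files with typical modes and audit them."""
    results = {}
    for label, text, mode in (("weak", WEAK_CONFIG, 0o644), ("hardened", HARDENED_CONFIG, 0o400)):
        with tempfile.NamedTemporaryFile("w", suffix="-wp-config.php", delete=False) as tmp:
            tmp.write(text)
        os.chmod(tmp.name, mode)
        results[label] = audit_file(tmp.name)
        os.unlink(tmp.name)
    return results
```

Run `demo()` to see the weak fragment produce five findings and the hardened one none; point `audit_file()` at a live wp-config.php to check a real install. The mode check looks only at group/other bits because on shared hosting the web server usually runs as your own user, so 0400 or 0440 is enough for WordPress to read the file while keeping neighbouring accounts out.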
Hosting on GoDaddy is a security risk. I would move to Rochen.

WP can be hardened quite nicely on good hosting environments. htaccess rules, file permissions, forcing SSL, using unique usernames and passwords for dbname, dbuser, and WP user, and changing db table prefix are all great ways to beef it up.

I would recommend searching for Wordpress security hardening, and follow the guidelines you find. You'll probably need to change hosts, though.
I will look into that. Thanks. For now I have installed WordFence and it seems really good.
 
I installed a free security plugin called Sucuri and changed my passwords to truly impossible-to-guess ones after I got hacked. This plugin emails me whenever a failed login attempt is made. It's been about a month since and no break-in attempt has been successful.
 
Force your login to begin tar pitting after 3 failed attempts, sending an email notification to your email with an alternative, immediate (very complex password) login link saved to WP->_users->user_activation_key.

Tar pitting is the best security vs DOS and brute force hacks, in my very sheltered opinion.
I wouldn't recommend auto IP blocking as bots can be/are written to DOS any returns identified.
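The scheme described in that post, as an added example in Python rather than WordPress code (the thread contains no implementation): after three failures from one address the server keeps answering, but sleeps for a growing interval before each response instead of blocking the address, and at the third failure it mints a single-use login token for the owner's notification e-mail, storing only the token's hash. Names such as `LoginGuard`, the 2-second base delay, its doubling, the 300-second cap and the 15-minute token lifetime are this example's own choices; using the `user_activation_key` column for the token is the post's idea, and the in-memory field here simply stands in for that column.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

FAIL_THRESHOLD = 3   # failures from one IP before the tar pit engages (the post's "3 failed attempts")
BASE_DELAY = 2.0     # seconds served at the threshold; doubles with each further failure
MAX_DELAY = 300.0    # cap, so one attacker cannot pin a worker indefinitely
TOKEN_TTL = 900.0    # lifetime in seconds of the emergency login link


@dataclass
class Outcome:
    status: str                  # "ok", "fail", "notify" or "tarpit"
    delay: float                 # seconds the request handler must sleep before answering
    token: Optional[str] = None  # one-time login token to embed in the notification e-mail


class LoginGuard:
    """Tar-pitting login throttle with a one-time recovery link (example design)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: Dict[str, int] = {}
        # sha256 hex of the outstanding recovery token and its expiry; stands in for the
        # wp_users.user_activation_key column the post proposes (assumption of this example).
        self._recovery: Optional[Tuple[str, float]] = None

    def delay_for(self, ip: str) -> float:
        """Delay earned by this IP's failures so far; 0 below the threshold."""
        excess = self._failures.get(ip, 0) - FAIL_THRESHOLD
        if excess < 0:
            return 0.0
        return min(BASE_DELAY * (2 ** excess), MAX_DELAY)

    def attempt(self, ip: str, credentials_ok: bool) -> Outcome:
        """Handle one login attempt. The delay is served whether or not the password was
        right, so response time does not reveal which guesses were close."""
        delay = self.delay_for(ip)
        if credentials_ok:
            self._failures.pop(ip, None)      # a real login clears the slate for that IP
            return Outcome("ok", delay)
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count == FAIL_THRESHOLD:
            return Outcome("notify", delay, self._issue_token())
        return Outcome("tarpit" if delay > 0 else "fail", delay)

    def _issue_token(self) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._recovery = (digest, self._clock() + TOKEN_TTL)
        return token   # goes into the e-mail; only the hash stays on the server

    def redeem(self, token: str) -> bool:
        """Single-use, time-limited check of the e-mailed token; bypasses the tar pit."""
        if self._recovery is None:
            return False
        digest, expires = self._recovery
        if self._clock() > expires:
            self._recovery = None
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False
        self._recovery = None
        return True
```

In a request handler you would `time.sleep(outcome.delay)` before rendering the login page. The throttle is keyed by source IP, so it slows a single bot down without locking the owner out the way a hard ban can, but a botnet spreading guesses across many addresses still gets three free tries each; that is why the later posts in this thread pair throttling with two-factor authentication.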
 
I've used iThemes Security before with good success. Make sure you whitelist your own IP, as you can lock yourself out quite easily when tinkering with the config. As tsd states, this plugin will let you change WP default names / wp content locations / and it also lets you hide the wp login by changing the URL for logging in. This is best done on a new site. To implement on an existing site, you may need to export your content, then reimport for best operation.

Search for recommended settings for this or some online tut to help you figure it out if you need it.

I've had about 5 compromises on different sites before looking into the aforementioned 'hardening wordpress' and the iThemes security plugin.

And GoDaddy / Hostgator and the like are poor hosts... Look into site5 or bluehost.

Best,
nf
 
I run self-hosted WordPress on a Linode VPS, so I use OSSEC to handle host intrusion detection. OSSEC does it all as far as the OS and respective applications. It will handle real-time file system monitoring and real-time log monitoring (e.g. apache logs). Then craft OSSEC rules to handle alerting and/or active-response (e.g. dynamically load iptables rules to block the attacker). You need root on your box to use OSSEC. If you're using someone else's vhost and not your own VPS, then the aforementioned WordFence is probably your best option.

Example detection, alert, and active response:

Code:
OSSEC HIDS Notification.
2015 Jul 26 21:43:49

Received From: access_log
Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from same source ip."
Portion of the log(s):

193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /Fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /ckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /editorold/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /admin/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /system/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /inc/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /includes/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /scripts/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /include/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /js/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:43 -0700] "HEAD /common/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
193.201.224.176 - - [26/Jul/2015:21:43:43 -0700] "HEAD /sysadmin/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"

Code:
OSSEC HIDS Notification.
2015 Jul 26 12:20:57

Received From: auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Jul 26 12:20:57 sshd[23412]: Invalid user nagios from 162.213.154.14
Jul 26 12:20:56 sshd[23410]: Invalid user vnc from 162.213.154.14
Jul 26 12:20:55 sshd[23408]: Invalid user vnc from 162.213.154.14
Jul 26 12:20:53 sshd[23406]: Invalid user test from 162.213.154.14
Jul 26 12:20:52 sshd[23404]: Invalid user user3 from 162.213.154.14
Jul 26 12:20:40 sshd[23389]: Invalid user teamspeak from 162.213.154.14
Jul 26 12:20:38 sshd[23387]: Invalid user teamspeak from 162.213.154.14
Jul 26 12:20:36 sshd[23385]: Invalid user teamspeak from 162.213.154.14

Code:
OSSEC HIDS Notification.
2015 Jul 21 18:47:19

Received From: access_log
Rule: 31510 fired (level 8) -> "CMS (WordPress or Joomla) brute force attempt."
Portion of the log(s):

185.40.4.30 - - [21/Jul/2015:18:47:18 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
185.40.4.30 - - [21/Jul/2015:18:47:16 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
185.40.4.30 - - [21/Jul/2015:18:47:13 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

In all those cases above, OSSEC active-response rules were automatically triggered to set iptables rules to block the attacker.

I *was* using Google Authenticator for two-factor authentication with WordPress for a couple years, but I actually switched over to using Duo Security.

http://www.ocabj.net/duo-security-two-factor-authentication-with-wordpress/

I have been using Duo Security for a long time, but never bothered to look to see if they had a plugin integrating Duo with WordPress.

Note that if you use a VPS (or otherwise have root on your webserver), you can also use Duo Security's "Duo Unix" integration to set two-factor authentication on the PAM stack.
 
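The three alerts in that post all follow one pattern: count events of a given kind from one source IP inside a time window, and once a threshold is reached raise an alert and drop the address at the firewall. The Python below, an added example that is neither OSSEC's code nor the poster's configuration, reimplements that correlation over constructed log lines (RFC 5737 addresses, shaped like the lines in the post) for the three rule IDs shown. The rule numbers and descriptions are the ones in the alerts above; the per-rule thresholds and windows, the 2015 year assumed for the year-less syslog stamps, and the decision to record the iptables command rather than execute it are this example's own choices.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Apache combined-format request line -> ip, timestamp, method, path, status
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# syslog-style sshd line; the hostname field is optional because the post's lines omit it
SSHD_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?sshd\[\d+\]: '
                     r'Invalid user \S+ from (?P<ip>\S+)')
SYSLOG_YEAR = 2015  # syslog stamps carry no year; assumed to match the post's dates


@dataclass
class Event:
    source: str      # "access_log" or "auth.log", as in OSSEC's "Received From"
    ip: str
    ts: datetime     # naive UTC
    raw: str
    method: str = ""
    path: str = ""
    status: str = ""


def parse_line(line: str) -> Optional[Event]:
    """One raw log line -> Event, or None for formats this example does not watch."""
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return Event("access_log", m["ip"], ts.replace(tzinfo=None), line,
                     m["method"], m["path"], m["status"])
    m = SSHD_RE.match(line)
    if m:
        stamp = f"{SYSLOG_YEAR} " + " ".join(m["ts"].split())
        return Event("auth.log", m["ip"], datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), line)
    return None


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    match: Callable[[Event], bool]
    frequency: int          # matching events from one IP inside `timeframe` needed to fire
    timeframe: timedelta


RULES = [   # thresholds and windows are this example's assumptions, not OSSEC's defaults
    Rule(31151, 10, "Multiple web server 400 error codes from same source ip.",
         lambda e: e.source == "access_log" and e.status.startswith("4"), 8, timedelta(seconds=60)),
    Rule(5712, 10, "SSHD brute force trying to get access to the system.",
         lambda e: e.source == "auth.log", 6, timedelta(seconds=120)),
    Rule(31510, 8, "CMS (WordPress or Joomla) brute force attempt.",
         lambda e: e.source == "access_log" and e.method == "POST"
         and e.path.split("?")[0].endswith("/wp-login.php"), 3, timedelta(seconds=60)),
]


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    ip: str
    lines: List[str]   # the "Portion of the log(s)" that triggered it


class Detector:
    """Sliding-window correlation per (rule, source IP) with a firewall-drop response."""

    def __init__(self, rules: List[Rule] = RULES, block_level: int = 8) -> None:
        self.rules, self.block_level = rules, block_level
        self._hits: Dict[Tuple[int, str], Deque[Event]] = defaultdict(deque)
        self.alerts: List[Alert] = []
        self.commands: List[str] = []   # active responses, recorded instead of executed

    def feed(self, line: str) -> List[Alert]:
        ev = parse_line(line)
        fired: List[Alert] = []
        if ev is None:
            return fired
        for rule in self.rules:
            if not rule.match(ev):
                continue
            window = self._hits[(rule.rule_id, ev.ip)]
            window.append(ev)
            while ev.ts - window[0].ts > rule.timeframe:   # drop events older than the window
                window.popleft()
            if len(window) >= rule.frequency:
                alert = Alert(rule.rule_id, rule.level, rule.description, ev.ip, [e.raw for e in window])
                fired.append(alert)
                window.clear()          # fresh window after firing, like OSSEC's timeframe reset
                self._respond(alert)
        self.alerts.extend(fired)
        return fired

    def blocked(self) -> List[str]:
        return [c.split()[4] for c in self.commands]

    def _respond(self, alert: Alert) -> None:
        # What OSSEC's firewall-drop active response runs; at most one DROP rule per IP.
        if alert.level >= self.block_level and alert.ip not in self.blocked():
            self.commands.append(f"iptables -I INPUT -s {alert.ip} -j DROP")


PROBE_PATHS = ["/Fckeditor/editor/", "/ckeditor/editor/", "/editorold/editor/", "/admin/fckeditor/editor/",
               "/system/fckeditor/editor/", "/inc/fckeditor/editor/", "/includes/fckeditor/editor/",
               "/js/fckeditor/editor/"]


def sample_lines() -> List[str]:
    """Constructed log lines with RFC 5737 addresses, shaped like the post's three alerts."""
    lines = [f'203.0.113.10 - - [26/Jul/2015:21:43:{40 + i:02d} -0700] "HEAD {p} HTTP/1.1" 404 - "-" "-"'
             for i, p in enumerate(PROBE_PATHS)]
    lines.append('198.51.100.5 - - [26/Jul/2015:21:43:50 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines += [f"Jul 26 12:20:{36 + 2 * i:02d} sshd[{23385 + i}]: Invalid user {u} from 203.0.113.20"
              for i, u in enumerate(["teamspeak", "teamspeak", "teamspeak", "user3", "test", "vnc"])]
    lines += [f'198.51.100.77 - - [21/Jul/2015:18:47:{13 + 3 * i:02d} -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0"'
              for i in range(3)]
    return lines


def run_sample() -> Detector:
    det = Detector()
    for line in sample_lines():
        det.feed(line)
    return det
```

`run_sample()` fires each of the three rules exactly once and records a DROP for the three scanning addresses while leaving the ordinary visitor alone. Clearing the window after a hit is what keeps one noisy scanner from producing an alert per line; the level threshold on the response is the knob that decides which alerts are worth an automatic block, which is also where you would leave room for the objection raised earlier in the thread that attackers can spoof traffic to get legitimate addresses banned.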
They erased the php file so our site went all blank. The only way they could've gained access is via some mail form script I'm guessing. Passwords are too strong etc.

Fortunately I always have a complete backup of our site so I just re-uploaded within minutes.

I asked Godaddy and they only have some generic one time virus scanner $300 for a daily scan no thanks.

Guys said to grab a WP plugin called Word Fence or something so I'll check it out.

I'm not a fan of WordPress, but I have to work on it for some of my clients. WordFence is a really good place to start and I'd say is a must have in this day and age. Contrary to what you might think, the people running the botnets are looking specifically for small fry guys like you because your site is likely to be a lot easier to break into.

I'm surprised they wiped your site though. Usually they're not doing this to deface a site, rather they're using your site to help them sell contraband. I doubt that $300 scan from GoDaddy would have done you much good in the long run. It might have helped you find all the hacked files lurking in your system, but may not give you the information you need to pinpoint the source.

Make sure you scour your backup too. A lot of times they don't start "borrowing" your site for days or weeks after they first get in or the first attempt is just to get a foothold for a more substantial hack later.

If you want to scan your site, you can usually get a reasonably competent scan by downloading your entire site and running ClamAV on it from your Mac.
 
Yeah, I installed WordFence right after and paid for the Premium API key as well. Great investment. A few days later I got alerts identifying 2 IPs from France and Brazil trying to get in with the generic user name 'Admin'. Obviously they could be from anywhere but it's great to know how they were trying to get in as well.

Any IPs using any admin name and 5 failed logins is auto banned plus other goodies and I haven't had an alert or problem since.

How would you guys compare site5, bluehost and Rochen for security?
 
I'm not a huge fan of WordPress but in all honesty the software itself is rock solid. The issues usually come from third party plugins which aren't as well written.
 
If you can (not sure what GoDaddy's set up is, never used them), I would use Cloudflare for your site. Even the free option will give you better protection and performance, and for $20/month you get a web application firewall and a lot of other goodness. I use it on my personal site.
 
Wow, we got hacked and we aren't even a site that anyone would care about lol. Well, at least I thought we weren't. They erased the php file so our site went all blank. The only way they could've gained access is via some mail form script, I'm guessing. Passwords are too strong etc.

Fortunately I always have a complete backup of our site so I just re-uploaded within minutes.

I asked Godaddy and they only have some generic one time virus scanner $300 for a daily scan no thanks.

Guys said to grab a WP plugin called Word Fence or something so I'll check it out.

Do you guys know of anything else I should do or use?

GoDaddy are notoriously insecure and don't provide much in the way of help. At most, they might point you towards a folder where something weird is happening, but nothing else. And when your site gets compromised, BAM, they block your domain until you contact them to get a temporary URL to debug things. Not really ideal.

Kept up-to-date, a current WP install can be as secure as anything out there, but as others have said, it only takes one untested or older plugin to bring it all down. The old timthumb script, for instance, was one of the top vectors for hackers to knock over your site, and when they install their malware, it can be very hard to find and remove.

Basically my advice is: Nuke the site from orbit, and move to a better planet. And leave any questionable / older plugins or themes behind.

I've migrated a few friends' sites off GoDaddy and other generic LAMP hosts to WPEngine, which is a specialized hosting platform just for WordPress. It's more expensive than discount hosting, but it comes with a hack-proof guarantee, nightly restore points, optional staging server, and a CDN if you serve lots of images or other media. Even without the CDN, I've found it speeds up site delivery by a great deal.

Unlike a generic LAMP platform it doesn't have things like a mail server or other exposed command-line apps, so it's less tempting as a target for people who want to turn your WP install into a spam factory. They also test 3rd-party plugins and maintain a whitelist, and also auto-upgrade your WP setup to the latest version. They use SFTP for file transfer, which is encrypted end-to-end, and you can use an SSL certificate to secure the login screens if you want more security.

There are other hosted WP options like Page.ly and WordPress.com themselves (you can get a custom domain fairly easily).

If you still want to go the generic hosting route, this WP Codex article is a must-read:

http://codex.wordpress.org/Hardening_WordPress
 
I use the free version of WordFence on my sites and it has been helpful.
Unbeknownst to me, my main site was receiving numerous login attempts and Wordfence has identified them and banned them.
I used 1Password to change my password as a result and I feel a little better about it.

I don't have anything of any significance on my site, but it is still irritating.

I don't understand the bad guys.
If they are smart enough to hack, they are smart enough to earn a living legitimately, without creating havoc for the innocents.
The mentality is lost on me.

*I use Hostmonster
 
Guys,

It's not that your site is significant. It's that you're unpatched enough that simple exploits can get in, that makes you tasty targets for bots. If you go unpatched for a long time, your site is considered a zombie (unmaintained, nobody cares about it, the owner forgot about it or doesn't even know it's there (in cases of a personnel changeover in an office)). They won't vandalise you because it means they can come back later when the broken credentials allow root access to the server (privilege escalation). Sometimes you're found via a simple Google Dork because of your software version.

Further, your app may be light in terms of traffic, but once your credentials are "verified" they get tagged in a large database as useful. So if your account name is matched to a non-related site, you know what password they will start working with? The one that already unlocked your app, because too many people re-use passwords. Your super mega ultra fancy password of 49 characters means pretty much nothing if you're using it all over the place.

Disclaimer: Post is heavily generalized. Infosec isn't my main sphere, but I keep an eye on it.
 
Guys,

It's not that your site is significant. It's that you're unpatched enough that simple exploits can get in, that makes you tasty targets for bots.
This. It's not WP or Godaddy etc. It tends to happen if you leave plugins or WP not updated for a while since bots look for older versions with vulnerabilities and generic admin login names etc. Since I've kept everything up to date and use only 1 obscure login plus use WordFence for IP blacklisting I haven't had any issues.
 