WP site got hacked. Any WP security plugin/app recommendations?

Discussion in 'Web Design and Development' started by patent10021, Jul 24, 2015.

  1. patent10021 macrumors 68020

    patent10021

    Joined:
    Apr 23, 2004
    #1
    Wow, we got hacked and we aren't even a site that anyone would care about lol. Well, at least I thought we weren't. They erased the php file so our site went all blank. The only way they could've gained access is via some mail form script, I'm guessing. Passwords are too strong etc.

    Fortunately I always have a complete backup of our site so I just re-uploaded within minutes.

    I asked GoDaddy and they only have some generic one-time virus scanner, $300 for a daily scan. No thanks.

    Guys said to grab a WP plugin called Word Fence or something so I'll check it out.

    Do you guys know of any thing else I should do or use?
     
  2. Darth.Titan macrumors 68030

    Darth.Titan

    Joined:
    Oct 31, 2007
    Location:
    Austin, TX
    #2
    I used WordFence for a while, and even the free version is pretty useful. It will notify you of failed login attempts, block offending IPs, and alert you of updates and security vulnerabilities. It's very nice.

    However, Wordpress is becoming a lost cause in my opinion. Once your site has been found by these hacker-bots, it will continue to be found. When WordFence alerts you to a WP or plugin update, you'd better install it ASAP because the bad guys are coming back to exploit it if you wait longer than a few hours.

    After several attacks on my employer's site, we had to drop Wordpress. It's just too much of a security vulnerability.
     
  3. patent10021 thread starter macrumors 68020

    patent10021

    Joined:
    Apr 23, 2004
    #3
    You know I think this is what happened because when I reinstalled it there were updates available so I had obviously not checked the site in at least a few days.

    I think the mail form is the biggest vulnerability, don't you think? Since it accesses the server. Maybe I should delete the form and just let people contact via an ol' fashioned link.

    I'm not really worried about it though since everything is a 15 minute upload away from a full restore. We don't have a big ecommerce site or anything. If it gets to be ongoing then I'll worry about it.
     
  4. tsd, Jul 26, 2015
    Last edited: Jul 26, 2015

    tsd macrumors regular

    Joined:
    Aug 10, 2007
    Location:
    Greensboro, NC
    #4
    Hosting on GoDaddy is a security risk. I would move to Rochen.

    WP can be hardened quite nicely on good hosting environments. htaccess rules, file permissions, forcing SSL, using unique usernames and passwords for dbname, dbuser, and WP user, and changing db table prefix are all great ways to beef it up.

    I would recommend searching for Wordpress security hardening, and follow the guidelines you find. You'll probably need to change hosts, though.
     
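    The htaccess side of the hardening list above, as an added example rather than anything tsd posted: an Apache 2.4 `.htaccess` fragment for the WordPress document root that hides the config file, disables listings, forces SSL and stops PHP from running out of the uploads directory. It assumes mod_rewrite is enabled and that the host terminates TLS on the same server (otherwise the `%{HTTPS}` test needs adapting).

```apache
# Added example for the hardening steps listed above; not part of the thread.
# Assumes Apache 2.4 syntax (Require) and mod_rewrite.

# wp-config.php holds the DB name, user and password; never serve it or .htaccess.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# No directory listings of wp-content/uploads, plugins or themes.
Options -Indexes

# Force SSL: redirect every plain-HTTP request to its https:// counterpart.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# The uploads tree should contain media, not executable PHP; refuse it outright.
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]
```

    File permissions and the table prefix from the same list are set outside `.htaccess` (on the filesystem and in `wp-config.php` respectively), so they are not shown here.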
  5. patent10021 thread starter macrumors 68020

    patent10021

    Joined:
    Apr 23, 2004
    #5
    I will look into that. Thanks. For now I have installed WordFence and it seems really good.
     
  6. mtasquared macrumors regular

    mtasquared

    Joined:
    May 3, 2012
    #6
    I installed a free security plugin called Sucuri and changed my passwords to truly impossible-to-guess ones after I got hacked. This plugin emails me whenever a failed login attempt is made. It's been about a month since and no break-in attempt has been successful.
     
  7. 960design macrumors 68020

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #7
    Force your login to begin tar pitting after 3 failed attempts, sending an email notification to your email with alternative, immediate (very complex password) login link saved to the WP->_users->user_activation_key.

    Tar pitting is the best security vs DOS and brute force hacks, in my very sheltered opinion.
    I wouldn't recommend auto IP blocking as bots can/are written to DOS any returns identified.
     
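    The tar-pit approach described above, written out as an added example (not code from the post or from WordPress): a per-account failure counter that answers with a growing delay instead of blocking the source IP, plus a one-time recovery key in the spirit of the `user_activation_key` idea. The `LoginTarpit` class, its `users` table and the injectable clock are constructed for the demo; real code would check a password hash rather than the plaintext shown.

```python
import hmac, secrets, time
from collections import defaultdict

FREE_ATTEMPTS = 3    # failures tolerated before the tar pit engages (as in the post)
MAX_DELAY = 60.0     # cap on the growing delay, in seconds

class LoginTarpit:
    """Per-account tar pit: delays grow with consecutive failures, so a bot gains
    nothing by failing on purpose from many IPs and no address list is kept."""
    def __init__(self, users, now=time.monotonic):
        self.users = users                  # username -> password (constructed stub)
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.not_before = {}                # username -> earliest allowed next attempt
        self.recovery_keys = {}             # username -> one-time recovery key
        self.now = now                      # injectable clock for testing

    def delay_for(self, failures):
        excess = failures - FREE_ATTEMPTS
        return 0.0 if excess < 0 else min(MAX_DELAY, 2.0 ** excess)

    def attempt(self, user, password):
        """Return (ok, wait_seconds). Calls inside the wait window are refused
        without checking the password, so guesses cannot be parallelised."""
        t = self.now()
        if t < self.not_before.get(user, 0.0):
            return False, self.not_before[user] - t
        stored = self.users.get(user)
        if stored is not None and hmac.compare_digest(stored, password):
            self.failures.pop(user, None)
            self.not_before.pop(user, None)
            return True, 0.0
        self.failures[user] += 1
        wait = self.delay_for(self.failures[user])
        self.not_before[user] = t + wait
        if self.failures[user] == FREE_ATTEMPTS:
            # Tar pit just engaged: mint a one-time key for the account owner to
            # receive out of band (e-mail), so they are never locked out.
            self.recovery_keys[user] = secrets.token_urlsafe(32)
        return False, wait

    def redeem(self, user, key):
        """One-time recovery login: a matching key clears the tar pit and is consumed."""
        expected = self.recovery_keys.get(user)
        if expected is None or not hmac.compare_digest(expected, key):
            return False
        del self.recovery_keys[user]
        self.failures.pop(user, None)
        self.not_before.pop(user, None)
        return True
```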
  8. nfable macrumors regular

    nfable

    Joined:
    Apr 9, 2007
    #8
    I've used iThemes Security before with good success. Make sure you whitelist your own IP, as you can lock yourself out quite easily when tinkering with the config. As tsd states, this plugin will let you change WP default names / wp-content locations / and it also lets you hide the WP login by changing the URL for logging in. This is best done on a new site. To implement it on an existing site, you may need to export your content, then reimport it for best operation.

    Search for recommended settings for this or some online tutorial to help you figure it out if you need it.

    I've had about 5 compromises on different sites before looking into the aforementioned 'hardening wordpress' and the iThemes Security plugin.

    And GoDaddy / Hostgator and the like are poor hosts... Look into site5 or bluehost.

    Best,
    nf
     
  9. ocabj, Jul 28, 2015
    Last edited: Jul 28, 2015

    ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #9
    I run self-hosted WordPress on a Linode VPS, so I use OSSEC to handle host intrusion detection. OSSEC does it all as far as the OS and respective applications. It will handle real-time file system monitoring and real-time log monitoring (e.g. apache logs). Then craft OSSEC rules to handle alerting and/or active-response (e.g. dynamically load an iptables rule to block the attacker). You need root on your box to use OSSEC. If you're using someone else's vhost and not your own VPS, then the aforementioned WordFence is probably your best option.

    Example detection, alert, and active response:

    Code:
    OSSEC HIDS Notification.
    2015 Jul 26 21:43:49
    
    Received From: access_log
    Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from same source ip."
    Portion of the log(s):
    
    193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /Fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /ckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /editorold/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:45 -0700] "HEAD /admin/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /system/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /inc/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /includes/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /scripts/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /include/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:44 -0700] "HEAD /js/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:43 -0700] "HEAD /common/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    193.201.224.176 - - [26/Jul/2015:21:43:43 -0700] "HEAD /sysadmin/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
    Code:
    OSSEC HIDS Notification.
    2015 Jul 26 12:20:57
    
    Received From: auth.log
    Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
    Portion of the log(s):
    
    Jul 26 12:20:57 sshd[23412]: Invalid user nagios from 162.213.154.14
    Jul 26 12:20:56 sshd[23410]: Invalid user vnc from 162.213.154.14
    Jul 26 12:20:55 sshd[23408]: Invalid user vnc from 162.213.154.14
    Jul 26 12:20:53 sshd[23406]: Invalid user test from 162.213.154.14
    Jul 26 12:20:52 sshd[23404]: Invalid user user3 from 162.213.154.14
    Jul 26 12:20:40 sshd[23389]: Invalid user teamspeak from 162.213.154.14
    Jul 26 12:20:38 sshd[23387]: Invalid user teamspeak from 162.213.154.14
    Jul 26 12:20:36 sshd[23385]: Invalid user teamspeak from 162.213.154.14
    
    Code:
    OSSEC HIDS Notification.
    2015 Jul 21 18:47:19
    
    Received From: access_log
    Rule: 31510 fired (level 8) -> "CMS (WordPress or Joomla) brute force attempt."
    Portion of the log(s):
    
    185.40.4.30 - - [21/Jul/2015:18:47:18 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    185.40.4.30 - - [21/Jul/2015:18:47:16 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    185.40.4.30 - - [21/Jul/2015:18:47:13 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    In all those cases above, OSSEC active-response rules were automatically triggered to set iptables rules to block the attacker.

    I *was* using Google Authenticator for two-factor authentication with WordPress for a couple years, but I actually switched over to using Duo Security.

    http://www.ocabj.net/duo-security-two-factor-authentication-with-wordpress/

    I have been using Duo Security for a long time, but never bothered to look to see if they had a plugin integrating Duo with WordPress.

    Note that if you use a VPS (or otherwise have root on your webserver), you can also use Duo Security's "Duo Unix" integration to set two-factor authentication on the PAM stack.
     
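    What rules 31151 and 31510 above are actually looking for, reproduced as an added example (not OSSEC's own code or ocabj's configuration): a small log-monitoring pass over Apache combined-format lines that flags a source IP once it produces a burst of 4xx responses or repeated `POST /wp-login.php` requests inside a sliding time window. The sample log is constructed to mirror the quoted notifications; its IPs come from documentation ranges, and the thresholds and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache combined-log format, modelled on the OSSEC
# notifications quoted above; the IPs are documentation ranges, not real sources.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Jul/2015:21:43:43 -0700] "HEAD /common/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
203.0.113.10 - - [26/Jul/2015:21:43:44 -0700] "HEAD /inc/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
203.0.113.10 - - [26/Jul/2015:21:43:44 -0700] "HEAD /js/fckeditor/editor/ HTTP/1.1" 404 - "-" "-"
203.0.113.10 - - [26/Jul/2015:21:43:45 -0700] "HEAD /ckeditor/editor/ HTTP/1.1" 404 - "-" "-"
198.51.100.7 - - [21/Jul/2015:18:47:13 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2015:18:47:16 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2015:18:47:18 -0700] "POST /wp-login.php HTTP/1.1" 301 316 "-" "Mozilla/5.0"
192.0.2.55 - - [26/Jul/2015:22:40:02 -0700] "GET /missing.png HTTP/1.1" 404 - "-" "-"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect(log_text, threshold, window_seconds, predicate):
    """Source IPs with >= threshold matching requests inside a sliding time window."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and predicate(rec):
            per_ip[rec[0]].append(rec[1])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def scanners(log_text, threshold=4, window_seconds=60):
    # Rule 31151 analogue: burst of 4xx responses from one source (path probing)
    return detect(log_text, threshold, window_seconds, lambda r: 400 <= r[4] < 500)

def login_bruteforce(log_text, threshold=3, window_seconds=60):
    # Rule 31510 analogue: repeated POSTs to wp-login.php from one source
    return detect(log_text, threshold, window_seconds,
                  lambda r: r[2] == "POST" and r[3].startswith("/wp-login.php"))
```

    The set each function returns is what an active-response hook would feed to the firewall; the single stray 404 from the third address stays below threshold and is not flagged.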
  10. smirking macrumors 6502a

    Joined:
    Aug 31, 2003
    Location:
    Silicon Valley
    #10
    I'm not a fan of WordPress, but I have to work on it for some of my clients. WordFence is a really good place to start and I'd say is a must have in this day and age. Contrary to what you might think, the people running the botnets are looking specifically for small fry guys like you because your site is likely to be a lot easier to break into.

    I'm surprised they wiped your site though. Usually they're not doing this to deface a site, rather they're using your site to help them sell contraband. I doubt that $300 scan from GoDaddy would have done you much good in the long run. It might have helped you find all the hacked files lurking in your system, but may not give you the information you need to pinpoint the source.

    Make sure you scour your backup too. A lot of times they don't start "borrowing" your site for days or weeks after they first get in or the first attempt is just to get a foothold for a more substantial hack later.

    If you want to scan your site, you can usually get a reasonably competent scan by downloading your entire site and running ClamAV on it from your Mac.
     
  11. patent10021, Jul 30, 2015
    Last edited: Jul 30, 2015

    patent10021 thread starter macrumors 68020

    patent10021

    Joined:
    Apr 23, 2004
    #11
    Yeah, I installed WordFence right after and paid for the Premium API key as well. Great investment. A few days later I got alerts identifying 2 IPs from France and Brazil trying to get in with the generic user name 'Admin'. Obviously they could be from anywhere but it's great to know how they were trying to get in as well.

    Any IPs using any admin name and 5 failed logins is auto banned plus other goodies and I haven't had an alert or problem since.

    How would you guys compare site5, bluehost and Rochen for security?
     
  12. JoelTheSuperior macrumors 6502

    JoelTheSuperior

    Joined:
    Feb 10, 2014
    Location:
    London, UK
    #12
    I'm not a huge fan of WordPress but in all honesty the software itself is rock solid. The issues usually come from third party plugins which aren't as well written.
     
  13. conkerbot macrumors member

    Joined:
    Nov 26, 2010
    #13
    If you can (not sure what GoDaddy's set up is, never used them), I would use Cloudflare for your site. Even the free option will give you better protection and performance, and for $20/month you get a web application firewall and a lot of other goodness. I use it on my personal site.
     
  14. BrianBaughn macrumors 601

    BrianBaughn

    Joined:
    Feb 13, 2011
    Location:
    Baltimore, Maryland
  15. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #15
    Use Duo Security for WP. You get Push two-factor, although you can use TOTP if you want, as well.
     
  16. arn macrumors god

    arn

    Staff Member

    Joined:
    Apr 9, 2001
    #16
    Usually it's an insecure plugin, not a bad password. You can also use an external web application firewall. They try to block questionable requests.

    We used sucuri for a bit https://sucuri.net/website-firewall/
     
  17. JayKay514 macrumors newbie

    Joined:
    Feb 28, 2014
    #17
    GoDaddy are notoriously insecure and don't provide much in the way of help. At most, they might point you towards a folder where something weird is happening, but nothing else. And when your site gets compromised, BAM, they block your domain until you contact them to get a temporary URL to debug things. Not really ideal.

    Kept up-to-date, a current WP install can be as secure as anything out there, but as others have said, it only takes one untested or older plugin to bring it all down. The old timthumb script, for instance, was one of the top vectors for hackers to knock over your site, and when they install their malware, it can be very hard to find and remove.

    Basically my advice is: Nuke the site from orbit, and move to a better planet. And leave any questionable / older plugins or themes behind.

    I've migrated a few friends' sites off GoDaddy and other generic LAMP hosts to WPEngine, which is a specialized hosting platform just for WordPress. It's more expensive than discount hosting, but it comes with a hack-proof guarantee, nightly restore points, optional staging server, and a CDN if you serve lots of images or other media. Even without the CDN, I've found it speeds up site delivery by a great deal.

    Unlike a generic LAMP platform it doesn't have things like a mail server or other exposed command-line apps, so it's less tempting as a target for people who want to turn your WP install into a spam factory. They also test 3rd-party plugins and maintain a whitelist, and also auto-upgrade your WP setup to the latest version. They use SFTP for file transfer, which is encrypted end-to-end, and you can use an SSL certificate to secure the login screens if you want more security.

    There are other hosted WP options like Page.ly and WordPress.com themselves (you can get a custom domain fairly easily).

    If you still want to go the generic hosting route, this WP Codex article is a must-read:

    http://codex.wordpress.org/Hardening_WordPress
     
  18. MacDawg macrumors P6

    MacDawg

    Joined:
    Mar 20, 2004
    Location:
    "Between the Hedges"
    #18
    I use the free version of WordFence on my sites and it has been helpful
    Unbeknownst to me, my main site was receiving numerous login attempts and Wordfence has identified them and banned them
    I used 1Password to change my password as a result and I feel a little better about it

    I don't have anything of any significance on my site, but it is still irritating

    I don't understand the bad guys
    If they are smart enough to hack, they are smart enough to earn a living legitimately, without creating havoc for the innocents
    The mentality is lost on me

    *I use Hostmonster
     
  19. seamer macrumors 6502

    seamer

    Joined:
    Jul 24, 2009
    #19
    Guys,

    It's not that your site is significant. It's that you're unpatched enough that simple exploits can get in, that makes you tasty targets for bots. If you go unpatched for a long time, your site is considered a zombie (unmaintained, nobody cares about it, the owner forgot about it or doesn't even know it's there (in cases of a personnel changeover in an office)). They won't vandalise you because it means they can come back later when the broken credentials allow root access to the server (privilege escalation). Sometimes you're found via a simple Google Dork because of your software version.

    Further, your app may be light in terms of traffic, but once your credentials are "verified" they get tagged in a large database as useful. So if your account name is matched to a non-related site, you know what password they will start working with? The one that already unlocked your app, because too many people re-use passwords. Your super mega ultra fancy password of 49 characters means pretty much nothing if you're using it all over the place.

    Disclaimer: Post is heavily generalized. Infosec isn't my main sphere, but I keep an eye on it.
     
  20. patent10021 thread starter macrumors 68020

    patent10021

    Joined:
    Apr 23, 2004
    #20
    This. It's not WP or Godaddy etc. It tends to happen if you leave plugins or WP not updated for a while since bots look for older versions with vulnerabilities and generic admin login names etc. Since I've kept everything up to date and use only 1 obscure login plus use WordFence for IP blacklisting I haven't had any issues.
     