Wordpress security, please help.

[ColdAsIce]

I designed a wordpress site for a high school and although I have left working on it, the person that has taken over has come to me for advice from time to time. This website was my first and it ran for over a year with no problems.

However, recently my collegue discovered that strange meta tags being displayed when searching for the site on bing and now some pages are being blocked by the work security websense. Going into the ftp and viewing the pages we have discovered this code is being run.

<snip>
This is in lots of the pages hidden. My collegue has deleted this code from most of the pages yesterday but has found that it has returned this morning. I also installed Better WP Security and OSE Firewall last week after the problems started. I set up the E-Mail alerts. Only last night between 22:30 last night and 09:00 this morning I have received 915 firewall alerts.

Example of the E-Mail below:

nveralm@mars.servers.rbl-mer.misp.co.uk
08:30 (47 minutes ago)

to me
LOGTIME:

FROM IP: http://whois.domaintools.com/188.65.116.66
URI:
METHOD: GET
USERAGENT:
REFERRER: N/A

I have no idea if this is normal or something to be worried about. Really not sure where to go from here? Any advice/help would be greatly appreciated.

[TechnoBear]

Hi ColdAsIce and welcome to the forums.

I don't use WP, so I can't help directly with that. However, we had a recent thread on a similar theme which might help: http://www.sitepoint.com/forums/show...-s-Been-Hacked!

If you haven't already done so, then change all the passwords for the site and make sure you use strong passwords.

[CoastWeb]

I designed a wordpress site for a high school and although I have left working on it, the person that has taken over has come to me for advice from time to time. This website was my first and it ran for over a year with no problems..

What version of wp is it running? Has it been updated to the latest version? If any plugins/mods are used, have they also been updated?

Hacks often occur because people are running older versions with known vulnerabilities that are exploited by hackers or automated bots.

[dklynn]

Two things:

1. What CoastWeb said (keep WP updated ... IMMEDIATELY ... OR suffer the consequences).

2. Be sure to use VERY STRONG passwords for your ADMIN account (WP admin). Now that you've been hacked, be sure that you don't have other accounts with admin permissions. Finally, WHY use admin as the admin's directory name? Security by obfuscation is hardly any security at all but you don't need to make things easier for hackers, either.

Regards,

DK

[cheesedude]

When hackers get into an account, they often place backdoors in various places so that they can get back in if the original exploit is discovered. There are a number of ways this hosting account could have been compromised. It could occur at the host level, a vulnerability in some software the host is running, the result of the account holder using an insecure password, or an insecure, outdated version of Wordpress or some other type of script running on the account.

When your account gets hacked, about the only thing you can do is start fresh. Delete all the old files and reinstall with backups you know are clean. Every webmaster should keep his or her own backups. With a database-driven site like Wordpress, you also have to worry about iframes and javascript being embedded into posts by the hacker. You will have to check for that, too, especially in this case where the hacker is embedding HTML into output.

[2ndmouse]

Ditto all of the above. You might also try Wordfence Security. Specially designed for Wordpress sites.

You can download it here, or search for the plugin in the WP control panel.

[stevpetersonn]

wordpress is opensource and easy for hackers to hack u should check tip here wp security techniques.

[ideamine]

Hide your wordpress version (Delete the readme.html too)
Prevent wordpress directory browsing
Check the permissions

Wordfence and Exploit Scanner plugins will be helpful.

[TechnoBear]

As the OP has not returned in over two months, I think we can safely close this thread.

Thanks to all who took the trouble to respond.