SitePoint Sponsor

User Tag List

Results 1 to 9 of 9
  1. #1
    SitePoint Member
    Join Date
    Oct 2012
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Wordpress security, please help.

    I designed a wordpress site for a high school and although I have left working on it, the person that has taken over has come to me for advice from time to time. This website was my first and it ran for over a year with no problems.

    However, recently my collegue discovered that strange meta tags being displayed when searching for the site on bing and now some pages are being blocked by the work security websense. Going into the ftp and viewing the pages we have discovered this code is being run.

    <snip>
    This is in lots of the pages hidden. My collegue has deleted this code from most of the pages yesterday but has found that it has returned this morning. I also installed Better WP Security and OSE Firewall last week after the problems started. I set up the E-Mail alerts. Only last night between 22:30 last night and 09:00 this morning I have received 915 firewall alerts.

    Example of the E-Mail below:

    nveralm@mars.servers.rbl-mer.misp.co.uk
    08:30 (47 minutes ago)

    to me
    LOGTIME:

    FROM IP: http://whois.domaintools.com/188.65.116.66
    URI:
    METHOD: GET
    USERAGENT:
    REFERRER: N/A


    I have no idea if this is normal or something to be worried about. Really not sure where to go from here? Any advice/help would be greatly appreciated.
    Last edited by TechnoBear; Nov 24, 2012 at 04:45. Reason: Malicious code deleted

  2. #2
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    5,344
    Mentioned
    214 Post(s)
    Tagged
    5 Thread(s)
    Hi ColdAsIce and welcome to the forums.

    I don't use WP, so I can't help directly with that. However, we had a recent thread on a similar theme which might help: http://www.sitepoint.com/forums/show...-s-Been-Hacked!

    If you haven't already done so, then change all the passwords for the site and make sure you use strong passwords.
    Don't be arrogant. Be kind to a koala that thinks it's a bear.

  3. #3
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    37
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ColdAsIce View Post
    I designed a wordpress site for a high school and although I have left working on it, the person that has taken over has come to me for advice from time to time. This website was my first and it ran for over a year with no problems..
    What version of wp is it running? Has it been updated to the latest version? If any plugins/mods are used, have they also been updated?

    Hacks often occur because people are running older versions with known vulnerabilities that are exploited by hackers or automated bots.
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.

  4. #4
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,605
    Mentioned
    19 Post(s)
    Tagged
    2 Thread(s)
    Two things:

    1. What CoastWeb said (keep WP updated ... IMMEDIATELY ... OR suffer the consequences).

    2. Be sure to use VERY STRONG passwords for your ADMIN account (WP admin). Now that you've been hacked, be sure that you don't have other accounts with admin permissions. Finally, WHY use admin as the admin's directory name? Security by obfuscation is hardly any security at all but you don't need to make things easier for hackers, either.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  5. #5
    SitePoint Wizard
    Join Date
    Oct 2005
    Posts
    1,771
    Mentioned
    5 Post(s)
    Tagged
    1 Thread(s)
    When hackers get into an account, they often place backdoors in various places so that they can get back in if the original exploit is discovered. There are a number of ways this hosting account could have been compromised. It could occur at the host level, a vulnerability in some software the host is running, the result of the account holder using an insecure password, or an insecure, outdated version of Wordpress or some other type of script running on the account.

    When your account gets hacked, about the only thing you can do is start fresh. Delete all the old files and reinstall with backups you know are clean. Every webmaster should keep his or her own backups. With a database-driven site like Wordpress, you also have to worry about iframes and javascript being embedded into posts by the hacker. You will have to check for that, too, especially in this case where the hacker is embedding HTML into output.

  6. #6
    SitePoint Zealot 2ndmouse's Avatar
    Join Date
    Jan 2007
    Location
    West London
    Posts
    196
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ditto all of the above. You might also try Wordfence Security. Specially designed for Wordpress sites.

    You can download it here, or search for the plugin in the WP control panel.
    Detect file changes remotely. SimpleSiteAudit is an early
    warning anti-hacker system which sends an alert on detection.

    PHP Find Orphan Files - Finds all the unreferenced files on your site.

  7. #7
    SitePoint Member
    Join Date
    Dec 2012
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    wordpress is opensource and easy for hackers to hack u should check tip here wp security techniques.

  8. #8
    SitePoint Enthusiast ideamine's Avatar
    Join Date
    Feb 2012
    Location
    Queen of Arabian Sea
    Posts
    27
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hide your wordpress version (Delete the readme.html too)
    Prevent wordpress directory browsing
    Check the permissions

    Wordfence and Exploit Scanner plugins will be helpful.

  9. #9
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    5,344
    Mentioned
    214 Post(s)
    Tagged
    5 Thread(s)
    As the OP has not returned in over two months, I think we can safely close this thread.

    Thanks to all who took the trouble to respond.
    Don't be arrogant. Be kind to a koala that thinks it's a bear.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •