Page 1 of 2 (results 1 to 25 of 29)
  1. #1
    SitePoint Guru
    Join Date
    Jan 2007
    Posts
    967
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    Wordpress Security

    Recently two sites I've built on Wordpress were hacked. Cleaning these sites is no picnic. There are numerous blog entries on securing WordPress, though they all say different things, which makes me think that there is no consensus/best practice on how to do this.

    Are there other platforms that are more secure?
    Do you have a successful formula for securing WordPress installs?

    I used to use a CMS that I built myself. It doesn't have all the bells and whistles that WordPress has, but it is easy to configure and does most of what I need it to do. I've set up over 200 sites with it, and it never got hacked. Security through obscurity...

  2. #2
    SitePoint Wizard
    Join Date
    Oct 2005
    Posts
    1,832
    Mentioned
    5 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by eruna View Post
    Recently two sites I've built on Wordpress were hacked.
    Welcome to the club.

    Quote Originally Posted by eruna View Post
    Cleaning these sites is no picnic.
    It takes a little time, but it isn't too bad. It's more a personal violation, almost like getting your home burglarized I would imagine.

    General tips for other hacking victims who may read this: Delete all files under your web root folder (for your main site and any addon sites because hackers like to hide backdoors to regain access if the main access point is found), restore them with copies you know are clean, and check the posts table for any iframes or javascript hackers may have embedded in posts. Check your users table to make sure no unauthorized users were added. Also, change all your passwords, especially your database passwords and if you want to go further your hosting control panel password as well.

    Quote Originally Posted by eruna View Post
    There are numerous blog entries on securing WordPress. Though they all say different things which makes me think that there is no consensus/best practice on how to do this.
    I can't speak about any so-called security plugins because I haven't used them, but I would think that if it were possible to make Wordpress more secure other than the vulnerabilities as the result of coding errors, that the Wordpress folks would have already incorporated them.

    Have you determined that the vulnerability was in Wordpress and not in another area? Were you using an outdated version of Wordpress? That is usually the case when someone gets hacked, as it was in my case.

    Quote Originally Posted by eruna View Post
    Are there other platforms that are more secure?
    Do you have a successful formula for securing WordPress installs?
    I had an outdated Joomla installation hacked that I was just using for evaluation purposes and forgot about. There is currently a security alert on Drupal. You can read Wordpress' recommendations if you haven't already.

    http://codex.wordpress.org/Hardening_WordPress

    Quote Originally Posted by eruna View Post
    I used to use a CMS that I built myself. It doesn't have all the bells and whistles that WordPress has, but it is easy to configure and does most of what I need it to do. I've set up over 200 sites with it, and it never got hacked. Security through obscurity...
    I have never had any of my own code hacked, either, but Wordpress is much more complicated than anything I have done. Open source is a double-edged sword. You get thousands of hours of work writing code provided for free, but hackers also have access to that code. And because open source scripts are used by a lot of people, if a vulnerability is found hackers are quick to take advantage of it because of the large scale damage they can do.

    Getting hacked is one of the risks of using open source and if the risk is too great it is best to write your own code.
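
    An added example (not from any poster in this thread) for the clean-up checks above: it scans exported post rows for the iframe/script fragments described and lists accounts the site owner does not recognise. The rows, the hidden-iframe sample and the known-login list are constructed placeholders.

```python
import re

# Constructed sample rows shaped like wp_posts and wp_users exports (not real site data).
SAMPLE_POSTS = [
    {"ID": 1, "post_title": "Hello world",
     "post_content": "<p>Welcome to the site.</p>"},
    {"ID": 2, "post_title": "About us",
     "post_content": '<p>About us.</p><iframe src="http://example.invalid/x" '
                     'width="1" height="1" style="display:none"></iframe>'},
    {"ID": 3, "post_title": "News",
     "post_content": '<p>News</p><script>eval(unescape("%64%6f%63"))</script>'},
]
SAMPLE_USERS = [
    {"ID": 1, "user_login": "editor", "user_email": "editor@example.invalid"},
    {"ID": 7, "user_login": "wp_support", "user_email": "nobody@example.invalid"},
]

# Heuristics for markup that rarely belongs in a normal post; hits are for
# manual review, not automatic deletion (a legitimate embed can match too).
INJECTION_PATTERNS = {
    "iframe": re.compile(r"<iframe\b[^>]*>", re.I),
    "script": re.compile(r"<script\b[^>]*>", re.I),
    "hidden-style": re.compile(
        r"""style\s*=\s*["'][^"']*(display\s*:\s*none|visibility\s*:\s*hidden)""", re.I),
    "obfuscation": re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I),
}


def find_injected_markup(posts):
    """Return (post ID, pattern name, snippet) for every suspicious fragment."""
    findings = []
    for post in posts:
        content = post["post_content"]
        for name, rx in INJECTION_PATTERNS.items():
            for m in rx.finditer(content):
                findings.append((post["ID"], name, content[m.start():m.start() + 60]))
    return findings


def find_unexpected_users(users, known_logins):
    """Accounts whose login is not on the list the site owner recognises."""
    return [u for u in users if u["user_login"] not in known_logins]


if __name__ == "__main__":
    for post_id, name, snippet in find_injected_markup(SAMPLE_POSTS):
        print(f"post {post_id}: {name}: {snippet!r}")
    for user in find_unexpected_users(SAMPLE_USERS, {"editor"}):
        print(f"unknown user {user['ID']}: {user['user_login']} <{user['user_email']}>")
```

    On a real site the rows would come from a database export of wp_posts and wp_users, and every hit still needs a human to decide whether it belongs there.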

  3. #3
    phpLD Fanatic bronze trophy dvduval's Avatar
    Join Date
    Mar 2002
    Location
    Silicon Valley
    Posts
    3,626
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Do a little search of Sitepoint for "wordpress" and "hacked" and it is pretty obvious the track record is not good. I don't use wordpress unless the customer insists, and if I do they absolutely must be on a payment plan that involves paying me to keep their blog updated.

  4. #4
    SitePoint Wizard bronze trophy
    Join Date
    Oct 2001
    Location
    Vancouver BC Canada
    Posts
    2,030
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    Yes, Wordpress does have a poor record on security and, to make matters worse, there are many WP sites that have gone un-patched, which leaves them and any other site on their server vulnerable to attack.

    Last week I saw the aftermath first hand of one such hack where the hackers got into a shared hosting account via an un-updated WP site and then hacked other sites on the server. One site that was hacked was a Drupal site under my care, but the fix was simple. After the server was secured I replaced the file system, leaving my themes and website 'sites' directories alone. We scanned the 'sites' directory and removed the one file the hackers dropped in, sent Google a request to rescan it and we were back up and running. I had a monster headache at the end of the day but we came through relatively unscathed. I don't know the status of the WP site.

    So far, that's the only Drupal site I've had hacked in six years and in this case it was the result of being on shared hosting with a vulnerable site and not the fault of Drupal itself.

    Any CMS will be vulnerable, the way to guard against it is to find a CMS with an active security team and do security updates as soon as they come in. I receive emails from every site I manage when updates are available.

    Andrew
    Andrew Wasson | www.lunadesign.org
    Principal / Internet Development
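
    An added example, not the poster's own tooling, of the "replace the file system and scan for dropped files" step described above: it hashes a known-clean copy of the release and the live web root, then reports files that were added, modified or removed. Both directory trees are constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_trees(clean_root, live_root):
    """Compare a live web root against a known-clean copy of the same release.

    'added' files were dropped in, 'modified' files had their contents changed,
    'missing' files were removed. Anything listed needs a look before the site
    goes back online; data directories (uploads, caches) are expected to differ.
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
        "missing": sorted(set(clean) - set(live)),
    }


def _write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Constructed trees: a clean copy, and a live copy with one edited and one dropped file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "index.php", "<?php require 'core/bootstrap.php';\n")
            _write(root, "sites/default/settings.php", "<?php $databases = [];\n")
        # The live copy differs from the clean one in exactly two places.
        _write(live, "sites/default/settings.php",
               "<?php $databases = [];\n// appended by someone else\n")
        _write(live, "sites/default/files/.cache.php", "<?php /* not part of the release */\n")
        return diff_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```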

  5. #5
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,809
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    The WordPress plugin from http://bit51.com/software/better-wp-security/ allows you to apply a large range of security measures to your Wordpress site and also logs when anything happens that might be considered to be an attempt to breach security.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  6. #6
    SitePoint Guru
    Join Date
    Jan 2007
    Posts
    967
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Both hacked sites were completely up to date. One was also on a server with Magento. It could have come from there.
    One of the sites had a handful of plugins which could be responsible for the vulnerability. I'm experimenting by turning off all the plugins and adding them back in one by one, a week apart. This is not a very graceful solution because the plugins perform important functions on the site.
    Are there any CMS systems that are more secure than Wordpress with a similar weight?

  7. #7
    SitePoint Wizard bronze trophy
    Join Date
    Oct 2001
    Location
    Vancouver BC Canada
    Posts
    2,030
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    What sort of hack occurred? Was it a mainpage rewrite hack, malware hack or something else?

    Is it possible that the server was hacked rather than the WordPress site being hacked?
    Andrew Wasson | www.lunadesign.org
    Principal / Internet Development

  8. #8
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,809
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    This is certainly starting to sound like it is more likely a server hack rather than WordPress. With the better_wp_security plugin installed WordPress is as secure as anything you are likely to find.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  9. #9
    Community Advisor ULTiMATE's Avatar
    Join Date
    Aug 2003
    Location
    Bristol, United Kingdom
    Posts
    2,160
    Mentioned
    46 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by eruna View Post
    Are there other platforms that are more secure?
    There are numerous platforms that are more secure than WordPress. WP has a poor track record for security issues, and although that is to be expected due to its popularity with entry-level developers a number of these bugs tend to be from poor security practices in the code and issues with PHP.

    If it's a genuine problem for you I would move to a real CMS, something like Concrete5 or Drupal if you are limited to PHP. Otherwise, there are a number of good Ruby and Python solutions, as well as .NET solutions in Umbraco.

  10. #10
    Grüße aus'm Pott gold trophysilver trophybronze trophy
    Pullo's Avatar
    Join Date
    Jun 2007
    Location
    Germany
    Posts
    5,938
    Mentioned
    214 Post(s)
    Tagged
    12 Thread(s)
    Off Topic:

    Quote Originally Posted by ULTiMATE View Post
    Otherwise, there are a number of good Ruby and Python solutions, as well as .NET solutions in Umbraco.
    Do you have any experience with anything written in Ruby? Is there a Ruby-based CMS you could recommend?

  11. #11
    Community Advisor ULTiMATE's Avatar
    Join Date
    Aug 2003
    Location
    Bristol, United Kingdom
    Posts
    2,160
    Mentioned
    46 Post(s)
    Tagged
    0 Thread(s)
    Off Topic:


    Quote Originally Posted by Pullo View Post
    Do you have any experience with anything written in Ruby? Is there a Ruby-based CMS you could recommend?
    I'm not a huge fan of the Rails community, so any work I've done with Rails has been done with a solemn look on my face. It's a nice language, but it's not as polished as Python and nowhere near as usable as PHP.

    If I were to recommend a Ruby CMS it would have to be Refinery CMS. It's a decent CMS and if you're using Ruby it's the best choice you've got. Despite all its feather-flashing, the Ruby community is yet to develop a killer script, or even a renowned forum or blog script, let alone a top-of-the-class CMS.

    If platform and language weren't a problem I'd always back .NET over any other language. Python, and Django in particular, has some fantastic scripts, but its enterprise offerings and Umbraco in the open-source world make .NET just far more proven to handle websites and be good to develop on.

  12. #12
    Grüße aus'm Pott gold trophysilver trophybronze trophy
    Pullo's Avatar
    Join Date
    Jun 2007
    Location
    Germany
    Posts
    5,938
    Mentioned
    214 Post(s)
    Tagged
    12 Thread(s)
    Off Topic:

    Thanks ULTiMATE. I'll have a look at Refinery. I found a good write-up of it on Ruby Source.

  13. #13
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar
    Join Date
    Jun 2003
    Location
    ether
    Posts
    4,497
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Off Topic:


    Quote Originally Posted by ULTiMATE View Post
    I'm not a huge fan of the Rails community, so any work I've done with Rails has been done with a solemn look on my face. It's a nice language, but it's not as polished as Python and nowhere near as usable as PHP.
    Rails != Ruby & Ruby is a language, Rails isn't.
    Our lives teach us who we are.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Me - Photo Blog - Personal Blog - Dev Blog
    iG:Syntax Hiliter -- Colourize your code in WordPress!!

  14. #14
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar
    Join Date
    Jun 2003
    Location
    ether
    Posts
    4,497
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    In my experience, a WordPress site gets hacked on the application level because either it's an older version (with a public security flaw that has been fixed in a newer version) or because of a flaw in a plugin or theme. Since plugins and themes are just PHP scripts & can do pretty much what they want, I can't say the security flaws are WordPress' fault. If it was so bad at security, it wouldn't be running on a platform like wordpress.com, now would it?

    Now how you can avoid the nastiness of getting hacked, here's what I advise:

    1. If you haven't already, go through http://codex.wordpress.org/Hardening_WordPress
    2. Keep your WordPress install updated.
    3. Install plugins only from the official plugin repo on wordpress.org. If you have to source your plugins from elsewhere, don't take them on faith, you don't know what's in the code unless you go through it. Bad programmers can be anywhere, even on some sites which sell "premium" plugins. I've seen some yucky code even on plugins being sold for $30+.
    4. #3 is valid for themes as well, unless you make your own. I've actually seen some shady sites offering downloads of some popular free themes. What I found out was that those themes had been altered and adware/malware added to them.


    Follow these and you should be ok.
    Our lives teach us who we are.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Me - Photo Blog - Personal Blog - Dev Blog
    iG:Syntax Hiliter -- Colourize your code in WordPress!!

  15. #15
    SitePoint Wizard bronze trophy
    Join Date
    Oct 2001
    Location
    Vancouver BC Canada
    Posts
    2,030
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    Yeah, I think the problem with WP security is that with the low barrier to entry, WP has produced a lot of "chop-shop" developers who couldn't care less about what happens after the site leaves their shop and the result is a massive number of sites that just don't get maintained or updated. The owners figure the site is good to go and don't know anything about the needs to maintain them.

    Edit: That said, I'm pretty sure the OP's server was hacked and this instance was probably not because of a WP vulnerability. I have heard some mention of a WP/jQuery injection issue but only rumor and no specifics I could substantiate. Just a frustrated web host complaining about it.
    Andrew Wasson | www.lunadesign.org
    Principal / Internet Development

  16. #16
    Community Advisor ULTiMATE's Avatar
    Join Date
    Aug 2003
    Location
    Bristol, United Kingdom
    Posts
    2,160
    Mentioned
    46 Post(s)
    Tagged
    0 Thread(s)
    Off Topic:


    Quote Originally Posted by asp_funda View Post
    Rails != Ruby & Ruby is a language, Rails isn't.
    Words cannot describe my shame.

  17. #17
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar
    Join Date
    Jun 2003
    Location
    ether
    Posts
    4,497
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Off Topic:


    Quote Originally Posted by ULTiMATE View Post
    Words cannot describe my shame.
    lol
    Our lives teach us who we are.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Me - Photo Blog - Personal Blog - Dev Blog
    iG:Syntax Hiliter -- Colourize your code in WordPress!!

  18. #18
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar
    Join Date
    Jun 2003
    Location
    ether
    Posts
    4,497
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by awasson View Post
    Yeah, I think the problem with WP security is that with the low barrier to entry, WP has produced a lot of "chop-shop" developers who couldn't care less about what happens after the site leaves their shop and the result is a massive number of sites that just don't get maintained or updated. The owners figure the site is good to go and don't know anything about the needs to maintain them.
    I don't see how that is a problem with WordPress' security. That is a problem with the security of the site which employed such developer(s) & such a security problem can happen whether WordPress is being used or not.

    WordPress' ease of use can't be held against it as its security flaw.
    Our lives teach us who we are.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Me - Photo Blog - Personal Blog - Dev Blog
    iG:Syntax Hiliter -- Colourize your code in WordPress!!

  19. #19
    SitePoint Wizard bronze trophy
    Join Date
    Oct 2001
    Location
    Vancouver BC Canada
    Posts
    2,030
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by asp_funda View Post
    I don't see how is that a problem with WordPress' security? That is a problem with the site's security which employed such developer(s) & such a security problem can happen whether WordPress is being used or not.

    WordPress' ease of use can't be held against it as its security flaw.
    Well, it's not just that the sites aren't being patched, it's that historically WP has had more vulnerabilities AND many vulnerable sites aren't being patched.

    You might not see that as being fair but hackers don't care about the why, they just use the vulnerability and go about their business.
    Andrew Wasson | www.lunadesign.org
    Principal / Internet Development

  20. #20
    SitePoint Member
    Join Date
    Mar 2007
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    40+ WordPress Security Plugins – Keep Your Property Secure, <snip/>
    Last edited by Mittineague; Apr 17, 2013 at 12:36. Reason: please read the FAQ

  21. #21
    SitePoint Wizard bronze trophy
    Join Date
    Oct 2001
    Location
    Vancouver BC Canada
    Posts
    2,030
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lyw0301 View Post
    40+ WordPress Security Plugins – Keep Your Property Secure, <snip/>
    If the core is secure, all you should have to do is keep it updated. The question is why should you have to install one or more of 40+ plugins to keep your site secure?
    Last edited by Mittineague; Apr 17, 2013 at 12:37. Reason: fixing quote
    Andrew Wasson | www.lunadesign.org
    Principal / Internet Development

  22. #22
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,147
    Mentioned
    16 Post(s)
    Tagged
    3 Thread(s)
    Quote Originally Posted by asp_funda
    I don't see how is that a problem with WordPress' security? That is a problem with the site's security which employed such developer(s) & such a security problem can happen whether WordPress is being used or not.
    When people build WP sites they don't expect nor intend to spend 100s of hours fixing core vulnerabilities. Not to mention the vulnerabilities of the slew of plugins in existence that someone might recommend as a "quick solution" to what would otherwise be a very complex and time-involved problem to solve. I don't really deal with nor support WP myself but this tends to be the mentality I see. Not to mention the majority of the audience for WP is web designers that are in over their head and vigilant bloggers. Also, naturally as the number of plugins increases the security of a site decreases unless each time the code is audited for security. It is no secret that WP itself mostly attracts amateur programmers or, worse, designers who know enough to be dangerous.

    So when using the system and various plugins that are not especially well known, security vulnerabilities and amateur mistakes/oversights are something you kind of have to come to peace with. For a small business or whatever it really isn't all that much of a deal if a site gets hacked, or I probably should say the pricing benefit outweighs any potential of a vulnerability being exposed. That can really be said for most open source CMS systems. Though the cost of using an open source CMS pales in comparison to custom development. When you compare the cost of using an open source CMS that could have potential security vulnerabilities to custom software development, the risk of a vulnerability being exposed is accepted over the high cost of custom development.

    There is a reason why WP sites are pretty cheap to build: they are easy to get up and running quickly. Though that in no way means they are secure or that the person building them would even know the first steps to take to do so. Realistically though, the WP core is probably more secure than most custom sites out there considering it has been through years of refinement. The problematic areas are really when it comes to external code being added to the site of an unknown origin that probably has not been audited. The great thing about an open source community is that EVERYONE can contribute code, and the bad thing about an open source community is that EVERYONE can contribute code. With so many people contributing plugins and whatnot on a popular platform like WP, or any other for that matter, it is not nearly possible to audit them all. That is really where the majority of security and performance problems lie, not in the core platform itself. That goes for WP and any other open source, community driven system out there, whether it be Joomla, Drupal, etc.

    I will say that probably in 99% of cases, unless you are dealing with a very experienced software company with a huge budget, a popular open source system CORE platform is more secure than most other things out there. The more popular something is, naturally the more refinement and testing it has probably been through, resulting in many of the initial vulnerabilities being worked out over time. Though that doesn't stop an open source contributor from making one or two stupid moves in a module or plugin, contributing the code and bringing down countless sites that might use the code.
    The only code I hate more than my own is everyone else's.

  23. #23
    SitePoint Enthusiast
    Join Date
    Dec 2009
    Posts
    48
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    A few things to remove the virus:

    update the WordPress theme

    your hosting may have a backup, so call them and ask them to restore the backup from before 8 days ago

    .htaccess has to be protected. Add code to .htaccess so no one can hack or spam your website

    block the admin panel of your website using robots.txt, as well as use a very difficult password for your admin
    Affordable and professional WordPress Developer

    and expert Joomla Developer Hire now for your next website

  24. #24
    Non-Member
    Join Date
    May 2013
    Posts
    1
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    For security, follow these:

    *removing the admin username
    *update your wp-config.php keys
    *manually install Wordpress
    *use a better password
    Last edited by ScallioXTX; Jun 3, 2013 at 01:09. Reason: No advertising please

  25. #25
    SitePoint Member
    Join Date
    Jun 2013
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I'm using the Better WP Security plugin with all of my WordPress installations. It allows me to ban all those IPs which are trying to log in. And I find that there are hundreds and thousands of attempts to log in to WordPress. After installing this plugin I can now block these IPs automatically and can get automatic DB backups to my email.
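
    An added example (not part of the plugin or of anyone's post) of what the "ban IPs trying to log in" check amounts to when done by hand over a web server access log: count failed wp-login.php POSTs per client IP inside a sliding time window and flag the ones over a threshold. The log lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from a real server). 203.0.113.9
# hammers the login form; 198.51.100.4 fails twice, far apart, then succeeds.
SAMPLE_LOG = """\
203.0.113.9 - - [17/Apr/2013:12:30:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [17/Apr/2013:12:30:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [17/Apr/2013:12:30:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [17/Apr/2013:12:30:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [17/Apr/2013:12:30:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [17/Apr/2013:12:30:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.4 - - [17/Apr/2013:12:35:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2900
198.51.100.4 - - [17/Apr/2013:12:35:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.4 - - [17/Apr/2013:12:50:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.4 - - [17/Apr/2013:12:51:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def failed_logins(lines):
    """Group timestamps of failed login attempts by client IP.

    A failed wp-login.php POST re-renders the form with HTTP 200; a successful
    one redirects (302), so only 200 responses to POSTs are counted.
    """
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return attempts


def flag_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (ip, peak) for IPs with at least `threshold` failures inside any `window`."""
    flagged = []
    for ip, times in failed_logins(lines).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged.append((ip, peak))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, peak in flag_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {peak} failed logins within 5 minutes, candidate for blocking")
```

    Behind a reverse proxy or CDN the client address is in a forwarded header rather than the first field, so the regex would need adjusting before the counts mean anything.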

