Comments on: Protect WordPress from Hackers – Secure that Beeotch!

By: Peter

Peter — Tue, 03 Aug 2010 18:25:03 +0000

I just came across this now, I installed a plugin called BulletProof security for wordpress. It seems to have halted some attacks as have been a victim from these freaks lately…
Really sucks

By: b-projects

b-projects — Mon, 28 Dec 2009 01:54:02 +0000

i secured my site via captchas. i had problems with the spam bots but i won that race :-)

By: Ruben Abramov

Ruben Abramov — Thu, 17 Dec 2009 20:07:51 +0000

switching to wordpress , i thought i was secure , now i haveto secure all my wordpress sites =/

By: Tradakk

Tradakk — Sun, 06 Dec 2009 20:11:41 +0000

I’m seconding that first advice piece about your password. Seriously, your phone number as a password? Your last name? Pathetic. I got hammered by a ton of emails from eBay the other day because someone hacked my pathetic password that I’d never bothered to change (for the record, it was ‘gooood.’ Yeah, I know. It’s lame.)
Now, though? My password’s 32 characters long, with four letters and one symbol. Take that, hackers!

By: John P.

John P. — Sun, 06 Dec 2009 18:47:46 +0000

Thanks Herbert, I installed that plugin. I’ll add it to this page later after I’ve tested it out a little bit!

John P.

By: Herbert-Jan van Dinther

Herbert-Jan van Dinther — Sat, 05 Dec 2009 10:43:32 +0000

Hi John, I suggest you install this WordPress file monitor plugin http://wordpress.org/extend/plugins/wordpress-file-monitor/ and check and/or change your WordPress Table prefix to something else then the default wp_ if you havent done that already.

By: Michael VanDeMar

Michael VanDeMar — Fri, 04 Dec 2009 14:51:15 +0000

John, do you know how to run queries against the database? If so, I would try these two:

SELECT * FROM wp_usermeta where meta_value like ‘%administrator%’;
SELECT * FROM wp_usermeta where meta_value like ‘%script%’;

If you changed the default table prefix when you installed WordPress (usually done if you want to install more than one WordPress into the same database), then you will need to change wp_usermeta to whatever that is. The first query will show you how many accounts there are with administrator privileges… you can see what the usernames are for each account by matching up the user_id fields with the ID field in the wp-users table. The second query will show you if any of the display names for your users contain suspicious code, from having a tag embedded in them.

Also, look inside WP’s index.php. See if any extra code has been added to it (download a fresh copy and compare the two).

If you don’t find anything with either of those, then the next place I would look would be for files that were dropped on the server as backdoors. Unfortunately, those can be very hard to track down.

By: John P.

John P. — Fri, 04 Dec 2009 07:54:54 +0000

Thanks Michael! I just did the auto-upgrade function and yes, I’ve been dealing with this for weeks. I keep finding the code and deleting it, and I can’t figure out how they are getting into the site considering everything else I’ve done.

I did go into the Google Webmaster Tools and already request that they not de-index me, though if it reoccurs and I don’t catch it quickly enough when they check again they’ll likely do it. So I’m pretty nervous about it.

This kind of thing really sucks for someone in my position. I’m just good enough to hack some PHP and operate the blog on a day to day basis, but not good enough to deal with emergency situations like database backups and restores, etc.

GRRR!!!

John

By: Michael VanDeMar

Michael VanDeMar — Fri, 04 Dec 2009 03:57:41 +0000

John, when you upgraded, did you do complete wipe and resintalls? Or did you just upgrade the files? It’s possible that the hackers got in while you had an earlier version installed (afaik everything up to and including WP 2.8.4 was vulnerable), and it just went undetected (might not even have been exploited) until recently. If this is the case then just upgrading won’t help. I wrote up a piece a while ago on how to completely clean your WP install:

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

but even if you do that, with some exploits you need to be careful because they might have left a back door in the database itself.

Sorry you got hacked, I know it sucks. Been through it a few times. One thing I would suggest for after it’s cleaned… you can probably cut the ban time from Google (or possibly head it off altogether, since you are still fully indexed as of right now) by doing a reinclusion request through the Google Webmaster Tools utility. You would have to sign up and register your site if you haven’t already, but it’s relatively painless to do.

Good luck. :)

By: Eve

Eve — Fri, 04 Dec 2009 02:35:01 +0000

Great article, I am off to install the plugins and check my files! Thanks.

By: John P.

John P. — Thu, 03 Dec 2009 23:19:06 +0000

I don’t know how they did it. The DEFCON keeps the server itself hardened, but if you have a weakness in the WordPress stuff they can’t protect against that. This is why doing all of these things is very important.

I suspected it was a problem with the permissions I had on a couple of directories at first. I used WP Security Scan to correct those. Then it happened again! So I just changed my passwords for WordPress and even for my FTP.

I’ll be keeping a very close eye on it for a while, and probably also get Jad (our Woopra server magician) to take a look at it too. If I determine what is going on I’ll update everyone so that you can take preventative measures.

John P.

By: Robert Geczi

Robert Geczi — Thu, 03 Dec 2009 23:18:07 +0000

If the Pentagon can’t keep hackers and troublemakers off of their servers and setups, how can we? I remember hearing breaches at various places such as the Pentagon, and so on.

Not good at all.

By: John P.

John P. — Thu, 03 Dec 2009 23:15:50 +0000

I know! It’s reee-diculous. :-) Oh, and it says “AT LEAST” 30 days!

John P.

By: Sleenie

Sleenie — Thu, 03 Dec 2009 22:59:43 +0000

I had major problems during November and lost 10 WordPress sites. Yes, I keep them updated but they managed to get into my databases and eventually infected all my accounts on one server. it was a nightmare. I had backups but it seems that the infection was there for at least a month as all of my backups were infected also. Had to nuke my account and rebuild! Thanks for the tips. i will definitely add them to my arsenal.

By: Lisa Marie Mary

Lisa Marie Mary — Thu, 03 Dec 2009 22:21:28 +0000

Thirty days??? Because of some bastard spammer?? Damn!!! That royally sucks….

Now I gotta go back and read the rest of the post – that part right there just RILED me UP!!!

By: Zig Baird

Zig Baird — Thu, 03 Dec 2009 21:02:53 +0000

John – how the heck did they get past your DEFCON 1 security? Keep me in the loop if you find out. I’d like to know what to fix.