Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 05-16-2013, 09:31 AM   #1
JohnnyB
Franchise Player
 
Join Date: Mar 2006
Location: Shanghai
Hacked Wordpress Installations

I just led a pants crapping festival when I was in the middle of building a new site this evening and found that it, along with every other Wordpress installation on my server including sites for several different businesses and vast numbers of hours of work, had suddenly been hacked and replaced with some page about the plight of some group on the far side of the world.

Now I've been able to get the pages restored quite quickly after getting support from my hosting service provider (apart from the new one that was this evening's work). They thought it was very possibly just the theme I had chosen for this site that allowed them all to be hacked.

All of my web building has been self-taught and while I consider myself competent I'm certainly not a real pro. This little adrenaline rush has caused me to wonder what kinds of precautions I should be taking with my sites and my hosting that I may not be aware of but which some of you pros out there could enlighten me of.

Cheers.
__________________

"If stupidity got us into this mess, then why can't it get us out?"
Old 05-16-2013, 09:59 AM   #2
maverickstruth
Backup Goalie
 
Join Date: Mar 2006
Location: Calgary

The most important thing is strong password selection. Most Wordpress hacks are brute force password attacks. Remember, a strong password is one that is long, not necessarily one with special characters and all that crap that people think makes them strong. This xkcd explains it really well: http://xkcd.com/936/

Now, aside from that, the other thing I do on my sites and my clients' sites is to install the limit login attempts plugin to give a further protection against brute force login attempts.

Also, get and use an automatic database backup plugin so you aren't relying on your host to have a backup.

Other things:

Create a second administrator account and delete the first one, so that you don't have a "user 1" in your database. And don't use 'admin' as the username.

Keep your plugins, themes and WP install up-to-date, even on sites that you maybe don't use or actively post on any more. Use only quality plugins and themes from authors with a good reputation and solid support (updates are a good indicator of this, as is a forum presence).

Those are the main things that come to mind, but if I think of more, I'll post again. Really the biggest thing is password security.
Old 05-16-2013, 04:21 PM   #3
Milt Schmidt
Crash and Bang Winger
 
Join Date: Dec 2011
Location: Calgary

What maverickstruth said.

I'd also suggest using a password manager to make it much easier to use unique/strong passwords everywhere. There's lots to choose from, keepass, keepassx, lastpass, 1password, etc.

Milt
Old 05-16-2013, 05:01 PM   #4
JohnnyB
Franchise Player
 
Join Date: Mar 2006
Location: Shanghai

Thanks very much. I'm going to spend the time today to go through and make sure every one of my sites fits with all your recommendations. It was a horrible feeling to see my sites being replaced with their awful message and I do not want to go through that again. I'm just glad I caught it as soon as it happened. All told it was probably sorted within about 45 minutes of being hacked, but it was a pretty uncomfortable first 15-20 before getting the restore process started.
__________________

"If stupidity got us into this mess, then why can't it get us out?"
Old 05-16-2013, 09:36 PM   #5
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

I recall hearing about this a month+ ago. If it's the same, the issue is in the Apache install that has an exploit being taken advantage of.

Will see if I can find the details, but internet is really bad right now.

Text: search for "apache" here: https://www.grc.com/sn/sn-398.txt

and you can find the video here: http://twit.tv/show/security-now/398

If you are not running apache, then obviously disregard!
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
Old 05-23-2013, 09:20 AM   #7
FanIn80
GOAT!
 
Join Date: Jun 2006

Quote:
Originally Posted by maverickstruth
The most important thing is strong password selection. Most Wordpress hacks are brute force password attacks. Remember, a strong password is one that is long, not necessarily one with special characters and all that crap that people think makes them strong. This xkcd explains it really well: http://xkcd.com/936/

Now, aside from that, the other thing I do on my sites and my clients' sites is to install the limit login attempts plugin to give a further protection against brute force login attempts.

Also, get and use an automatic database backup plugin so you aren't relying on your host to have a backup.

Other things:

Create a second administrator account and delete the first one, so that you don't have a "user 1" in your database. And don't use 'admin' as the username.

Keep your plugins, themes and WP install up-to-date, even on sites that you maybe don't use or actively post on any more. Use only quality plugins and themes from authors with a good reputation and solid support (updates are a good indicator of this, as is a forum presence).

The are the main things that come to mind, but if I think of more, I'll post again. Really the biggest thing is password security.
Just to touch on what maverickstruth said about long passwords, what I typically do is look around my office and build a password out of things I see. It might sound silly, but it helps with having to remember the passwords you don't use very often. In addition, "thereisaclipboardonmywall" is easy to type, easy to remember and a lot harder to brute force than "iginla12" is.
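The two posts above (maverickstruth's point that length matters more than special characters, and FanIn80's "thereisaclipboardonmywall" versus "iginla12" comparison) can be put in numbers. The following is an added example, not code from the thread: it infers which character classes a password draws on, computes the worst-case number of candidates an exhaustive search must try, and converts that to time at an assumed guess rate. The 10^9 guesses per second figure is an assumption chosen for illustration, not a number from the thread.

```python
"""Guess-count comparison for the example passwords in the thread.

Added example, not code from the forum posts. Estimates the brute-force
search space for a password from the character classes it uses and the
time to exhaust that space at an assumed guess rate.
"""
import math
import string

# Character classes an exhaustive search must cover; the classes are
# inferred from the characters actually present in the password.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def alphabet_size(password: str) -> int:
    """Size of the union of the classes the password draws on."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no characters from a known class")
    return size


def keyspace(password: str) -> int:
    """Worst-case number of candidates of the same length and classes."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace, the usual 'bits of strength' figure."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at the assumed rate
    (1e9 guesses/s is an assumed figure for illustration only)."""
    return keyspace(password) / guesses_per_second


def compare(a: str, b: str) -> float:
    """How many times larger the keyspace of b is than that of a."""
    return keyspace(b) / keyspace(a)


if __name__ == "__main__":
    for pw in ("iginla12", "thereisaclipboardonmywall"):
        years = seconds_to_exhaust(pw) / (86400 * 365)
        print(f"{pw!r:30} alphabet={alphabet_size(pw):3d} "
              f"bits={entropy_bits(pw):6.1f} exhaust@1e9/s={years:.3g} years")
```

The keyspace figure is the attacker's worst case for a blind character-by-character search. A phrase assembled from dictionary words is weaker against a wordlist attack that treats whole words as units, which is why the xkcd strip linked above counts words, not characters; the 25-character phrase still comes out many orders of magnitude ahead of an 8-character alphanumeric string either way.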
Old 05-26-2013, 09:45 PM   #8
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005

Quote:
Originally Posted by FanIn80
In addition, "thereisaclipboardonmywall" is easy to type, easy to remember and a lot harder to brute force than "iginla12" is.
No amount of complexity in terms of length or non-obviousness would be necessary if people would get serious about account lockouts on failed attempts. Three failed attempts and the account locks for 20 minutes, along with email notification of the failed attempts, is enough to essentially guarantee the safety of even a 4 character PIN. Tack on whatever equivalent of fail2ban you need for your particular app (eg. configured for 9 failed attempts and then your IP is banned from logging in until reset), and you are basically guaranteed nobody is brute forcing your password.

Boggles my mind that people/sites won't adopt this methodology.

Probably a moot point once two-factor authentication becomes more widespread, but still..
__________________
-Scott
Old 05-27-2013, 08:35 PM   #9
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005

Speaking of brute force, here's a great article on the perils of allowing crackers to get an offline copy of your password database (circumventing all suggestions posted here unfortunately).

An eye opening read on current techniques and computational power/efficiency

http://arstechnica.com/security/2013...our-passwords/
__________________
-Scott
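The post above makes the point that the lockouts and login limits discussed earlier only constrain online guessing: once an attacker holds a copy of the password table, the only thing slowing each guess is the cost of computing the hash. The following is an added example, not from the thread or the linked article, showing the defender's lever for that case: a salted, iterated key derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), with a small timing routine that shows how the iteration count scales the per-guess cost. The iteration counts are example values for the demonstration, not a recommendation.

```python
"""Per-guess cost as the control against offline password cracking.

Added example, not from the thread or the linked article.  Uses
PBKDF2-HMAC-SHA256 with a random per-user salt; iteration counts below
are illustrative values, not a tuned recommendation.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ALGO = "sha256"
Record = Tuple[bytes, int, bytes]   # (salt, iterations, digest)


def hash_password(password: str, iterations: int,
                  salt: Optional[bytes] = None) -> Record:
    """Derive a stored record; a fresh 16-byte salt is drawn unless given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: Record) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure PBKDF2 evaluations per second on this machine at the given
    iteration count: the rate an attacker with the table would be held to
    per core, before any hardware advantage on their side."""
    salt = b"constructed-fixed-salt"   # constant salt: timing only
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac(ALGO, f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


def cost_ratio(low_iterations: int, high_iterations: int) -> float:
    """How many times slower each offline guess becomes at the higher cost."""
    return guesses_per_second(low_iterations) / guesses_per_second(high_iterations)


if __name__ == "__main__":
    rec = hash_password("thereisaclipboardonmywall", 100_000)
    print("verify correct:", verify_password("thereisaclipboardonmywall", rec))
    print("verify wrong:  ", verify_password("iginla12", rec))
    for n in (1, 1_000, 100_000):
        print(f"{n:>7} iterations: {guesses_per_second(n):,.0f} guesses/s")
```

The salt defeats precomputed tables and forces one computation per guess per user; the iteration count multiplies what each of those computations costs, and it is stored with the record so it can be raised for new passwords without breaking old ones. The numbers printed are for the interpreter on one core, so a practitioner should read them as a lower bound on what dedicated cracking hardware achieves, not as the attacker's actual rate.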
Old 05-28-2013, 06:54 AM   #10
JohnnyB
Franchise Player
 
Join Date: Mar 2006
Location: Shanghai

Quote:
Originally Posted by sclitheroe
Speaking of brute force, here's a great article on the perils of allowing crackers to get an offline copy of your password database (circumventing all suggestions posted here unfortunately).

An eye opening read on current techniques and computational power/efficiency

http://arstechnica.com/security/2013...our-passwords/
Interesting article for sure.
I generally never use anything that is any reflection of real words in my passwords, but my password when my sites did get hacked was only 8 characters. I don't have any problem remembering random letters and numbers, so I just upped my new passwords to 25+ random letters and numbers. Based on that article, and the fact nobody should care in the least about my sites, I think I should be fairly secure now.

In truth though, I have the feeling that my sites were likely hacked in some other way, as they didn't all have the same password but were hacked at the same time. Also, it was only wordpress installations but none of my other sites.
__________________

"If stupidity got us into this mess, then why can't it get us out?"