Protecting yourself against Wordpress hackers

jhjh Member
edited April 2013 in General

I'm sure most of you know about the recent Wordpress hacks.

I found a few lists and collated .htaccess content. Hope it helps someone - just copy/paste into your .htaccess if you use Apache or otherwise adapt for Nginx etc.

No guarantees this'll help etc., but hopefully it'll reduce the chances.

http://www.sysadmin.co.uk/wp-block.txt


Comments

  • jarjar Provider

    Nice. Cloudflare also seems pretty confident in their ability to deflect a good percentage of it. I've given them the opportunity to impress me.

    "Note that Romania has laws agains all the illegal activities just like US, including copyright. Is not the Dracula's country or no man's land as you thought." - Random email from someone I don't know, about nothing I've done or said

  • Try this :
    http://www.ilmuserver.com/knowledgebase.php?article=4

    Well, it's in Indonesian, but the .htaccess is written clearly there.

    "I Always Happy ! The Secret Is, When Something Bad Happens, I Always Yell : Eeee... Macarena !!" :D

  • Do you mean hackers brute-forcing passwords and so on?
    Or do you mean via vulnerabilities?

    And TBH I am not informed about those hacks :S

  • MunMun Member

    They are attacking a single user name "admin", so remove admin in mysql after making a backup.

  • jhjh Member

    @Mun said: They are attacking a single user name "admin", so remove admin in mysql after making a backup.

    Not what I heard.

  • MunMun Member

    "There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords."

    as per: http://blog.cloudflare.com/

  • BenediktBenedikt Member
    edited April 2013

    Good way to protect it with NGINX (credits to whoever did this, I don't have the source anymore):

    ```nginx
    # Close the connection (444) on anything that is not a plain GET, HEAD or POST.
    if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Hide dotfiles, wp-config.php and the readme files that give away the WordPress version.
    # The dot must be escaped: an unescaped "." would match every path and block the whole site.
    location ~ /(\.|wp-config\.php|liesmich\.html|readme\.html) {
        return 444;
    }

    # Redirect old numeric permalinks (/123/) to the ?p= form.
    location ~ ^/(\d+)/$ {
        return 301 /?p=$1;
    }

    # Put HTTP basic auth in front of the login page before handing it to PHP-FPM.
    location = /wp-login.php {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
    }
    ```

  • Just block all access to wp-admin - problem solved.

  • jarjar Provider

    @MartinD said: Just block all access to wp-admin - problem solved.

    That's like not sailing in a storm. Where's your sense of adventure!?


  • jhjh Member

    @Mun said: "There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords."

    I saw a list of usernames/passwords earlier and they weren't all admin. Possibly multiple groups trying...

    @MartinD said: Just block all access to wp-admin - problem solved.

    There needs to be some access control - you can't just block it completely. If you don't have a static IP, it's a useful list.

  • http://bit51.com/software/better-wp-security/

    Suppose this is considered cheating or lazy.

    Catch me over at Primary DNS. If you want to chat I am done with this cesspool.

  • MunMun Member

    Has anyone put up a small WordPress install on a VPS with admin/pass as the setup and seen what they are changing?

  • marcmmarcm Member

    @jhadley - I have found it much more convenient to simply add an additional layer of protection using a .htpasswd file. Of course, we're using Nginx so we could call that file anything. I'd recommend the same for you since it's easier than keeping track and adding new IP addresses to that list.

  • Try this free service by IP2Location perhaps?
    http://www.ip2location.com/free/visitor-blocker

    I'm here to collect your heart

  • MunMun Member

    @DalComp said: Try this free service by IP2Location perhaps?

    http://www.ip2location.com/free/visitor-blocker

    Sadly it is a botnet, so they are located everywhere. Meaning there would still be some applicable terminals hitting it.

  • dnwkdnwk Member

    Is there a way in wordpress to only allow login using OpenID?

    Designers: www.linkun.info

  • @Mun said: Sadly it is a botnet, so they are located everywhere. Meaning there would still be some applicable terminals hitting it.

    Still a quite useful list of IPs, if you decide a certain country poses a greater risk.

  • SyedSyed Member

    I go the opposite route and whitelist instead.

    Much easier (at least for me, since I have a static IP, and so does the person I work with).

  • I've had good luck with the Wordfence Security plugin --

    http://wordpress.org/extend/plugins/wordfence/

    I have it temporarily block any IP that has multiple login failures. YMMV

  • +1 for wordfence

    Check my blog for more cool *nix tips & tricks!

  • gqservgqserv Member
    edited April 2013

    One way is to enable HTTP auth on admin.php through .htaccess or the nginx host file.

    We also set up this daily cron job that blocks spam IPs on our proxy gateway.

    http://bash.cyberciti.biz/web-server/nginx-shell-script-to-block-spamhaus-lasso-drop-spam-ip-address/

  • twaintwain Member

    @jhadley - would you think it would be beneficial to blacklist these IPs via iptables as well?

  • rds100rds100 Member
    edited April 2013

    @twain blacklisting thousands of IPs via iptables is a good way to make your server very slow.
    Better use `ip route add blackhole x.x.x.x`

    Or:


    ```shell
    # Blackhole every address listed one per line in badips.txt (needs root).
    for i in `cat badips.txt` ; do
        ip route add blackhole $i
    done
    ```

    -
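Putting the Wordfence-style failure counting from earlier in the thread together with rds100's blackhole routes, as an added example that is not code from the thread or from any plugin: it parses combined-format access log lines, flags IPs with five or more failed wp-login.php POSTs inside five minutes, and prints the route commands. The log lines, thresholds and the 198.51.100.7 / 203.0.113.9 addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format (Apache/nginx default); only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failed wp-login.php POSTs inside any `window` (log in time order)."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failed logins
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # WordPress re-renders the form with 200 on a failed login and redirects (302) on success.
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)

def blackhole_commands(ips):
    """One `ip route add blackhole` line per offender (run as root), the route trick from this thread."""
    return ["ip route add blackhole %s" % ip for ip in ips]

# Constructed sample lines, not real traffic: 198.51.100.7 fails five logins in 40s; 203.0.113.9 logs in once.
SAMPLE_LOG = ['198.51.100.7 - - [11/Apr/2013:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"' % s
              for s in range(0, 50, 10)] + [
    '203.0.113.9 - - [11/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "-"',
    '203.0.113.9 - - [11/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print("\n".join(blackhole_commands(find_bruteforcers(SAMPLE_LOG))))
```

Feed it a real access log with `find_bruteforcers(open("/var/log/nginx/access.log"))` and review the list before applying the routes, since a shared NAT address behind a few forgetful users looks the same as a bot.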

  • superpilesossuperpilesos Member
    edited April 2013

    Force HTTPS for wp-login.php. They don't attempt to brute-force HTTPS.

  • twaintwain Member

    @rds100 - OK cool, that does sound like a better way. You're missing some backticks on the for loop, no?

  • Wordfence works well; also I have blocked many IPs in the .htaccess

    Nothing for the moment

  • rds100rds100 Member
    edited April 2013

    @twain said: @rds100 - OK cool, that does sound like a better way. You're missing some backticks on the for loop, no?

    Yes, they went missing somehow, I'll edit it now.
    Hmm no, the backticks are there, but Vanilla is eating them. Even PRE doesn't help, it seems.
    Does anyone have an idea how to display the backticks?

    -

  • budingyunbudingyun Member
    edited April 2013

    I'm enabling these options (LF_DSHIELD, LF_SPAMHAUS, LF_SPAMHAUS_EXTENDED, LF_TOR, LF_BOGON) in CSF and SSH brute-force attempts are drastically reduced. :D
