Protecting yourself against Wordpress hackers - Page 2


Comments

  • rds100 Member
    edited April 2013

    @budingyun I don't know what LF_BOGON is but if it is what I think it is - you can safely remove it. It's 2013, there is almost no bogon (i.e. unallocated) ipv4 address space left.

  • @rds100 said: I don't know what LF_BOGON is but if it is what I think it is - you can safely remove it. It's 2013, there is almost no bogon (i.e. unallocated) ipv4 address space left.

    Thank you for the tips. :D

  • marcm Member

    @jhadley -> Protecting yourself against Wordpress hackers -> Just use Drupal instead.

  • Kris Member

    @dnwk said: Is there a way in wordpress to only allow login using OpenID?

    Not quite, but I enjoy Authy. Free two-factor authentication for products (thanks Rage4) and it has a WordPress plugin; takes minutes to set up.

    Smartphone apps similar to an RSA SecurID, or upgrade to their free Basic plan to get SMS texts for basic cell phones to log in to your blog.

    Instant free two-factor authentication.

    I personally just implemented & tweaked mod_security rules sent by LiquidWeb that will block the IP after a few failed attempts.

    Takes a minute to add the rule to modsec2.user.conf, another to modify modsec2.conf (for stronger filtering), and a second or two to create / chmod the directory settings used by ASL rules.

  • I'm using something similar to what @Kris suggested on Gatsby. Albeit using Google's two factor authentication.

    Hand vetting plugins and themes also greatly helps in preventing this sort of crap.

  • One thing I recommended to wordpress and they shot me down was random directory names per install for themes and plugins. It ends the ability to use a search engine to locate wordpress installs and go straight to a compromised plugin. I.e. every wordpress install would be different.

  • Kris Member

    @FRCorey said: E every wordpress install would be different.

    Pretty sure you can do this with plugins and re-name them as you like, and just make sure Indexing is off / pop an index.php in there so names aren't revealed.

    Would be good to have the ability to be able to re-name the wp-plugins/ and wp-themes/ directory to something you'd like, and just set it as a flag in config.php.

    Not perfect as some would probably echo their location within the page, but it would avoid an easy sweep through Google / harvesting to exploit as you've mentioned.

    In the meantime, mod_security, Authy and renaming plugin-directories (have to re-enable them) is working quite well for me.

  • oh well, can someone access my wp-admin?
    I'm lost

  • Kris Member

    Just .htpasswd protect that.

    Layers of security are good when it comes to these things.

    I like to think of security on WP as venn diagrams, each helps in some ways.

  • @Benedikt said: `if ( $request_method !~ ^(GET|HEAD|POST)$ ) {`

    Use limit_except (examples here: http://wiki.nginx.org/HttpCoreModule) because if, as Igor says, is evil.

    http://wiki.nginx.org/IfIsEvil

  • mikho Member, Host Rep

    @marcm said: @jhadley -> Protecting yourself against Wordpress hackers -> Just use Drupal instead.

  • jh Member

    @MikHo preventing a data leak

  • @Kris said: Just .htpasswd protect that.

    I have tried it, but the tutorials I found are for Apache and do not work for Nginx.
    For example, denying all IPs except one.

    I can only use whitelisting from the Nginx conf files :)

  • mikho Member, Host Rep

        location /wp-admin {
            # block one workstation
            deny 192.168.1.1;
            # allow anyone in 192.168.1.0/24
            allow 192.168.1.0/24;
            # drop rest of the world
            deny all;
        }

    something like that?

    disclaimer: most of it is a copy/paste from the interwebs
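The thread's nginx pieces pulled together (the ".htpasswd protect it" advice, the limit_except point, and the allow/deny list above) as one added example; it is not from any poster, and the allowed address 203.0.113.10, the htpasswd path and the PHP-FPM socket are assumed values.

```nginx
# Added example, not from this thread. Assumed/constructed values: the allowed
# address, the htpasswd path, the PHP-FPM socket. Goes inside "server { }".

# Method restriction without "if": requests this location handles get 403
# unless they are GET, HEAD or POST. Repeat it in other locations as needed.
location / {
    limit_except GET HEAD POST { deny all; }
    try_files $uri $uri/ /index.php?$args;
}

# wp-login.php: nginx reads Apache-format htpasswd files, so the ".htpasswd"
# advice works via auth_basic. With "satisfy all" a request must pass BOTH
# the IP allowlist and the password prompt; "satisfy any" accepts either.
location = /wp-login.php {
    satisfy all;
    allow 203.0.113.10;                                  # constructed
    deny  all;
    auth_basic           "WordPress admin";
    auth_basic_user_file /etc/nginx/wp-admin.htpasswd;   # assumed path
    limit_except GET HEAD POST { deny all; }
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm.sock;                 # assumed socket
}

# admin-ajax.php is called by front-end plugins for anonymous visitors, so it
# is exempted; an exact "=" location wins over the prefix location below.
location = /wp-admin/admin-ajax.php {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm.sock;
}

# "^~" matters: without it a site-wide "location ~ \.php$" (regex) outranks
# this prefix location and /wp-admin/*.php would be served unprotected.
# auth_basic, allow/deny and satisfy are inherited by the nested block.
location ^~ /wp-admin/ {
    satisfy all;
    allow 203.0.113.10;                                  # constructed
    deny  all;
    auth_basic           "WordPress admin";
    auth_basic_user_file /etc/nginx/wp-admin.htpasswd;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
```

Check the result with `nginx -t` and then with `curl -I` against wp-login.php from a non-allowlisted address (expect 403) and with a wrong password from the allowlisted one (expect 401).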

  • superpilesos Member
    edited April 2013

    They started spamming to AOL and Yahoo now. Before it was just Russian addresses. They create PHP files with obfuscated mailing code, either mail() or using sockets with SMTP. Then they POST commands to the PHP files from bots/open proxies.

  • I got the best solution!!

    Don't use wp -.-

  • @Makkesk8 said: I got the best solution!!

    Don't use wp -.-

    It's hard when you sell shared hosting and 80% use wp

  • 75% of the accounts on my shared server are WP... :/

  • It could be worse. They could be running Joomla.

  • Mun Member

    @rds100 said: It could be worse. They could be running ...

    drupal

  • marcm Member
    edited April 2013

    @rds100 said: It could be worse. They could be running Joomla.

    @Mun said: @rds100 said: It could be worse. They could be running ...

    @Mun said: drupal

    @Mun - I was joking earlier when I recommended Drupal. I have a few years of experience with Drupal and I hate it. It's horrible, it takes forever to set up a web site and every time you add a new feature or fix something, two or three other things break in return. Drupal is a nightmare, the community is horrible and the Drupal Association is corrupt and rotten to the core. And the Obama administration spent 8 million dollars to redo the whitehouse.gov website in Drupal. It's kind of expensive for a free CMS.

    http://buytaert.net/whitehouse-gov-using-drupal

  • Mun Member

    I, like everyone here, hate wordpress, but to tell you the truth it is actually rather nice. It is clean and lean by most regards. Yes, there are certain things that are iffy, but their massive plugin base usually has a fix.

  • jh Member

    @Mun said: I, like everyone here, hate wordpress, but to tell you the truth it is actually rather nice. It is clean and lean by most regards. Yes, there are certain things that are iffy, but their massive plugin base usually has a fix.

    I'll openly admit I use and like WP as long as it's not overloaded with terrible plugins.

  • I'm using wp with just one plugin. :D

  • djvdorp Member
    edited April 2013

    [azonenberg] wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog

    http://www.bash.org/?949214

    DISCLAIMER: Just trollin. Wordpress is nice.

  • bnmkl Member
    edited April 2013

    Khassaki - HI EVERYBODY!!!!!!!!!!
    Judge-Mental - try pressing the the Caps Lock key
    Khassaki - O THANKS!!! ITS SO MUCH EASIER TO WRITE NOW!!!!!!!
    Judge-Mental - fuck me

    Haha.

  • I wrote a guide on using fail2ban to stop bruteforce/dictionary attacks on WordPress installations:

    http://abdussamad.com/archives/616-Stop-Brute-Force-WordPress-Login-Attempts-with-Fail2Ban.html

  • bdtech Member
    edited April 2013

    Brute force is easy: limit logins plugin.

    However, the latest attacks are only using an IP once, making blocking an individual IP on failed login pointless.

  • Mun Member

    @bnmkl that made me giggle :)

  • Wordpress is a disease.