Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today!

If you have any problems with the registration process or your account login, please contact us.

Post New Thread Reply

Register GFY Rules Calendar
Go Back   GoFuckYourself.com - Adult Webmaster Forum > >
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed.

 
Thread Tools
Old 06-14-2011, 09:36 AM   #1
newB
Confirmed User
 
newB's Avatar
 
Industry Role:
Join Date: Jul 2006
Location: Somewhere between reality and total ape-shit bonkers.
Posts: 2,870
Wordpress security question

Apparently someone has been trying to hack my site, trying to access plugin readme.txt files to get the version of wordpress and shit like that.

I've taken the usual security measures (at least they seem like the reasonable ones to me, but this is my first project with wordpress) such as removing the wp version indicators, adding plugin and theme index files, removing error indicators on login and relocating my login page. So far that seems to be keeping them out, but I'm concerned that it's only a matter of time before they find a way in.

Is there anything else I could do to better protect my site? Also, is this something most wordpress users have to deal with, or have I somehow made a target of myself?

I should add, that all of the questionable hits are coming from a Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) user agent, but the IP's change daily, so obviously they are using proxies to mask their IP.
__________________

The best Adult Affiliate Programs reviewed and indexed by niche and feature.
Easily find the sponsors that suit your needs.


newB is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-14-2011, 12:28 PM   #2
fris
Too lazy to set a custom title
 
fris's Avatar
 
Industry Role:
Join Date: Aug 2002
Posts: 54,937
i would only allow your ip in the admin block all others out.
__________________
Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


WP Stuff
fris is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-14-2011, 07:12 PM   #3
PhantomFrog
Registered User
 
Join Date: Jul 2006
Posts: 89
Quote:
Originally Posted by fris View Post
i would only allow your ip in the admin block all others out.
Words of wisdom from the mouths of babes.

Also ... get on the WordPress mailing list ... to keep your eyes open for updates! ... join WP forums ... stay in touch with the buzz.
__________________
PhantomFrog.com....Premium Password Protection
PhantomCart.com....CCBill + Phantom Cart = Clips Store Solution
PhantomFlicks.com .Token-based Clips Store

Last edited by PhantomFrog; 06-14-2011 at 07:15 PM..
PhantomFrog is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-14-2011, 07:38 PM   #4
DangerX !!!
Confirmed User
 
DangerX !!!'s Avatar
 
Industry Role:
Join Date: Feb 2011
Location: La Isla Bonita Power Level: ❤❤❤❤❤❤❤❤❤❤
Posts: 886
"Wordpress" and "Security" are two incompatible meanings. Sorry but as long as it will be developed the way it is now your website and your server are in danger. Good luck though.

http://codex.wordpress.org/Hardening_WordPress
__________________
This is sig area!
DangerX !!! is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-14-2011, 07:44 PM   #5
Kiopa_Matt
Confirmed User
 
Industry Role:
Join Date: Oct 2007
Posts: 1,448
You could always buy xMarkPro (see sig). Next upgrade coming out tomorrow will also contain an automated backup & revert feature for domains (including WP blogs). For example, have your blogs backed up every 3 hours. If someone hacks it, it's the click of a mouse, and it's back online. Plus have your blogs automatically updated when WP releases new versions, ensuring you're always running the most stable version.
__________________
xMarkPro -- Ultimate Blog Network Management
Streamline your marketing operations. Centralize management of domains, pages, Wordpress blogs, sponsors, link codes, media items, sales and traffic statistics, plus more!
Kiopa_Matt is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-14-2011, 07:46 PM   #6
vdbucks
Monger Cash
 
Industry Role:
Join Date: Jul 2010
Posts: 2,772
Quote:
Originally Posted by Kiopa_Matt View Post
You could always buy xMarkPro (see sig). Next upgrade coming out tomorrow will also contain an automated backup & revert feature for domains (including WP blogs). For example, have your blogs backed up every 3 hours. If someone hacks it, it's the click of a mouse, and it's back online. Plus have your blogs automatically updated when WP releases new versions, ensuring you're always running the most stable version.
Well, there's a free plugin that does automated db backups. Emails them, saves them to disk, whatever you prefer. And updating wordpress automatically is a no no.. bad things can happen when you do that.
vdbucks is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-14-2011, 07:50 PM   #7
TheDoc
Too lazy to set a custom title
 
TheDoc's Avatar
 
Industry Role:
Join Date: Jul 2001
Location: Currently Incognito
Posts: 13,827
Lots of things to do with wp...

I've found you can't always block based on IP because some scripts use the ajax in the admin area... thus visiting your site can create a warning.

Give the plugin login lockdown a shot... it masks login errors, can set time out limits on fails, etc.. if someone happens to get to the login screen.

Another thing you can do is protect your wp-login.php with basic user/pass protection to access it. It's not an end all, it's just another step. Drop this into your functions file, and set a user/pass...

Code:
  if ($_SERVER['PHP_SELF'] == "/wp-login.php"){ add_action('init', 'login_init');}
 function login_init(){
  $user = "YOUR-USERNAME";
  $pass = "YOUR-PASSWORD";
   get_option('get_header');
    if($_SERVER['PHP_AUTH_USER'] != $user && $_SERVER['PHP_AUTH_PW'] != $pass){
        header("WWW-Authenticate: Basic realm=\"\"");
        header("HTTP/1.0 401 Unauthorized");
    exit;
   }
 }
__________________
~TheDoc - ICQ7765825
It's all disambiguation
TheDoc is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-15-2011, 04:52 AM   #8
Marquis85
Confirmed User
 
Marquis85's Avatar
 
Industry Role:
Join Date: Apr 2009
Posts: 622
Thanks for asking this question. One of my WP blogs was recently hacked and I'm trying to take all precautions necessary so it doesn't happen again.
__________________
Last 3 months SCORECash ratio: 1:237
Marquis85 is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-15-2011, 05:23 AM   #9
fris
Too lazy to set a custom title
 
fris's Avatar
 
Industry Role:
Join Date: Aug 2002
Posts: 54,937
i wouldnt even let subscribers in the admin area, if you are just using it for a login system so they can comment, i would redirect anyone that you dont want access to wp-admin out of there.
__________________
Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


WP Stuff
fris is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 06-15-2011, 10:26 AM   #10
raymor
Confirmed User
 
Join Date: Oct 2002
Posts: 3,745
Quote:
Originally Posted by DangerX !!! View Post
"Wordpress" and "Security" are two incompatible meanings. Sorry but as long as it will be developed the way it is now your website and your server are in danger. Good luck though.

http://codex.wordpress.org/Hardening_WordPress
QFT. The Wordpress developers in general don't understand basic security concepts even
when I explain it to them. I pointed out a significant security flaw repeatedly for over a year and
none of the Wordpress devs could even understand that there was a problem until thousands
of sites were hacked.

Secure, as much as possible, PHP itself. Make sure it's up to date, as PHP has recently started
to such a lot less in terms of security. If you have a version that's a couple years old you may as
well post your FTP password on your front page. One example is "register globals", which is
tied with "running suexec on a dedicated serer" for the stupidest, most damaging thing anyone
has ever done on a web server.
Once it's up to date, make sure the settings are right for reasonable security. fopen_url, for
example, show be off be default, but make sure it is. Disabling a few functions including eval,
exec, and popen will stop most crack scripts, but some legitimate scripts may need to be
adjusted to work in that case. Similarly for an egress firewall, but now we're getting more
into general server security and away from Wordpress.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
raymor is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Post New Thread Reply
Go Back   GoFuckYourself.com - Adult Webmaster Forum > >

Bookmarks

Tags
security, wordpress



Advertising inquiries - marketing at gfy dot com

Contact Admin - Advertise - GFY Rules - Top

©2000-, AI Media Network Inc



Powered by vBulletin
Copyright © 2000- Jelsoft Enterprises Limited.