A warning to secure your clients' Wordpress sites

Definitely a mistake most people will make. I recommend using the password creation that Hostgator does for you (for those who use HG). I hope you quickly recover from this I hope it doesn't happen again!

That sounds like a nightmare! I feel your pain. I have had it happen, though not to the extent you have. But yes, never use the same passwords.

Also, don't let your FTP client program save your passwords. I had a few sites compromised that way too.

IAN, I'm guessing this would come down to the HOST being used, right? If that's the case, what web host do you use?

IAN's fixes are at a stronger level but also require more technical expertise. Here are some fixes you can do that don't require a high programming IQ:

Go into your hosting control panel and delete the "admin" login. You can't do this from inside Wordpress. Google how to do this for your host.

Create a new one that nobody will have an easy time guessing. Don't use "support", "test", anything typical. Don't use your name, either.

Make your password alpha-numeric, and include a symbol in there somewhere. That alone makes it far more difficult to crack.

Finally, install and set up the "Limit Login Attempts" plugin. People get so many chances to log in, after which they're locked out for 24 hours. After a week, check the stats--you'll be amazed how many people are trying to get into your site. This blocks brute force attempts, in which a program tries password combinations over and over in an attempt to stumble on the right one and get in.

Here's a starter guide - which I'm sure the mods will delete since it links back to my company site. I've typed all this out before on the forum, but frankly I don't feel like searching through 1,000 posts to quote it again.

Securing Wordpress - A Definitive guide to Wordpress Security Tips—LiquiLayer Technologies – Web Hosting & Solutions

It's a good start, but is not the "end all be all" for securing Wordpress.

EDIT: I also can't reiterate enough: password protect the wp-admin directory.

Hey plainwords,

I'm sorry to hear about your recent vulnerability issues. Though you are on the right track, I agree with everyone that you are still extremely vulnerable to many attacks.

Jason's words were very wise, and hopefully I can make it even easier for you!

The first thing you can do is install a Security plugin for Wordpress, which will cover all of the areas every has previously mentioned + more! I would HIGHLY suggest Better WP Security by Bit51. Better Wordpress Security will secure you from 99% of attacks. (leaving out advanced hacks of course, but unless you've pissed off some russian hackers or you have an open trail to a bank account, you should be pretty safe! :p) They have an option to do a 'one click activation' which will automatically secure and modify all files and areas other than those more detailed which you might want to take a day sometime to learn about. (server side issues, along with core wordpress coding and structure.) BEFORE you install this plugin though, make a backup of your site just in case the install goes wrong and messes with your site! I've never heard this happening before from this plugin, and I personally think it is impossible due to the skill of the developers.... but this is Wordpress.... and well, shit happens.

I'm sure you will click on the link and see what it offers, but to make it simpler and to show off my uncanny ability to click ctrl+c and ctrl+v, here are it's features!

Obscure
As most WordPress attacks are a result of plugin vulnerabilities, weak passwords, and obsolete software. Better WP Security will hide the places those vulnerabilities live keeping an attacker from learning too much about your site and keeping them away from sensitive areas like login, admin, etc.

Remove the meta "Generator" tag
Change the urls for WordPress dashboard including login, admin, and more
Completely turn off the ability to login for a given time period (away mode)
Remove theme, plugin, and core update notifications from users who do not have permission to update them
Remove Windows Live Write header information
Remove RSD header information
Rename "admin" account
Change the ID on the user with ID 1
Change the WordPress database table prefix
Change wp-content path
Removes login error messages
Display a random version number to non administrative users anywhere version is used


Protect
Just hiding parts of your site is helpful but won't stop everything. After we hide sensitive areas of the sites we'll protect it by blocking users that shouldn't be there and increasing the security of passwords and other vital information.

Scan your site to instantly tell where vulnerabilities are and fix them in seconds
Ban troublesome bots and other hosts
Ban troublesome user agents
Prevent brute force attacks by banning hosts and users with too many invalid login attempts
Strengthen server security
Enforce strong passwords for all accounts of a configurable minimum role
Force SSL for admin pages (on supporting servers)
Force SSL for any page or post (on supporting servers)
Turn off file editing from within WordPress admin area
Detect and block numerous attacks to your filesystem and database


Detect
Should all the protection fail Better WP Security will still monitor your site and report attempts to scan it (automatically blocking suspicious users) as well as any changes to the filesystem that might indicate a compromise.

Detect bots and other attempts to search for vulnerabilities
Monitor filesystem for unauthorized changes


Recover
Finally, should the worst happen Better WP Security will make regular backups of your WordPress database (should you choose to do so) allowing you to get back online quickly in the event someone should compromise your site.

Create and email database backups on a customizable schedule


Other Benefits
Make it easier for users to log into a site by giving them login and admin URLs that make more sense to someone not accustomed to WordPress
Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.


Compatibility
Works on multi-site (network) and single site installations
Works with Apache, LiteSpeed or NGINX (NGINX will require you to manually edit your virtual host configuration)
Some features can be problematic if you don't have enough RAM to support them. All my testing servers allocate 128MB to WordPress and usually don't have any other plugins installed. I have seen issues with file check and database backups failing on servers with 64MB or less of RAM, particularly if there are many other plugins being used.



Other than installing that plugin, getting used to creating secure passwords is a very healthy habit, generally speaking. As Jason mentioned, you can use a slew or string of keys, numbers, and symbols to make things unique. If you're worried about forgetting them, especially if you have many to memorize, try this.

Whatever you are creating the password for, find some natural association your brain makes with the subject. Association is a very strong security practice, because unless the potential enemy knows you entirely, and has done a complete psych evaluation on you, they will be completely out of the loop. (and even if they did... lol, good luck to them!) Everyone's mind associates things differently based from societal teachings, along with personal understanding and experience. For example:

You are creating a password for a client who owns a puppy store. You love puppies. When you were a child, you used to play with your neighbors puppy, who had the cutest red collar and bell. Whenever you were outside, you heard that bell from across the street, and knew that puppy was there to play. Now a days, every time you walk into a puppy store or see a puppy, for some reason that red collar and bell thinks you. 99% of the time, you probably don't even realize it, or you just ignore it and not think anything of it. But it's there, it's in all of us.

Remember that red collar and bell, and use it to your advantage. Now the words 'redcollarbell' might be unique, and noone will really associate it other than you... but you need to encrypt it. One example, for instance, is to match the written enunciation with your speech. Say, 'redcollarbell'. Personally, I enunciate the words like this: 'reDcoLLarbeLL'. Most probably will, but again, it really depends on your personal experience, accent, etc.

Now that you have your enunciated written version, add a few extra characters to make it more unique and encrypted. Maybe you remember you were 11 years old when you played with that dog. Maybe the puppy was 6 months old then (and is still 6 months old in your head).

reDcoLLarbeLL116

Did you think that puppy was awesome? HECK YEAH YOU DID!

reDcoLLarbeLL116!

^^^^^^^
I don't know about you, but I don't think that can be traced to you in anyway, and even the most sophisticated crackers will have a tough shot at that. (granted all of your other vulnerabilities aren't so vulnerable anymore.)

Memorization wise, that will be simple. It may not make sense, but it will come in a very short amount of time. You won't need to think about those questions to yourself, it will just naturally flow, accessing the archive of your brain naturally. The more you do it, the more your brain becomes used to accessing that kind of information and things will be second nature. Some of my passwords go 30+ keys long, all randomly structured, and they just type themselves when needed.


Anyway, I hope I helped some. Sorry for the inadvertent psychological/brain exercise lesson. It will help if you enable yourself though, I promise!


Luke

If you tighten up mod security, it'll require ftp pw to change or update any plugins or themes. This will mitigate most of the php injections, but be forewarned... it makes doing the simple modifications you're used a PITA.

I've never had a site hacked knock on wood.... but I have had a ton of other issues.

I moved my sites (the WP ones anyway) over to WP Engine managed cloud hosting and I could not be happier with the service.

They provide several layers of security for WP because thats all they do.

Worth checking them out. There are a few other managed WP hosting services as well but I've only used the WP Engine. But I hear Page.ly is a good one as well.

AAAAAAND one of mine got hacked yesterday. Not through the regular channels...through the wiki plugin I installed a year and a half ago so others could build content for it!

When it's back up, I'll be uninstalling the plugin...not cool.

My webiste got hacked again...

All of the known Wordpress security plug-ins are installed, all website configurations and tune-ups are done, personal computer is running fine… but my website/blog got hacked again! Why? Am I doing something wrong? Is something missing? Where is the problem?

Here is a little security advice for Internet marketers…the problem is your misunderstanding of what security is. Information and computer security is a state/status (ex.: of a website) that needs to be achieved and maintained continuously. It is achieved by implementing a set of secure practices such as configurations (ex. plug-ins, add-ons, etc.), maintenance and processes (ex. password change). And that’s where most of us stop. We forget to continue keeping it secure. We change code and configurations, install new plug-ins and add-ons and forget to check if it is still secure.

read more here : My website got hacked again? | Security | ITadvices.com

and here : Security advice for WordPress plug-in use | ITadvices.com

good luck

I have a client who allows his browser (chrome or IE) to save his user name and password for accessing his sites. Should I advise against this?

plainwords,

I'm sorry to hear about your issues.....

You have to keep in mind, the problem is FTP not with WordPress... In all cases..... Just say no to FTP...

Here is why.... FTP sends EVERYTHING in clear text... Including your username and password...

So, having a "strong" password means nothing... The hackers can see it...

When you connect to an FTP server, it makes various "hops" sending your data through various servers over the Internet...

All a hacker has to do is have a "packet sniffer" attached to one of those servers... Once they have your user name and password, they have free reign on your FTP account... If you use one FTP account for all your clients (a huge no-no), they have free reign...

If you must use FTP, use secure FTP. You can read more about it here.

I hope you get everything up and running...

All The Best,

Rich Beck BCIP, MCSD, MCIS

What can a guy that is just trying to figure out how to build his website on WP do? Is there a plug in I can download that will help prevent? I don't even know how I would recover. CrapeMytleGuy