Security Plugins - over and above Bulletproof security

Hi all,

I had an unfortunate hacking incident come to light today, and I can't believe how little I knew about the vulnerabilities of WP. Yes I know you probably all know about it, but I must admit I'm now in a state of stress and confusion over the plethora of security plugins out there.

I've done the usual, updated WP and all my plugins and got rid of all the folders of things I'd uploaded to try then just never bothered to delete (yes I know... I hang my head in shame now I'm aware)... and started looking for plugins.

Soooo... I followed the info on https://premium.wpmudev.org/blog/wordpress-security-101-8-tips-tricks-and-tweaks-to-secure-your-wordpress-website/ which was mentioned on another thread - and I installed the Bulletproof security plugin.

All the other plugins mentioned though, are not tested with the newest version of WP and I've had enough of a panicky day without installing one and my site disappearing.

As I don't really understand what Bullet Proof security actually does... (I'm sorry I've read it yes I know it does great things for the htaccess files but I'm still none the wiser)... are there any other MUST HAVES that I need to put on this website, and also all my other WP sites?

What do you guys install before you do absolutely anything on a site build to get your security covered?

As usual, any help at all would be gratefully received... as I'm feeling awfully lost and bewildered right now.

BTW - after the wordpress update my multisite dashboard is now so different I'm confused there too.... so am I right in thinking I can't now just upload a plugin on an individual site, it has to be done at the network admin level? If so do I now need to do the set-up of those plugins AGAIN on my other sites on the network? Sooooooo confused...

  • DavidM

    Hi roobarb,

    Ouch, sorry you came across a hacking situation, I think nearly all of us around here have been exposed to one or more hacks at some time or other.

    I've heard some great things about Bullet Proof security, so I'd say you're off to a great start with that. One other thing I notice that article didn't seem to mention, you can change your WordPress database to have a prefix other than wp_. That may help a bit with security.

    There's also the following page scanner from AVG. It's not WordPress specific, but I imagine it could help.
    http://www.avg.com.au/resources/web-page-scanner/

    I'd also recommend keeping an eye on the following site for updated vulnerabilities:
    http://www.wordpressexploit.com/

    I'll tag some of the other guys over here as well to see if they have some thoughts to share.

    -David

  • roobarb

    HELP!!!!!

    I went to bed last night and apart from things running a bit slower than usual, it was all well.

    I've this morning had a call from the server company who tell me I have a looping script... see the quotes

    We have conducted a thorough investigation which showed that one of your scripts loops and spawns too many processes. The script that loops (i.e. references itself) is:

    /home/lightofs/public_html/wp-content/themes/index.php

    For additional information please review the server logs below:

    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
    184.154.229.14 - - [19/Dec/2011:15:33:55 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"

    Where on earth do I start with this one????

    This /evolutionary-intuition/ is a sub site on the network BTW.

    Any ideas where to begin? I feel sooooooo bewildered when these things happen.
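Added example, not part of roobarb's post or the host's report: a small Python script that parses Apache combined-format lines like the ones quoted above and picks out the looping pattern. The tell-tale signs in the excerpt are the User-Agent "PHP/5.2.17" (PHP's own HTTP stream wrapper sends "PHP/<version>" when no user_agent is configured, so these requests come from a script on the server, not a browser) and the same URL being hit many times within a single second. The log lines inside the script are constructed to mirror the quoted excerpt using documentation IP ranges, not the real addresses, and the threshold of three hits per second is an arbitrary choice.

```python
import re
from collections import Counter

# Apache "combined" log format:
# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the host's excerpt. 192.0.2.x and 203.0.113.x are
# documentation ranges, not the addresses from the real log.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Dec/2011:15:33:50 -0600] "GET /evolutionary-intuition/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
192.0.2.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
192.0.2.14 - - [19/Dec/2011:15:33:52 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
192.0.2.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
192.0.2.14 - - [19/Dec/2011:15:33:53 -0600] "GET /evolutionary-intuition/wp-content/themes/index.php HTTP/1.1" 301 5 "-" "PHP/5.2.17"
203.0.113.10 - - [19/Dec/2011:15:33:54 -0600] "GET /evolutionary-intuition/wp-content/uploads/a.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per line that matches the combined format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_self_request(entry):
    """A User-Agent of PHP/x.y.z is PHP's own HTTP client (fopen/file_get_contents
    on a URL), so the request was made by a script on the server, not a visitor."""
    return entry["ua"].startswith("PHP/")


def self_requests_by_path(entries):
    """How many script-originated hits each URL received across the excerpt."""
    return Counter(e["path"] for e in entries if is_self_request(e))


def find_loops(entries, per_second_threshold=3):
    """Bucket script-originated hits by (ip, path, timestamp to the second) and
    return the buckets at or above the threshold. A script fetching one of its
    own URLs several times per second is the 'loops and spawns too many
    processes' behaviour the host described."""
    buckets = Counter(
        (e["ip"], e["path"], e["time"]) for e in entries if is_self_request(e)
    )
    return {key: n for key, n in buckets.items() if n >= per_second_threshold}


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for (ip, path, when), n in sorted(find_loops(hits).items()):
        print(f"{n} script-originated hits on {path} from {ip} at {when}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the path that dominates self_requests_by_path is the file to open first, which in this thread is wp-content/themes/index.php.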

  • roobarb

    UPDATE : I think this one is going to be way too complicated for me to fix. I did so much yesterday with updates to try and get rid of the hacking issue, and then adding in this security plugin, I can't even identify which bit caused the problem.

    I've network deactivated the Bullet Proof update, and it's not reloaded the images on the Sub Site, so there is something much squiffier going on. To keep the hosting company off my back I've archived the sub site for now.

    I think I'll have to go for a fresh install and see if I can copy over what I've got - I assume it's WordPress export I need.

    What a nightmare

    Thanks for all your support.

  • Philip John

    Hiya!

    Bummer you've been hacked... fourth instance I've heard of in the last two weeks. Maybe it's the season for it!

    Here's what I recommend;

    1. Lock your site down (this will stop the symptoms of the hacking getting out anywhere) by adding these lines to the top of your .htaccess;

    ErrorDocument 503 "Our website is temporarily closed for maintenance. It should reopen by..."
    RewriteEngine On
    # TO ALLOW YOURSELF TO VISIT THE SITE, CHANGE 111 222 333 444 TO YOUR IP ADDRESS.
    RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$
    # Everyone else gets a 503 (the "-" means the URL is not rewritten, only the status is set)
    RewriteRule .* - [R=503,L]

    Important: Note the bit about changing the IP address. Get yours from myipaddress.com

    2. Download a copy of these files and folders to a folder on your PC;
    - wp-admin
    - wp-includes
    - all files in the root (i.e. wp-config.php and those around it)

    3. Download and unzip a fresh copy of WordPress (the same version as the one you are running).

    4. Download and install DiffMerge

    5. Open DiffMerge and go to File > Open Folder Diff. In the first box select the folder where you unzipped the fresh copy of WordPress. In the second box select the folder where you downloaded to in step 2.

    6. DiffMerge will tell you what's different, highlighting where the hackers may have injected malicious code. Identify any additional files that shouldn't be there or additional, suspicious code. Provide screenshots and we can help with that.

    7. Once you've ironed out any malicious code, install WP Security Scan. Use it to back up your database and then fix anything it warns you about.

    8. Install WordPress Firewall 2 which will help prevent future attacks.

    9. Remove the lines you added to .htaccess in step 1

    Shout if you need any further guidance.

    Thanks,
    Phil

  • Philip John

    Oh, I should mention: if step 6 doesn't show anything significant it may be that the hack is elsewhere. In fact, I think we've already identified where it is....

    We have conducted a thorough investigation which showed that one of your scripts loops and spawns too many processes. The script that loops (i.e. references itself) is:
    /home/lightofs/public_html/wp-content/themes/index.php

    That file, by default, contains this;

    <?php
    // Silence is golden.
    ?>

    ...which doesn't actually *do* anything so it sounds like the hacking is based around that file.

    Open up that file and if it contains anything other than the default I've pasted above, delete it and upload the default version using a fresh copy of WP.

    Thanks
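Added example, not code from Phil's posts: a Python equivalent of the folder diff in steps 2 to 6 above, plus the check from the follow-up post that wp-content/themes/index.php is still the stock "Silence is golden" placeholder. It hashes every file under a fresh WordPress download and under the live site copy, then reports files that differ, files only the live site has, and files the live site lacks. wp-config.php and .htaccess are listed separately because they legitimately differ from a fresh download (a choice made here, not something the post says). The two directory trees are a constructed fixture written into temporary directories; the altered index.php and the extra .tmp.php are harmless stand-ins for injected content, not real malware.

```python
import hashlib
import os
import tempfile

# The stock wp-content/themes/index.php (and plugins/index.php) placeholder, as
# quoted in the thread.
STOCK_PLACEHOLDER = "<?php\n// Silence is golden.\n?>\n"

# Files expected to differ from, or be absent in, a fresh download; reported
# separately rather than as tampering (an assumption of this example).
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}


def file_hashes(root):
    """Map every file under root to its SHA-256, keyed by path relative to root."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(fresh_root, site_root):
    """The folder-diff step: files whose content differs from the fresh copy
    (modified), files only the live site has (added), files the live site lacks
    (missing), and the legitimately site-specific ones."""
    fresh, site = file_hashes(fresh_root), file_hashes(site_root)
    report = {"modified": [], "added": [], "missing": [], "site_specific": []}
    for rel in sorted(set(fresh) | set(site)):
        if rel in SITE_SPECIFIC:
            if rel in site:
                report["site_specific"].append(rel)
        elif rel in fresh and rel in site:
            if fresh[rel] != site[rel]:
                report["modified"].append(rel)
        elif rel in site:
            report["added"].append(rel)
        else:
            report["missing"].append(rel)
    return report


def is_stock_placeholder(path):
    """True if the file is the 'Silence is golden' placeholder, ignoring
    line-ending and trailing-whitespace differences."""
    with open(path, "rb") as fh:
        body = fh.read().replace(b"\r\n", b"\n").strip()
    return body == STOCK_PLACEHOLDER.encode().strip()


def placeholder_status(root):
    """Check the two stock placeholder files of a tree, keyed by relative path."""
    return {rel: is_stock_placeholder(os.path.join(root, *rel.split("/")))
            for rel in ("wp-content/themes/index.php", "wp-content/plugins/index.php")}


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)


def build_demo_trees():
    """Constructed fixture: a tiny 'fresh download' and a tiny 'live site' in
    temporary directories. Returns (fresh_root, site_root)."""
    fresh, site = tempfile.mkdtemp("fresh"), tempfile.mkdtemp("site")
    for root in (fresh, site):
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-includes/version.php", "<?php $wp_version = '3.3';\n")
        _write(root, "wp-content/plugins/index.php", STOCK_PLACEHOLDER)
    _write(fresh, "wp-content/themes/index.php", STOCK_PLACEHOLDER)
    # Stand-ins for injected content on the live site (harmless comments only).
    _write(site, "wp-content/themes/index.php",
           "<?php\n// Silence is golden.\n/* stand-in for injected code */\n?>\n")
    _write(site, "wp-content/themes/.tmp.php", "<?php /* stand-in for a dropped file */\n")
    _write(site, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
    return fresh, site


def run_demo():
    """Build the fixture and diff it; returns the report dict."""
    fresh, site = build_demo_trees()
    return compare_trees(fresh, site)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

On a real site, point compare_trees at the unzipped download and at the folder from step 2; anything under "modified" or "added" in wp-admin, wp-includes or the root is what to open and screenshot. Files under wp-content/plugins and wp-content/themes will of course differ from a bare download, so compare those against fresh copies of each plugin and theme instead.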

  • roobarb

    Thanks Phil,

    You're a star.

    Yesterday one of the things I did was to upload BulletProof security, but it's now showing all sorts of errors - so I deactivated it for now.

    The .htaccess that I have though is theirs now...see attached, so not sure if I should be using this - or is there a default one I can use.

    FYI - I've now got 3.3 installed, and I've archived the other sub sites I had on there till I know whats happening.

    I'm going to go through what you've suggested, although I strongly feel I've lost this battle already.

    I can't thank you enough for the help. I'll keep you posted.

  • Mason

    Phil's provided a great walkthrough for getting things back in shape.

    Most commonly, WordPress hacks happen because of insecure file permissions, products downloaded from unsafe sources, or accessing the site via unsecured FTP.

    If your hosting environment is set up properly to keep your particular area safe (and it should be) then keep your file permissions locked down - particularly wp-config. Here's some of what I use in the htaccess file:

    # protect wp-config.php from being served over HTTP
    # (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" in place of the two lines below)
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # disable directory browsing
    Options All -Indexes

    Make sure your file permissions are all set to 644 and folders to 755. Then, anytime you're accessing the site, it's best to use SFTP rather than regular FTP. Your host provider may have to activate this for you, but there shouldn't be an additional charge for it.

    Getting hacked definitely sucks. Good thing is to learn from it and prevent it in the future. Let us know if you need anything further.
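Added example, not Mason's code: a Python audit of the 644/755 scheme from the post, run over a WordPress tree. It reports every file that is not 644 and every directory that is not 755, puts world-writable entries first (those are the ones any other process on a shared host can drop files into), and goes one step beyond the post by also flagging wp-config.php when it is world-readable, since it holds the database password; the 640 target used for that file is this example's assumption, not something the post states. The tree it runs on is a constructed fixture in a temporary directory with three deliberate mistakes. Run it as a user that owns the files; on a real host run audit_permissions first and look at the list before calling fix_permissions.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644    # rw-r--r--  files, as in the post
DIR_MODE = 0o755     # rwxr-xr-x  directories, as in the post
CONFIG_MODE = 0o640  # assumption of this example: wp-config.php not world-readable


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """Return (relative path, octal mode, reason) for every entry below root that
    departs from the scheme, world-writable entries first. Symlinks are skipped
    and the top-level directory itself is not checked."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = _mode(full)
            if mode != DIR_MODE:
                reason = "world-writable directory" if mode & stat.S_IWOTH else "directory not 755"
                findings.append((os.path.relpath(full, root), oct(mode), reason))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = _mode(full)
            rel = os.path.relpath(full, root)
            if name == "wp-config.php":
                if mode & (stat.S_IROTH | stat.S_IWOTH):
                    findings.append((rel, oct(mode), "wp-config.php readable by everyone"))
            elif mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable file"))
            elif mode != FILE_MODE:
                findings.append((rel, oct(mode), "file not 644"))
    findings.sort(key=lambda f: (not f[2].startswith("world-writable"), f[0]))
    return findings


def fix_permissions(root):
    """Apply 644 to files, 755 to directories and 640 to wp-config.php below root.
    Returns the number of entries changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and _mode(full) != DIR_MODE:
                os.chmod(full, DIR_MODE)
                changed += 1
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            want = CONFIG_MODE if name == "wp-config.php" else FILE_MODE
            if _mode(full) != want:
                os.chmod(full, want)
                changed += 1
    return changed


def build_demo_tree():
    """Constructed fixture in a temp dir with three typical mistakes: a
    world-readable wp-config.php, a 777 uploads directory and a world-writable
    file inside it. Returns the root path."""
    root = tempfile.mkdtemp("wp")
    layout = {
        "index.php": FILE_MODE,
        "wp-config.php": 0o644,
        "wp-includes/version.php": FILE_MODE,
        "wp-content/uploads/notes.txt": 0o666,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(full, mode)
    for rel in ("wp-includes", "wp-content"):
        os.chmod(os.path.join(root, rel), DIR_MODE)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, mode, reason in audit_permissions(demo):
        print(f"{mode} {rel}: {reason}")
    print("fixed", fix_permissions(demo), "entries; remaining:", audit_permissions(demo))
```

One caveat the post's 644/755 rule does not cover: if PHP runs as a different user from the FTP/SFTP account (common on shared hosts), WordPress may need the uploads directory to be group-writable to accept media, so treat a finding there as something to confirm with the host rather than blindly change.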