DOTW: Security stories! Have you been hacked? Any security questions? (Participation = 3+ Points)

Hey everyone, it’s that time of the week! A new DOTW. One of our blog writers is working on a security-related post and thought it would be interesting to hear some security stories from you all. Any victims of hacking out there?

Of course, if you have any questions about WordPress security please do include those too and we’ll try to answer as many as we can in the blog post!

Without further ado...

1. Has your site ever been hacked? What happened, why, and how'd it get fixed?
2. What security concerns or questions do you have about WordPress, plugins, and themes?
3. What security tips do you have for WordPress beginners? (Bonus +3 Hero Points)

Have something else security related you want to add? Please do!

We’ll be sure to share a link to the post here once it is published, in case you don’t already follow our blog :wink:

--------------------------

- At least one comment = 3 Hero Points (must participate within 7 days of thread post date)
- Providing at least one tip for question #3 = 3 more Hero Points (must provide within 7 days of thread post date)
- DOTW = Discussion of the Week
- Last DOTW: BILLING CLIENTS! HOSTING AND THIRD PARTY BILLING SERVICES

  • djohns

    I've not had a site hacked (yet), but about 3 years ago a friend asked me to look at her site. Code had been injected that remembered admins' and members' IPs and would display the usual content for them. For visitors, however, it would inject garbage ads.

    By scanning with Sucuri and using its results to search online I was able to figure out roughly what the problem was, delete all files that weren't core WordPress, update WordPress, then redownload and reinstall the few plugins she had (it is a fairly simple site).

    I then installed Wordfence. Until then she had no security running AT ALL. At various times I've banned particular IPs, but she did not want to pay for the premium version that would have allowed bans by country. I also set up auto backups for her, and set up comments so that anyone who wanted to comment had to 1) provide a valid email address and 2) be moderated. I also set her site to update WordPress automatically, with the Rollback plugin installed in case of problems with a newer version.

    Knock on wood, 3 years later no further problems.

    I am a bit worried that she hasn't wanted to upgrade her theme. It is no longer maintained and although a newer, similar theme from the same company is available for free, she does not want to take the time to move things to a newer theme.

    I use the Hub here to update things for her - otherwise I'd not have the time to keep tabs on her site. So far not a hitch.

    Now if only she would dump GoDaddy...

  • David

    Ok so 3 weeks ago this took me out. I don't know how, but it got in and took out every WP install on one of my servers... fortunately, with my host's support and a lot of grunt work I got my sites cleaned and all back up overnight without any clients screaming at me nor much downtime, but I didn't get much sleep...

    It's the first time in 8 years I've been hacked. It hurt, and I suspect I know where it came from but can't be 100% sure.

    The learning and tips:
    - Be diligent with your backups and make sure they work
    - Put Wordfence on every WP install (until Defender gets a firewall)
    - Hound the WPMU guys (and still hounding) to fix Defender's alternative login page and 404 redirects
    - Check the PHP version of every site is up to date and if not at least 7, sort it.
    - Check everything else is up to date
    - Set up Managed Backups and automate
    - Take a Duplicator copy of each site (in case excrement and fan connect and all else fails)
    - Move risky clients, or those without maintenance contracts with me, to a separate server
    - Lock down wherever you can, minimise the site admins and INSIST on strong passwords
    - Add simple reCAPTCHA to sites wherever possible.

    Ditch clients that won't pay at least half-yearly maintenance and strongly discourage anything less than quarterly maintenance. (I now make maintenance mandatory if I built and host the site)

    Treat everything as suspicious online, and I mean everything, and don't let clients/customers upload themes....

  • DigitalPowerups

    I had a site I was working on as a side project. I had to reset the password for some reason and to be quick about it I did a very weak password. I got busy with other things for a couple months and when I had gotten back to the site I noticed that a post had been published. The post was all about a service that would write papers and do your homework for you for a small fee, with a couple links to the site.

    Other than the post, they did nothing malicious. I reached out to the company on Twitter and, surprise, they never responded. LOL

  • James Morris

    Great topic @TyePo!

    1. Has your site ever been hacked? What happened, why, and how'd it get fixed?

    Yes, but it was so long ago I cannot recall the details and I'm 99% sure it wasn't on a WordPress site. Perhaps another platform I was using way back in the day. Of course, it meant a lot of manual cleanup work, which led me to becoming p@r@n0!d about security.

    2. What security concerns or questions do you have about WordPress, plugins, and themes?

    The only 100% secure site is one hosted on your home computer behind a double firewall with no public access. It's the nature of the beast. So, it's always a concern. You take precautions, monitor and do the best you can.

    3. What security tips do you have for WordPress beginners?

    - Make sure your backups have backups. There is no such thing as a too p@r@n0!d backup strategy if your site is mission critical. Daily, weekly, monthly, on-site, off-site, redundant cloud... If you can manage it, do it!
    - Give your users only as much permission as absolutely necessary. https://wordpress.org/plugins/user-role-editor/ is a great tool for managing this.
    - Do not host on a platform that uses an outdated version of the server stack (Apache/NGINX, PHP, MySQL). If the host cannot provide modern versions of the hosting stack, security is not a concern to them.
    - Don't host on a platform that requires loose permissions (777 folders/666 files). Permissions should be able to be run at 705 for folders and 604 for files when the server is configured correctly.
    - Do not run old, unsupported versions of the WordPress core, plugins and themes unless you can maintain the code yourself.
    - Run plugins like Defender and Sucuri to ensure your site is locked down.
    - Regularly audit your site and run it through any one of the many free tools online to check for malicious code or possible vulnerabilities, like https://wpscans.com/
    - Subscribe to vulnerability newsletters and keep an eye out for anything you have installed on your site. https://wpvulndb.com/
    - Take the time to do your own research and learn. There are tons of great articles out there that will help you get started. Like this one -> https://premium.wpmudev.org/blog/ultimate-wordpress-security-checklist/
    - Enforce 2FA and teach your users/clients why this will save them time and money
    - When appropriate, use services like Cloudflare to help mitigate some of the load and outsource some of the security measures

    There's much more you *can* do. And books have been written about this. But the above is a starting point.

    If your site is mission critical (meaning your bread and butter), it's imperative that you develop a solid security strategy and be diligent in it. Security is one area where you cannot set it and forget it. You must be proactive. As daunting as this sounds, with some initial research, you can actually make this quite manageable.

    Cheers!

    James Morris

  • Fabio Fava

    Yet another great topic, surely a top-five topic when concerning WordPress.

    1. Has your site ever been hacked? What happened, why, and how'd it get fixed?

    Not until this moment, and I see a lot of attempts on a daily basis on my 7-Network, 12-Site Multi Network environment. Each Network's Defender Pro collects banned IPs, which I consolidate once a week or two into a single Defender banned IP list. I merge it all using BBEdit, which provides the right tools to do that for a fair license price, and for the moment I have a banned IP list of about 7,000 entries.

    But since I started my personal WordPress site (my personal site that is still there, firm and safe as far as I can see after 2 years), security was probably my first concern. I started that site and Wordfence was the very first plugin I installed and configured properly, and very soon realized that any WordPress site will most likely suffer attack attempts - automatically by bots I assume, and probably on a daily basis - as soon as it is crawled by Google bots.

    Then I discovered WPMU DEV, and today I use only Defender to protect my Multi Network platform. It brings all the stuff I need, isn't heavy on the server, and keeps things protected if you configure its (quite easy) options correctly, keep regular scans and play smart. I also consolidate the banned IPs for all networks, so the same attackers won't succeed on every site of my network.

    2. What security concerns or questions do you have about WordPress, plugins, and themes?

    To avoid these problems I have curated a 300-plugin, single-theme platform. One single WordPress install, virtually infinite websites on 6 of my 7 current networks (and others may come). I always wait a couple of days to update/upgrade WordPress Core (unless it is a security fix only, which I tend to apply without thinking too much - customers' data is diamond and GDPR is here to stay).

    3. What security tips do you have for WordPress beginners? (Bonus +3 Hero Points)

    First things first. Install WordPress, and write your .htaccess and wp-config.php files. I can say without missing that at least 50% of your problems will come from poor hosting. The better you want your site to perform, the better your server must be. I found peace when I set up good hosting - at Cloudways - and don't plan to move away.

    So, starting from a solidly hosted server, you will start with security: when information is your most valuable asset, you have to protect it even before you start placing any content. Then get Smush to compress your images, and I also recommend a good cache plugin - I recommend WP Rocket - to have your site's speed improved.

    Have something else security related you want to add? Please do!

    I dream about the moments when Defender will:

    1st) Share a single banned IP list among all Networks on a Multi Network install; and also an option to

    2nd) Share a Global Banned IP's list on WPMU DEV's Servers, shared worldwide: as a choice of the Admin (Local or Global Banned IP's List).

    Thank you once more for this opportunity, and I hope this week I can get a Hi-6 :wink:
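    The consolidation step described in this post (merging each network's banned-IP export into one list) can be automated rather than done by hand in a text editor. The script below is an added example, not Defender's code and not the post author's workflow; it assumes each network exports its banned IPs as plain text, one entry per line, and the three exports are constructed for the example. It validates every entry, drops duplicates and junk, and collapses single hosts that are already covered by a range.

```python
"""Consolidate per-network banned-IP exports into one list.

Added example for the consolidation described in the post above; it is not
Defender's code and not the post author's workflow. It assumes each network
exports its banned IPs as plain text, one entry per line (assumption).
"""
import ipaddress

# Constructed sample exports from three networks. They contain duplicates,
# a blank line, a comment, a CIDR range, an IPv6 address and a junk entry.
NETWORK_EXPORTS = {
    "network-a": "203.0.113.5\n198.51.100.17\n\n# stale entry below\n203.0.113.5\n",
    "network-b": "198.51.100.17\n203.0.113.0/28\n2001:db8::1\n",
    "network-c": "not-an-ip\n203.0.113.6\n2001:db8::1\n",
}


def parse_export(text):
    """Return (parsed networks, rejected lines) for one export."""
    networks, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts a bare host ("203.0.113.5" -> /32) and
            # a range written with host bits set.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return networks, rejected


def consolidate(exports):
    """Merge all exports, drop duplicates and hosts already inside a range."""
    merged, rejected = [], {}
    for name, text in exports.items():
        networks, bad = parse_export(text)
        merged.extend(networks)
        if bad:
            rejected[name] = bad
    # collapse_addresses only accepts one address family at a time.
    v4 = ipaddress.collapse_addresses(n for n in merged if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in merged if n.version == 6)
    return list(v4) + list(v6), rejected


def render(networks):
    """One entry per line; single hosts without a /32 or /128 suffix."""
    lines = [str(n.network_address) if n.num_addresses == 1 else str(n) for n in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged, rejected = consolidate(NETWORK_EXPORTS)
    print(render(merged), end="")
    for name, lines in rejected.items():
        print(f"# {name}: rejected {lines}")
```

    Rejected lines are reported per network instead of silently dropped, so a malformed export (or a list that was edited by hand) is noticed rather than shortening the ban list without anyone knowing.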

  • Manuel

    3. What security tips do you have for WordPress beginners? (Bonus +3 Hero Points)

    I am still using Shared Servers as it suits my purpose for now. But I am using localhost from my server for my websites, or so I think I am...:flushed:
    Good advice to read, digest and keep here!

    1. Has your site ever been hacked? What happened, why, and how'd it get fixed?

    Yet it is worth pointing out that only this week I almost lost my desktop computer, as it was left switched on with some 4 WPMU DEV windows + another two; being vulnerable for about 24 hours resulted in blue screens due to being hacked by Bing's IP.:grimacing:
    Managed to go past the script, restore the computer, nothing lost, touch wood.
    Here is a link for those who do not know about this :japanese_ogre:. https://blog.sucuri.net/2016/09/hacking-wordpress-sites-shared-servers.html

    3. What security tips do you have for WordPress beginners? (Bonus +3 Hero Points)

    My advice in general: all the above, and making sure/checking that you shut your computer down and do not rely on "Cortana, and less on Bing" to remind you, or to switch it off for you with "screens".
    Cheers

  • Eduardo Felix

    Hello everyone, on several sites that I manage, these files keep appearing: wp-vcd.php, wp-tmp.php and wp-feed.php.

    Defender daily reports changes and the inclusion of files in the core of WordPress, informing me that these files are where they should not be.

    These files redirect visitors to infected sites.

    I do not know what to do to prevent this... is someone else having this same problem?

    Note: I use a DigitalOcean VPS and serverpilot.io to administer the VPS
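    The report Defender is producing for this poster (files present where no file should be) is a file-integrity comparison, and it is worth being able to run one yourself from a manifest you keep off the server. The script below is an added example, not Defender's scanner and not WordPress code; it assumes you record a manifest of path -> sha256 from a known-clean install and compare the live tree against it later, and the tiny tree in demo() is constructed to reproduce the three file names from the post.

```python
"""Report files that appeared where they should not be in a WordPress tree.

Added example for the situation described in the post above. It is not
Defender's scanner and not WordPress code; it assumes (assumption) that you
record a manifest of path -> sha256 from a known-clean install and keep it
off the server, then compare the live tree against it.
"""
import hashlib
import os
import tempfile

# Directories that belong to WordPress core: nothing new should ever appear
# here, and a PHP file dropped straight into the web root is just as odd.
CORE_DIRS = ("wp-admin/", "wp-includes/")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its sha256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def audit(root, manifest):
    """Compare the live tree with the manifest and classify the differences."""
    current = build_manifest(root)
    added = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    suspicious = [p for p in added if p.startswith(CORE_DIRS) or ("/" not in p and p.endswith(".php"))]
    return {"added": added, "modified": modified, "missing": missing, "suspicious": suspicious}


def demo():
    """Constructed scenario: a tiny clean tree, then the files the post names show up."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)

        write("index.php", "<?php require 'wp-blog-header.php';\n")
        write("wp-includes/functions.php", "<?php // clean\n")
        write("wp-content/uploads/2019/photo.jpg", "constructed image bytes")
        manifest = build_manifest(root)  # taken while the install is clean

        write("wp-vcd.php", "<?php // unexpected file in web root\n")
        write("wp-tmp.php", "<?php // unexpected file in web root\n")
        write("wp-includes/wp-feed.php", "<?php // unexpected file in core\n")
        write("wp-includes/functions.php", "<?php // clean\n// appended later\n")
        write("wp-content/uploads/2019/new.jpg", "a normal new upload")
        return audit(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

    A new image under wp-content/uploads is listed as added but not flagged, while new PHP in the web root or under wp-includes is; a modified core file is reported separately. For core files specifically, WP-CLI's `wp core verify-checksums` does the same comparison against the checksums WordPress publishes for each release. If the three files come back after being deleted, something still on the server is recreating them, so the comparison is worth extending to wp-content (themes and plugins) rather than stopping at the core directories.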

  • Patricia BT

    1. Has your site ever been hacked? What happened, why, and how'd it get fixed?

    I was hacked on a Joomla site, which was a test site, around when I decided to come to WP in 2011-2012. Never been hacked on WP, but I always applied security basics (to be fair, it would have been the same on the Joomla site if I had also followed some security basics)

    2. What security concerns or questions do you have about WordPress, plugins, and themes?
    Concerns: As I'm not a dev (code-wise), but rather an integrator, I wonder what happens when a plugin is left without updates, and how this could be exploited (aging code, old API, deprecated functions, etc.)

    3. What security tips do you have for WordPress beginners? (Bonus +3 Hero Points)

    - Options -Indexes in .htaccess or at hosting panel level
    - admin shouldn't be called admin
    - database prefix shouldn't be wp_
    - if someone attempts to log in with admin, immediate ban (some security plugins allow that, ex iThemes security)
    - main admin user shouldn't be left as user_id 1 in the DB
    - usernames shouldn't be displayed openly (use nice name or first name) (and I should practice what I preach haha)
    - enforce strong passwords, should be more than 16 chars, and must contain small+caps + numbers + symbols, best is machine generated, and use a password manager (I even use the salt creation tool to create passwords)
    - use a different password for database and create a different user for each different database on the same hosting account
    - wp-config file is elsewhere out of the public_html (or www) folder, and the wp-config there includes it, and both have 440 permissions
    - no folder has 777 permissions
    - no php execution allowed in wp-content/uploads
    - no file editing from the dashboard
    - sucuri scans
    - .htaccess rules generated by iThemes Security are quite good imo (and include the hackrepair blacklist)
    - BACKUPS: regular backups must be made (files and database), and automatically stored elsewhere

    I'm sure there is more :slight_smile: but it's 1.30 am here so my brain is a bit slow haha

    EDIT: ohhh I see that James Morris has also done a list in his post, with great advice, thx (that's for me to read other comments after having posted mine :slight_smile: )
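    Several items in this list and in James Morris's list above are file-level settings that can be verified mechanically: no 777 folders or 666 files, wp-config.php at 440 (or a stub that only includes the real copy above the web root), no PHP execution under wp-content/uploads, and `Options -Indexes` in .htaccess. The audit below is an added example, not the page's code and not iThemes Security's or Defender's; the directory layout, the regular expressions for "includes the parent copy" and the sample tree in demo() are constructed for this example.

```python
"""Audit a WordPress tree for the file-level hardening points listed above.

Added example, not the page's code and not iThemes Security's or Defender's.
It checks the items both lists agree on: no world-writable files or folders
(777/666), wp-config.php kept at 440 or tighter and ideally only a stub that
includes the real file above the web root, no PHP under wp-content/uploads,
and directory listing disabled in .htaccess. The directory layout and the
sample tree in demo() are constructed for this example (assumption).
"""
import os
import re
import stat
import tempfile

PHP_EXTENSIONS = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def world_writable(root):
    """(path, mode) for every entry with the world-write bit set."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                found.append((rel(root, full), f"{mode:03o}"))
    return sorted(found)


def php_in_uploads(root):
    """PHP-executable files under wp-content/uploads (there should be none)."""
    uploads = os.path.join(root, "wp-content", "uploads")
    hits = []
    for dirpath, _, files in os.walk(uploads):
        hits.extend(rel(root, os.path.join(dirpath, n)) for n in files if PHP_EXTENSIONS.search(n))
    return sorted(hits)


def wp_config_status(root):
    """Permissions of the public wp-config.php and whether it only defers to a parent copy."""
    public = os.path.join(root, "wp-config.php")
    if not os.path.exists(public):
        return {"present": False}
    mode = stat.S_IMODE(os.stat(public).st_mode)
    with open(public, encoding="utf-8", errors="replace") as f:
        text = f.read()
    return {
        "present": True,
        "mode": f"{mode:03o}",
        "mode_ok": (mode & ~0o440) == 0,  # 440 or tighter, no other bit set
        "secrets_in_webroot": "DB_PASSWORD" in text,
        "includes_parent": bool(re.search(r"\.\./wp-config\.php|dirname\(\s*__DIR__\s*\)", text)),
    }


def indexes_disabled(root):
    """True if an uncommented 'Options ... -Indexes' line exists in the web-root .htaccess."""
    path = os.path.join(root, ".htaccess")
    if not os.path.exists(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as f:
        return any(re.match(r"\s*Options\b.*-Indexes", line, re.IGNORECASE) for line in f)


def audit(root):
    return {
        "world_writable": world_writable(root),
        "php_in_uploads": php_in_uploads(root),
        "wp_config": wp_config_status(root),
        "indexes_disabled": indexes_disabled(root),
    }


def demo():
    """Constructed tree with one example of each problem, plus a correct .htaccess."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            ".htaccess": "# constructed\nOptions -Indexes\n",
            "wp-config.php": "<?php define('DB_PASSWORD', 'constructed');\n",
            "wp-content/uploads/2019/photo.jpg": "constructed image bytes",
            "wp-content/uploads/2019/avatar.php": "<?php // should not be executable here\n",
            "wp-content/cache/.keep": "",
        }
        for path, content in files.items():
            full = os.path.join(root, path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
        # Normalise everything to 755/644 first (independent of the umask) ...
        for dirpath, dirs, fnames in os.walk(root):
            for d in dirs:
                os.chmod(os.path.join(dirpath, d), 0o755)
            for n in fnames:
                os.chmod(os.path.join(dirpath, n), 0o644)
        # ... then plant the two permission mistakes the lists warn about.
        os.chmod(os.path.join(root, "wp-content", "cache"), 0o777)
        os.chmod(os.path.join(root, "wp-content", "uploads", "2019", "photo.jpg"), 0o666)
        return audit(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    Run `audit("/path/to/site")` against a real web root on the server; the permission checks only make sense on the host itself, not on a copy downloaded over FTP, because the copy carries the downloading user's modes rather than the server's. The `.htaccess` check confirms the directive is present, not that Apache honours it; on hosts where `AllowOverride` excludes `Options`, or behind NGINX, the same setting has to be made in the server configuration instead.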

  • Julian

    Never been hacked luckily.

    From the very start I've always been quite concerned with security. The best approach is to lock everything down that you reasonably can without inconveniencing your users/clients too much. Things like preventing code execution in directories where it's not needed, the proper file permissions, a secure server, etc. And I force everyone to use strong passwords, that helps too :slight_smile:

    Others in this thread have provided great tips for beginners already. I'd suggest going to the WPMU DEV blog, type in 'security' and read all the great articles from DEV about site security. You'll have a much better idea of what to do and what to look out for in securing your sites.

  • gagabytes

    One of my clients' websites was hacked years ago. What I did was scan all the files for malicious files and viruses. I investigated the site and found out that the blog articles that had been posted weren't from the company administration. Thus, I deleted those articles as well as the account of the person who had done this, through the database and WordPress.
    Then I installed Defender and did everything it suggested, and that became practice for other websites too. I turned on all the Defender features, including having log reports emailed daily, and banned common usernames.
    Since then, I have not received any report of hacks, only of blocked IPs and usernames of failed attempts => Thanks to that!

  • djsteve

    Pretty sure all of my WP sites have been hacked at least once. I have unhacked well over 100 WordPress sites. I've lost sites on shared servers, had defacements on dedicated servers; it's been a nightmare. Unhacking usually means make a backup and destroy everything, all the files and database, then create everything completely new.

    Concerns? Probably catching plugin conflicts, outputting debug info when you don't even know there are errors being created - yeah. Not fun not seeing the issues.

    Advice? Make your site, use one of the static HTML generators, spit out the files, back up your files and DB, and delete all your WP files and the DB off the server.
    If you need to change content once in a while, or take comments so badly that you need to keep WP running, then you need the Shield plugin and IP Geo Block at a minimum. A graphic captcha for login and Sucuri should sometimes be added. Sadly the old Limit Login Attempts plugin is MIA, but you can find a similar one these days and set it to stop attempts after a few fails.
    Odds are it's going to get hacked and you'll wish you had multiple backups one day. It's nice to have an auto server backup running and something like WPMU DEV's Snapshot.
    I usually catch hacked issues within a week, but a newer webmaster would likely want to make a couple of off-site backups in cold storage, as it could happen that a site gets hacked and, by the time you realize it, the backups have run again and only contain hacked files - which may be helpful, but nowhere near as useful as a two-click restore to healthy.
    Be aware that a few WP sites on a shared server, or your own shared cPanel, usually means that some other site on that server gets hacked, and they can dump the details for all the admin creds for all the sites on the server, and your site gets owned soon thereafter.
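    Two rules recur across this thread: stop login attempts after a few failures (djsteve's Limit Login Attempts replacement, gagabytes' blocked IPs) and ban immediately on any attempt with the username admin (Patricia BT's list). The decision logic for both fits in a few lines; the script below is an added example, not the code of Shield, Defender, Wordfence or Limit Login Attempts. The log format (timestamp, `ip=`, `user=`, `result=`) and the events in it are constructed for the example; it assumes something like WordPress's `wp_login_failed` hook writes events in that shape.

```python
"""Decide which IPs to block from a log of login events.

Added example, not the page's code and not any plugin's. The log format and
the events below are constructed; the assumption is that a login hook (e.g.
WordPress's wp_login_failed action) writes one line per attempt like this.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG = """\
2019-03-12T10:00:01Z ip=203.0.113.9 user=admin result=fail
2019-03-12T10:00:05Z ip=198.51.100.4 user=editor result=fail
2019-03-12T10:00:09Z ip=198.51.100.4 user=editor result=fail
2019-03-12T10:00:14Z ip=198.51.100.4 user=editor result=success
2019-03-12T10:01:00Z ip=192.0.2.77 user=jsmith result=fail
2019-03-12T10:01:03Z ip=192.0.2.77 user=jsmith result=fail
2019-03-12T10:01:07Z ip=192.0.2.77 user=jsmith result=fail
2019-03-12T10:01:10Z ip=192.0.2.77 user=jsmith result=fail
2019-03-12T10:01:12Z ip=192.0.2.77 user=jsmith result=fail
2019-03-12T10:20:00Z ip=192.0.2.78 user=jsmith result=fail
2019-03-12T10:40:00Z ip=192.0.2.78 user=jsmith result=fail
2019-03-12T11:00:00Z ip=192.0.2.78 user=jsmith result=fail
2019-03-12T11:20:00Z ip=192.0.2.78 user=jsmith result=fail
2019-03-12T11:40:00Z ip=192.0.2.78 user=jsmith result=fail
"""


def parse(line):
    """'<ts> k=v k=v ...' -> dict with a timezone-aware datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def decide_bans(log, max_fails=5, window_s=300, reserved_usernames=("admin",)):
    """Return {ip: reason} for every IP that should be blocked.

    - a failed attempt with a reserved username bans at once;
    - max_fails failures inside a sliding window of window_s seconds bans;
    - a successful login clears that IP's failure counter.
    """
    fails = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}                   # ip -> reason; the first reason wins
    for line in log.splitlines():
        rec = parse(line)
        ip = rec["ip"]
        if ip in bans:
            continue
        if rec["result"] != "fail":
            fails[ip].clear()
            continue
        if rec["user"] in reserved_usernames:
            bans[ip] = f"login attempt as reserved username {rec['user']!r}"
            continue
        recent = fails[ip]
        recent.append(rec["ts"])
        while recent and (rec["ts"] - recent[0]).total_seconds() > window_s:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= max_fails:
            bans[ip] = f"{len(recent)} failed logins within {window_s}s"
    return bans


if __name__ == "__main__":
    for ip, reason in decide_bans(LOG).items():
        print(f"{ip}: {reason}")
```

    In the constructed log, 192.0.2.77 is banned for five failures in twelve seconds while 192.0.2.78, with the same five failures spread twenty minutes apart, is not; that is the sliding window doing its job, so the thresholds are worth tuning rather than copying. Two caveats a practitioner would want: the reserved-username rule bans whoever tries that name, so rename any real account called admin (as the list above suggests) before enabling it; and if the site sits behind Cloudflare, as suggested earlier in the thread, the address PHP sees is the proxy's unless the real client address is restored from the proxy's header first, otherwise a ban blocks every visitor at once.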
