Security – wordfence plugin and more

Hi,

According to my host, I was recently hacked. I was not able to be sure that I would catch the malicious code myself, so I ended up paying for a “cleaning service” in order to get back online. In trying to figure out how it happened and what to do to prevent it from happening again, I’m finding myself a bit confused. I got a bunch of lit from the host (Bluehost) and am still working my way through it. I changed the passwords, scanned my computer, made sure everything was updated and checked functionality of the website. I read “Hardening WordPress” and found it fascinating, thought about attempting it, but then stumbled upon another post that discussed the security plug-ins. I ended up using Wordfence. Is there anything in “Hardening WordPress” that will not be done by this plug-in?

Bluehost also recommended using “Cloudflare”, but in my reading I see that some people are mentioning that Wordfence and Cloudflare may not play well together. Does anyone know anything about this?

Next, Wordfence gave me a warning that “the DNS of one of my subsites has changed”. What, if anything, should I do about this? I contacted Bluehost about this but have not heard back yet.

Next, another post that I read said that their site crashed after an upgrade of site mapping. He said that his host said he was “using too much resources”, which is what my host said. Could it be that this was my problem?

Also, I was examining my users. My business tends to be fairly local and I know many of my users, but many of the ones that I don’t know are example@nawny.com, all with the same not very common domain. Should I be worried about that? If so, what should I do?

Anything else that you would suggest that I should do or not do?

Thanks,

Catrina

  • Michelle Shull
    • DEV MAN’s Apprentice

    Hi, Catrina! Let’s take these questions one by one.

    According to my host, I was recently hacked. I was not able to be sure that I would catch the malicious code myself, so I ended up paying for a “cleaning service” in order to get back online. In trying to figure out how it happened and what to do to prevent it from happening again, I’m finding myself a bit confused. I got a bunch of lit from the host (Bluehost) and am still working my way through it. I changed the passwords, scanned my computer, made sure everything was updated and checked functionality of the website. I read “Hardening WordPress” and found it fascinating, thought about attempting it, but then stumbled upon another post that discussed the security plug-ins. I ended up using Wordfence. Is there anything in “Hardening WordPress” that will not be done by this plug-in?

    Wordfence is pretty comprehensive; it should cover all your bases here. It sounds like you’ve been proactive in getting your site cleaned up, and Wordfence is a solid tool.

    Bluehost also recommended using “Cloudflare”, but in my reading I see that some people are mentioning that Wordfence and Cloudflare may not play well together. Does anyone know anything about this?

    Cloudflare has some great features, but most of them can be handled by Wordfence, good WordPress practices, and a practical approach to your site’s design. Cloudflare hosts and serves a cached copy of some of the resources on your site. They can also help you prevent some hacking attempts, but you’re pretty covered by Wordfence here, too.

    Next, Wordfence gave me a warning that “the DNS of one of my subsites has changed”. What, if anything, should I do about this? I contacted Bluehost about this but have not heard back yet.

    Can you give me a few more details here? In which context did you see this warning? What were you trying to do when it happened, and what happened instead of what you expected?

    Next, another post that I read said that their site crashed after an upgrade of site mapping. He said that his host said he was “using too much resources”, which is what my host said. Could it be that this was my problem?

    Are you using Domain Mapping? Are you on a shared host? Do you have memory or CPU usage limits on your hosting? Do you know what kind of resources your host thinks you’re using too many of?

    Also, I was examining my users. My business tends to be fairly local and I know many of my users, but many of the ones that I don’t know are example@nawny.com, all with the same not very common domain. Should I be worried about that? If so, what should I do?

    They could be related, but they probably aren’t. These sound like run-of-the-mill spam accounts to me; they frequently come from a similar domain in batches. Keep an eye on things, and you can obviously delete the users in question if you think they’re sketchy, but I think you’re okay here.

    Hope this helps!

    Anything else that you would suggest that I should do or not do?
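The advice above is to keep an eye on registrations that arrive in batches from one domain. As an added example (not code from this thread, Wordfence or WordPress), the POSIX shell snippet below groups a list of user e-mail addresses by domain and prints any domain that accounts for at least a chosen number of accounts, so the review can be repeated after each scan rather than done by eye. It assumes the address list comes from WP-CLI (`wp user list --field=user_email`, assumed to be installed on the host); the list used here is constructed for illustration, with `nawny.com` taken from the question.

```shell
#!/bin/sh
# Added example, not from the original thread: flag e-mail domains that
# account for at least THRESHOLD registered users. Input is one address
# per line, e.g. from `wp user list --field=user_email` (WP-CLI assumed);
# a constructed sample is used below so the script runs offline.

flag_bulk_domains() {
    threshold="${1:-3}"
    # lower-case the addresses, keep only the part after '@', count each
    # domain, keep the groups at or above the threshold, largest first
    tr 'A-Z' 'a-z' \
      | sed -n 's/^[^@]*@//p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2, $1 }' \
      | sort -k2,2nr
}

# Constructed sample of what a user export can look like after a run of
# spam sign-ups: one domain appears four times, the rest once or twice.
SAMPLE_EMAILS='catrina@catrinas-attic.example
sister@catrinas-attic.example
bob@nawny.com
alice@nawny.com
carol@nawny.com
dave@NAWNY.com
neighbour@mail.example
friend@mail.example'

# Run the check over the sample; with a real site replace the printf with
#   wp user list --field=user_email | flag_bulk_domains 3
flagged() {
    printf '%s\n' "$SAMPLE_EMAILS" | flag_bulk_domains 3
}

flagged
```

A flagged domain is a prompt to look at those accounts (registration dates, whether they have ever logged in or posted), not proof of abuse; as the reply says, the accounts can then be deleted if they look sketchy. Because anyone can register again, the listing is most useful run periodically, alongside the registration settings on the network.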

  • Catrina
    • Flash Drive

    Hi,

    Thanks for your super fast reply.

    I feel like I found a gem with Wordfence. I was not looking forward to trying to do all of the things mentioned in “Hardening WordPress” to my site. I asked Bluehost also about the compatibility of Wordfence and Cloudflare. I will see what they say, but it sounds like I don’t need both.

    After you do the first scan you get a number of things that you should “fix” or “ignore”. Even after the cleaning that I paid for, Wordfence still found a number of things. A few of them were related to a theme that I stupidly got “elsewhere”, so I deleted that. It had some extra code added at the end of the footer. I don’t know if this was something new added after the “cleaning”, which to me means there are still vulnerabilities, or if it was something that was missed.

    Then this was the other message in question. It came to me in an e-mail from Wordfence:

    This email was sent from your website “Catrina’s Attic” by the Wordfence plugin.

    Wordfence found the following new issues on “Catrina’s Attic”.

    Alert generated at Thursday 26th of February 2015 at 08:20:55 PM

    Warnings:

    * Your DNS records have changed

    I searched the forum here and WP.org and I see that a number of other people get this message. Some people suggested that we just disable the DNS part of the scan, but others mentioned that this could be the way that the hackers are working. I personally did not change my DNS, but I read that the host may change it for one reason or another. As I mentioned, I have contacted them also.

    This particular subdomain is something that is fairly inactive and is there as something that I want to develop in the future. I have a number of these subsites. Should I deactivate them until I have time to work on them?

    Site mapping question: I started working on this a while back but got busy with other things and it fell by the wayside. It is near the top of my to-do list now. I don’t currently have any mapped sites, but I do have the site mapping plug-in installed on my network and have updated it. It is not currently active, but as I mentioned I want to start working on this again. I do have shared hosting. I do have some usage limits in place, but the last time I checked prior to the hacking incident I was nowhere near my limit. From what Bluehost told me, the hackers inserted some sort of looping script that hogged up the resources on the server. I don’t know if my site was the original point of entry or if it was another site on the server, but I did have malicious code on my site. I tried to find out from the host if it was me or another site and how they got in, but they were unable or unwilling to tell me.

    I’ll have to say I am a little afraid of opening up this multisite to “users” that I don’t know. I have a few users that have their own subdomains that have administrator status on their subdomain only, but all of them I know. If I delete these users from this weird domain, what is to keep them from just signing up again? Right now these users are just “subscribers”. What damage could they do as a subscriber? If they are eventually able to start their own sites, how do I protect myself from them (I know about Anti-Splog)? Even users that I know: can they cause security breaches? Say I give my sister a blog and she works on it at an internet cafe or has a weak password... is my network at risk?

    Thanks for your help!

    Catrina

  • Jude
    • DEV MAN

    Hi there @catrina

    Sorry the response took a while longer than expected. Appreciate your patience.

    Looks like Michelle is really busy and this thread somehow managed to slip through unnoticed, I’m gonna take the liberty of chipping in here.

    1) Yes, web hosts can sometimes change DNS information, but that’s really, really rare. I would investigate further if I were you.

    2) Deactivate anything that is not fully ready, secure and tested from a public-facing standpoint. One flaw or security vulnerability in an obscure subsite can take the whole network down.

    3) You can never guard against users; it’s a well-known fact in security circles that the users are the weakest link in any security setup. The best way to hedge against damages here is by taking backups often and keeping everything up to date.

    Hope this helps

    Cheers

    Jude
