What if a Multisite Got Hacked?

Hello,

I'm currently a WPMU DEV Member. I'm building a multisite network, and I'm curious about what happens if a multisite gets hacked!

I have built many WordPress sites before, and I have experienced many of these hacking problems, but my sites were all single WordPress installations.

I'm now a little worried about multisite vulnerability & security issues.

I have never built a multisite network before, so I have a few questions in mind:

1) If a multisite network got hacked:

- Will all other sites across the network be affected?
- Is there a way to treat or disinfect a single site without having to shut down the whole network?
- Can hackers or malicious code damage the whole network database or just the files for a single site?

2) I know that usually when the database of a site grows large in size, it becomes much harder & takes more time to restore that site on the hosting server. So how about a multisite with a ...GB database size!

Can a backup plugin like (snapshot) help me restore my whole network in case something goes wrong one day?

3) Finally, I would appreciate it if you have any precautions or advice to best secure a multisite network.

Thanks in advance,
Andrew
http://andrewrezk.com

  • aristath

    Hello there @Andrew Rezk, I hope you're well today!

    - Will all other sites across the network be affected?

    Depends on the hack... If they hack the account of that site's admin user then no. If they somehow manage to get access to your filesystem then yes.

    - Is there a way to treat or disinfect a single site without having to shut down the whole network?

    Again it depends on the hack.... if they got hold of the credentials of that site's administrator then yes.

    - Can hackers or malicious code damage the whole network database or just the files for a single site?

    On a multisite, the codebase is common to all sites, and so is the database. If they manage to access that then they can affect all sites.

    Can a backup plugin like (snapshot) help me restore my whole network in case something goes wrong one day?

    Yes.

    3) Finally, I would appreciate it if you have any precautions or advice to best secure a multisite network.

    That's easy...

    1. Host:
    Choose the right host. My advice would be using a managed WordPress host like for example WPEngine. If that's above your budget, then get a cheap VPS from DigitalOcean or Linode and set it up using this script: https://rtcamp.com/easyengine/ This will set up your environment for maximum performance and security on WordPress.

    2. Hacked plugins/themes:
    Do not, under any circumstances, use hacked, nulled or whatever you might call them plugins and themes. Most hacks happen because someone installs a script that has been "nulled". In an attempt to save a few bucks, most of the time you will end up spending days trying to figure out what went wrong.

    3. Themes:
    Do not use themes that make use of timthumb.

    4. Use CloudFlare.
    Their free plan is great and improves security a lot: https://www.cloudflare.com/

    5. Use Limit Login Attempts
    This plugin here: https://wordpress.org/plugins/limit-login-attempts/ will prevent bruteforce attacks (essentially randomly trying passwords for the admin user until they get it right).

    6. DO NOT USE SECURITY PLUGINS.
    I can't stress that last part enough... a big percentage of issues in these forums occur because of these plugins. Please avoid them... If you do all of the above then a "security" plugin can only cause trouble.

    I think that's all! :slight_smile:

    Cheers,
    Ari.

  • GeekMaster

    Hello Ari,

    I can't thank you enough for these useful tips. Appreciate that.

    - For the hosting part, can I start with any VPS hosting like: inmotionhosting.com
    I heard they have good service and also relatively good prices.

    I'm not sure if I will need a CDN and all the other features that WPEngine has. Although it looks great, it's also expensive compared to others.

    - For security, I can't understand why using such plugins is that BAD?!
    I thought that they are useful. Can you please explain more about your experience with such security plugins, cons and pros?

    Currently I'm using iThemes Security: https://wordpress.org/plugins/better-wp-security

    It's free and they also have a pro version. What's your opinion about it?

    Best,
    Andrew

  • aristath

    - For the hosting part, can I start with any VPS hosting like: inmotionhosting.com
    I heard they have good service and also relatively good prices.

    Well, it's not that cheap... On DigitalOcean and Linode you can get a really good VPS @ $10/month instead of $29... I'm guessing their price is at $29/month because they include cPanel, WHM etc. but cPanel & WHM add an overhead that you don't need, they are pretty resource-heavy and mess with your server's configuration, making it really difficult sometimes to use plugins like Domain-Mapping, Multi-Domains etc.
    Instead, simply by getting a "blank" VPS and setting up everything yourself using the easyengine script, you get a performant and secure environment in less than 10 minutes.

    - For security, I can't understand why using such plugins is that BAD?!
    I thought that they are useful. Can you please explain more about your experience with such security plugins, cons and pros?

    From experience, a lot of the issues we see in these forums are due to a caching or a security plugin. Though they can be useful if properly configured, even the slightest mistake can cause mayhem and mess things up real bad. In an effort to "secure" a website, they can get over-zealous and disallow access to normal users, they can prevent WordPress from applying necessary changes to files and as a result break the site.
    I have just seen way too many sites plagued by things like that... If you do choose to use a security plugin, please be really cautious with its configuration...

    Things that can be hacked are usually the following:
    1. WordPress accounts (bruteforce attack). Using the Limit Login Attempts plugin that I linked to before you can protect yourself from that.
    2. DDoS attacks. Using CloudFlare you should be fine. Cloudflare also bans known "hacker" IPs and pro-actively checks incoming traffic to make sure you don't get hacked. Its CDN and caching are just an extra bonus :wink:
    3. PHP & Apache (server-side) hacks. PHP and Apache are just scripts that run on our server. They are software, and like all software they have vulnerabilities. However, instead of Apache & PHP, you can use Nginx & PHP-FPM. They are a lot more performant, they are less resource-intensive on the server, and they use a protected "pool" to run your site's processes. Similar to suExec and/or suPHP for an Apache server... only way better! The easyengine script that I linked to above has all of that by default so you don't have to worry about a thing. :slight_smile:

    I hope that helps!

    Cheers,
    Ari.

  • Catrina

    Good Morning Andrew,
    I am here to tell you that a multi site absolutely can be hacked and it can take down the whole network. I started dealing with a hack in mid Feb. I had my site professionally cleaned. And then because I had a lot to learn about prevention and still do I started reading.
    There is a lot of information out there about this and some of it is conflicting. I am very interested to hear more about security plugins messing up a site. Over at wordpress.org they recommend Wordfence, which I installed. I also installed Cloudflare. According to Wordfence e-mails the hacking attempts were continuing, but I'm not sure which of my problems were caused by more hacking and what was caused by my attempts to harden my site. I was also reading Hardening WordPress. I don't have the link but it is easy to find with a Google search. I did read some things saying that maybe Cloudflare and Wordfence may not play well together.
    I think the biggest thing is to keep all plugins and themes up to date. That means not only doing updates when they come but also recognizing those themes and plugins that are no longer being updated.
    This is not easy...I have found it very difficult to discover when a theme was last updated and it's not like the author is sending you an e-mail saying "hello my theme is no good any more".
    So last week someone got into my site again and actually moved it to a different nameserver. I lost access and when I got it back they had deleted things and changed permissions and I wasn't even super admin any more. Luckily I had a second super admin that they didn't think to disable.
    So my multisite is broken and I have no idea where to start to repair it. My main site is functional. Not sure if I should start from scratch or try and repair.
    I would like to start from scratch but preserve content. Any ideas?
    The sub sites were still there but the multisite plugin was deleted. Do you think I can try just reinstalling?
    I'm doing a search of the help forums first but will start a ticket for help if I don't figure it out.
    I'm interested in hearing more about if you think Wordfence could have contributed to messing up the site.

    • GeekMaster

      Hey Catrina,

      I do appreciate you sharing your experience here, I know it is really a huge problem.
      I'm also concerned about protecting a multisite and I know it won't be easy, but I'm sure it can be done. There are many successful WP multisite networks out there like edublogs, and they were able to protect their sites for years. We just need a good security plan and precautions to secure our hard work.

      I'd like to ask: Did you use the Free or Paid version of Wordfence?
      - If the Paid version, how much does it cost you?
      I can see that with the paid version, you have to purchase an API key for each website, so if I understood this right, you will have to purchase a separate API key for each site on your network?!
      If that's the case, it can cost a fortune to secure a multisite network with 100's of sites.

      I totally agree with you that, it is really hard to discover when themes or plugins are outdated.
      That alone is a huge headache.

      In my opinion, the first thing you should do to secure your multisite for years to come is to find a reliable backup service that can back up every single site on your network. This way, if something goes wrong in future, it will be easier for you to restore your whole multisite network. I have been looking for a good backup service myself, and I think CodeGuard is a great one. As shown on their site, they can back up the entire WordPress multisite network.

      Since you already had a lot of hack attempts, I recommend you start a new multisite installation.
      I hope your database or content is still clean. Although I'm not a tech guy, if I were you, I'd look for a way to safely export my database or content and import it to a new multisite installation. It may work that way, at least you won't have to build every single site from scratch.

      I'd also be interested to know if anyone can share with us any different thoughts or tips on how to preserve the content and secure a multisite network in that case.

      Best Regards,
      Andrew

  • Catrina

    Hello Andrew and thank you for your insight.
    I was using the free version. Basically what it does is scan your site daily and then let you know via e-mail what it finds. It doesn't do anything about it. You have to decide what if anything to do about it.
    If nothing else it has been an educational tool for me but it seems I've spent an awful lot of time trying to decide if the alerts are important.
    I know that there are plugins out there that actually act on the results of the scan. That would be nice for those of us that aren't experts but I wonder if that is the type of program that aristath was speaking of above.
    I am also wondering if aristath or someone else could tell us what timthumb is. He said not to use themes that use it. How do we tell if a theme is using it? In fact, any suggestions to tell if a theme is being updated and/or has security issues?
    I thought I had a backup. I purchased site back up pro from my host and I thought I was good. They only have a backup from one day ago though. If you want to go back further, say before an incident, you are out of luck. I don't have that many sites and some of them I wanted to redo or hadn't even developed yet and I do have all of my blog content and photos stored on my computer, but I was so hoping I wouldn't have to upload it again a piece at a time.
    I will check out CodeGuard. Someone else mentioned SnapShot. What about that as a backup option? I also have a large external hard drive. Is there an easy way to use that as a daily backup? Right now it seems the program that I use is too involved and I wouldn't do it after each work session.
    Also, does anyone think that there is danger in saving database files back to my computer and/or external hard drive? Can things that were done to my files infect my hardware? And if the files do contain some sort of vulnerability, would I then be spreading them to my new build when I put them back?
    What should I look for in the files to see that they are clean? I know basic code and PHP but I'm not comfortable with reading an entire plugin or theme file and saying with any certainty "looks good to me."
    I'm thinking I should go all the way back and do a fresh wordpress installation. What do you think?
    Andrew, I hope you find good solutions and this never happens to you.
    Thanks for your help,
    Catrina
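
Added example, not part of any post in this thread: one way to check which theme folders bundle or call TimThumb, the question raised in the post above. The file-name and "TimThumb" marker heuristics and the sample theme tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption of this example: TimThumb usually ships as timthumb.php (often
# renamed, e.g. thumb.php) and names itself "TimThumb" in its header comment.
MARKER = re.compile(rb"timthumb", re.IGNORECASE)


def find_timthumb(themes_dir):
    """Map theme folder -> PHP files that are, or refer to, TimThumb."""
    hits = {}
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if name.lower() == "timthumb.php" or MARKER.search(body):
                rel = os.path.relpath(path, themes_dir).replace(os.sep, "/")
                hits.setdefault(rel.split("/")[0], []).append(rel)
    return {theme: sorted(paths) for theme, paths in hits.items()}


def demo():
    """Scan a small constructed themes tree (sample data, not real themes)."""
    sample = {
        "clean-theme/functions.php": "<?php // nothing unusual\n",
        "old-theme/scripts/thumb.php": "<?php /* TimThumb image resizer */\n",
        "old-theme/style.css": "/* Theme Name: Old Theme */\n",
        "caller-theme/single.php": "<?php $u = $dir . '/timthumb.php?src=' . $img;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in sample.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_timthumb(tmp)


if __name__ == "__main__":
    for theme, paths in sorted(demo().items()):
        print(theme, "->", ", ".join(paths))
```

On a multisite the themes directory is shared by every site, so one call to `find_timthumb` on the network's `wp-content/themes` folder covers the whole network; a hit marks a theme to review, update or replace.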
