Tech talk forum: WordPress hacker attacks

Viewing 12 posts - 1 through 12 (of 12 total)
  • #982749
    Ondetto
    Member
    • Total posts: 110

    Just thought I’d post this here as lots of people on the forum use WordPress. It seems there has been a massive attack on WordPress websites in the last few days, and websites where the administrator username has been left as “admin” are particularly vulnerable. This is not a good practice, as hackers can easily guess the first part of the username/password equation.

    If your username is “admin”, make sure you change it ASAP, review your password and ideally update to the latest WP version.

    Some web hosts are implementing additional security measures due to the severity of the attacks.

    There’s more info on this website: http://nakedsecurity.sophos.com/2013/04/13/wordpress-blogs-and-more-under-global-attack-check-your-passwords-now/

    Frederike

    #1138592
    LucasArthur
    Participant
    • Total posts: 3,171

    Thanks Frederike

    Good timing for me to see this :)

    Jason

    PS: not that I use admin as a username though 😮

    Jason Ramage | Lucas Arthur Pty Ltd | E: [email protected]   P: 61 3 8324 0344    M: 61 412 244 888
    #1138593
    Brent@Ontrax
    Member
    • Total posts: 336

    Thanks for the update.

    I always advise clients to change the admin password and also change the admin rights to the lowest possible (if keeping the admin username) and then create a New Administrator account for updates etc.

    Regardless of what we do, the hackers are always looking to find ways around what we do (insert rude name for them), but if we keep the updates applied and perform regular backups, then at least we can make it a lot harder for them and “just in case” we can recover quickly.

    Brent

    #1138594
    MatthewKeath
    Member
    • Total posts: 3,184

    You can also move the URL that you login from.

    Makes it harder for the hacker to attempt brute force attacks if they can’t find the login page.

    Great advice on Username and Password.

    #1138595
    Brent@Ontrax
    Member
    • Total posts: 336
    MatthewKeath, post: 158113 wrote:
    You can also move the URL that you login from.

    Makes it harder for the hacker to attempt brute force attacks if they can’t find the login page.

    I never heard of moving the login URL, how do you do that? or can you point me somewhere that shows that process. I like the sound of it.

    Thanks.

    #1138596
    John Templeton
    Member
    • Total posts: 65

    Thanks for the heads up / reminder. Always try to change my passwords every 30 days or so.

    #1138597
    MatthewKeath
    Member
    • Total posts: 3,184
    Brent@Ontrax, post: 158122 wrote:
    I never heard of moving the login URL, how do you do that? or can you point me somewhere that shows that process. I like the sound of it.

    Thanks.

    There are a few ways to do it.

    You can get a plugin, and some WordPress admin and security plugins do it as well.

    Or you can use the .htaccess method: http://wp.smashingmagazine.com/2012/05/17/customize-wordpress-admin-easily/

    #1138598
    JohnTranter
    Member
    • Total posts: 842
    MatthewKeath, post: 158168 wrote:
    Or you can use the .htaccess method: http://wp.smashingmagazine.com/2012/05/17/customize-wordpress-admin-easily/

    It may be late and I’m tired, but that method looks like it simply adds an additional simple login url, it doesn’t change it.
    i.e. you could still login at http://domain.com/wp-login.php

    #1138599
    OneArmedGraphics
    Member
    • Total posts: 314

    TIP: Leave an administrator account, but change its access level to subscriber only.

    (And obviously changing the username on the actual administrator account)
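
Added example (my own code, not anything posted in this thread) that turns the advice in the first post and the tip above into a check you can run against a copy of the database: flag an account literally named "admin" that still holds the administrator role, treat a demoted "admin" as the decoy described here, and flag an administrator whose user_nicename equals the login name (WordPress builds author archive URLs from user_nicename, so that hands the login to anyone who browses /?author=ID). The table and column names (wp_users, wp_usermeta, wp_capabilities and the PHP-serialized role array) are WordPress's real ones; the rows are constructed, the SQLite in-memory database stands in for MySQL, and the issue-code strings are my own labels.

```python
"""Audit WordPress users for the weaknesses discussed in this thread.

Added example: an in-memory SQLite copy of the wp_users / wp_usermeta schema
(the column names WordPress uses on MySQL) populated with constructed rows.
"""
from __future__ import annotations

import re
import sqlite3

# A wp_capabilities value is a PHP-serialized array, e.g.
#   a:1:{s:13:"administrator";b:1;}
# This pulls out every role whose flag is true.
ROLE_RE = re.compile(r's:\d+:"([A-Za-z0-9_]+)";b:1;')


def parse_capabilities(serialized: str | None) -> set[str]:
    """Return the set of roles enabled in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized or ""))


def load_sample_db(fixed: bool) -> sqlite3.Connection:
    """Constructed sample data.

    fixed=False is the out-of-the-box state the thread warns about.
    fixed=True is after demoting "admin" to subscriber (the decoy) and creating
    a new administrator whose nicename differs from the login name.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_nicename TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    admin_caps = ('a:1:{s:10:"subscriber";b:1;}' if fixed
                  else 'a:1:{s:13:"administrator";b:1;}')
    users = [(1, "admin", "admin", "admin"),
             (2, "frederike", "frederike", "Frederike")]
    meta = [(1, "wp_capabilities", admin_caps),
            (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}')]
    if fixed:
        users.append((3, "siteowner", "site-owner", "Site Owner"))
        meta.append((3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'))
    con.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", users)
    con.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)",
        meta)
    return con


def audit(con: sqlite3.Connection, prefix: str = "wp_") -> dict[str, set[str]]:
    """Return {user_login: set(issue codes)} for accounts worth acting on.

    prefix is the table prefix from wp-config.php (trusted configuration, not
    user input); the capabilities meta key carries the same prefix.
    """
    rows = con.execute(
        f"SELECT u.ID, u.user_login, u.user_nicename, m.meta_value "
        f"FROM {prefix}users u LEFT JOIN {prefix}usermeta m "
        f"ON m.user_id = u.ID AND m.meta_key = ?",
        (f"{prefix}capabilities",)).fetchall()
    issues: dict[str, set[str]] = {}
    admins = 0
    for _uid, login, nicename, caps in rows:
        roles = parse_capabilities(caps)
        is_admin = "administrator" in roles
        admins += 1 if is_admin else 0
        found: set[str] = set()
        if login.lower() == "admin":
            found.add("admin-login-is-administrator" if is_admin
                      else "decoy-admin-demoted")
        if is_admin and nicename.lower() == login.lower():
            # Author archives are built from user_nicename, so /?author=<ID>
            # redirects to a URL that contains the login name.
            found.add("admin-login-exposed-as-nicename")
        if found:
            issues[login] = found
    if admins == 0:
        issues["<none>"] = {"no-administrator-account"}
    return issues


if __name__ == "__main__":
    for state in (False, True):
        print("fixed" if state else "default", audit(load_sample_db(fixed=state)))
```

Against a real site, point sqlite3 at a dump imported into SQLite or swap the connection for a MySQL driver; the SQL itself is plain enough to run unchanged. Note that demoting "admin" only helps if the real administrator's login is not also exposed through the nicename, which is why the audit checks both.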

    #1138600
    BrettM33
    Participant
    • Total posts: 1,372

    Here are some more advanced WP security measures with .htaccess

    Add this to the bottom of your root .htaccess file:

    Code:
    # Stop all access to wp-config.php
    # (Apache 2.2 access-control syntax; on Apache 2.4 this needs
    # mod_access_compat, or use "Require all denied" instead)
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # No directory browsing
    Options All -Indexes

    People still can’t view your config file in their browser without this (unless the PHP installation on the server is screwed up & the browser instead views .php files as text), but it’s just another security step.

    Inside your wp-admin/ directory add this into a .htaccess file:

    Code:
    # Deny everything under wp-admin/ except the addresses listed
    order deny,allow
    deny from all
    # a whole address (static IP)...
    allow from 203.0.113.10
    # ...or a prefix for a dynamic IP: matches 123.45.0.0 - 123.45.255.255
    allow from 123.45.

    # Re-open the static files the admin pages load for everyone.
    # The extension list here is reconstructed; adjust it to your site.
    # admin-ajax.php also lives in this directory and is called by the
    # public front end, so add "<Files admin-ajax.php> Allow from all </Files>"
    # if your theme or plugins use it.
    <FilesMatch "\.(css|js|gif|jpe?g|png|xml)$">
    Allow from all
    </FilesMatch>

    This is just an EXAMPLE above. Basically what it does is block ALL access to this directory apart from the IPs you list below. If you have a static IP you can list your whole IP there; if you have a dynamic IP then you can list it as a subnet like 123.45. – then this will block everybody except people that have IPs starting with 123.45. (which will be most people that use the same ISP as you).

    The bottom part allows access to several file types to anyone such as images, xml files etc.

    In your wp-content directory put this inside a .htaccess file:

    Code:
    # Block direct requests to anything under wp-content/ (plugin and theme PHP files)...
    Order deny,allow
    Deny from all

    # ...except the static asset types every visitor needs (extension list reconstructed)
    <FilesMatch "\.(css|js|gif|jpe?g|png|xml)$">
    Allow from all
    </FilesMatch>

    This blocks access to this dir to anyone and anything inside it apart from several file types to anyone such as images, xml files etc.

    This should keep your WP pretty secure. :)

    #1138601
    Zava Design
    Participant
    • Total posts: 1,463
    JohnTranter, post: 158170 wrote:
    It may be late and I’m tired, but that method looks like it simply adds an additional simple login url, it doesn’t change it.
    i.e. you could still login at http://domain.com/wp-login.php
    Yep, correct.

    And this is the one big issue with WP that I’m surprised they haven’t dealt with by now: not being able to specify your own admin URL. Just about every other enterprise-level CMS allows this, and it should be implemented for WP too.

    If a hacker can’t even find your admin then that’s going to be a major step in stopping attempted access.

    #1138602
    Netorigin
    Member
    • Total posts: 421

    Over the last week, we’ve had to implement security on the web server side to .htaccess deny IP addresses that visited the wp-login.php page and didn’t send a browser request for CSS.

    Cheers,

    Shaun
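
Added example (my own code, not Shaun's implementation) of the server-side heuristic described in the post above: walk an Apache access log, collect every client that touched wp-login.php, drop the ones that also fetched a stylesheet (a real browser rendering the login page does), and emit the rest as an Apache 2.2-style deny list for wp-login.php. The log lines are constructed in the Apache "combined" format with documentation-range addresses; the status-code detail relied on is real (WordPress re-serves the form with 200 on a failed login and redirects with 302 on success).

```python
"""Flag wp-login.php brute-forcers that never requested CSS.

Added example over constructed Apache "combined" log lines; the output is a
mod_access_compat-style deny block for wp-login.php.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Apache "combined" format; referer and user-agent are optional so that plain
# "common" format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample: one real browser login, two scripted attackers, one crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2013:10:00:01 +1000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
203.0.113.7 - - [13/Apr/2013:10:00:02 +1000] "GET /wp-admin/css/wp-admin.css?ver=3.5.1 HTTP/1.1" 200 8812 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
203.0.113.7 - - [13/Apr/2013:10:00:20 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
198.51.100.9 - - [13/Apr/2013:10:01:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "-"
198.51.100.9 - - [13/Apr/2013:10:01:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "-"
198.51.100.9 - - [13/Apr/2013:10:01:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "-"
192.0.2.33 - - [13/Apr/2013:10:02:10 +1000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/1.2.0"
192.0.2.33 - - [13/Apr/2013:10:02:11 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.2.0"
192.0.2.50 - - [13/Apr/2013:10:03:00 +1000] "GET / HTTP/1.1" 200 15021 "-" "Googlebot/2.1"
192.0.2.50 - - [13/Apr/2013:10:03:00 +1000] "GET /wp-content/themes/twentytwelve/style.css HTTP/1.1" 200 4410 "-" "Googlebot/2.1"
"""


def parse_log(lines) -> list[dict]:
    """Parse log lines into dicts; unparsable lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def suspicious_ips(records, min_login_hits: int = 1) -> dict[str, dict[str, int]]:
    """Clients that hit wp-login.php at least min_login_hits times and never
    requested a .css file. Returns {ip: {"login_hits": n, "failed_posts": m}}."""
    by_ip = defaultdict(lambda: {"login_hits": 0, "failed_posts": 0, "css_hits": 0})
    for r in records:
        stats = by_ip[r["ip"]]
        path = r["path"].split("?", 1)[0]  # ignore query strings like ?ver=3.5.1
        if path.endswith("/wp-login.php"):
            stats["login_hits"] += 1
            # A failed login gets the form back with 200; success redirects (302).
            if r["method"] == "POST" and r["status"] == "200":
                stats["failed_posts"] += 1
        elif path.endswith(".css"):
            stats["css_hits"] += 1
    return {ip: {"login_hits": s["login_hits"], "failed_posts": s["failed_posts"]}
            for ip, s in by_ip.items()
            if s["login_hits"] >= min_login_hits and s["css_hits"] == 0}


def deny_block(suspects) -> str:
    """Render an Apache 2.2 / mod_access_compat deny list for wp-login.php."""
    lines = ["# generated: clients that hit wp-login.php without loading CSS",
             "<Files wp-login.php>", "Order allow,deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(suspects)]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspicious_ips(parse_log(SAMPLE_LOG.splitlines()))
    for ip, s in sorted(found.items()):
        print(f"{ip}: {s['login_hits']} login hits, {s['failed_posts']} failed POSTs")
    print(deny_block(found))
```

Two caveats before wiring this into a cron job: a returning administrator whose browser has the stylesheets cached will not request them either, so put your own addresses on an allow list first; and a bot that fetches a single .css file defeats the heuristic entirely, so treat the failed_posts count as the stronger signal and the CSS test as a cheap first filter.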
