[Hidden-tech] WordPress security question

Rich Roth webmaster at hidden-tech.net
Thu Jan 14 14:40:36 EST 2016


A few points of reference:
1) Attackers generally don't have a domain, because they are coming from an IP used to 
log in via Comcast or some related network,
so you'd be blocking thousands of possible visitors.

2) Attackers might come from suspect countries like .ru, .ro, or .cn but that is a very 
poor way to identify them and rarely accurate.

3) Changing a password is good - there are plenty of good generators online; expect 8-15 
characters with a mix of upper, lower, numbers and special characters, BUT unless your 
prior password was really bad (like 12345) it was probably not the point of attack.

4) Using https is wonderful as a general rule but, again, not likely how someone got in 
-- since it is not likely the attacker was on your local network.

5) Repeated, high-rate IP activity is a good place to look for issues and an easy place to 
block; at the server level is best, and many have
denyhosts running routinely.   There are a number of good plugins in the WP plugin directory.

6) The best diagnostic you should do asap after the compromise is
     a) look for recently changed files, often in a tmp or cache directory;
        from an ssh command you can use:  find . -ctime -2 -ls  (shows files changed 
        within the last 2 days)
     b) compare against a fresh WP install
     c) check the logs for repeated access from the same IP and look at what program files 
        were accessed;
        specifically look for IPs hitting lots of 404s because those are probes looking 
        for weaknesses.

In reality, the most likely point of attack is because:
     - the version of WordPress is old
     - there is an open exploit in one of the WordPress functions -- the wysiwyg editors 
       like fck are the worst, as they often
       have image upload functions that are very easy to crack.
     - the worst security hole in many CMS based systems today (WP, Joomla, Drupal) is the 
       'update version' directly from the web
       admin dashboard, because that means your whole directory file tree of 
       programming is open to writing from the web server,
       which is how most attackers get in to cause trouble.

So the best you can do is make sure as much of the directory tree as possible is read-only to the web 
server, and even root-writable only.
2nd best is to use ftp for updating with a different user from the web server.

For many WP system admins, it is necessary to upload images from the web dashboard, so 
make sure *only* that directory tree
is web server writable - (for WP) maybe even WPHOME/wp-content/uploads root-writable only 
and create the new year 2016 directory by hand - so only that sub-tree is writable - and 
make sure none of those files can be executed by PHP as programs,
which means something like this in an .htaccess file for those directories:
         RemoveHandler .php
         RemoveType .php
         php_flag engine off

Frankly, Shel without more info, we are guessing -- just remember in today's internet 
EVERY web site is constantly being attacked.

Rich/webmaster

On 1/14/2016 1:57 PM, Erik Amlee wrote:
>
> You cannot change username or register a second account with the same email address. 
> Best is to delete the old account and re-create it with the same permissions.
> And there are WordPress plugins that claim to block IP addresses by country, but you 
> would also deny legit traffic. If you are seeing brute force attacks on wp-login, a 
> better solution would be a plugin that locks/bans by IP after X login attempts.
> Erik Amlee
>
> Director of Programming
> _______________________________
> Yes Exactly, Inc. | yesexactly.com <http://yesexactly.com> | 413.325.8251
> ---------- Forwarded message ----------
> From: *Shel Horowitz* <shel at principledprofit.com <mailto:shel at principledprofit.com>>
> Date: Thu, Jan 14, 2016 at 11:19 AM
> Subject: [Hidden-tech] WordPress security question
> To: Hidden-Tech Tech <hidden-discuss at lists.hidden-tech.net 
> <mailto:hidden-discuss at lists.hidden-tech.net>>
>
>
> A client's site was compromised recently. I changed the password to something impossible 
> to guess--but I'm wondering if:
> 1) There's a way to change the username in wp-admin
> 2) It's possible to block domains or country codes of attackers trying to sign in (most 
> of them seem to be from France)
> Thanks,
>


-- 
Rich Roth
Webmaster/Steering Committee Member
Hidden-tech http://www.hidden-tech.net
The Talent you need is right here,
Join and share your skills
((Sponsored by Thrives Media))
http://www.thrivesmedia.com
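Points 5 and 6c of Rich's message, as an added example that is not part of the original thread: a small POSIX shell helper that counts 404 responses per client IP in an access log in the common Apache/nginx "combined" format and lists what a given IP was probing for. The log lines, IPs and paths below are constructed for the example; the log path you would really use is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread. Surfaces IPs hitting lots of
# 404s (probes looking for weaknesses) in a "combined" format access log.
set -eu

# Constructed sample log lines, not real traffic. In combined format the
# client IP is field 1, the request path field 7 and the status code field 9.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [14/Jan/2016:13:01:02 -0500] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2016:13:01:03 -0500] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2016:13:01:04 -0500] "GET /editor/upload.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2016:13:01:05 -0500] "GET /wp-content/uploads/2015/x.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2016:13:01:06 -0500] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Jan/2016:13:05:10 -0500] "GET / HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Jan/2016:13:05:11 -0500] "GET /old-page/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Jan/2016:13:05:12 -0500] "GET /about/ HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Jan/2016:13:07:30 -0500] "GET /about/ HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
EOF
}

# Read a log on stdin; print "count ip" for every client IP with at least
# $1 responses of status 404, busiest first.
probe_ips() {
    awk -v min="$1" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Read a log on stdin; print the paths IP $1 requested that returned 404,
# which shows what the probe was looking for.
probed_paths() {
    awk -v ip="$1" '$1 == ip && $9 == 404 { print $7 }'
}

# Stand-alone run on the sample. On a real server you would feed the live
# log instead, e.g. probe_ips 20 < /var/log/apache2/access.log (path assumed).
sample_log | probe_ips 3
sample_log | probed_paths 203.0.113.7
```

The threshold is a judgement call: a handful of 404s is normal browsing, dozens from one address in a short window is a scan and a candidate for a server-level block.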
