Wordpress Sites security


Wordpress Sites security

Postby sathish.k » Thu May 10, 2012 5:44 am

Did you know that more than web sites in the world run on the WordPress publishing platform? This makes WordPress more popular than Microsoft SharePoint, Blogger, or Drupal. It also means that WordPress is a large target for hackers. As it is Open Source, everybody has access to its Source Code and can experiment with new cracking/hacking methods easily.

Following are some easy steps to harden the security of WordPress site.

1. Don’t use ‘admin’ username
As of version 3.0, WordPress has the option to change your admin username to whatever you like. If you change it, a potential hacker has to hack both the username and the password.

2. Install Login LockDown Plugin
A potential hacker will try to break your username/password combination using a brute force or dictionary attack on your WordPress login screen. The Login LockDown plugin will prevent that.

3. Install Secure WordPress plugin
Secure WordPress beefs up the security of your WordPress installation by removing error information on login pages, adding index.html to plugin directories, hiding the WordPress version and much more.

4. Move your wp-config.php file
In your wp-config.php file there is database connection info as well as other data that should be kept from being accessed by anybody. From WordPress 2.6 you can easily move this file out of the root folder location. WordPress will automatically look for your config file there if it can't find it in your root directory.

5. Change database table prefixes
The WordPress table prefix is wp_. As WordPress is Open Source, if you leave your table prefixes intact, everybody knows the exact names of the database tables.

6. Change default secret keys
------------------------------------
// wp-config.php: replace each empty value with a long, unique random string
define('AUTH_KEY',        '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY',   '');
define('NONCE_KEY',       '');
------------------------------------
A secret key is a hashing salt that is used against your password to make it even stronger.

7. Wordpress Update
Always update to the latest version of WordPress, as it is the most secure one. Don't forget to update your plugins and themes.

8. Protect your wp-admin
adds some serious password protection to your WordPress Blog.

9. Use strong password
Weak passwords are easy to break with the modern brute force attack programs in use.

10. Backup
Take regular backups of files and databases.
Thanks & Regards,
Sathish
sathish.k
 
Posts: 111
Joined: Fri Aug 08, 2008 1:18 am
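A check for points 5 and 6 above, written for this page as an added example (it is not the post's own code and not WordPress code): it parses a wp-config.php, reports secret keys that are empty, still the sample-file placeholder, short or reused, flags the default wp_ table prefix, and shows how to generate replacement keys. The sample file contents are constructed; the 32-character minimum and the replacement prefix wp7q_ are assumptions.

```python
"""Audit wp-config.php for default table prefix and unchanged secret keys (added example)."""
import re
import secrets

SECRET_KEYS = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY')
DEFAULT_PLACEHOLDER = 'put your unique phrase here'   # value shipped in wp-config-sample.php
MIN_KEY_LENGTH = 32                                   # assumed policy; WordPress enforces no minimum

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")

# Constructed sample: a freshly unpacked install that nobody hardened.
UNHARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'changeme');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    '');
define('NONCE_KEY',        'abc123');
$table_prefix = 'wp_';
"""


def parse_defines(text):
    """Map every single-quoted define('NAME', 'value') in the file to its value."""
    return dict(DEFINE_RE.findall(text))


def table_prefix(text):
    m = PREFIX_RE.search(text)
    return m.group(1) if m else None


def audit(text):
    """Return [(item, problem), ...]; an empty list means every check passed."""
    findings = []
    defines = parse_defines(text)
    seen = {}
    for name in SECRET_KEYS:
        value = defines.get(name, '')
        if value == '':
            findings.append((name, 'missing or empty'))
        elif value == DEFAULT_PLACEHOLDER:
            findings.append((name, 'still the default placeholder'))
        elif len(value) < MIN_KEY_LENGTH:
            findings.append((name, 'shorter than %d characters' % MIN_KEY_LENGTH))
        elif value in seen:
            findings.append((name, 'reuses the value of %s' % seen[value]))
        else:
            seen[value] = name
    if table_prefix(text) == 'wp_':
        findings.append(('table_prefix', 'default wp_ prefix'))
    return findings


def fresh_secret_keys():
    """Replacement define() lines, one 64-character random value per key."""
    return '\n'.join("define('%s', '%s');" % (name, secrets.token_urlsafe(48))
                     for name in SECRET_KEYS)


def harden(text, prefix='wp7q_'):
    """Drop the old key defines, append fresh ones and change the prefix (assumed value)."""
    kept = [line for line in text.splitlines()
            if not any(line.lstrip().startswith("define('%s'" % k) for k in SECRET_KEYS)]
    body = PREFIX_RE.sub("$table_prefix = '%s'" % prefix, '\n'.join(kept))
    return body + '\n' + fresh_secret_keys() + '\n'
```

Changing $table_prefix in wp-config.php alone does not rename anything in the database: the tables themselves, the wp_user_roles option and the per-user wp_capabilities and wp_user_level meta keys all carry the prefix and must be renamed in the same change, or every login loses its role. The 'admin' username check (point 1) needs the database and is not covered here.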

Re: Wordpress Sites security

Postby sathish.k » Mon Jun 25, 2012 3:38 am

"BulletProof Security" - A WordPress Security plugin

BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. One-click Website Maintenance Mode (HTTP 503). Additional website security checks: DB errors off, file and folder permissions check... System Info: PHP, MySQL, OS, Server, Memory Usage, IP, SAPI, DNS, Max Upload... Built-in .htaccess file editing, uploading and downloading.
Thanks & Regards,
Sathish

Re: Wordpress Sites security

Postby Angie_Kalamo » Mon Jun 25, 2012 9:09 am

Great tips. Another site of mine, which runs on Wordpress, got hacked right in the middle of a product launch. It was crazy! Yes, the ability to change the username from "admin" was long overdue by Wordpress...! Going to check out some of those plugins you mentioned - thanks.
If you ever need , please check out my site :)
Angie_Kalamo
 
Posts: 6
Joined: Mon Jun 25, 2012 8:31 am

Re: Wordpress Sites security

Postby sathish.k » Wed Jun 27, 2012 5:01 am

Exploit Scanner

This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames. It will not stop someone hacking into your site, but it may help you find any uploaded or compromised files left by the hacker.

When a website is compromised, hackers leave behind scripts and modified content that can be found by manually searching through all the files on a site. Some of the methods used to hide their code or spam links are obvious, like using CSS to hide text, and we can search for those strings.

The database can also be used to hide content or be used to run code. Spam links are sometimes added to blog posts and comments. They’re hidden by CSS so visitors don’t see them, but search engines do. Recently, hackers took advantage of the WP plugin system to run their own malicious code. They uploaded files with the extensions of image files and added them to the list of active plugins. So, despite the fact that the file didn’t have a .php file extension, the code in them was still able to run!

See the homepage for further information.
Thanks & Regards,
Sathish
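What a scan of the kind described above does, as an added example written for this page (not the Exploit Scanner plugin's code): it greps file contents and post bodies for injection idioms and CSS-hidden links, and pulls the entries out of a serialized active_plugins option to flag any that are not .php files. The sample site contents, the post body and the option value are constructed; the pattern list is an assumption, not the plugin's.

```python
"""Offline scan for injected code, hidden spam links and odd active plugins (added example)."""
import re

# (label, pattern) pairs: obfuscation and injection idioms common in PHP backdoors
CODE_PATTERNS = [
    ('eval of decoded payload',
     re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)),
    ('preg_replace /e modifier',
     re.compile(r"""preg_replace\s*\(\s*['"]/[^'"]*/[a-z]*e[a-z]*['"]""")),
    ('eval of request data',
     re.compile(r'eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b')),
    ('system call on request data',
     re.compile(r'(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b')),
]
# a link inside an element that CSS hides from readers but not from crawlers
HIDDEN_LINK = re.compile(
    r'(?:display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}px)[^>]*>\s*<a\s', re.I)
# enough to pull the strings out of a PHP-serialized a:N:{...}; not a full unserializer
SERIALIZED_STR = re.compile(r's:\d+:"([^"]*)";')


def scan_text(name, text):
    """Return [(name, line_no, label)] for every suspicious line in one file or post."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for label, pat in CODE_PATTERNS:
            if pat.search(line):
                hits.append((name, no, label))
        if HIDDEN_LINK.search(line):
            hits.append((name, no, 'CSS-hidden link'))
    return hits


def scan_all(documents):
    """documents: {name: text}, covering files on disk plus post and comment bodies."""
    hits = []
    for name in sorted(documents):
        hits.extend(scan_text(name, documents[name]))
    return hits


def non_php_active_plugins(serialized_option):
    """Entries of the serialized active_plugins option whose file name is not .php."""
    return [p for p in SERIALIZED_STR.findall(serialized_option) if not p.lower().endswith('.php')]


# Constructed sample site: a clean plugin, a backdoored theme file, a spammed post,
# and an active_plugins option with an image file smuggled into it.
SAMPLE_SITE = {
    'wp-content/plugins/hello/hello.php': "<?php\nfunction hello_dolly() { echo 'Hello'; }\n",
    'wp-content/themes/twentyeleven/footer.php':
        "<?php wp_footer(); ?>\n"
        "<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>\n"   # payload decodes to: echo "hi";
        "<?php preg_replace('/.*/e', $_POST['x'], ''); ?>\n",
    'post:42': "<p>Nice article.</p>\n"
               "<div style=\"display:none\"><a href=\"http://spam.example/\">cheap pills</a></div>\n",
}
SAMPLE_ACTIVE_PLUGINS = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:24:"uploads/2012/07/logo.jpg";}'
```

Pattern hits are leads, not verdicts: a legitimate caching or minification plugin can trip the eval rule, so compare flagged files against a clean copy of the same plugin version before deleting anything.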

Re: Wordpress Sites security

Postby sathish.k » Mon Jul 02, 2012 3:32 am

Better WP Security : A Wordpress Security Plugin

Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
Thanks & Regards,
Sathish

Secure WordPress Plugin

Postby sathish.k » Tue Jul 17, 2012 6:22 am

Secure WordPress Plugin
Secure WordPress is a free WordPress plugin that helps secure your WordPress blog by reviewing key security functions. Hundreds of thousands of people already use the Secure WordPress plugin with great success to protect their blog content and visitors.

Key security features:
* Remove error-information on login-page
* Add index.php plugin-directory (virtual)
* Add index.html to plugin directory
* Remove the wp-version, except in the admin-area
* Hide wp-version in backend-dashboard for non-admins
* Remove Really Simple Discovery
* Remove Windows Live Writer
* Remove core update information for non-admins
* Remove plugin-update information for non-admins
* Remove theme-update information for non-admins (only WP 2.8 and higher)
* Block bad queries

Source:
Thanks & Regards,
Sathish

WordPress Backup to Dropbox

Postby sathish.k » Tue Jul 24, 2012 9:04 am

WordPress Backup to Dropbox
Keep your valuable WordPress website, its media and database backed up to Dropbox in minutes with this sleek, easy to use plugin.

has been created to give you peace of mind that your blog is backed up on a regular basis.

Just choose a day, time and how often you wish your backup to be performed and kick back and wait for your website's files and a SQL dump of its database to be dropped in your Dropbox!

You can set where you want your backup stored within Dropbox and on your server as well as choose what files or directories, if any, you wish to exclude from the backup.

The plugin uses so your Dropbox account details are not stored for the plugin to gain access.

Checkout the website -

Setup

Once installed, the authorization process is easy -

1. When you first access the plugin’s options page, it will ask you to authorize the plugin with Dropbox.

2. A new window will open and Dropbox will ask you to authenticate and grant the plugin access.

3. Finally, click continue to setup your backup.

Minimum Requirements

1. PHP 5.2 or higher

2. A Dropbox account

Source:
Thanks & Regards,
Sathish

Re: Wordpress Sites security

Postby beniston » Tue Jul 24, 2012 10:14 pm

Thanks Sathish for sharing. This indeed is a very useful and necessary plugin. :D
beniston
 
Posts: 502
Joined: Wed Nov 02, 2011 4:35 am
Location: Cochin

Wordpress Sites security

Postby sathish.k » Thu Jul 26, 2012 9:17 am


Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
With one-click activation for most features as well as advanced features for experienced users Better WP Security can help protect any site.

Obscure

As most WordPress attacks are a result of plugin vulnerabilities, weak passwords, and obsolete software, Better WP Security will hide the places those vulnerabilities live, keeping an attacker from learning too much about your site and keeping them away from sensitive areas like login, admin, etc.

* Remove the meta "Generator" tag
* Change the URLs for the WordPress dashboard including login, admin, and more
* Completely turn off the ability to login for a given time period (away mode)
* Remove theme, plugin, and core update notifications from users who do not have permission to update them
* Remove Windows Live Writer header information
* Remove RSD header information
* Rename "admin" account
* Change the ID on the user with ID 1
* Change the WordPress database table prefix
* Change wp-content path
* Remove login error messages
* Display a random version number to non administrative users anywhere version is used

Source:
Thanks & Regards,
Sathish

Wordpress backup solutions listed

Postby beniston » Mon Aug 06, 2012 10:45 pm

Listed here are 5+ different backup solutions for Wordpress.

And finally the Wordpress backup to Dropbox is explained.

http://www.1stwebdesigner.com/wordpress ... o-dropbox/

It was also mentioned by Sathish some time ago viewtopic.php?f=8&t=2926#p6811

WordPress site security with .htaccess tricks

Postby sathish.k » Thu Aug 09, 2012 8:58 am

Applying some security tricks to .htaccess file will tighten up the site’s security and give our wordpress sites an extra level of protection. Here are some steps how we can work with .htaccess file to improve the site security.

Wp-Admin access from limited IP addresses:

WordPress admin is the administration panel for WordPress, so limiting access to this area per IP address will increase the security. We can do this by creating a new .htaccess file and placing it in the wp-admin folder.
Here is an example of allowing only one IP address for the wp-admin folder and denying all others. Before applying this please make sure that you use a static public IP address while working with wp-admin (a dynamic IP address is one that is temporarily assigned to a user by their internet service provider every time they connect).
------------------------------------
# wp-admin/.htaccess (Apache 2.2 access-control syntax; Apache 2.4 needs
# mod_access_compat for these directives)
# With "order deny,allow" the Allow line wins for the listed address, so that
# address is let in and everyone else is refused.
# wp-admin/admin-ajax.php is also called from the public front end, so test
# the site after applying this.
order deny,allow
# replace with your own static public IP address
allow from 119.226.66.146
deny from all
------------------------------------

Block an IP Address :

If you find an attempt to access the site from a vulnerable IP Address, you can block that IP Address by adding the following code to .htaccess.
------------------------------------
# <Limit GET POST> covers only GET (with HEAD) and POST; drop the <Limit>
# wrapper to refuse every request method from these addresses.
<Limit GET POST>
order allow,deny
# replace with the IP addresses to block, one "deny from" line per address
deny from 119.226.66.146
deny from 119.226.66.147
allow from all
</Limit>
------------------------------------

Prevent directory Browsing:

As WordPress is popular, many people know the structure of the folders and files in a WordPress site. This is vulnerable because hackers can easily identify the plugins which are used and the internal structure of the site. We can prevent this by disabling directory browsing for the site. We can do this by using the following code.
------------------------------------
# Prevent Directory browsing
Options All -Indexes
------------------------------------

Prevent important wp-content files:

wp-content contains images, themes, plugins etc. and is a very important folder, so we can prevent access to it from others by adding the following code.
------------------------------------
# wp-content/.htaccess: refuse everything except the static asset types below.
# <Files> matches a literal file name; a regular expression needs <FilesMatch>.
# This also blocks direct requests to .php files under wp-content, so check any
# plugin or theme file that is requested directly (form handlers, cron URLs).
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</FilesMatch>
------------------------------------

Prevent .htaccess file from hackers:

.htaccess files are sometimes vulnerable to hackers, so we can prevent access to this file by adding the following code.
------------------------------------
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
------------------------------------

Protect wp-config.php file:

The wp-config file in the root directory contains all the site and database information, so preventing access to this file is very important. We can do this by adding the following lines to the .htaccess file.
------------------------------------
<Files wp-config.php>
order allow,deny
deny from all
</Files>
------------------------------------
Thanks & Regards,
Sathish

Re: Wordpress Sites security

Postby Chris Ward » Thu Aug 09, 2012 9:38 am

This is great, Sathish! Should we test some of this on a few of our clients who are receiving a lot of spam form submissions?
Chris Ward
 

Re: Wordpress Sites security

Postby beniston » Thu Aug 09, 2012 10:23 pm


Re: Wordpress Sites security

Postby sathish.k » Fri Aug 10, 2012 12:31 am

Yes Beniston,
I meant the vulnerable IP address :) .

------------------------------------
<Limit GET POST>
order allow,deny
# replace with the IP addresses to block, one "deny from" line per address
deny from 119.226.66.146
deny from 119.226.66.147
allow from all
</Limit>
------------------------------------
Thanks & Regards,
Sathish

Spam Free WordPress

Postby sathish.k » Fri Aug 17, 2012 4:35 am

Spam Free WordPress is a comment spam blocking plugin that blocks 100% of the automated spam with zero false positives.
This plugin was born out of necessity in September of 2007. A comment spam fighting plugin was needed that could handle huge visitor traffic, and huge spam attacks. Today the plugin can scale to handle any amount of traffic or spam.

Features

1. Automatically blocks 100% of automated comment spam
2. Local manual spam and ban policy set with local IP address blocklist
3. Global manual spam and ban policy set with remote IP address blocklist
4. Virtually zero database load under the heaviest spam conditions.
5. Zero false positives
6. Option to strip HTML from comments
7. No CAPTCHA cookies, or Javascript needed

Installation Requires: Wordpress 3.1 or higher and Compatible up to: 3.6

Source:
Thanks & Regards,
Sathish

Re: Wordpress Sites security

Postby Chris Ward » Fri Aug 17, 2012 11:04 am

Sounds like exactly what we need, if it works as promised.

Team, when can we test this out and implement it on all of our client sites?

Most of them don't receive that many spam submissions, but those that do would benefit and the only thing better than a small amount of spam would be no spam at all!
Re: Wordpress Sites security

Postby DJ » Fri Aug 17, 2012 11:23 am

This should definitely be tested out first! If it works that is amazing!
The Deej
DJ
Site Admin
 
Posts: 1022
Joined: Thu May 04, 2006 4:47 pm

Re: Wordpress Sites security

Postby sathish.k » Thu Oct 25, 2012 5:33 am

Wordfence Security:
Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don't have backups.
Features:
1. Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
2. WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
3. Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
4. Premium users can also block countries and schedule scans for specific times and a higher frequency.
5. See how files have changed. Optionally repair changed files that are security threats.
6. Scans for signatures of over 44,000 known malware variants that are known security threats.
7. Scans for many known backdoors including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
8. Continuously scans for malware and phishing URLs including all URLs on the Google Safe Browsing List in all your comments, posts and files that are security threats.
9. Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
10. Checks the strength of all user and admin passwords to enhance login security.
11. Monitor your DNS security for unauthorized DNS changes.
12. Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
13. Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
14. Choose whether you want to block or throttle users and robots who break your security rules.
15. Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
16. See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
17. A real-time view of all traffic including automated bots that often constitute security threats that Javascript analytics packages never show you.
18. Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
19. Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.

Requires: 3.3.1 or higher
Compatible up to: 3.4.2
Source:
Thanks & Regards,
Sathish
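The brute-force lockout in item 15 of the list above, as an added example written for this page (not Wordfence's code): it replays an Apache access log, counts failed POSTs to wp-login.php per source address in a sliding window, and reports addresses that exceed a threshold. The log lines are constructed, the IPs come from the RFC 5737 documentation ranges, and the "more than 5 failures in 5 minutes" policy is an assumption; it relies on stock WordPress answering a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
"""Detect wp-login.php brute forcing from an Apache access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TIME_FMT = '%d/%b/%Y:%H:%M:%S %z'
MAX_FAILURES = 5             # assumed policy: more than 5 failures within WINDOW flags the IP
WINDOW = timedelta(minutes=5)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], TIME_FMT)
    return rec


def failed_logins(lines):
    """Yield (ip, ts) per failed login: a POST to wp-login.php answered with 200.
    Stock WordPress redirects (302) on success and re-renders the form (200) on failure."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec['method'] == 'POST' and rec['status'] == '200'
                and rec['path'].split('?', 1)[0].endswith('/wp-login.php')):
            yield rec['ip'], rec['ts']


def find_brute_force(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Sliding-window count per IP; returns {ip: time the threshold was first exceeded}."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # q always holds ts itself, so it never empties
            q.popleft()
        if len(q) > max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _entry(ip, hhmmss, method, status):
    """Constructed combined-log line (10 Aug 2012, documentation-range IPs)."""
    return ('%s - - [10/Aug/2012:%s +0000] "%s /wp-login.php HTTP/1.1" %s 3120 "-" "Mozilla/5.0"'
            % (ip, hhmmss, method, status))


SAMPLE_LOG = (
    [_entry('203.0.113.7', '09:00:01', 'GET', '200')] +
    [_entry('203.0.113.7', '09:00:%02d' % s, 'POST', '200') for s in range(2, 10)] +   # 8 failures in 8 s
    [_entry('198.51.100.24', '09:05:00', 'GET', '200'),
     _entry('198.51.100.24', '09:05:10', 'POST', '200'),       # one mistyped password
     _entry('198.51.100.24', '09:05:30', 'POST', '302')] +     # then a successful login
    [_entry('203.0.113.9', '09:%02d:00' % m, 'POST', '200') for m in range(0, 36, 6)]  # 6 tries, 6 min apart
)
```

The slow source (one try every six minutes) never trips a 5-minute window, which is exactly how low-and-slow password spraying evades per-IP lockouts; if the site is behind a proxy or CDN, read the client address from X-Forwarded-For rather than the first field, or every attempt collapses onto one proxy IP.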

Re: Wordpress Sites security

Postby beniston » Thu Oct 25, 2012 7:09 am


Re: Wordpress Sites security

Postby sathish.k » Mon Apr 15, 2013 1:11 pm

Greater Security with Two Step Authentication
WordPress users can finally secure their account(s) with two step authentication. The optional feature has been rolled out recently and is accessible to all users.
Read more:
Thanks & Regards,
Sathish

Re: Wordpress Sites security

Postby sathish.k » Tue Nov 05, 2013 11:12 am


All in One WP Security & Firewall is one of the best user-friendly security plugins for WordPress.
It provides User Accounts Security, User Login Security, Database Security and File System Security. It has advanced Firewall Functionality with feature, and Brute force login attack prevention.

5G Blacklist helps reduce the number of malicious URL requests that hit your website. It’s one of many ways to improve the security of your site and protect against evil exploits, bad requests, and other nefarious garbage. If your site runs on Apache and you’re familiar with .htaccess, the 5G is an effective way to secure your site against malicious HTTP activity.


Requires: Wordpress 3.5 or higher
Compatible up to: 3.7.1

Source:
Thanks & Regards,
Sathish

Re: Wordpress Sites security

Postby douglas » Tue Nov 05, 2013 10:53 pm

It would be great that Programming leads have a try on this security plug-in. Thanks Sathish!
All In One WP Security & Firewall
douglas
 
Posts: 282
Joined: Fri Feb 20, 2009 3:56 am

Major Security Vulnerability in WordPress

Postby jay » Thu Aug 07, 2014 5:33 am

Major Security Vulnerability in WordPress Could Take Down Websites. If your website runs on a self-hosted WordPress installation or on Drupal, update your software now.
Nir Goldshlager, a security researcher from Salesforce.com's product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

Read more - http://mashable.com/2014/08/06/wordpres ... lowup-dos/
Jay M
Write Less, Do More
jay
 
Posts: 475
Joined: Wed Nov 22, 2006 12:05 am
Location: Cochin, India.

Re: Wordpress Sites security

Postby eddy » Thu Aug 07, 2014 4:05 pm

Jay,

Is this something we should be worried about? Do we need to recommend upgrading all our WordPress sites because of this? Please advise.

If so, we need to:
1 - create a letter and get it out to our WordPress clients. This would also be a good opportunity to upsell a Service Agreement.
2 - we should identify all those clients who have a current service agreement and we should schedule WordPress updates for these clients ASAP

Cheers,
Eddy
eddy
 
Posts: 89
Joined: Mon Dec 19, 2011 7:55 am
Tell us why you would like to become a WyseLabs Member:

Re: Wordpress Sites security

Postby jay » Fri Aug 08, 2014 1:51 am

Hi Eddy,
Not sure for all the sites, but sites with good ranking/premium clients need to be upgraded. As mentioned in the post, the aim of the hackers is to create high load on the server and this will cause visitors to leave the site, and this is the aim of hackers who are funded by the competitors.

We are facing WordPress vulnerabilities frequently and we think it's time to plan things ahead while starting the project. WordPress says that auto/minor updates will affect only the core files which are under wp-admin and wp-includes, but major version upgrades will affect the files in themes and plugins as well.

So moving forward, what we think is the best option is to create a gdoc where all projects are listed, mentioning the current version number and all the areas where custom code is implemented. This will help to upgrade the site and then restore the custom code. This will generally be less time consuming than the ambiguous method we are following now.

Would like to know your thoughts!
Jay M
Write Less, Do More

Re: Wordpress Sites security

Postby eddy » Fri Aug 08, 2014 9:14 am

Hi Jay:

I think once we know of a vulnerability that can affect a client's site and/or SEO, we should recommend an upgrade to our clients.

We have a standard upgrade letter we sent out to our clients on the last major update. We would need to do the same thing again with all clients who are not on a Service Agreement with us. For those clients on an active service agreement, we should just do the upgrade.

In your GDoc you should also include a column for Service Agreement (Y or N). If this is a Yes, then you can automatically schedule upgrades when required. For those with a No, the AM would have to send an email to the client, recommending the upgrade. Once approved, or once they enter into a service agreement, the upgrade could be done.

Please set up the GDoc for all clients with WP. We can then check and see who has a service agreement, update that information and then begin notification of clients and upgrades.

Thanks
Eddy

Prevent WP username to be leaked through Author Archive link

Postby sathish.k » Wed Feb 04, 2015 3:24 am

Your WordPress login username can be leaked easily via author archive page’s permalink

http://domain.com/author/username/

The part here is /author/username/, as this is where your login username could be leaked.


How can it happen?

When we create a new user on your WordPress site, we assign this user a username for login purposes.
There is a field in the WordPress database called user_nicename, which can be found in the wp_users table. user_nicename is populated with the login username as the user is created. Once user_nicename is populated, it cannot be changed from the WordPress Dashboard.

WordPress uses user_nicename in the author archive page permalink.

For example, you've created a new user called user1. The author archive URL will be http://domain.com/author/user1, and there you will get the author page.


You can test this by using any wp site where you have blog post added. For eg: http://www.domain.com/blog/author/bloguser/

Please change "bloguser" with your username and you will see a list of all the posts by the particular user


How can this be prevented?

By changing user_nicename to different from your actual login username, it becomes more difficult for hackers to figure out what the login username is.

user_nicename cannot be updated through the WordPress Dashboard, but it can be done by editing the wp_users table using a MySQL client tool, e.g. phpMyAdmin or HeidiSQL.

By changing the user nicename to "user-new" and keeping the login as "user1", the author archive page will show the URL as http://domain.com/author/user-new and the actual username "user1" cannot be traced by a hacker.
Thanks & Regards,
Sathish
sathish.k
 
Posts: 111
Joined: Fri Aug 08, 2008 1:18 am
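The check and the fix described above, as an added example written for this page (not code from the post): it finds every account whose user_nicename equals its user_login, so that /author/<user_nicename>/ gives the login away, and rewrites the nicename to something not derived from the login. It runs here against an in-memory SQLite stand-in for wp_users with constructed rows; the SELECT and UPDATE are the same statements you would run in phpMyAdmin or HeidiSQL against MySQL. The slug scheme (display name plus a random suffix, falling back to "author") is an assumption.

```python
"""Find and fix accounts whose author URL exposes the login name (added example)."""
import re
import secrets
import sqlite3


def open_sample_db():
    """Constructed stand-in for wp_users, trimmed to the columns this check uses."""
    db = sqlite3.connect(':memory:')
    db.execute("""CREATE TABLE wp_users (
                    ID INTEGER PRIMARY KEY,
                    user_login TEXT NOT NULL,
                    user_nicename TEXT NOT NULL,
                    display_name TEXT NOT NULL)""")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, 'admin',    'admin', 'admin'),     # worst case: login, nicename and display name all equal
        (2, 'user1',    'user1', 'Sathish'),
        (3, 'editor_j', 'jane',  'Jane'),      # already decoupled; must be left alone
    ])
    return db


def leaking_users(db):
    """(ID, user_login, user_nicename) for every account where the two names match."""
    return db.execute("SELECT ID, user_login, user_nicename FROM wp_users "
                      "WHERE user_login = user_nicename ORDER BY ID").fetchall()


def new_nicename(db, login, display_name):
    """Slug the public display name, refuse anything that still contains the login,
    add a random suffix, and keep it unused and within the column's 50-character limit."""
    base = re.sub(r'[^a-z0-9]+', '-', display_name.lower()).strip('-')
    if not base or login.lower() in base:
        base = 'author'
    while True:
        candidate = ('%s-%s' % (base, secrets.token_hex(2)))[:50]
        taken = db.execute("SELECT 1 FROM wp_users WHERE user_nicename = ?", (candidate,)).fetchone()
        if taken is None:
            return candidate


def fix_leaking_users(db):
    """Rewrite user_nicename for each leaking account; returns {login: new_nicename}."""
    changed = {}
    for user_id, login, _ in leaking_users(db):
        (display,) = db.execute("SELECT display_name FROM wp_users WHERE ID = ?", (user_id,)).fetchone()
        nice = new_nicename(db, login, display)
        db.execute("UPDATE wp_users SET user_nicename = ? WHERE ID = ?", (nice, user_id))
        changed[login] = nice
    db.commit()
    return changed
```

Two caveats when doing this on a live site: the old author archive URL stops resolving, so update anything that linked to it, and WordPress still redirects ?author=<ID> to the new archive, so the numeric ID stays enumerable even though the login name no longer appears.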

PHPMailer Remote Code Execution vulnerability

Postby sathish.k » Wed Dec 28, 2016 3:44 am

PHPMailer Remote Code Execution Vulnerability

A critical vulnerability has been discovered in PHPMailer, one of the most popular open source PHP libraries for sending email, used by around 10 million users worldwide.

Lots of websites developed using popular open source web applications, including WordPress, Joomla, Drupal, Yii, SugarCRM etc., come with the PHPMailer library for sending emails to their users using a variety of methods, including SMTP.

This vulnerability in PHPMailer could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.

Solution
The WordPress core team is currently working on a fix that will be included in a WordPress core security release.
Please update to the newest version of WordPress core as soon as it is released.
If you are using PHPMailer older than 5.2.18 in your own PHP applications, themes or plugins, please upgrade to PHPMailer 5.2.18 or newer immediately. Or, if you are a WordPress theme or plugin developer and have included your own copy of PHPMailer in your plugin or theme code, you need to update to PHPMailer 5.2.18 or newer immediately.

A snippet of the vulnerable code in PHPMailer and the fixes are shown in the attached images:

[Image: phpmailer.jpg]
[Image: phpmailer1.jpg]


Source:
Source:
Thanks & Regards,
Sathish
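The inventory step the post asks for, as an added example written for this page (not code from the post or from PHPMailer): walk a WordPress tree, find every file that defines class PHPMailer, read its $Version, and list the copies older than the fixed release. The core copy is replaced by the WordPress update the post mentions; the copies vendored by plugins and themes under wp-content survive it and are the ones this finds. The sample tree is constructed in a temp directory; the "*phpmailer.php" file-name filter and the 5.2.18 threshold (a parameter, so it can be raised if a later advisory supersedes it) are assumptions.

```python
"""Inventory PHPMailer copies under a WordPress tree and flag old ones (added example)."""
import os
import re
import tempfile

FIXED = (5, 2, 18)          # threshold from the post; pass a higher tuple if a later fix supersedes it
CLASS_RE = re.compile(r'\bclass\s+PHPMailer\b')
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")


def version_tuple(text):
    return tuple(int(p) for p in text.split('.'))


def phpmailer_version(path):
    """Version string if the file defines class PHPMailer, 'unknown' if it does but
    carries no $Version, None if it is not a PHPMailer class file at all."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        src = fh.read()
    if not CLASS_RE.search(src):
        return None
    m = VERSION_RE.search(src)
    return m.group(1) if m else 'unknown'


def find_copies(root):
    """Sorted [(relative_path, version)] for every PHPMailer class file under root."""
    copies = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith('phpmailer.php'):   # assumed naming convention
                continue
            path = os.path.join(dirpath, fn)
            ver = phpmailer_version(path)
            if ver is not None:
                copies.append((os.path.relpath(path, root).replace(os.sep, '/'), ver))
    return sorted(copies)


def vulnerable_copies(root, fixed=FIXED):
    """Copies whose version is unknown or below the fixed release."""
    return [(p, v) for p, v in find_copies(root)
            if v == 'unknown' or version_tuple(v) < fixed]


def _write(root, rel, body):
    path = os.path.join(root, *rel.split('/'))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(body)


def build_sample_tree():
    """Constructed install: the core copy, an old plugin-vendored copy, a patched theme
    copy, and a plugin wrapper whose file name merely looks like PHPMailer."""
    root = tempfile.mkdtemp(prefix='wp-')
    stub = "<?php\nclass PHPMailer {\n    public $Version = '%s';\n}\n"
    _write(root, 'wp-includes/class-phpmailer.php', stub % '5.2.14')
    _write(root, 'wp-content/plugins/contact-form/lib/class.phpmailer.php', stub % '5.2.10')
    _write(root, 'wp-content/themes/custom/vendor/class.phpmailer.php', stub % '5.2.19')
    _write(root, 'wp-content/plugins/newsletter/phpmailer.php',
           "<?php\nrequire_once ABSPATH . 'wp-includes/class-phpmailer.php';\n")
    return root
```

Run it over every site in the client list from the earlier posts rather than one install at a time; a plugin that bundles its own copy is the case a core update cannot reach, and the same plugin tends to be installed on many of the sites.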

