Hacked Sites

Posted: 4/21/2013


I just found out that there's been a huge surge over the past week or so in hack attempts on WordPress sites. It's using enough resources in the attack to really drain server hosting.

The attempt is to try and brute force the admin account, then once in create a new administrator:

sysadmin - with email sysadmin@wordpress.org

I've found a couple of my sites were hit so I changed the account to subscriber and saved, then changed the password and saved, then deleted the account.

Logins are limited to 4 attempts before locking out, and I have no "admin" user, but they got in anyway on the client sites.

Check your sites for this account and delete if you find it. I'm almost thinking it's a hacker attempt to make a statement by mass shutting down sites over the recent internet privacy bill - though I might be a bit paranoid on that thought :-)
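
One way to run the account check from the post above against a site's database, as an added example that is not part of the thread: the query looks for the `sysadmin` login and the `sysadmin@wordpress.org` email in the standard WordPress `users`/`usermeta` tables and reports whether the match still holds the administrator role. The function names, the in-memory SQLite database standing in for the site's MySQL database, and the sample rows are constructed for illustration.

```python
import re
import sqlite3

# Indicators taken from the post above.
ROGUE_LOGIN = "sysadmin"
ROGUE_EMAIL = "sysadmin@wordpress.org"


def find_rogue_accounts(conn, prefix="wp_"):
    """Return (ID, login, email, is_admin) for accounts matching the indicators.

    The table prefix is part of the table names and of the capabilities
    meta_key, so a site with a renamed prefix must be queried with that prefix.
    """
    # Table names cannot be bound as parameters; accept only safe characters.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix: %r" % prefix)
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email,
               COALESCE(m.meta_value, '') LIKE '%"administrator"%' AS is_admin
        FROM {prefix}users AS u
        LEFT JOIN {prefix}usermeta AS m
               ON m.user_id = u.ID AND m.meta_key = ?
        WHERE LOWER(u.user_login) = ? OR LOWER(u.user_email) = ?
        ORDER BY u.ID
    """
    rows = conn.execute(sql, (prefix + "capabilities", ROGUE_LOGIN, ROGUE_EMAIL))
    return [(r[0], r[1], r[2], bool(r[3])) for r in rows]


def build_sample_db():
    """Constructed sample data in the WordPress users/usermeta layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    admin = 'a:1:{s:13:"administrator";b:1;}'      # PHP-serialized role array
    subscriber = 'a:1:{s:10:"subscriber";b:1;}'
    users = [(1, "siteowner", "owner@example.com", admin),
             (2, "sysadmin", "sysadmin@wordpress.org", admin),
             (3, "reader", "reader@example.com", subscriber)]
    for uid, login, email, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, email))
        conn.execute("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    return conn


if __name__ == "__main__":
    for row in find_rogue_accounts(build_sample_db()):
        print("review account:", row)
```

The account is reported whatever role it currently has, so it still shows up after being demoted to subscriber but before being deleted.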


Posted: 4/21/2013

There are a number of steps in securing a WP site:

The obvious ones:

- Set the correct folder permissions.
- Don't have a username called admin.
- Have a longer password, with letters and numbers, with at least one letter in caps.
- Always update WP to the latest version.
- You could set up a failed login limitation, but most attacks are by bots that have the ability to change their IP address each time.
- You can try setting up a captcha on your login screen, but some bots have the ability to do some optical character recognition.

- Make sure your tables don't use the prefix "-wp".
- Make sure that WP does not transmit its version number. You need to mute that.

And once you think that all the holes are plugged, you still get hacked. How? Just because you secured the codebase, it does not mean you are secure. You can still get security holes from:

- Plugins
- Themes - lately many free themes allegedly have backdoors and other malware - they are PHP files after all. The free themes from WordPress.org are safe, as well as the themes from respectable premium theme makers, i.e. WooThemes, Elegant Themes, etc.

There is an interesting solution that even if they know your username and password, they still won't be able to access your backsite. This is how it works: After you enter your username and password, you will get a message on your smart phone for verification. So if anyone knows your credentials they will still need to have your phone to gain access.

Here is the plugin's URL: http://wordpress.org/extend/plugins/duo-wordpress/

And here is the company's web site (check out the video on the homepage): https://blog.duosecurity.com/2013/01/introducing-the-duo-5-minute-challenge/

I think WP has very loose security standards, and nobody checks the plugins that they distribute through their site for major security holes. Thankfully, there are many other plugins that scan your plugins for security holes and other security problems with your site in general. Unfortunately, very few people take security very seriously, which always starts with a good and complete backup system.


Posted: 4/22/2013

Bummer :-O

Hope they didn't do any damage.
Wordfence can check core files against the repository.

Thanks for the info & stay safe

Posted: 4/22/2013

If your client's WP installations are getting hacked, it's your fault. Take the initiative to lock them down and educate your clients.

Posted: 4/22/2013

Quote SiliconANGLE:
once your site is hacked (and the server it’s hosted on becomes compromised), it can then be used to infiltrate other sites.


On any type of shared hosting it's not just your WordPress site - it's also your neighbouring sites that can cause risk.

lol -
Quote me:
but sometimes the most careful precautions can still fail


Posted: 5/3/2013

Something to look out for is old versions of the Social Media Widget plugin, which had a security flaw. We had a client site hacked yesterday, and I had to go through every site we have that uses the plugin (over 30 sites) and update it, so you can imagine the kind of night I had.

When a hacker adds code to the header or anywhere else, you can generally just delete and reload the theme and it will go away. That's how we got rid of the malware. Using BackupBuddy to keep your site backed up is a good idea too.

One little trick that works great to keep a client site going while you change themes is to create an identical theme and activate that one when you dump the main theme.

Use this site to check for malware:


Posted: 5/3/2013

1. Update WordPress, plugins and themes.
2. Lock down WordPress.
3. Secure your PC from malware.
4. Use strong passwords and never store them on your PC.
5. See #1


Posted: 5/4/2013

Just FYI guys, I had some older sites infected and the attack vector was older Artisteer-generated themes. Remember to regenerate your themes with newer versions of Artisteer and don't leave older versions of the themes installed.

Posted: 5/8/2013

Hi, speedyp,

Quote speedyp:
Do you have more info, specifically which files in Artisteer 3 were open to attack and then removed or secured in V4??

I found version 3.x themes were getting code injected into the functions.php at the very top of the file. I'm looking to see if there's a way to protect existing themes.
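
A check for the symptom described in the post above, as an added example that is not part of the thread: it diffs a deployed `functions.php` against a known-clean copy of the same theme version and reports the lines that exist only on the server. The function name, the `top_lines` threshold and both sample files are constructed for illustration; the added line in the sample is a harmless placeholder comment.

```python
import difflib


def audit_functions_php(deployed: str, clean: str, top_lines: int = 3):
    """Report lines present in the deployed file but not in the clean copy.

    Line endings are normalised first, so a file uploaded over FTP in
    ASCII mode (CRLF) is not reported as modified on every line.
    """
    dep = deployed.replace("\r\n", "\n").split("\n")
    ref = clean.replace("\r\n", "\n").split("\n")
    opcodes = difflib.SequenceMatcher(a=ref, b=dep, autojunk=False).get_opcodes()
    findings = []
    for tag, _i1, _i2, j1, j2 in opcodes:
        if tag in ("insert", "replace"):
            findings.append({
                "line": j1 + 1,            # 1-based line number in the deployed file
                "at_top": j1 < top_lines,  # the pattern reported in the thread
                "added": dep[j1:j2],
            })
    return {
        "modified": any(op[0] != "equal" for op in opcodes),
        "findings": findings,
    }


# Constructed sample: a small clean theme file ...
CLEAN = (
    "<?php\n"
    "function theme_setup() {\n"
    "    add_theme_support('post-thumbnails');\n"
    "}\n"
    "add_action('after_setup_theme', 'theme_setup');\n"
)
# ... and the same file with one line placed ahead of it, saved with CRLF endings.
DEPLOYED = (
    "<?php /* constructed placeholder standing in for injected code */ ?>\r\n"
    + CLEAN.replace("\n", "\r\n")
)

if __name__ == "__main__":
    report = audit_functions_php(DEPLOYED, CLEAN)
    for f in report["findings"]:
        where = "top of file" if f["at_top"] else "line %d" % f["line"]
        print("unexpected code at", where, "->", f["added"])
```

The clean copy should come from a fresh export or download of the exact theme version in use, not from another server that may carry the same modification.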

Posted: 5/8/2013


The first set of .htaccess rules is particularly useful, but it's a good article overall.

Posted: 5/8/2013

Great info Abland - Thanks