
[IMPORTANT] Secure your wp from bastards. For noobs and not only.

Discussion in 'Blogging' started by dima054, Aug 17, 2011.

  1. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    First, fuck those who hack our blogs.
    Second of all, here's my guide to protect your WP. I hope I forgot nothing.

    plugins:
    |
    V
    Code:
    Block Bad Queries (BBQ)
    Login LockDown
    Wordpress Firewall 2
    WP Security Scan
    WP Updates Notifier
    TAC (Theme Authenticity Checker)
    WordPress File Monitor
    ---------------------------------------------------------
    .htaccess(if using Apache of course) that goes into wp-admin directory
    |
    V
    Code:
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress
    --------------------------------------------------------
    !!addition!! to .htaccess in root directory that secures the wp-includes (append in end of .htaccess file)
    |
    V
    Code:
    # Block the include-only files. 
    RewriteEngine On 
    RewriteBase / 
    RewriteRule ^wp-admin/includes/ - [F,L] 
    RewriteRule !^wp-includes/ - [S=3] 
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] 
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] 
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    # END BLOCK
    ---------------------------------------------------------

    next:
    goto Dashboard->Users->Profile.
    Set up a nickname (don't use the default "admin"!!!)
    change the "Display name publicly as" to the nickname you set up

    ---------------------------------------------------------

    Go through all the new plugins, see what they have to say, change the table prefix (the WP Security plugin does that). Don't let the username be the default "admin"!

    (p.s. if the WP is installed in a folder and not in the domain root, you need to change the "/" in the .htaccess files to your folder path)
    (p.p.s. drop an empty index.html in wp-content/plugins/)
    (google for solution to "secure wp-admin with password")

    -----------------------------------------------------------------------------------------------------

    And the recent 0day shit. Btw, whoever is using the Gazette theme, or those WooThemes, is AFFECTED!
    |
    V
    Search for the files named thumb.php or timthumb.php. If you find one, look inside for "allowedsites" and remove all the domains from the array, including the couple of lines below; remove everything inside the "( )", so it looks like $allowedSites = array();
     
    • Thanks Thanks x 20
    Last edited: Aug 17, 2011
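The thumb.php / timthumb.php check from the post above, as an added example that is not code from the thread: it walks a WordPress tree, finds every TimThumb copy and reports which ones still carry domains in their $allowedSites array. The file names and the variable name come from the post; the sample theme tree, the domains in it and the temp-dir layout are constructed here so the script runs offline.

```python
"""Added example, not code from the thread: audit a WordPress tree for TimThumb
copies whose $allowedSites array still lists remote domains (the condition the
post above says to clear by hand).  The file names and the variable name come
from the post; the sample theme tree, its domains and the temp-dir layout are
constructed here so the script runs offline."""
import os
import re
import tempfile

TIMTHUMB_NAMES = {"thumb.php", "timthumb.php"}

# "$allowedSites = array( ... );" may span several lines, hence DOTALL.
ALLOWED_SITES_RE = re.compile(
    r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.DOTALL | re.IGNORECASE
)
STRING_RE = re.compile(r"""['"]([^'"]+)['"]""")


def find_timthumb_files(root):
    """Return every thumb.php / timthumb.php below root, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TIMTHUMB_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def allowed_sites(source):
    """Domains listed in $allowedSites, [] if the array is empty, None if absent."""
    match = ALLOWED_SITES_RE.search(source)
    if match is None:
        return None
    return STRING_RE.findall(match.group(1))


def audit(root):
    """Map each TimThumb file to its remaining allowed domains."""
    report = {}
    for path in find_timthumb_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[path] = allowed_sites(fh.read())
    return report


# Constructed fixture: one copy still carrying an allow-list, one already cleared.
STOCK = """<?php
$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
);
"""
CLEARED = "<?php\n$allowedSites = array();\n"


def build_fixture():
    """Write the two sample files into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-timthumb-")
    stock_dir = os.path.join(root, "wp-content", "themes", "theme-a")
    cleared_dir = os.path.join(root, "wp-content", "themes", "theme-b", "lib")
    os.makedirs(stock_dir)
    os.makedirs(cleared_dir)
    with open(os.path.join(stock_dir, "timthumb.php"), "w") as fh:
        fh.write(STOCK)
    with open(os.path.join(cleared_dir, "thumb.php"), "w") as fh:
        fh.write(CLEARED)
    return root


if __name__ == "__main__":
    for path, sites in audit(build_fixture()).items():
        if sites is None:
            status = "no $allowedSites array found, inspect manually"
        elif sites:
            status = "REVIEW: still allows " + ", ".join(sites)
        else:
            status = "ok: array is empty"
        print(path, "->", status)
```

Point it at the real document root instead of the fixture to get a list of every copy that still needs clearing. Emptying the array only switches off remote fetching; as a later post in this thread notes, the copy itself should also be replaced with the current TimThumb release.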
  2. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    If I forgot something, let me know and I'll add it. This might protect you from most scriptkiddies.
     
  3. bertbaby

    bertbaby Elite Member

    Joined:
    Apr 15, 2009
    Messages:
    2,019
    Likes Received:
    1,496
    Occupation:
    Product marketing
    Location:
    USA
    Don't forget the timthumb exploit needs to be patched as well!
     
    • Thanks Thanks x 2
  4. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    It's already at the top of the forum, but it could be nice to have a good guide. If somebody wants to fix my English in the post, PM me or comment here. THIS IS VERY IMPORTANT FOR US NOT TO GET THE BLOGS DEFACED by some simple automatic tools of those fuckers.
     
  5. yesrams

    yesrams Regular Member

    Joined:
    Dec 16, 2009
    Messages:
    354
    Likes Received:
    75
    Location:
    @BHW
    Thanks for your guide. It is very useful .
    Theme Authenticity Checker (TAC) is missing.
     
    • Thanks Thanks x 1
  6. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    Added, never tried this one though. The only problem is that our shared hosts might start crying with those plugins if we get lots of visitors. No?
     
  7. yesrams

    yesrams Regular Member

    Joined:
    Dec 16, 2009
    Messages:
    354
    Likes Received:
    75
    Location:
    @BHW
    Is this correct? (!!addition!! to .htaccess in root directory (append at end of file))

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress



    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    # END BLOCK
     
    Last edited: Aug 17, 2011
  8. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    Yeah, guess so. You just take the code block and copy-paste it into .htaccess on a new line at the end. Just check please that nothing died after all of that :) And the .htaccess in wp-admin would not even exist by default, I guess.
     
  9. Tytus

    Tytus Regular Member

    Joined:
    Apr 22, 2011
    Messages:
    217
    Likes Received:
    22
    Never heard of that. Thanks for info.
     
  10. ijof9

    ijof9 Power Member

    Joined:
    Mar 27, 2010
    Messages:
    536
    Likes Received:
    594
    Occupation:
    CTO
    Location:
    Western Europe
    Don't fuck hackers man, fuck the script kiddies.
    Plus, one of those plug-ins is mine; if I find out what blog you're using it on I can rig it at your next update. ;)

    ...just saying...
     
  11. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    mmm I didn't really like this response. And of course whoever writes plugins might do whatever lol. Changed the "hackers", ok.
    BTW, so the datacenter is mine, and I can just do whatever with your hosts and servers. That's not the point here.
     
  12. rx78_300zx

    rx78_300zx Newbie

    Joined:
    Jan 16, 2010
    Messages:
    14
    Likes Received:
    0
    Thanks, I'm just starting out and security was one of my concerns.
     
  13. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    Dude, if you're only starting, there's no such thing as security. Everything can be hacked. Depends how much they need it. But some hacking is doable through programs like scrapebox, and my "guide" can somewhat prevent that.
     
  14. Thecheese

    Thecheese Newbie

    Joined:
    May 8, 2011
    Messages:
    13
    Likes Received:
    0
    Thanks for the guide. I lolled at the first line btw:D
     
  15. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    After you get 15-20 sites defaced and it takes 12 hours to recover because the backup is too old and you changed tons of shit, you wouldn't laugh. Now go secure your installs!!
    p.s. any other security measures i forgot??
     
    Last edited: Aug 18, 2011
  16. csyhomme

    csyhomme Regular Member

    Joined:
    Oct 6, 2010
    Messages:
    241
    Likes Received:
    22
    Thanks for the heads up, some mofo hacked one of mine just the other day through freaking admin
     
  17. iMicroniche

    iMicroniche Newbie

    Joined:
    Aug 10, 2011
    Messages:
    31
    Likes Received:
    5
    Noobs push off this hacking stuff thinking it won't happen to them; I know I did until one of my favorite sites was hacked.
     
  18. dima054

    dima054 Regular Member

    Joined:
    Jan 19, 2011
    Messages:
    447
    Likes Received:
    154
    Bumping. It must be. lol
     
  19. jiajilah

    jiajilah Junior Member

    Joined:
    Jun 6, 2008
    Messages:
    138
    Likes Received:
    122
    Bump and thanks!

    A few of my WPs got hacked yesterday via the timthumb exploit.
    Fixed timthumb but still got hacked again.
    Gonna implement some of your suggestions to see if this helps.

    More details about timthumb hack and fix.
    http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain2-com.html

    Basically they mess with your javascript and inject lots of bad links.

    Personally I think the 2 steps below are VERY important:

    1. When you troubleshoot or look for the virus, check the file with the latest modified date. If you are not updating anything but the modified date is yesterday, that should be the infected file.

    In my case the infected files were l10n.js and jquery.js

    2. Check if your theme or plugin is using any timthumb.php file. If yes, download and replace it with the latest timthumb here http://code.google.com/p/timthumb/

    3. The htaccess suggested. Below is what it should look like after modification:

    Code:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    
    # Block the include-only files. 
    RewriteEngine On 
    RewriteBase / 
    RewriteRule ^wp-admin/includes/ - [F,L] 
    RewriteRule !^wp-includes/ - [S=3] 
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] 
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] 
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    # END BLOCK
    
    If you want to harden your WP further, read this official post from WordPress:
    http://codex.wordpress.org/Hardening_WordPress
     
    Last edited: Aug 19, 2011
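The "latest modified date" triage from step 1 of the post above, as an added example that is not code from the thread: instead of reading an FTP listing, a script lists every file changed after a baseline (the last time you yourself updated the site), newest first, so touched core files such as l10n.js or jquery.js come out on top. The sample tree and its timestamps are constructed in a temp dir so it runs offline; the week-old baseline and the list of skipped directories are assumptions, not anything the post specifies.

```python
"""Added example, not code from the thread: the "latest modified date" triage from
step 1 above, done with a script instead of reading an FTP listing.  Every file
changed after a baseline (the last time you yourself updated the site) is listed
newest first, so touched core files such as l10n.js or jquery.js come out on top.
The sample tree and its timestamps are constructed in a temp dir so the script runs
offline; the week-old baseline and the skip list are assumptions, not anything the
post specifies."""
import os
import tempfile
import time

DAY = 86400
# Directories where legitimate writes happen all the time (assumption: tune per site).
SKIP_DIRS = {"cache", "uploads"}


def files_modified_since(root, baseline_epoch, skip_dirs=SKIP_DIRS):
    """Return (relative_path, mtime) for each file newer than baseline, newest first."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in skip_dirs]  # prune noisy dirs in place
        for name in files:
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            if mtime > baseline_epoch:
                found.append((os.path.relpath(full, root), mtime))
    found.sort(key=lambda item: item[1], reverse=True)
    return found


def build_fixture(now):
    """Constructed tree: core files 30 days old, two JS files touched yesterday."""
    root = tempfile.mkdtemp(prefix="wp-mtime-")
    layout = {
        "wp-includes/js/l10n.js": now - 1 * DAY,             # touched yesterday
        "wp-includes/js/jquery/jquery.js": now - 1 * DAY,    # touched yesterday
        "wp-includes/version.php": now - 30 * DAY,           # untouched since install
        "wp-content/themes/theme-a/style.css": now - 30 * DAY,
        "wp-content/uploads/2011/08/photo.jpg": now - 3600,  # recent, but a skipped dir
    }
    for rel, mtime in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.utime(full, (mtime, mtime))
    return root


def demo(days_back=7):
    """Build the fixture and return the paths flagged against a baseline days_back old."""
    now = time.time()
    root = build_fixture(now)
    return [rel for rel, _ in files_modified_since(root, now - days_back * DAY)]


if __name__ == "__main__":
    now = time.time()
    root = build_fixture(now)
    for rel, mtime in files_modified_since(root, now - 7 * DAY):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), rel)
```

Run it against the real document root with the baseline set to your last deliberate change; anything in wp-includes or wp-admin that shows up is worth diffing against a clean copy of the same WordPress version before you trust the install again. Modification times can be reset by whoever changed the file, so an empty result is a hint, not a clean bill of health.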
  20. ijof9

    ijof9 Power Member

    Joined:
    Mar 27, 2010
    Messages:
    536
    Likes Received:
    594
    Occupation:
    CTO
    Location:
    Western Europe
    Oh man, don't worry, just posting for the sake of posting.
    Thanks for the list btw, looks like a damn solid bunker.