
Tired of hackers, want to know how they do it - Wordpress question

Discussion in 'BlackHat Lounge' started by HappyS, Sep 30, 2015.

  1. HappyS

    HappyS Regular Member

    Joined:
    Mar 15, 2013
    Messages:
    431
    Likes Received:
    64
    Gender:
    Male
    In the last half year my websites have been hit by numerous hacking attempts.
    - first someone changed .htaccess and redirected my mobile users to their virus
    - then someone injected malware so my website was deranked by Google
    - now I've noticed literally tens of thousands of junk HTML files in my addon domain folders, on 2 separate websites, where my users are being redirected with some popup (screencap provided)

    screen.png

    Do they always need to know my admin info, in order to change my files and put new files in the websites directory? I know they find vulnerability in the theme or plugins, but do they always target my admin password to be able to wreak havoc in my sites folder?

    I got tired of changing admin passwords...
     
  2. davids355

    davids355 Jr. VIP Jr. VIP

    Joined:
    Apr 25, 2011
    Messages:
    10,183
    Likes Received:
    7,832
    Home Page:
    Change the admin password, change the admin dir and also use a plugin (can't think of any off the top of my head) - I think some plugins harden the file system as well to close off vulnerabilities.

    Keep Wordpress up to date and only use well supported plugins that are updated regularly.

    In addition, some hosts (such as A2 Hosting) also have a feature where they monitor your sites for out-of-date software AND files as well as vulnerabilities, and then you can have them centrally patched.
     
    • Thanks Thanks x 2
  3. blogzandstuff

    blogzandstuff Elite Member

    Joined:
    Jan 1, 2015
    Messages:
    5,749
    Likes Received:
    2,659
    Occupation:
    blog creator
    Location:
    UK
    They can get in many ways: you're using admin as your login and an easy password, your themes/plugins are not up to date. I get hack attempts daily, but I have security plugins in place. Get the admin-username-changer plugin, which allows you to change your admin username.
    Limit Login Attempts gives them only a couple of tries to get in before they are locked out for 24 hrs.
     
    • Thanks Thanks x 1
  4. ambushiv11

    ambushiv11 Jr. VIP Jr. VIP

    Joined:
    Apr 13, 2013
    Messages:
    572
    Likes Received:
    273
    • Thanks Thanks x 2
  5. Reaver

    Reaver Jr. VIP Jr. VIP

    Joined:
    Aug 6, 2015
    Messages:
    1,904
    Likes Received:
    5,459
    Gender:
    Female
    I haven't ever had a problem with hacking. I have a plugin that limits login attempts. I also make my password at least 20 characters long. It's usually a mixture of uppercase, lowercase, numbers and symbols. Just a suggestion: make your password a bit more secure.

    Also my username is never "admin." It's always something random that no one would ever think of.
     
  6. Apricot

    Apricot Administrator Staff Member Moderator

    Joined:
    Mar 26, 2013
    Messages:
    12,773
    Likes Received:
    8,186
    Gender:
    Female
    Occupation:
    BHW Admin
    Location:
    Station 2E
    Home Page:
    Don't make your database name and table prefixes easy to guess. Change directories except wp-content to read-only. If you want to be ultra secure, you can whitelist admin IPs, although don't do this if you've got a dynamic IP.
     
    • Thanks Thanks x 1
  7. photoads

    photoads Regular Member

    Joined:
    Jan 16, 2007
    Messages:
    282
    Likes Received:
    96
  8. the_demon

    the_demon Jr. Executive VIP

    Joined:
    Nov 23, 2008
    Messages:
    3,220
    Likes Received:
    1,591
    Occupation:
    Search Engine Marketing
    Location:
    The Internet
    Try the WordPress plugin BulletProof Security or WordFence.
     
  9. ChanzGrande

    ChanzGrande Elite Member

    Joined:
    Feb 16, 2008
    Messages:
    2,487
    Likes Received:
    1,177
    Occupation:
    Accountant
    Location:
    Northern Woods Counting Money
    I have used wordfence in the past, and it is a fine alternative for protecting one's wordpress sites.
     
  10. archon10

    archon10 BANNED BANNED

    Joined:
    Oct 10, 2011
    Messages:
    1,181
    Likes Received:
    1,668
    lol WP users don't know that they are the new Frontpage extensions lusers.

    "hey lets import code from some random on the internet and let it run on my site. That's a great idea!"
     
  11. cevman1

    cevman1 Regular Member

    Joined:
    Sep 4, 2011
    Messages:
    288
    Likes Received:
    140
    Wordfence or iThemes Security.....with Hide my WP, haven't had a problem in years /knockonwood
     
  12. LuckyCharm007

    LuckyCharm007 Jr. VIP Jr. VIP

    Joined:
    Jul 8, 2015
    Messages:
    1,838
    Likes Received:
    1,025
    Occupation:
    Affiliate Amazon Content Writer
    Home Page:
    Most of the answers above are right. What I could also add, which people might have forgotten, is to update and change the password of your FTP. Also, make sure there are no sketchy usernames in your FTP.
     
  13. virtualpurity

    virtualpurity Jr. VIP Jr. VIP

    Joined:
    Nov 12, 2012
    Messages:
    764
    Likes Received:
    442
    Occupation:
    SEO, Hosting
    Location:
    /root
    Home Page:
    All of the above comments are helpful and all the suggestions are good things to do, but I don't think that's the case with you.

    My guess is that you have a shell uploaded on your website, so no matter how many times you change your password the hackers will still have access to your files; in fact they don't even need your admin password.

    Read about rootkits and shells, find a good file scanner and run it on your website files. If you are on a dedi, scan your dedi for possible rootkits.

    After that, if you have a dedi, then increase your server security: change SSH or other default ports, check process lists, check user lists, etc. You can find out how to do most of these things and much more on Google.

    If you are on a shared host, then do what the others above recommended. Do some hardening and change database prefixes as Apricot mentioned. Also ask your host provider to give you log info, and check if they can find the source or IP of the uploads or any clue about the hack in the logs. The problem might be in the host itself if it's compromised. So ask around, check it out and gather some more info.

    Hope this helps.
    VirtualPurity
     
    • Thanks Thanks x 2
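The "find a file scanner, then check the logs" step virtualpurity describes, as an added example that is not part of the thread: a POSIX shell script that builds a small constructed WordPress-like tree in a temp directory (the file names, the "backdoor" contents and the access-log excerpt are all made up for illustration), then (1) lists PHP files under wp-content/uploads, where WordPress never puts code, (2) greps the whole tree for common backdoor idioms, and (3) tallies which client IPs executed PHP under uploads in the log excerpt. To use it on a real site, replace the two fixture functions with your docroot and the access log your host gives you.

```shell
#!/bin/sh
# Added triage example (not from the thread). Everything below the fixture functions
# works on a real tree; the fixture itself is constructed so the script runs offline.
set -eu

# Constructed WordPress-like tree with two planted "backdoors" and two clean files.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2015/09" "$d/wp-content/themes/demo" "$d/wp-includes"
    # Clean theme file (constructed).
    printf '<?php\nget_header();\necho esc_html("hello");\n' > "$d/wp-content/themes/demo/index.php"
    # PHP dropped where only media should live (constructed backdoor).
    printf '<?php @eval(base64_decode($_POST["c"]));\n' > "$d/wp-content/uploads/2015/09/image.php"
    # Obfuscated loader hiding behind a core-looking name (constructed backdoor).
    printf '<?php $x=gzinflate(base64_decode("eJw"));eval($x);\n' > "$d/wp-includes/class-wp-cache.php"
    # Clean core-looking file (constructed).
    printf '<?php\nfunction wp_version(){return "4.3";}\n' > "$d/wp-includes/version.php"
    printf '%s\n' "$d"
}

# Constructed access-log excerpt (combined log format) for the log-review step.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [30/Sep/2015:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Sep/2015:10:02:44 +0000] "POST /wp-content/uploads/2015/09/image.php HTTP/1.1" 200 17 "-" "python-requests/2.7"
203.0.113.9 - - [30/Sep/2015:10:02:50 +0000] "POST /wp-content/uploads/2015/09/image.php HTTP/1.1" 200 17 "-" "python-requests/2.7"
198.51.100.7 - - [30/Sep/2015:10:03:01 +0000] "GET /wp-content/uploads/2015/09/photo.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
EOF
}

# 1. Any PHP under uploads is suspect: WordPress stores media there, never code.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# 2. Backdoor idioms anywhere in the tree: eval/assert of decoded or inflated data,
#    eval of raw request input, or gzinflate(base64_decode(...)) loaders.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(eval|assert)[[:space:]]*\([[:space:]]*@?(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(GET|POST|REQUEST|COOKIE))|gzinflate[[:space:]]*\([[:space:]]*base64_decode' {} + || true
}

# 3. Client IPs that executed PHP under uploads, busiest first ("count ip" per line).
#    Reads a combined-format access log on stdin; $1 is the client, $7 the request path.
uploads_php_hits() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ {n[$1]++} END {for (ip in n) print n[ip], ip}' | sort -rn
}

# Demo run against the constructed fixture.
d=$(make_fixture)
echo "== PHP under uploads =="; php_in_uploads "$d"
echo "== backdoor idioms =="; suspicious_php "$d"
echo "== clients running PHP under uploads (count ip) =="; sample_log | uploads_php_hits
rm -rf "$d"
```

A hit from suspicious_php is a lead, not proof: some minifiers and legitimate plugins also ship base64-wrapped code, so read the flagged file before deleting it. On a site that has already been hacked, also diff wp-admin and wp-includes against a clean download of the same WordPress version, since a backdoor can be a few lines appended to a legitimate file that none of these patterns catch.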
  14. HappyS

    HappyS Regular Member

    Joined:
    Mar 15, 2013
    Messages:
    431
    Likes Received:
    64
    Gender:
    Male

    This IQ country IP blockator seems like a great plugin, was looking for something like that!!



    Did you mean to change all of this, from FTP and to change it for the owner as well?


    untitled.png


    @virtualpurity Great info, thank you.
     
  15. BreaknBrix

    BreaknBrix Power Member

    Joined:
    Mar 25, 2014
    Messages:
    756
    Likes Received:
    4,351
    Location:
    NE US
    I'm gonna sound like a sucuri shill. But if you have any sites making over 4 figs / month, hell... even a few hundred a month.... use sucuris paid subscription plan.

    First time our money sites got hacked it was a minor fix. Then I used better security plugins, still not knowing shit about hacking or security and soon enough we got hacked again. That 2nd time we lost thousands. I waited for days trying to learn and fix it myself. Then paid some "security expert" $80 who showed me some script, told me what he did and said it was "fixed". Days later everything was the same.

    When sucuri went to work they WENT TO WORK. They were very honest people. Said this wasn't a problem their normal security people could fix and sent it to upper management. Then they went crazy for 3 days sending me long lists of all the shit they were doing. Removed thousands of injected pages on 5 different sites. Hardened shells. Removed 14 different scripts. Reorganized and renamed a lot of things. Got all my normal pages back up. Then sent notices directly to Google.

    I know there are people on here who know security and understand all this technical shit (at least the basics of it). But hacking is like astrophysics to me. It requires a level of ingenuity I have no time to understand. If you're not on the grind trying to hack / or secure sites everyday, staying on top of shit, new exploits, etc you're not really secure. When I factor in the amount of time I was wasting just trying to learn security.... it's more than worth the money. IF your sites are worth it.

    -BB
     
    • Thanks Thanks x 4
  16. victorrex

    victorrex Junior Member

    Joined:
    Dec 6, 2014
    Messages:
    177
    Likes Received:
    37
    I have recently gone through a blog on WordPress security; it is actually very informative and should help you too. Please go to the link below:
    http://www.blackhatworld.com/blackhat-seo/blogs/sunny_clicks/

    I found the content to be very informative and helpful, hope you also get the benefit out of it.
    Cheers.
     
  17. soccerlover

    soccerlover Jr. VIP Jr. VIP

    Joined:
    Jun 12, 2014
    Messages:
    3,347
    Likes Received:
    1,738
    Gender:
    Male
    Occupation:
    Seo Analyst :D
    Location:
    ♥♥♥ BHW ♥♥♥
    Home Page:
    1. Try to scan everything located in your public_html.
    It seems some shell bomb has been planted.

    2. Change permissions to 000 for xmlrpc.php, or something like that file name.

    3. Update themes/plugins etc.

    4. Change wp-admin credentials.

    5. Use a database name that can't be guessed :)

    In the end, make sure you've set the proper permissions.
    Change public_html to 750 or 751 from 755 or 777.
    In addition, check the uploads permissions too.
    Plenty of the time, it is 777. :)

    If you have any doubts, ping me :)
     
    • Thanks Thanks x 1
  18. ignotus

    ignotus Junior Member

    Joined:
    Oct 10, 2014
    Messages:
    119
    Likes Received:
    30
    A buddy of mine downloaded a background plugin which contained a backdoor that installed itself on the server. Basically, even if he deleted everything and all the WordPress files, they would still have access. I think he said they had to wipe the whole server and replace it with backups from before the plugin was installed.

    Yeah, so be careful with plugins and themes.

    Check to make sure you don't have any SQL vulnerabilities on the site. Even if you have a 64-character password it wouldn't matter. WordPress has been good at keeping it SQL-secure, though.

    Not too important, but it's good to make sure you keep the PC you use clean from viruses too. And maybe add some HTTPS to your website so your sign-ins are encrypted and can't be seen by packet sniffers.

    Not foolproof, but checking up on those and doing the above of what others have said, like installing BulletProof Security, setting correct permissions, changing the default wp-login page, removing "Powered by WordPress", is an almost foolproof method of keeping your sites as secure as Facebook.
    :333:
     
    • Thanks Thanks x 1
  19. velukuse

    velukuse Newbie

    Joined:
    Sep 8, 2015
    Messages:
    12
    Likes Received:
    2
    If hackers have already uploaded their backdoor, then no matter how many times you change your pass they still get your username and pass.
    A better way to keep your site safe from hackers: stay away from nulled/cracked scripts.
     
  20. Apricot

    Apricot Administrator Staff Member Moderator

    Joined:
    Mar 26, 2013
    Messages:
    12,773
    Likes Received:
    8,186
    Gender:
    Female
    Occupation:
    BHW Admin
    Location:
    Station 2E
    Home Page:

    Sorry, didn't mean to mislead - it's not quite that straightforward. Some folders need to allow the web server processes to run and some need to be writable by the owner (you).

    Have a look at the wordpress codex. If in doubt, follow it step by step and here's what they suggest for file permissions:


    Code:
    / 
    The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
    /wp-admin/ 
    The WordPress administration area: all files should be writable only by your user account.
    /wp-includes/ 
    The bulk of WordPress application logic: all files should be writable only by your user account.
    /wp-content/ 
    User-supplied content: intended to be writable by your user account and the web server process.
    Otherwise, WordFence is a pretty good free option, and Sucuri also provides a plugin with a fair number of features for free, though both of these offer paid add-ons/upgrades. The thing is, even if you're using a plugin, you'll still need to configure it, so there's no substitute for reading around a bit.

    Otherwise, I'd agree with BreaknBrix in that, if you don't have the time and your site's security is valuable to you, then pay for one of the services like sucuri to do it for you. Just don't do nothing!
     
    • Thanks Thanks x 2
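Here is an added example, not from the thread or from the Codex, that does in one shell script what soccerlover's permission checklist and the Codex excerpt above describe: it audits a WordPress tree for world-writable files and directories, then applies directory 755 / file 644 everywhere, 775/664 under wp-content so the web server process can write uploads, 600 on wp-config.php and 000 on xmlrpc.php. The tree it builds in a temp directory is a constructed fixture; the wp-config.php mode assumes PHP runs as the site owner (typical on cPanel-style shared hosting with per-user PHP), and the ownership step (chown to your account, group set to the web server's group) needs root and is left out.

```shell
#!/bin/sh
# Added permissions example (not from the thread). The fixture is constructed; the
# audit and harden functions work unchanged on a real WordPress docroot.
set -eu

# Constructed tree showing the damage usually found on a hacked shared-hosting site.
make_fixture() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads" "$d/wp-content/plugins/demo"
    for f in index.php xmlrpc.php wp-config.php .htaccess wp-admin/admin.php \
             wp-includes/functions.php wp-content/plugins/demo/demo.php wp-content/uploads/photo.jpg; do
        : > "$d/$f"
    done
    chmod 777 "$d/wp-content/uploads" "$d/wp-content/plugins/demo/demo.php"   # the classic 777
    chmod 666 "$d/wp-config.php"                                               # database password readable/writable by all
    printf '%s\n' "$d"
}

# Audit: anything writable by "other" is writable by every account on a shared box.
world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \)
}

# Harden, following the Codex scheme quoted above:
#   directories 755 / files 644: only the owner writes, the web server only reads
#   wp-content: 775/664 so the web server process (sharing the group) can write uploads
#   wp-config.php: 600, assuming PHP runs as the site owner; use 640 with the web
#                  server's group if it runs as a separate user
#   xmlrpc.php: 000 as soccerlover suggests (see the note below on what that breaks)
# Ownership is assumed to be set already (needs root): chown -R owner:webgroup docroot
harden() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root/wp-content" -type d -exec chmod 775 {} +
    find "$root/wp-content" -type f -exec chmod 664 {} +
    chmod 600 "$root/wp-config.php"
    chmod 000 "$root/xmlrpc.php"
}

# Demo run against the constructed fixture.
d=$(make_fixture)
echo "== world-writable before =="; world_writable "$d"
harden "$d"
echo "== world-writable after =="; world_writable "$d"
rm -rf "$d"
```

Two caveats. Locking xmlrpc.php to 000 also disables Jetpack, the WordPress mobile apps and pingbacks, which all talk to WordPress through it; if you need those, rate-limit or deny it at the web server instead. And tightening permissions does not remove a shell that is already in place (the scanner example earlier in the thread is for that); it only stops the next one from landing via a world-writable directory.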