Hello everyone. I just received this email and it scared me. I'm not sure what it means, but I'm assuming my blog was hacked and I deleted the user in Profile settings and I changed my password. My original password was quite long with upper and lower case letters and numbers. It would have been very hard for them to guess the password. Here is the message:

    New user registration on your blog Bad Breath Solutions For Bad Breath:
    Username: tjie
    E-mail: joeblowsthebighorn
    ============================

Anyone have any feedback on this and about ways of protecting your blog??? Joaquin
__________________ When you are looking for a solution, you are feeling positive emotion - but when you are looking at a problem, you are feeling negative emotion. Focusing upon a solution makes you feel positive emotion. Focusing upon a problem makes you feel negative emotion, and while the differences are subtle, they are very important. Joaquin
Last edited by joaquin : 04-04-2008 at 02:34 AM. Reason: Changing the email address for the person's security
I think that was a user registering for your site and nothing to do with your admin account. In your admin panel you should be able to determine the level of access that was given to the user.
__________________ Cheers David
People can sign up as normal users so they can post comments and use some other features. On most blogs all of that is allowed to unregistered users, so there is no need. Not a security problem at all. They can't do anything they couldn't normally do.
Thanks David and Robert. I started to think that might be the reason after I made this previous post and thought about it. Whew. Oh oh, maybe I will get demoted from being a Senior Member. I better get rid of the dummy hat. I knew I shoulda never put it on in the first place. I tried to get the dental hygienist to inject some free healthy brain cells into my head today but she was all out of that. I'm going to put the user back into my site. Also I'm going to check on that level of access in the admin panel. Thanks David & Robert. Joaquin
I've had several wordpress sites hacked, and the culprits came in through the registration area. Don't exactly know how, but the hackers "piped" into my directory and placed spoof sites within the file directories which I couldn't delete. Tech support looked into the situation carefully and they are the ones who determined that the hacker came from being a new registrant on my blog. They told me to turn off registrants, but leave commenting on if I wanted for them to place comments. Since I have done this, I have had no issues of security breaches on my wordpress sites. These security issues have probably since been resolved with newer versions of wordpress (2.3 or later).

Another way I found out how to stop this is to place a blank .html file in each of my directories. As long as you don't name it "index.html" then it blocks the would-be hackers from placing spoof sites within that directory.
Last edited by bjsmooths : 04-05-2008 at 08:10 PM.
| Quote:
What do you mean by directory, do you mean in the root where your domain is installed such as public_html?

What do you think of the following information I saw in the PLRpro forum. Here are three easy but important ways to protect yourself if you run a WordPress blog:

1. Secure your /wp-admin/ directory. What I've done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess. This is what mine looks like:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist home IP address
    allow from 64.233.169.99
    # whitelist work IP address
    allow from 69.147.114.210
    allow from 199.239.136.200
    # IP while in Kentucky; delete when back
    allow from 128.163.2.27

I've changed the IP addresses, but otherwise that's what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I've whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

2. Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.

3. Subscribe to the WordPress Development blog at WordPress Development Blog. When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don't upgrade.

And here's a bonus tip: in the header.php file for your theme, you might want to check for a line like

    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

I'd just go ahead and delete that line or at least the bloginfo('version'). If you're running an older version of WordPress, anyone can view source to see what attacks might work against your blog.
__________________ Joaquin
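Editor's added example (not from this thread or from the PLRpro post it quotes): the quoted /wp-admin/.htaccess relies on Apache's `Order deny,allow` evaluation, and the reason it works is easy to get wrong. The script below re-implements that decision logic for a given client address so you can check an allow list offline before uploading it. The IP addresses are the poster's own placeholders; the `10.20.0.0/16` range is a hypothetical addition to show that `allow from` also takes network ranges. The `.htaccess` parsing and the `is_allowed` function are this example's own code, not an Apache API.

```python
"""Offline check of an Apache 2.2-style 'Order deny,allow' list, as used in the
quoted /wp-admin/.htaccess. Added example; not code from the forum thread."""
import ipaddress
import re

# Constructed sample: the quoted allow list (the poster's placeholder IPs) plus a
# hypothetical office range to show that 'allow from' also accepts CIDR blocks.
WP_ADMIN_HTACCESS = """\
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# hypothetical office range (added for this example)
allow from 10.20.0.0/16
"""


def parse_access_rules(htaccess_text):
    """Return (order, deny_specs, allow_specs).

    Only the mod_access_compat directives 'order', 'deny from' and 'allow from'
    are understood; the Auth* lines and comments are ignored.
    """
    order, deny, allow = None, [], []
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip trailing comments
        if not line:
            continue
        m = re.match(r"(?i)^(order|deny|allow)\s+(?:from\s+)?(.+)$", line)
        if not m:
            continue
        directive, arg = m.group(1).lower(), m.group(2).strip()
        if directive == "order":
            order = arg.replace(" ", "").lower()     # 'deny,allow' / 'allow,deny'
        elif directive == "deny":
            deny.append(arg)
        else:
            allow.append(arg)
    return order, deny, allow


def _matches(client_ip, spec):
    """True if the client address matches one 'from' argument (all, IP or CIDR)."""
    if spec.lower() == "all":
        return True
    return client_ip in ipaddress.ip_network(spec, strict=False)


def is_allowed(client_ip, htaccess_text):
    """Decide access the way Apache's mod_access_compat does.

    Order deny,allow: Deny directives are tested first, then Allow; a client that
    matches an Allow gets in even if it also matched a Deny, and a client that
    matches neither is admitted by default. That default is why 'deny from all'
    is essential: drop that one line and the allow list admits everyone.
    Order allow,deny is the reverse and denies by default.
    """
    order, deny, allow = parse_access_rules(htaccess_text)
    ip = ipaddress.ip_address(client_ip)
    denied = any(_matches(ip, s) for s in deny)
    allowed = any(_matches(ip, s) for s in allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("missing or unsupported Order directive")


if __name__ == "__main__":
    for client in ("64.233.169.99", "10.20.33.7", "203.0.113.5"):
        print(client, "->", "allowed" if is_allowed(client, WP_ADMIN_HTACCESS) else "denied")
    # The same list with 'deny from all' removed lets the stranger in:
    loose = WP_ADMIN_HTACCESS.replace("deny from all\n", "")
    print("203.0.113.5 without 'deny from all' ->", is_allowed("203.0.113.5", loose))
```

Two caveats for anyone copying the quoted file: these directives belong to Apache 2.2 (mod_access_compat in 2.4); on Apache 2.4 the equivalent is `Require ip 64.233.169.99` and so on, and a rule that works in testing only when the `deny from all` line is present is the expected behaviour, not a bug. The Auth* lines in the quoted file do nothing on their own because no `Require` is set; the IP rules are what actually restrict access.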
Hello, Thanks for the tips and I am going to do what is said. How do you turn off registrants but leave commenting on??? Also, what do you mean by this:

    Another way I found out how to stop this is to place a blank .html file in each of my directories. As long as you don't name it "index.html" then it blocks the would-be hackers from placing spoof sites within that directory.

and how do you do it? Sorry for being stupid, just not sure????

What do you mean by this and how do you do it:

    2. Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.

Thanks for the info and look forward to hearing from you, Steve
| Quote:
Even though the wordpress team does new versions of wordpress, because it is open source, it can become a security risk as hackers learn what the vulnerabilities are. I've placed an .html file in each of my directories in order to stop hackers from finding any types of vulnerabilities. One of wordpress's programmers had mentioned that this would help because it somehow "blocks" that directory from being compromised. Don't know the gist of this, but since I've done this, I've had no problems.
| Quote:
Steve, To turn off people from registering, in your back office, go to the "Options" tab and drill down to "General". Should be the first submenu. Once in there, go to the part where there is a check box called "Membership" and deselect the box where it says "Anyone Can Register".

For commenting to be on, go to that same tab called "Options" and go to the submenu called "Discussions". There is a title called "Usual settings for an article: (These settings may be overridden for individual articles.)" There is a checkbox called "Allow people to post comments on the article". Make sure that this box is checked. In fact I have all the boxes checked under this submenu (some for security, some for SEO purposes like trackbacks).

About the blank .html file. You can name it anything BUT index.html. You don't want to name it this because this page will be the default page shown on your browser for that particular directory. We don't want the page to be the main page in that directory, so you can name it whatever you want, JUST NOT INDEX.HTML. Upload it to your directory and you should be ok. I have it placed in every directory if there is no .html file in there.

What I mean by directory is this: "/public_html/" is your home directory. "/public_html/wp-admin/" is a directory that all wordpress platforms have; "/public_html/wp-content/themes/" is your themes directory. Now when you are referring to files, they usually end in either .php, .html, .htm, .css, and so on. Images are referred to as .jpg, .png or .gif within the wordpress platform. So when someone is referring to a file in the themes directory, this is probably what they mean: /public_html/wp-content/themes/privacy.php <-- (this isn't a file within this directory for real though)

Hope this helps,
Last edited by bjsmooths : 04-05-2008 at 10:38 PM.
bjsmooths, why not index.html? If you name it anything else then the hacker will still be able to see the directory's contents - the list of plugins. There are certain files that serve the purpose of the index.html file, such as:

    index.htm
    index.html
    default.htm
    default.html
    home.htm (not sure)
    home.html (not sure)
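Editor's added example (not code from anyone in this thread): the last two posts disagree about the placeholder file, and the last poster has it right. A web server only serves a file in place of a directory listing if its name is in the server's DirectoryIndex list (index.html, index.php and similar); a blank file with any other name leaves the listing, and the plugin names in it, visible. The script below automates tip 2 by dropping an empty index.html into every directory under a webroot that has no index file, and it also covers the bonus tip by stripping the generator `<meta>` line from a theme's header.php and by checking rendered HTML for the version string that line leaks. The INDEX_NAMES list, the sample header.php and the mini-webroot layout are constructed for this example. A practitioner's caveat that the thread does not mention: `Options -Indexes` in .htaccess turns listings off server-wide regardless of filenames, and is the more robust fix; the placeholders are still useful as a belt-and-braces measure.

```python
"""Two information-leak hardening steps from the thread, scripted. Added
example; not code from the forum posts or from WordPress."""
import os
import re
import shutil
import tempfile

# Typical DirectoryIndex names. This list is an assumption for the example;
# the authoritative list is whatever your Apache DirectoryIndex setting says.
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def add_index_placeholders(webroot, index_names=INDEX_NAMES):
    """Create an empty index.html in every directory under webroot that has no
    index file, so a bare directory request returns a blank page instead of a
    listing. Returns the paths created."""
    created = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if not any(name in filenames for name in index_names):
            path = os.path.join(dirpath, "index.html")
            open(path, "w").close()
            created.append(path)
    return created


# Matches the whole generator line in header.php, including the embedded
# <?php bloginfo('version'); ?> call and any trailing HTML comment.
GENERATOR_META_RE = re.compile(
    r"""^[ \t]*<meta\s+name=["']generator["'].*?["']\s*/?>[^\n]*\n?""",
    re.IGNORECASE | re.MULTILINE,
)


def remove_generator_meta(header_php):
    """Return header.php source with the generator line removed."""
    return GENERATOR_META_RE.sub("", header_php)


# Matches the tag as a browser sees it once PHP has run, e.g.
# <meta name="generator" content="WordPress 2.3.3" />
RENDERED_GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s*([^"']*)["']""",
    re.IGNORECASE,
)


def leaked_wordpress_version(html):
    """Return the version string a rendered page discloses, or None.
    Run this against your own site's 'view source' to confirm the edit took."""
    m = RENDERED_GENERATOR_RE.search(html)
    if not m:
        return None
    return m.group(1).strip() or None


# Constructed sample header.php fragment, in the shape the thread describes.
SAMPLE_HEADER_PHP = """<head>
<title><?php bloginfo('name'); ?></title>
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
<link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" type="text/css" />
</head>
"""

# Constructed sample of what that line renders to on a hypothetical 2.3.3 site.
SAMPLE_RENDERED_HTML = '<html><head><meta name="generator" content="WordPress 2.3.3" /></head></html>'


def demo_placeholders():
    """Build a constructed mini-webroot in a temp dir, run the placeholder step
    and return the directories (relative, '/'-separated) that were fixed."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    layout = {
        "": ["index.php"],                          # webroot already has an index
        "wp-content/plugins": [],                   # listable: would leak plugin names
        "wp-content/plugins/akismet": ["akismet.php"],
        "wp-content/themes": ["index.php"],
    }
    for rel, files in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for f in files:
            open(os.path.join(d, f), "w").close()
    created = add_index_placeholders(root)
    result = sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in created)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print("placeholders written:", demo_placeholders())
    print("version leaked before edit:", leaked_wordpress_version(SAMPLE_RENDERED_HTML))
    print(remove_generator_meta(SAMPLE_HEADER_PHP))
```

Run `add_index_placeholders` against a local copy of the site first and review the returned list before uploading; wp-content itself, not just wp-content/plugins, is usually missing an index file.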