It is not enough to remove the consequences; you need to understand the causes of the incident. I already wrote that we were hacked and that, supposedly, we had fixed everything. However, a week later history repeated itself: another jQuery script was modified, as well as the .htaccess files. Moreover, the .htaccess files contained redirects to some shady site, but only for mobile devices and tablets, which is why I did not notice it immediately.
Within a couple of days we managed to find all the files modified by the attacker, as well as those he had created specifically for getting in (a shell). And again, thanks to the hosting provider for the help. Then I decided to take all the measures described on the Internet.
Contents of the article
- 1 All parts of my little blogger FAQ:
- 2 Tips for securing your WordPress blog
- 2.1 Refresh codes for counters and widgets
- 2.2 Update all plugins and WordPress to the latest versions and remove unused ones
- 2.3 Update timthumb.php
- 2.4 Check the rights to folders and files
- 2.5 Change username admin
- 2.6 Change all passwords to more complex ones
- 2.7 Protect .htaccess and wp-config.php files from access for everyone
- 2.8 Protect wp-includes folder with .htaccess
- 2.9 Protect wp-admin folder with .htaccess and .htpasswd
- 2.10 Change database prefix
- 2.11 Install the Belavir plugin
- 2.12 Install WP Security Scan Plugin
- 2.13 Install Better WP Security Plugin
- 2.14 Monitoring changes on your ftp
- 2.15 Backups of databases and files every few days
All parts of my little blogger FAQ:
I have written a number of blogging-related articles. They do not pretend to be a complete manual, but beginners may find them useful. Read them if you are interested.
0. I recommend the course «How to become a thousand-year blogger and earn»
1. How to start blogging
2. How to promote a blog - a list of my actions
3. How to make money blogging and traveling
4. An example of making money on our blog - Finstrip 2013, Finstrip 2012, Finstrip 2011
5. Reader and Search Traffic, and Why Readers Don't Return
6. Some truth about travel blogging
7. Tips for securing your WordPress blog
Tips for securing your WordPress blog
The list is unlikely to be complete, and, as they say, if someone really wants to break in, they will get in anyway. But at least these steps can be taken by almost any blogger, and they raise the bar enough to stop the automated attacks that hit most blogs.
Refresh codes for counters and widgets
Check the embed codes of all counters and social widgets on your blog against the site you originally got them from, and replace any that differ: these snippets load third-party JavaScript into every page, so an outdated or tampered copy is a direct way in.
They may have been updated. I noticed that Facebook often changes its widget code; they seem to be tightening security.
Update all plugins and WordPress to the latest versions and remove unused ones
Comments are superfluous here; everyone knows how to do this. Vulnerabilities are usually found in plugins and themes, so at a minimum everything that is not in use should be deleted, not merely deactivated: a deactivated plugin is still code on disk, and any of its files that can be requested directly is still exploitable.
Update timthumb.php
If your theme resizes thumbnails via timthumb.php, be sure to update this file to the latest version: older versions contain a well-known vulnerability that lets an attacker make the script fetch a remote file and execute it as PHP on your server, which is how a great many blogs were shelled. Search the whole wp-content folder for it, because themes often ship it under another name such as thumb.php.
Check the rights to folders and files
All files should have 644 permissions and all folders 755; .htaccess can be made 444 (read-only) and wp-config.php 600 or 440, since nothing but the web server ever needs to read it. The uploads folder does not need 777: a world-writable directory is exactly where an attacker drops a shell. On shared hosting the web server usually runs as the same user that owns your files, so 755 on wp-content/uploads is enough for uploads to work; if it runs as a different user, make that user the owner (or the group) of the uploads folder rather than opening it to everyone.
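An added example of applying and checking that policy from an SSH shell on the host; this script is not from the original post. It assumes the WordPress root is passed as the first argument, and it deliberately never sets a world-writable bit, so a 777 uploads folder is reported and corrected rather than preserved:

```shell
# wp_perms.sh: audit and normalise permissions under a WordPress root.
# Policy (an assumption of this example, matching the advice above):
#   directories 755, files 644, .htaccess 444, wp-config.php 600.
# Nothing is made world-writable; a 777 uploads directory is exactly
# where an attacker drops a shell.

# Print every path that deviates from the policy; prints nothing when clean.
wp_audit_perms() {
    root=$1
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name .htaccess ! -name wp-config.php ! -perm 644
    find "$root" -type f -name .htaccess ! -perm 444
    find "$root" -type f -name wp-config.php ! -perm 600
}

# Apply the policy. Directories and files are handled separately so that
# no file ever receives the execute bit and no directory loses it.
wp_fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name .htaccess -exec chmod 444 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Number of world-writable entries (mode bit o+w, i.e. -perm -002).
# This is the single figure worth checking after a clean-up: it must be 0.
wp_world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Typical use on the server:
#   wp_audit_perms /home/user/public_html   # look before touching anything
#   wp_fix_perms   /home/user/public_html
#   wp_world_writable_count /home/user/public_html
```

If wp_audit_perms lists wp-content/uploads after the fix, your hosting runs PHP as another user; fix ownership instead of reaching for 777.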
Change username admin
The fastest way is to open phpMyAdmin and run this query against your database (replace wp_ with your actual table prefix). Change user_nicename and display_name as well, not only user_login: WordPress exposes the nicename in author archive URLs (a request for /?author=1 redirects to /author/<nicename>/), and if it still reads admin, guessing the login is trivial:
UPDATE wp_users
   SET user_login    = 'your_new_login',
       user_nicename = 'your_new_login',
       display_name  = 'Your Name'
 WHERE user_login = 'admin';
Or you can simply create a new user with the Administrator role through the blog admin panel, log in as that user, delete the old admin and, when WordPress asks, reassign all of its posts to the new account.
Change all passwords to more complex ones
Trivial advice, but passwords should be long and unique: letters of both cases, digits and symbols, and never the same password for the blog, the hosting panel, FTP and the database. Also, do not forget that after cleaning up an infection you must change every password (blog admin panel, hosting control panel, FTP, SQL databases): an attacker who could write files could also read wp-config.php, so assume the database credentials are known. Prefer SFTP over plain FTP if your host offers it, since FTP sends the password in clear text. It also makes sense to regenerate the secret keys and salts in wp-config.php (WordPress hands out a fresh set at https://api.wordpress.org/secret-key/1.1/salt/); doing so invalidates every existing login cookie, including any the attacker still holds.
Protect .htaccess and wp-config.php files from access for everyone
Add this to the .htaccess at the root of your blog. The two blocks stop Apache from serving the .htaccess file itself and wp-config.php to a browser; they do nothing against access via FTP or via PHP code already running on the server. Note that Order takes a single argument, so "allow,deny" must be written without a space after the comma, otherwise Apache refuses the file and the whole site returns a 500 error. (On Apache 2.4 without mod_access_compat the Order/Deny/Allow directives no longer exist; use Require all denied inside each block instead.)
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
Protect wp-includes folder with .htaccess
Create a plain text file named .htaccess in the wp-includes folder with the content below. It denies direct browser requests to the PHP files there (WordPress loads them internally and never needs them called by URL, whereas a shell dropped into wp-includes is reached exactly that way), while the CSS, JavaScript and images in wp-includes stay accessible. The second block re-enables the one script the visual editor fetches directly; the file name is the usual exception and is an assumption here:
<Files *.php>
Order allow,deny
Deny from all
</Files>
# exception for the visual editor's script loader (assumed file name)
<Files wp-tinymce.php>
Allow from all
</Files>
Protect wp-admin folder with .htaccess and .htpasswd
Create a plain text file named .htaccess in the wp-admin folder with this content. It puts a second lock, HTTP Basic Authentication, in front of the whole admin area: Deny from all rejects every client address, Require valid-user admits anyone with a valid entry in .htpasswd, and Satisfy any makes either condition sufficient, so in practice only authenticated users get through:
AuthUserFile /home/public/.htpasswd
AuthType Basic
AuthName "restricted"
Order deny,allow
Deny from all
Require valid-user
Satisfy any
Here «/home/public/.htpasswd» is the full path to the .htpasswd file. Ideally this file lives above your blog directory, outside the folder Apache serves, so it can never be downloaded.
The .htpasswd file stores the hashed password for the wp-admin zone. The easiest way to create it is with Apache's own htpasswd utility, for example htpasswd -B -c /home/public/.htpasswd yourname (-B selects bcrypt, -c creates the file; omit -c when adding a second user), or with one of the many online generators. Do not reuse an existing account: the username and password should differ from every WordPress, hosting and FTP login you already have, otherwise the second lock opens with the same key as the first.
This method has one inconvenience: it is awkward on a multi-user blog, since every author will be asked for the extra password. It also covers wp-admin/admin-ajax.php, which many plugins call from the public pages for anonymous visitors; if something on the front end stops working, add an exception for that one file with its own <Files admin-ajax.php> block containing Satisfy any and Allow from all.
Change database prefix
Changing your SQL database prefix from the standard «wp_» to something like «wpsdjflk647_» is easiest at the very moment the blog is created, but it is not a problem even now. I did it with a plugin, which is discussed below. It could also be done in phpMyAdmin by renaming every table and then changing the prefix in the wp-config.php file; if you go that route, remember that the prefix also appears inside the data: the wp_user_roles option in the options table and the wp_capabilities and wp_user_level keys in usermeta must be renamed too, otherwise no account has administrator rights after the switch and you lock yourself out.
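The manual route, as an added shell script that is not from the original post: given the old and the new prefix it prints the SQL to run in phpMyAdmin, in the right order (tables first, then the prefixed option and usermeta keys, which after the rename live in the new tables). The table list is the standard single-site set; a multisite install or plugins with tables of their own need extra names, which can be passed on the command line. The script only generates text: take a backup, run the output, then change $table_prefix in wp-config.php.

```shell
# wp_prefix_sql.sh: print the SQL that moves a WordPress install from one
# table prefix to another.
# Usage: wp_prefix_sql OLD NEW TABLE...   (TABLE... are unprefixed names)
#        wp_prefix_sql_core OLD NEW       (standard single-site tables)

# Standard single-site tables (assumed; add any tables your plugins created).
wp_prefix_core_tables() {
    echo "commentmeta comments links options postmeta posts terms term_relationships term_taxonomy termmeta usermeta users"
}

wp_prefix_sql() {
    old=$1; new=$2; shift 2
    for t in "$@"; do
        printf 'RENAME TABLE %s%s TO %s%s;\n' "$old" "$t" "$new" "$t"
    done
    # The prefix is also stored as data. Without these updates every user
    # loses its role and the administrator is locked out after the rename.
    # They target the renamed tables because they run after the RENAMEs.
    printf "UPDATE %soptions SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" "$new" "$new" "$old"
    for k in capabilities user_level user-settings user-settings-time; do
        printf "UPDATE %susermeta SET meta_key = '%s%s' WHERE meta_key = '%s%s';\n" "$new" "$new" "$k" "$old" "$k"
    done
    # Plugins occasionally store prefixed keys of their own; afterwards run
    #   SELECT meta_key FROM <new>usermeta WHERE meta_key LIKE '<old>\_%';
    # (the backslash keeps LIKE from treating _ as a wildcard) and rename any hits.
}

# shellcheck disable=SC2046  # word splitting of the table list is intended
wp_prefix_sql_core() {
    wp_prefix_sql "$1" "$2" $(wp_prefix_core_tables)
}

# Example: wp_prefix_sql_core wp_ wpsdjflk647_ > change-prefix.sql
```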
Install the Belavir plugin
Install the Belavir plugin, which tracks changes in all PHP files of your blog. It does not monitor anything continuously: it runs a check each time you open the Dashboard page of the admin panel and displays the changes there. It has no settings. Keep in mind that a plugin runs inside the site it is guarding, so an attacker who already has a shell can disable it or edit its stored checksums; a copy of the baseline kept outside the web root is the only one you can really trust.
Install WP Security Scan Plugin
Install the WP Security Scan plugin; it does a few things, in particular:
- changes the database prefix
- checks the permissions of folders and files
- hides the WordPress version
- runs an antivirus scan over your blog's files
Install Better WP Security Plugin
Install the Better WP Security plugin; it is even more useful than the previous two. The list of its capabilities is very long; I will list a part:
- allows you to change the database prefix
- removes telltale information such as the WordPress version from the page source
- monitors changes in all files
- bans the IP of visitors who request strange addresses after your blog name and collect 404 errors (the signature of a scanner probing for known vulnerable files)
- blocks password guessing for the admin panel and bans the IP
- changes the standard login address of the admin panel, which keeps the dumb brute-force scripts away; note that it is obscurity only, and that xmlrpc.php also accepts username and password, so the login throttling above matters more than the hidden URL
- and much more.
Monitoring changes on your ftp
Install the ftpinfo program on your computer; it connects to your FTP server and watches all files in the account for creation / deletion / modification. A very handy thing during virus attacks. You can monitor not only all files but also define masks for files and folders. Because this works over FTP, remember that FTP sends your password in clear text on every connection; use SFTP or FTPS if your host supports it, since a sniffed FTP password is itself a common way a freshly cleaned blog gets re-infected.
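Belavir above and the FTP monitor here both look for file changes, one from inside WordPress and one over FTP. As an added example, not from the post or from either tool, this shell script keeps a SHA-256 baseline of every file in the blog directory (including .htaccess, uploads and themes, not only PHP), stored outside the web root, and reports added, removed and modified files. It assumes SSH access to the host and that sha256sum or shasum is installed; run it from cron and mail yourself the output when it exits non-zero.

```shell
# wp_fim.sh: file-integrity baseline and check for a WordPress directory.
# The baseline file must live outside the web root (an assumption of this
# example, e.g. /home/user/wp-baseline.txt) so a shell on the site cannot
# quietly rewrite it.

# Pick a SHA-256 tool; both print "<64 hex chars>  <path>" lines.
wp_fim_hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo "shasum -a 256"
    fi
}

# Hash every file under $1 relative to $1, sorted by path. Relative paths
# keep the baseline valid if the site is moved or restored elsewhere.
wp_fim_scan() {
    tool=$(wp_fim_hash_tool)
    ( cd "$1" && find . -type f -exec $tool {} + ) | sort -k2
}

# Record the baseline (owner-readable only).
wp_fim_baseline() {
    wp_fim_scan "$1" > "$2"
    chmod 600 "$2"
}

# Compare two scan files ($1 baseline, $2 current) and print one line per
# difference: ADDED / REMOVED / MODIFIED followed by the path. The path is
# taken from column 67 onwards (64 hex digits plus two spaces), so file
# names containing spaces are handled correctly.
wp_fim_diff() {
    awk 'NR==FNR { b[substr($0, 67)] = $1; next }
         { p = substr($0, 67); seen[p] = 1
           if (!(p in b)) print "ADDED " p
           else if (b[p] != $1) print "MODIFIED " p }
         END { for (p in b) if (!(p in seen)) print "REMOVED " p }' "$1" "$2"
}

# Check $1 against baseline $2. Exit status 0 when nothing changed,
# 1 (with the report on stdout) otherwise; suitable for cron.
wp_fim_check() {
    current=$(mktemp)
    wp_fim_scan "$1" > "$current"
    report=$(wp_fim_diff "$2" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    echo "$report"
    return 1
}

# Typical use:
#   wp_fim_baseline /home/user/public_html /home/user/wp-baseline.txt
#   wp_fim_check    /home/user/public_html /home/user/wp-baseline.txt
# Re-run wp_fim_baseline only after you have reviewed every reported change
# (e.g. after a WordPress or plugin update).
```

Expect noise right after updates and from caches that write into wp-content; an ADDED .php file under uploads or a MODIFIED jQuery file or .htaccess with no update to explain it is exactly what this blog's second compromise looked like.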
Backups of databases and files every few days
A very useful thing; it also comes in handy when fighting infections: the original files are always at hand, and you can roll back if the site cannot be cleaned. Keep the copies off the server (a backup that sits next to the site is deleted or altered along with it) and keep several generations, because by the time you notice an infection the most recent backup may already contain the attacker's files. I am using the BackWPup plugin. It has many features, including copying data to Dropbox, a convenient service that provides 2 GB of free space and synchronisation with your computer.
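An added example of the backup itself, not the author's BackWPup setup: a shell script for a host with SSH access that reads the database credentials from the site's own wp-config.php and writes a compressed dump plus a tarball of the files to a directory outside the web root. mysqldump, tar and gzip are assumed to be installed, and the paths in the usage comment are hypothetical. The parsing function is the part worth reusing, since most hand-written backup scripts duplicate the credentials a second time and then drift out of date.

```shell
# wp_backup.sh: database + file backup driven by wp-config.php.
# Usage: wp_backup /path/to/wordpress /path/to/backups   (paths assumed)

# Print the value of define('NAME', 'value') from wp-config.php ($1 file, $2 name).
# Accepts single or double quotes and any spacing; first match wins.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print the table prefix from the $table_prefix = '...'; line.
wp_config_prefix() {
    sed -n "s/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

wp_backup() {
    root=$1; dest=$2
    cfg=$root/wp-config.php
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    db=$(wp_config_get "$cfg" DB_NAME)
    user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD)
    host=$(wp_config_get "$cfg" DB_HOST)
    # Credentials go through a temporary option file, not the command line,
    # so they never show up in `ps` for other users on a shared host.
    # DB_HOST may carry a port ("localhost:3306"); drop it for a plain host.
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$user" "$pass" "${host%%:*}" > "$cnf"
    mysqldump --defaults-extra-file="$cnf" --single-transaction "$db" | gzip > "$dest/db-$stamp.sql.gz"
    rm -f "$cnf"
    # Files, including .htaccess and uploads, relative to the site root.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$root" .
    chmod 600 "$dest"/*-"$stamp".*
    echo "$dest/db-$stamp.sql.gz $dest/files-$stamp.tar.gz"
}

# Cron example (daily at 03:15), with the destination outside public_html:
#   15 3 * * * . /home/user/wp_backup.sh && wp_backup /home/user/public_html /home/user/backups
```

Copy the resulting files somewhere off the server (Dropbox, another host, your own computer) and test a restore once: a backup you have never restored is a hope, not a plan.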
These are the tips for protecting a WordPress blog that I applied on our blog. If you have questions or additions (maybe something else can be done), write in the comments 🙂