Hacked

fish · Jun 10, 2013

admin said:
The method used to get WP Admin password is via SQL injection.

Badly coded plugins are the cause.

They use the plugin to reveal the authcode for a password reset, once they have the password reset link (including a valid authcode) they change it to whatever suits them.

Admin

Which where the plugins at fault? would be good to know just in we have the same installed.

Thanks

><(((0>

baldidiot · Jun 10, 2013

I had a site (not wordpress) taken down repeatedly a couple of weeks ago - still no idea how they were doing it.

Nothing like a good hacking to get you to go through and back up/update all your sites!

Admin · Jun 10, 2013

https://www.youtube.com/watch?v=BrOMFz46BLQ

You can protect against manual SQL insert with this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

Admin · Jun 10, 2013

I also just found out that Wordpress will still work even if you move the wp-config.php one lebel ABOVE the root, so put it outside the publically accessible webspace on your server.

So instead of:

~/home/user/public_html/wp-config.php

Simply FTP into your server, and then move wp-config.php above the public_html directory so that it is located in:

~/home/user/wp-config.php

Admin

Edwin · Jun 10, 2013

Another good defensive strategy: don't host a Wordpress-powered site on a server that also has other critical sites on it. That way, if they hack Wordpress only that site will get taken down.

dashu1 · Jun 11, 2013

admin said:
I also just found out that Wordpress will still work even if you move the wp-config.php one lebel ABOVE the root, so put it outside the publically accessible webspace on your server.

So instead of:

~/home/user/public_html/wp-config.php

Simply FTP into your server, and then move wp-config.php above the public_html directory so that it is located in:

~/home/user/wp-config.php

Admin

There's a lot of debate though with this about whether it's more or less secure to move the config file a folder above.

Can't see it'd make a whole lot of difference in the grand scheme of things myself.

Skinner · Jun 11, 2013

I can't see that making a difference, I'm looking into implementing a open_basedir for each install, more to limit php to the root of the install so it can hopefully contain an infection from spreading.

Admin · Jun 14, 2013

Amazing how many sites are hacked and used by spammers and people don't even realise:

http://www.blakeandblakerecruitment .co.uk/sites/default/airjordan9retro.aspx
http://www.stmarysmumbai .com/airjordanshoes.aspx
http://www.bgms .ie/jordans.aspx

Google reveals tons of others.

Admin