
Hacked

Status
Not open for further replies.
The method used to get the WP admin password is via SQL injection.

Badly coded plugins are the cause.

They use the plugin to reveal the authcode for a password reset; once they have the password reset link (including a valid authcode), they change it to whatever suits them.
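The kind of plugin code that leaks a reset key, shown beside a hardened version, as an added illustration: this is not code from the thread or from any named plugin. The function names (badplugin_lookup_user, goodplugin_lookup_user), the AJAX action name and the `user` request parameter are made up; the block assumes the standard WordPress `$wpdb` and AJAX APIs, so it runs as part of a plugin rather than stand-alone.

```php
<?php
// Added example (not from the thread): the plugin pattern behind "SQL injection
// reveals the reset authcode", beside a hardened version.
// Assumes the WordPress $wpdb global and AJAX API; load it as a plugin.

// VULNERABLE (illustrative): a lookup handler that interpolates request input
// straight into SQL and returns the whole row it hits, including the column
// that holds the password-reset key. Core never sends that column to a client;
// a plugin that selects it and echoes it does.
function badplugin_lookup_user() {
    global $wpdb;
    $login = $_GET['user'];                                    // untrusted input
    $row   = $wpdb->get_row(
        "SELECT ID, user_login, user_activation_key FROM {$wpdb->users} WHERE user_login = '$login'"
    );
    wp_send_json( $row );   // leaks everything in the row, not just what the page needed
}

// HARDENED: capability check, nonce check, parameterised query, a column list
// limited to what the caller needs, and the activation key never leaves the server.
function goodplugin_lookup_user() {
    global $wpdb;
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'goodplugin_lookup' );          // dies if the nonce is missing or invalid
    $login = sanitize_user( wp_unslash( $_GET['user'] ?? '' ) );
    $row   = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
            $login
        )
    );
    wp_send_json_success(
        $row ? array( 'ID' => (int) $row->ID, 'user_login' => $row->user_login ) : null
    );
}
add_action( 'wp_ajax_goodplugin_lookup', 'goodplugin_lookup_user' );
```

The two things that matter for the thread's scenario are `$wpdb->prepare()` (the input can no longer change the query's structure) and the narrowed column list (even a bug elsewhere in the handler cannot hand out `user_activation_key`). The capability and nonce checks are the usual WordPress AJAX hygiene and stop the endpoint being called anonymously at all.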

Admin

Which were the plugins at fault? Would be good to know just in case we have the same installed.

Thanks

><(((0>
 
I had a site (not wordpress) taken down repeatedly a couple of weeks ago - still no idea how they were doing it.

Nothing like a good hacking to get you to go through and back up/update all your sites!
 
https://www.youtube.com/watch?v=BrOMFz46BLQ

You can protect against manual SQL insert with this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Refuse rarely needed HTTP methods outright
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# Refuse any request whose query string matches one of the patterns below ([OR]),
# unless the browser carries a WordPress login cookie (final condition, AND-ed).
# mod_rewrite only sees the query string, not POST bodies, and several patterns
# (tag=, select, encode, %C...) also match ordinary WordPress URLs.
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# The "ê" below is in the widely copied original of this list and is most likely an encoding artifact
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
# As posted this line read ("|'|<|>|\|{||): its two empty alternatives match every
# query string, so every request without a login cookie would be refused. Corrected here.
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
 
I also just found out that Wordpress will still work even if you move the wp-config.php one level ABOVE the root, so put it outside the publicly accessible webspace on your server.

So instead of:

~/home/user/public_html/wp-config.php

Simply FTP into your server, and then move wp-config.php above the public_html directory so that it is located in:

~/home/user/wp-config.php
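To see what the query-string ruleset above actually refuses, here is an added PHP check (not from the thread, and not part of any WordPress or Apache code) that replays a few of its QUERY_STRING conditions with preg_match. Apache's mod_rewrite uses PCRE, so the matching is the same; the [NC] flag becomes PCRE's /i. The sample query strings are constructed, but each is a shape WordPress itself produces; the cookie exemption and the line containing "ê" are left out.

```php
<?php
// Added example, not from the thread: replay some of the .htaccess QUERY_STRING
// conditions with PCRE to see which ordinary WordPress requests they refuse.
// The [NC] flag becomes PCRE's /i; the "ê" line and the cookie exemption are left out.

function blocked_query_patterns(): array {
    return [
        'tag\='                                 => '/tag\=/i',
        '(%0|%A|%B|%C|%D|%E|%F|127\.0)'         => '/^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*/i',
        '(globals|encode|localhost|loopback)'   => '/^.*(globals|encode|localhost|loopback).*/i',
        '(request|select|insert|union|declare)' => '/^.*(request|select|insert|union|declare).*/i',
        '(\[|\]|\(|\)|<|>|"|;|\?|\*|=$)'        => '/^.*(\[|\]|\(|\)|<|>|"|;|\?|\*|=$).*/i',
    ];
}

/** Return the labels of every pattern that would refuse this query string. */
function matching_rules(string $query): array {
    $hits = [];
    foreach (blocked_query_patterns() as $label => $re) {
        if (preg_match($re, $query) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Constructed query strings, each one a shape a real WordPress site produces.
$samples = [
    'tag=news'           => 'tag archive link generated by WordPress',
    's=select+committee' => 'site search for a harmless phrase',
    's=caf%C3%A9'        => 'site search containing a non-ASCII character',
    'p=42&preview=true'  => 'post preview',
    'cat=3'              => 'category archive',
];

foreach ($samples as $qs => $what) {
    $hits = matching_rules($qs);
    printf("%-22s %-45s %s\n", $qs, $what,
        $hits ? 'REFUSED by ' . implode(' and ', $hits) : 'allowed');
}
```

Run it with `php check.php`: the tag archive, the search for "select committee" and the search containing a percent-encoded "é" are all refused for anonymous visitors, while the preview and category URLs pass. Because the conditions only inspect the query string, form submissions are not covered at all, so this list is a crude request filter with real false positives rather than protection against SQL injection; that protection has to come from the plugin code itself (parameterised queries), with the filter at most as a second layer.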

Admin
 
Another good defensive strategy: don't host a Wordpress-powered site on a server that also has other critical sites on it. That way, if they hack Wordpress only that site will get taken down.
 

Admin

There's a lot of debate though with this about whether it's more or less secure to move the config file a folder above.

Can't see it'd make a whole lot of difference in the grand scheme of things myself.
 
I can't see that making a difference. I'm looking into implementing an open_basedir for each install, more to limit PHP to the root of the install so it can hopefully contain an infection from spreading.
 