Wordpress Security

Admin

Dear WordPress Publisher,

I'm sure you've seen the news reports during the last 72+ hours about a "massive" "global" "distributed" brute force attack on WordPress systems.

Brute force attacks are ongoing, and this is simply an increase in frequency. To protect yourself, make sure all default accounts like "admin" have been deleted or renamed and that your passwords are very difficult to guess. A brute-force attack is a relatively unsophisticated attack where one or more remote machines try to guess your password.

The more successful attacks are attacks where a back-door known only to a hacker (a zero day vulnerability) is exploited to gain access to your system without logging in. The Timthumb vulnerability which I discovered and fixed last year is an example of this. I haven't seen any reports of a new "zero day" vulnerability being exploited in this attack.

The nature of the attack does suggest that a large portion of the brute force attacks currently underway may be originating from an individual or a single group. If successful this will result in a single individual or group having access to a large distributed network of compromised WordPress servers on relatively high bandwidth links. They can then launch further attacks from this platform. However, whether the attacks are being orchestrated by one person or one group should not affect how you protect yourself.

In this case:

1. Make sure your "admin" account has been renamed.

2. Make sure all your passwords are difficult to guess.

3. Make sure you've disabled and deleted all unused themes and plugins.

Don't be alarmed if you see an increased flow of login attempts on your Wordfence live traffic screen (The Logins and Logouts panel). As long as your passwords are hard to guess and you've removed the "admin" account, you'll most likely be just fine. If you're bored, you can manually block each malicious IP address using Wordfence, or even block the originating Networks. But I'm not doing this on my personal sites because I have strong passwords and no admin account.

Regards,

Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.

If you run Wordpress and don't have Wordfence, install it now.

It is an awesome tool and has helped me block many IPs on my sites, especially those trying to get an Admin login.

Admin
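The email above describes the symptom (a surge of POSTs to the login form) but only points at the Wordfence live traffic screen for seeing it. The script below is an added example written for this thread, not code from Wordfence or from the original poster: it parses constructed access-log lines in the common combined format, counts POST requests to /wp-login.php per source address inside a five-minute window, and flags any address that crosses a threshold, marking separately the case that matters most, a redirect (WordPress's response to a successful login) following a burst from the same address. The window, the threshold and the sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format). The addresses are
# from the documentation ranges; nothing here comes from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:10:00:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 11200 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.2"
192.0.2.9 - - [12/Apr/2013:10:06:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.2"
192.0.2.9 - - [12/Apr/2013:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed number of login POSTs per window before flagging


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]     # ignore query strings
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def analyse(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged IP to its peak login-POST count inside `window` and
    whether a redirect (successful login) was seen from it after it was flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"peak": 0, "success_after_burst": False})
            entry["peak"] = max(entry["peak"], len(q))
        # A failed login re-renders the form (200); a successful one redirects
        # (302). A 302 from an address already flagged is the alert to act on.
        if status == 302 and ip in flagged:
            flagged[ip]["success_after_burst"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real access log, the flagged set is the list you would feed to a firewall or to Wordfence's manual block, while the 192.0.2.9 pattern (three slow attempts spread over eleven minutes) shows why a simple per-window count needs to be paired with the account hardening the email recommends: slow guessing never trips a rate threshold.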
 
Saw this the other day. I installed a tool to limit login attempts, and deleted old themes. Some people move the login page to a different URL too. Security by obscurity.
 
I like it, but our security guy says it's massively bloated and can cause problems.
 
OK - Silly question...
To protect yourself, make sure all default accounts like "admin" have been deleted or renamed and that your passwords are very difficult to guess.

Next to the Username field it says
Usernames cannot be changed.

Do I have to hit the database or is there a GUI method?
 
Yes, that confuzzled me a bit as well.

In the end I didn't want to add another plugin so I went into the db and changed the 3 fields for the admin name data to a different one in the users table for user id 1.

The site visible nickname should also be different to the 'admin' name but this can be changed in the wp admin page and is held on the usermeta table with the user id being the key, so not a problem if you hack the db for the admin name.

As all other data - posts etc works off the userID it's not a problem to do this and the front end 'should' display the nickname anyway. So long as it's set, which is a good security measure in itself.
 
OK - Silly question...
To protect yourself, make sure all default accounts like "admin" have been deleted or renamed and that your passwords are very difficult to guess.

Next to the Username field it says
Usernames cannot be changed.

Do I have to hit the database or is there a GUI method?

Fastest way set up a new user with admin privileges log in as the new user then delete the original admin account.
 
True, but sometimes keeping the admin account with userID 1 is useful, and creating a new account means lots of table updates if there is post/page/meta data tied to that userID.

Why WP protects the usernames is beyond me when the data is associated with the userID. Then again the WP db is a f&*ed up cobbled-together bag of non-normalised shite! :)
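The two approaches in the last few posts (rewrite the name fields on user ID 1 in place, or create a new administrator, move the content across and delete the old row) can be checked against a toy copy of the tables. This is an added example written for this thread, not WordPress code: it uses SQLite in memory as a stand-in for MySQL, with wp_users, wp_usermeta and wp_posts cut down to the columns involved. The reading of "the 3 fields" as user_login, user_nicename and display_name is my assumption, as is the constructed data (one 'admin' row owning two posts). The audit function is what a defender would script across many sites: is there still a login named 'admin', and does any post now point at an author row that no longer exists?

```python
import sqlite3


def build_sample_db():
    """Constructed stand-in for the WordPress tables discussed in the thread.
    SQLite replaces MySQL and the schemas are reduced to the columns involved;
    the table and column names are the real WordPress ones."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE,
            user_nicename TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (
            ID INTEGER PRIMARY KEY, post_author INTEGER, post_title TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', 'admin', 'admin');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (1, 'nickname', 'admin');
        INSERT INTO wp_posts VALUES (10, 1, 'Hello world'), (11, 1, 'Second post');
    """)
    return con


def rename_in_place(con, old_login, new_login, new_display):
    """Option 1 from the thread: keep the row (and its ID), rewrite the name
    fields. wp_posts.post_author references the ID, so no post rows change.
    Returns the number of user rows updated (1 if old_login existed)."""
    row = con.execute("SELECT ID FROM wp_users WHERE user_login=?", (old_login,)).fetchone()
    if row is None:
        return 0
    uid = row[0]
    con.execute(
        "UPDATE wp_users SET user_login=?, user_nicename=?, display_name=? WHERE ID=?",
        (new_login, new_login, new_display, uid))
    # The publicly visible nickname lives in wp_usermeta, keyed by user_id.
    con.execute(
        "UPDATE wp_usermeta SET meta_value=? WHERE meta_key='nickname' AND user_id=?",
        (new_display, uid))
    return 1


def replace_account(con, old_login, new_login, new_display):
    """Option 2 from the thread: create a fresh account, re-point its content,
    then delete the old row. Role/capability metadata (also in wp_usermeta)
    is left out of this reduced schema. Returns the new user's ID."""
    new_id = con.execute(
        "INSERT INTO wp_users (user_login, user_nicename, display_name) VALUES (?, ?, ?)",
        (new_login, new_login, new_display)).lastrowid
    old_id = con.execute("SELECT ID FROM wp_users WHERE user_login=?", (old_login,)).fetchone()[0]
    # This is the "lots of table updates" step: every table keyed by the old ID.
    con.execute("UPDATE wp_posts SET post_author=? WHERE post_author=?", (new_id, old_id))
    con.execute("DELETE FROM wp_usermeta WHERE user_id=?", (old_id,))
    con.execute("DELETE FROM wp_users WHERE ID=?", (old_id,))
    return new_id


def audit(con):
    """Checks to run across many sites: a login literally named 'admin' still
    present, and posts whose author row no longer exists (a botched option 2)."""
    has_admin = con.execute(
        "SELECT COUNT(*) FROM wp_users WHERE user_login='admin'").fetchone()[0] > 0
    orphans = con.execute(
        "SELECT COUNT(*) FROM wp_posts p LEFT JOIN wp_users u ON u.ID = p.post_author "
        "WHERE u.ID IS NULL").fetchone()[0]
    authors = {r[0] for r in con.execute("SELECT DISTINCT post_author FROM wp_posts")}
    return {"has_admin_login": has_admin, "orphan_posts": orphans, "post_authors": authors}


if __name__ == "__main__":
    con = build_sample_db()
    rename_in_place(con, "admin", "site_owner_x7", "Editor")
    print(audit(con))
```

Both paths leave the audit clean, which is the point the thread makes: WordPress ties content to the numeric ID, not to the login name, so rewriting the name fields on ID 1 is a valid fix and the ID itself is not what the dictionary attack keys on. Whichever path is used on a live site, take a database backup first and run the orphan check afterwards.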
 
Then again the WP db is a f&*ed up cobbled-together bag of non-normalised shite! :)

:)

After spending over 10 years as a corporate database guy, I often cringe when I see how some people do databases :(

SELECT * and lack of a good WHERE clause or proper index seem to be the common issues

I've hit the database and changed the user names as it seemed the most simple method.
 
yeah, I cut my teeth on some pretty hardcore oracle & informix driven industry db's so I know how you feel! :)

Don't even get me started on the WP core and its kitchen-sink loading philosophy! Spaghetti-code, grrr. I develop for it because it's popular, not because it's good.
 
It's not just the username that should be changed, but also the user ID, considering the first account created is normally admin, with a user ID of 1.

I use 'Better WP Security' (free plugin) as it does all the backups, blocks, changes of usernames, ID, file protection, notification of changes, and restrictions that are needed. Not been hacked since I installed it.
 
If someone gets the DB, it's dead easy to find the admin username and pass (as it's number 1).

Someone gets the DB and you're fucked anyway! The ID is irrelevant in the way this botnet works, by searching on the username and dictionary passwords. Whether the administrator is ID 1 or 101 makes no odds. WP logs in via the username field. The WP user/usermeta tables use the ID as the primary & foreign keys to tie post/meta data together.

Dictionary attacks aren't anything new, my error logs over the last 10+yrs running a large vbulletin forum tell me that.

One thing I always recommend above this is to jail user accounts and limit ssh & ftp to ip blocks ( or better static ips if your isp allows it ).

For WP passwords a non-dictionary case-sensitive password is essential.
 
Following the heads up in this thread I installed Better WP Security on all my WP sites (yes I know, 'Why wasn't something like that there already ....?'!)

The set up was straightforward and addressed most if not all of the issues referred to in the thread.

The one thing that amazes me is the number of lockouts I am getting from users who presumably are looking for vulnerabilities. Have they not got something better to do?

Anyway, I feel safer having undergone this exercise, thanks to you guys who posted.

Chris
 
Nice, thanks for sharing. Still have a look at Wordfence, it tells you by email when any plugin or WP version needs an update which helps you keep on top of multiple sites.

Admin
 
WPtouch is dodgy

Vulnerability details
WordPress path: /home/lighters/public_html
Title: Plugin: wptouch 1.9.6.1, WP path: /home/lighters/public_html
Plugin Name: wptouch
Version: 1.9.6.1
Description: WordPress WPtouch plugin is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WPtouch plugin version 1.9.31 is vulnerable; prior versions may also be affected.
References:
http://plugins.trac.wordpress.org/changeset/409622/wptouch
http://secunia.com/advisories/47422/
 