
Wordpress Security

Discussion in 'Wordpress' started by Admin, Apr 15, 2013.

Thread Status:
Not open for further replies.
  1. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    10,823
    Likes Received:
    305
    If you run Wordpress and don't have Wordfence, install it now.

    It is an awesome tool and has helped me block many IPs on my sites, especially those trying to get an Admin login.

    Admin
     
  3. newguy United Kingdom

    newguy Well-Known Member

    Joined:
    Dec 2009
    Posts:
    2,781
    Likes Received:
    61
    Saw this the other day. I installed a tool to limit login attempts, and deleted old themes. Some people move the login page to a different URL too. Security by obscurity.
     
  4. Blossom

    Blossom Well-Known Member

    Joined:
    Oct 2010
    Posts:
    1,428
    Likes Received:
    57
    I like it, but our security guy says it's massively bloated and can cause problems.
     
  5. monaghan United Kingdom

    monaghan Moderator Staff Member

    Joined:
    May 2007
    Posts:
    2,103
    Likes Received:
    70
    OK - Silly question...
    Next to the Username field it says
    Do I have to hit the database or is there a GUI method?
     
  6. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,424
    Likes Received:
    55
    Yes, that confuzzled me a bit as well.

    In the end I didn't want to add another plugin, so I went into the db and changed the 3 fields for the admin name data to a different one in the users table for user id 1.

    The site-visible nickname should also be different to the 'admin' name, but this can be changed in the wp admin page and is held in the usermeta table with the user id as the key, so not a problem if you hack the db for the admin name.

    As all other data (posts etc.) works off the userID, it's not a problem to do this, and the front end 'should' display the nickname anyway. So long as it's set, which is a good security measure in itself.
     
  7. AssetDomains

    AssetDomains Well-Known Member

    Joined:
    Feb 2010
    Posts:
    3,046
    Likes Received:
    69
    Fastest way: set up a new user with admin privileges, log in as the new user, then delete the original admin account.
     
  8. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,424
    Likes Received:
    55
    True, but sometimes keeping the admin account with userID 1 is useful, and creating a new account means lots of table updates if there is post/page/meta data tied to that userID.

    Why WP protects the usernames is beyond me when the data is associated with the userID. Then again the WP db is a f&*ed up cobbled-together bag of non-normalised shite! :)
     
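    The two methods discussed in posts 6 to 8, as an added worked example that is not part of the thread or of WordPress itself: renaming the account at user ID 1 in place (the three name columns in wp_users plus the nickname row in wp_usermeta), and the alternative of creating a replacement administrator and re-pointing content at its ID before deleting the old one. It runs against an in-memory SQLite copy of the relevant tables so it executes offline; the schema is cut down, the rows are constructed sample data, the wp_ table prefix is assumed, and the placeholder password hash stands in for one WordPress would generate. The UPDATE and DELETE statements are plain SQL and apply unchanged to the MySQL tables.

```python
import re
import sqlite3

# Cut-down copy of the WordPress tables involved, built in memory. Column names
# follow WordPress core, the wp_ prefix is assumed, and every row is constructed
# sample data rather than a real site.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'  # serialised PHP array WP stores
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT NOT NULL UNIQUE,
    user_pass TEXT NOT NULL, user_nicename TEXT NOT NULL, user_email TEXT NOT NULL,
    display_name TEXT NOT NULL);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
    meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER NOT NULL, post_title TEXT);
CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
    comment_content TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$Bplaceholder-hash', 'admin', 'owner@example.com', 'admin');
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (1, 'nickname', 'admin'),
    (1, 'wp_capabilities', '%s');
INSERT INTO wp_posts VALUES (10, 1, 'Hello world'), (11, 1, 'About');
INSERT INTO wp_comments VALUES (100, 1, 'First comment');
""" % ADMIN_CAPS


def slug(login):
    """user_nicename is a URL slug, so lower-case and hyphenate the login."""
    return re.sub(r"[^a-z0-9]+", "-", login.lower()).strip("-")


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_login(conn, login):
    """What the login form keys on: username to row. Returns the ID or None."""
    row = conn.execute("SELECT ID FROM wp_users WHERE user_login = ?", (login,)).fetchone()
    return row[0] if row else None


def user_summary(conn, user_id):
    row = conn.execute("SELECT user_login, user_nicename, display_name FROM wp_users "
                       "WHERE ID = ?", (user_id,)).fetchone()
    nick = conn.execute("SELECT meta_value FROM wp_usermeta WHERE user_id = ? "
                        "AND meta_key = 'nickname'", (user_id,)).fetchone()
    return {"user_login": row[0], "user_nicename": row[1], "display_name": row[2],
            "nickname": nick[0] if nick else None}


def rename_user_in_place(conn, user_id, new_login, new_display):
    """Method 1: keep the ID, rewrite the three name columns in wp_users and the
    nickname row in wp_usermeta. Content tables reference the ID, so they are
    untouched."""
    conn.execute("UPDATE wp_users SET user_login = ?, user_nicename = ?, display_name = ? "
                 "WHERE ID = ?", (new_login, slug(new_login), new_display, user_id))
    conn.execute("UPDATE wp_usermeta SET meta_value = ? WHERE user_id = ? "
                 "AND meta_key = 'nickname'", (new_display, user_id))
    conn.commit()


def create_admin(conn, login, pass_hash, email, display):
    """Method 2, step 1: a replacement administrator. On a live site create it
    through the WordPress UI so the password is hashed by WordPress; the hash
    passed in here is a placeholder for the mock database."""
    cur = conn.execute("INSERT INTO wp_users (user_login, user_pass, user_nicename, "
                       "user_email, display_name) VALUES (?, ?, ?, ?, ?)",
                       (login, pass_hash, slug(login), email, display))
    new_id = cur.lastrowid
    conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
                     [(new_id, "nickname", display), (new_id, "wp_capabilities", ADMIN_CAPS)])
    conn.commit()
    return new_id


def replace_user(conn, old_id, new_id):
    """Method 2, step 2: re-point every table keyed on the old ID, then delete the
    old account and its meta. Each extra table a site uses adds another UPDATE."""
    conn.execute("UPDATE wp_posts SET post_author = ? WHERE post_author = ?", (new_id, old_id))
    conn.execute("UPDATE wp_comments SET user_id = ? WHERE user_id = ?", (new_id, old_id))
    conn.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (old_id,))
    conn.execute("DELETE FROM wp_users WHERE ID = ?", (old_id,))
    conn.commit()


def orphaned_rows(conn):
    """Check after either method: rows whose user ID no longer exists in wp_users."""
    total = 0
    for table, col in (("wp_posts", "post_author"), ("wp_comments", "user_id"),
                       ("wp_usermeta", "user_id")):
        total += conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} NOT IN "
                              "(SELECT ID FROM wp_users)").fetchone()[0]
    return total


if __name__ == "__main__":
    conn = open_sample_db()
    rename_user_in_place(conn, 1, "K7_owner", "Site Owner")
    print(user_summary(conn, 1), "orphans:", orphaned_rows(conn))
```

    The orphaned_rows check is the one to run after either method: any count above zero means a table keyed on the old ID was missed. A real site may carry the user ID in further tables (links, plugin tables), and each of those needs the same re-pointing before the old row is deleted.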
  9. monaghan United Kingdom

    monaghan Moderator Staff Member

    Joined:
    May 2007
    Posts:
    2,103
    Likes Received:
    70
    :)

    After spending over 10 years as a corporate database guy, I often cringe when I see how some people do databases :(

    SELECT * and lack of a good WHERE clause or proper index seem to be the common issues

    I've hit the database and changed the user names as it seemed the most simple method.
     
  10. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,424
    Likes Received:
    55
    Yeah, I cut my teeth on some pretty hardcore Oracle & Informix driven industry DBs, so I know how you feel! :)

    Don't even get me started on the WP core and its kitchen-sink loading philosophy! Spaghetti-code, grrr. I develop for it because it's popular, not because it's good.
     
  11. spiderspider

    spiderspider Active Member

    Joined:
    Feb 2013
    Posts:
    676
    Likes Received:
    48
    It's not just the username that should be changed, but also the user ID, considering the first account created is normally admin, with a user ID of 1.

    I use 'Better WP Security' (free plugin) as it does all the backups, blocks, changes of usernames, ID, file protection, notification of changes, and restrictions that are needed. Not been hacked since I installed it.
     
  12. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,424
    Likes Received:
    55
    Why?
     
  13. spiderspider

    spiderspider Active Member

    Joined:
    Feb 2013
    Posts:
    676
    Likes Received:
    48
    Because user ID 1 is always the first one created, and as such Admin. Change the username and not the ID, and if someone gets the DB it's dead easy to find the admin username and pass (as it's number 1).

    Change the user ID, and it just puts a stumbling block in the way. Not 100% I know.

    The better WP security plugin is here: http://wordpress.org/extend/plugins/better-wp-security/
     
  14. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,424
    Likes Received:
    55
    Someone gets the DB and you're fucked anyway! The ID is irrelevant in the way this botnet works, by searching on the username and dictionary passwords. Whether the administrator is ID 1 or 101 makes no odds. WP logs in via the username field. The WP user/usermeta tables use the ID as the primary & foreign keys to tie post/meta data together.

    Dictionary attacks aren't anything new; my error logs over the last 10+ yrs running a large vBulletin forum tell me that.

    One thing I always recommend above this is to jail user accounts and limit ssh & ftp to ip blocks ( or better static ips if your isp allows it ).

    For WP passwords a non-dictionary case-sensitive password is essential.
     
    Last edited: Apr 16, 2013
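    The botnet described in this post drives wp-login.php with a username and a dictionary, so the signal is in the web server's access log whichever plugin is installed. The following is an added example, not code from the thread, from Wordfence or from Better WP Security, that does over a log file what those plugins do inside WordPress: parse Apache combined-format lines, count failed logins per client address inside a sliding window, and emit deny rules for the offenders. The sample lines are constructed from documentation IP ranges. It assumes the stock WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302; a custom login page or a plugin that changes that response needs is_failed_login adjusted.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Apache "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (documentation IP ranges, not real clients).
# 203.0.113.7 hammers the login form; 198.51.100.20 logs in normally;
# 192.0.2.33 fails twice, fifteen minutes apart; the last line is junk.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2013:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2013:10:00:06 +0100] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Apr/2013:10:00:10 +0100] "GET /wp-login.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Apr/2013:10:00:15 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Apr/2013:10:00:16 +0100] "GET /wp-admin/ HTTP/1.1" 200 12344 "-" "Mozilla/5.0"
192.0.2.33 - - [15/Apr/2013:10:30:00 +0100] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3122 "-" "-"
192.0.2.33 - - [15/Apr/2013:10:45:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3122 "-" "-"
this line is not in log format and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def is_failed_login(rec):
    """Failed login: POST to wp-login.php answered with 200 (form re-rendered
    with an error). A success is a 302 redirect. The query string is dropped
    so ?redirect_to=... still matches. Assumed stock WordPress behaviour."""
    return (rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php"
            and rec["status"] == 200)


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_forcers(lines, threshold=5, window_seconds=300):
    """IPs with at least `threshold` failed logins inside `window_seconds`,
    as (ip, count) pairs, busiest first."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    hits = [(ip, max_in_window(ts, window_seconds)) for ip, ts in failures.items()]
    hits = [(ip, n) for ip, n in hits if n >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def htaccess_block(ips):
    """Apache 2.2-style deny rules for the offending addresses."""
    return "\n".join(["Order Allow,Deny", "Allow from all"] + [f"Deny from {ip}" for ip in ips])


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    print(hits)
    print(htaccess_block([ip for ip, _ in hits]))
```

    The 192.0.2.33 entries show the limit of a per-IP threshold: two failures fifteen minutes apart stay under it, which is exactly how a botnet spreading one dictionary across many addresses avoids lockouts. A lower threshold over a longer window catches more of it at the cost of false positives; the non-dictionary password recommended above is what actually defeats the attack.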
  15. rodeboy United Kingdom

    rodeboy Active Member

    Joined:
    Sep 2010
    Posts:
    572
    Likes Received:
    6
    Following the heads up in this thread I installed Better WP Security on all my WP sites (yes I know, 'Why wasn't something like that there already ....?'!)

    The set up was straightforward and addressed most if not all of the issues referred to in the thread.

    The one thing that amazes me is the number of lockouts I am getting from users who presumably are looking for vulnerabilities. Have they not got something better to do?

    Anyway, I feel safer having undergone this exercise, thanks to you guys who posted.

    Chris
     
  16. mtalk India

    mtalk Active Member

    Joined:
    Apr 2011
    Posts:
    82
    Likes Received:
    3
  17. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    10,823
    Likes Received:
    305
    Nice, thanks for sharing. Still have a look at Wordfence, it tells you by email when any plugin or WP version needs an update which helps you keep on top of multiple sites.

    Admin
     
  18. Admin

    Admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    10,823
    Likes Received:
    305
    WPtouch is dodgy

    Vulnerability details
    WordPress path /home/lighters/public_html
    Title Plugin: wptouch 1.9.6.1, WP path: /home/lighters/public_html
    Plugin Name wptouch
    Version 1.9.6.1
    Description WordPress WPtouch plugin is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WPtouch plugin version 1.9.31 is vulnerable; prior versions may also be affected.
    References
    http://plugins.trac.wordpress.org/changeset/409622/wptouch
    http://secunia.com/advisories/47422/
     
  19. Jamie101 Netherlands

    Jamie101 Well-Known Member

    Joined:
    Jan 2012
    Posts:
    1,073
    Likes Received:
    16
    This is well worth looking at if you use any cache plugins:

    http://goo.gl/7hO65

    Literally only take a few seconds to update it and make your site safer.
     