Web Hosting

WordPress Security is Not Just About WordPress

One of my customer’s WordPress installations was hacked and turned into an attack site over the weekend.

I got a plea for help on New Year’s Day because she couldn’t view her site or log in – she just got an error message whenever she tried to do either.

When I reviewed the file that was referred to in the error message I found some scripts had been added.

Two other files in the wp-includes directory had also been updated at the same time, so I deleted all of them and replaced them with clean versions.

When I then accessed her site to check it was working OK, I got two Malware files dumped onto my PC – so they had infected more than the 3 files I found.

My first step was to clean up my own PC. Luckily AVG, CleanUp! and Malwarebytes did a great job on that, so I was back in action again in an hour or so.

My next step was to access my customer’s site via FTP to delete the database and the entire WordPress installation.

Then I set up a new database and installed a clean version of WordPress.

In the process I took the following security steps:

  1. Created unrelated usernames and passwords for the database – long and complicated
  2. Changed the default wp_ database prefix to something else
  3. Changed the default ‘admin’ username to something else – long and complicated. I set out a process for doing that here.
  4. Created a long and complex password
  5. Installed WP-Security-Scan and checked all the file permissions
  6. Made sure the WordPress version was not visible
  7. Installed Login Lockdown to lock out anyone attempting to use an incorrect user ID or password to log in
  8. Installed a blank index.html file in the wp-content/plugins and wp-content/themes directories (to prevent anyone seeing what plugins or themes were installed)

And two and a half hours after I’d completed everything her site was hacked again.

They got in because they had a copy of her FTP login details, which they’d obviously stored so they could use whenever they wanted to.

Although I’d given strict instructions for her to change her FTP password, she’d not had a chance to do so after I’d finished everything.

And the lesson is…

Nothing could more clearly illustrate the point I made in this article that WordPress security involves more than just making your WordPress installation secure.

You need to consider your computer and your FTP accesses – i.e. your entire online environment.

There’s no knowing for sure how the scammers had got hold of her FTP login details, but some of the ways would include:

  1. Intercepting email which contained them
  2. Having a keylogger (malware) installed on her PC which captured them and sent them back to the scammers
  3. Intercepting them during an FTP transfer.

So the message is this:

In addition to taking all the security precautions I referred to above on your WordPress installation itself, make sure your computer is (and stays) clean and, if you’re regularly uploading stuff to your WordPress site, use SFTP rather than FTP.

It goes without saying that you should be using one of the Internet Security products from a reputable supplier. And that means the paid version, not the Anti-Virus version which is usually free.

But I also use two other products:

Malwarebytes, which is an excellent product and free to download.

A couple of years ago I got a Trojan on one of my computers which I couldn’t get rid of. McAfee couldn’t find it, Spybot S&D couldn’t find it and Adaware couldn’t find it.

But Malwarebytes did.

And since then I install and use it on every computer I own and every computer I’m setting up for someone else.

As long as you have one of the Internet Security products running you only need to run Malwarebytes manually every few days (but you should run it at least once a week). Make sure you update it before you run it, because they release new signatures every day.

And, by the way, although I’m delighted with the Internet Security product I’m using, Malwarebytes still picks up stuff that it misses.

The other product I use (also free) is CleanUp!.  This focuses more on clearing out your temporary files, but I needed it the other day because I opened a copy of the infected file from my customer’s site to review it on my PC.

Although I didn’t save the file, a copy was still sitting in my temporary files folder and CleanUp! zapped that one for me.

Summary

Long story short, then:

  1. Make your WordPress installation as secure as you can – follow the steps above
  2. Make sure your computer is clean and stays clean
  3. Use SFTP rather than FTP
  4. Check the front of your site each day (as if you were a visitor) to make sure it’s functioning as it should
  5. Backup your site (database and system files) at least weekly. (I do a full site backup every time I make any changes to content or structure)

And if you’d like to get hold of 7 tips for making your WordPress blog more secure just click here

Web Hosting

Comments on this entry are closed.

  • corrie 6 January, 2010, 12:41 am

    Wow, Martin. Once again this stuff is scary. I guess I need to do some extra prayers over my computer, along with the above suggestions.

    This is why I have an RSS feed to your site.
    .-= corrie´s last blog ..One Benefit of Asperger’s Syndrome =-.

    • Martin 6 January, 2010, 6:47 am

      Yes – this stuff is scary.

      The problem is, of course, that we’re only ever playing catch up with the bad guys. I learnt that when I was running a fraud control department many years ago.

      It’s also why some companies have hired hackers in the past to test their security systems.

      Unfortunately the reality is that the hackers, spammers and scammers are always going to be one step ahead – which is why I said that if someone is determined to hack your account they will.

      Cheers,

      Martin.

  • Keith Davis 6 January, 2010, 2:03 am

    Oh Martin
    I was having such a pleasant evening until I read this!
    “You need to consider your PC and your FTP accesses”
    Good point and I might add… your Cpanel login if you use Cpanel.

    BTW Filezilla has an FTP over explicit TLS/SSL setting, which my host tells me is secure.
    .-= Keith Davis´s last blog ..Ooh la la… =-.

    • Martin 6 January, 2010, 6:44 am

      Sorry to spoil your evening 🙂

      Yes – Filezilla does a great job!

      And definitely your cPanel login, although as part of sorting out my customer’s blog I discovered that (on Hostagtor at any rate) your cpanel login is linked to your FTP login. Change one and the other changes as well.

      Martin.

  • marvin 6 January, 2010, 8:06 am

    My blog was hacked also on my previous host. Seeing that index.php with bunch of other files were changed, I considered moving on a different server. Thankfully I have a backup of the database before the attack.

    Unfortunately, currently, my new server is down for hardware upgrades (bummer).

    Hackers will always look for way to get in to your site. So we should guard every possible entry.

    • Martin 7 January, 2010, 7:33 am

      Exactly my point 🙂

      Cheers,

      Martin.

  • Kevin Hayes 12 January, 2010, 11:29 am

    Wow…thats scarey….. I have a plugin to limit login attempts and a plugin called bad behavior….wp security scan too. I hope that is enough to stop this from happening to me. I have no clue what you were talking about to fix her site. I would be lost if that happened to me.

    Columbia SC Mortgage

    • Martin 12 January, 2010, 7:14 pm

      Hi Kevin,

      Yes – those plugins do good jobs, but the message is that you need to pay attention to your PC and all the other ways people could get access to your site files.

      Of course you need to keep your WordPress installation secure, which means taking all sensible steps including keeping both it and your plugins updated (which I omitted to mention above).

      But all that comes to nothing if the hackers can access your site via your FTP login details.

      So you need to think security in everything you do on your PC and online.

      Cheers,

      Martin.