
About Keeping WordPress Secure (30 posts)

  1. erikacon
    Member
    Posted 1 year ago #

    ceconn.com

    I can't tell you how many times I've been hacked. Most recently, this morning. I have the usual updates - all of them and all current.
    I tried moving wp-config file one directory up to wp-includes folder but that just meant I could not log on to my site. I tried changing permission to 400 and adding stuff to .htaccess. None of that worked because it locked me out as well.

    What is a body to do?

  2. s_ha_dum
    Member
    Posted 1 year ago #

    What are the permissions on the server?

    Is it shared hosting?

    Have you noticed any users with high authority?

    Is your password secure and the passwords of anybody else with high authority-- administrator, editor, etc?

  3. erikacon
    Member
    Posted 1 year ago #

    My folders are 755 and files are 644. Yes, it's shared hosting but I keep hearing it's something I'm doing or not doing that's causing the problem. I've been dealing with the same host for several years and for the most part, it's been uneventful. This hacking started in April this year and has been driving me crazy since then. There is only one user and that's me. Also, I've changed my passwords over and over again. It's started to get confusing.

    I maintain it's from their end - perhaps an insecure domain on the same server. Be damned if I know. Trouble is, I've just renewed for two years. If I'm going to change I'll have to wait, won't I?

  4. s_ha_dum
    Member
    Posted 1 year ago #

    You need to figure out how the hacker is getting in. This could be tough. On shared hosting a vulnerability on any of the hosted sites can, under the right circumstances, give the hacker access to some or all of the other sites.

    Have you completely re-installed since this started?

    What are the symptoms of a 'hack' at your site? What happens?

    Meanwhile... FAQ: My Site Was Hacked

  5. erikacon
    Member
    Posted 1 year ago #

    A bunch of times. I'm getting pretty good at this.

  6. s_ha_dum
    Member
    Posted 1 year ago #

    You have re-installed from a clean WordPress download, clean plugins, and clean theme?

    What are the symptoms of a 'hack' at your site? What happens?

    Do you have access to something like PhpMyAdmin? If so, have you looked in the database directly for users that might be hidden?

    Meanwhile... FAQ: My Site Was Hacked

  7. erikacon
    Member
    Posted 1 year ago #

    All of the above.

    I've had a number of ways that I know it's hacked. First of all, when I type in my website they tell me "You've been hacked", instead of my home page. Of course, that also affects my sub-domains and my add-on domains. The last couple of times, that did not happen. I just had my main site affected. But, my main site is the most important one.

    There was an instance when I checked phpmyadmin and I saw a foreign email address and password and username. I quickly fixed that.

    It's just that it's annoying beyond belief.

  8. s_ha_dum
    Member
    Posted 1 year ago #

    I don't think I can help you anymore remotely like this. Have you thought about hiring someone to do a thorough audit of your site? Look to the bottom of the page for "WP Jobs". Either your site has a big hole in it or your host does, and I don't think I am going to be able to tell you which, but you really do need to find out.

  9. erikacon
    Member
    Posted 1 year ago #

    I know. Thanks anyway.

  10. Abhishek Ghosh
    Member
    Posted 1 year ago #

    "I maintain it's from their end - perhaps an insecure domain on the same server. Be damned if I know. Trouble is, I've just renewed for two years. If I'm going to change I'll have to wait, won't I?"

    You have renewed the domain name. You can change the name servers at any time (i.e. the web host). You do not have to wait for 2 years. Understand this: the domain name and the server are separate things. You can use the same or a different provider.

    For example, if you opted for Rackspace Cloud and changed the name server set, typing your domain name would point towards Rackspace Cloud's specific folder. It's called DNS propagation. I am not sure if you are asking about whether it will take time.

  11. s_ha_dum
    Member
    Posted 1 year ago #

    @Abhishek Ghosh, If it is on their end, she needs to change hosts. When she said that she had renewed I assumed that she meant she had renewed a hosting contract, not her domain name.

    @erikacon, while I can't make any promises, this hacking problem should give you some leverage with your host. Also, you might be able to get out of this the same way I got out of the dorms in college-- annoy the powers that be so much they let you go. :)

  12. Abhishek Ghosh
    Member
    Posted 1 year ago #

    You are right s_ha_dum, I forgot the fact that Shared usually charges for one year or more.

  13. erikacon
    Member
    Posted 1 year ago #

    What I meant was, I have paid for another 2 years of hosting. I don't want to lose that money. Besides, how do I know the next one will be any better?

  14. Abhishek Ghosh
    Member
    Posted 1 year ago #

    You have done something wrong with .htaccess. The posts, categories, tags and pages are throwing 404 -

    http://www.webpagetest.org/result/120703_FT_X1Q/

    The Rackspace Cloud, MediaTemplate or Amazon will not keep a security flaw. This is a very frank answer.

  15. erikacon
    Member
    Posted 1 year ago #

    I should have checked it. It's true, I read on this site about bullet proofing wordpress. One of the things suggested was moving .htaccess one directory above to wp-includes.

    I'll move it back into the root right now.

  16. Abhishek Ghosh
    Member
    Posted 1 year ago #

    Create one .htaccess for each folder and make the permissions accordingly.

    These are among the quite vulnerable files:

    ./wp-admin/install.php
    ./wp-config.php
    ./readme.html

    These are risky because, if the server is updating its software (or rather PHP is not running), these files can be read in a browser like text files.

    Protect them with these in the .htaccess of the root:

    # prevent browsing of readme file
    <files readme.html>
    order allow,deny
    deny from all
    </files>

    # prevent editing .htaccess itself
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    # prevent viewing of install file
    <files install.php>
    order allow,deny
    deny from all
    </files>

    In wp-admin, the .htaccess must have these :

    <FilesMatch "^(install\.php|example\.php|example2\.php|example3\.php)">
    Order allow,deny
    Deny from all
    #Allow from 88.77.66.55
    </FilesMatch>

    There is a naughty trick to prevent login - simply rename wp-login.php from FTP when you do not need to log in. After login, rename it again (unless you are logging out, this file is not needed). You can read the article on perishablepress.com for more tricks.

    # is used for commenting out (the code will not work) in .htaccess.

  17. erikacon
    Member
    Posted 1 year ago #

    Wow. Looks like I've got my work cut out for me. I'll get right on that. It looks like someone even hacked my appletv. I called AVG this morning and they've been running scans since then. Then I'll call Apple.

  18. erikacon
    Member
    Posted 1 year ago #

    OK, Done.

  19. erikacon
    Member
    Posted 1 year ago #

    I have a number of add-on domains and also sub-domains. Do I have to do anything with them?

  20. stevejohnson
    Member
    Posted 1 year ago #

    I can almost guarantee that you have a backdoor script installed in some out-of-the way folder. There isn't an easy way to clean up intrusions like this - you have to examine or replace from a known good source every file in your account, which includes the folders for addon domains and subdomains.
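
The check described in the post above (every file compared against a known good source), as an added example that is not code from this thread. It assumes the clean directory is a freshly unpacked download of the same WordPress release as the live site; the directory names, the `USER_DIRS` heuristic and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: uploads hold media only, so a script there deserves a look.
USER_DIRS = ("wp-content/uploads/",)
SCRIPT_EXT = (".php", ".phtml")

def manifest(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit(clean_root, live_root):
    """Compare a live install with a freshly unpacked copy of the same release."""
    clean, live = manifest(clean_root), manifest(live_root)
    report = {"modified": [], "unexpected": [], "script_in_uploads": [],
              "missing": sorted(set(clean) - set(live))}
    for rel in sorted(live):
        if rel in clean:
            if live[rel] != clean[rel]:
                report["modified"].append(rel)      # shipped file changed on disk
        elif rel.startswith(USER_DIRS):
            if rel.lower().endswith(SCRIPT_EXT):
                report["script_in_uploads"].append(rel)
            # other files under uploads are ordinary user content
        else:
            report["unexpected"].append(rel)        # not shipped: review by hand
    return report

def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for rel in ("index.php", "wp-includes/version.php", "wp-admin/install.php"):
            _write(clean, rel, "<?php // shipped " + rel)
            _write(live, rel, "<?php // shipped " + rel)
        _write(live, "index.php", "<?php // shipped index.php plus one extra line")
        _write(live, "wp-config.php", "<?php // site settings, never in a download")
        _write(live, "wp-content/uploads/2012/07/photo.jpg", "constructed image bytes")
        _write(live, "wp-content/uploads/2012/07/thumb.php", "<?php // constructed")
        os.remove(os.path.join(live, "wp-includes", "version.php"))
        return audit(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files reported as `unexpected` include legitimate ones such as `wp-config.php` and `.htaccess`, which no download ships; those are the ones to read line by line.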

  21. s_ha_dum
    Member
    Posted 1 year ago #

    "I can almost guarantee that you have a backdoor script installed in some out-of-the way folder."

    I believe so too. However, erikacon has stated a couple of times that she has reinstalled from clean sources, not once but numerous times.

  22. Abhishek Ghosh
    Member
    Posted 1 year ago #

    Maybe some deleted plugin / theme has kept a script and someone played / is playing with it.

    Let us see what happens next for your website.
    Repeat the same for add-on domains and sub-domains too. They are fully separate regardless of whether they are on a subfolder or subdomain.

  23. erikacon
    Member
    Posted 1 year ago #

    What should I be looking for?
    Where would I find a backdoor script?
    In fact, what is a backdoor script? How does it look?
    When you say a known good source, what do you mean? What about my backups? Wouldn't that be a known good source?

  24. erikacon
    Member
    Posted 1 year ago #

    OK, here goes nothing.

  25. Abhishek Ghosh
    Member
    Posted 1 year ago #

    Read the whole web page including Vladimir's comment :

    http://perishablepress.com/tale-of-a-hacked-website/

  26. erikacon
    Member
    Posted 1 year ago #

    Done. All of them now have the .htaccess that the main domain has.

  27. erikacon
    Member
    Posted 1 year ago #

    I actually read all of it, especially Vladimir's comments. I went into cpanel and then Error logs. I got this. I don't know if that is helpful but here it is:
    [Wed Jul 04 13:24:09 2012] [crit] [client 66.249.66.239] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:24:09 2012] [crit] [client 66.249.66.239] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:23:06 2012] [crit] [client 188.65.96.106] (13)Permission denied: /home/erikacon/public_html/say-cheese/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:23:05 2012] [crit] [client 188.65.96.106] (13)Permission denied: /home/erikacon/public_html/say-cheese/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:20:45 2012] [crit] [client 180.76.6.232] (13)Permission denied: /home/erikacon/public_html/boy-scouts-canada/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:19:41 2012] [crit] [client 208.115.113.85] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:19:41 2012] [crit] [client 208.115.113.85] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:19:24 2012] [crit] [client 124.115.0.18] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:19:24 2012] [crit] [client 124.115.0.18] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:17:07 2012] [crit] [client 180.76.6.211] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:17:07 2012] [crit] [client 180.76.6.211] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:08:16 2012] [crit] [client 208.115.113.85] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:08:16 2012] [crit] [client 208.115.113.85] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:08:03 2012] [crit] [client 208.115.113.85] (13)Permission denied: /home/erikacon/public_html/can-we-talk/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:08:00 2012] [crit] [client 208.115.113.85] (13)Permission denied: /home/erikacon/public_html/say-cheese/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:05:58 2012] [crit] [client 180.76.5.111] (13)Permission denied: /home/erikacon/public_html/can-we-talk/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 13:01:06 2012] [crit] [client 66.249.66.148] (13)Permission denied: /home/erikacon/public_html/can-we-talk/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:59:27 2012] [crit] [client 208.92.218.66] (13)Permission denied: /home/erikacon/public_html/can-we-talk/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:58:46 2012] [error] [client 77.75.77.11] client denied by server configuration: /home/erikacon/public_html/canwetalk/.htaccess
    [Wed Jul 04 12:57:34 2012] [crit] [client 77.75.77.11] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:57:34 2012] [crit] [client 77.75.77.11] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:57:31 2012] [crit] [client 77.75.77.11] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:57:31 2012] [crit] [client 77.75.77.11] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:57:19 2012] [crit] [client 66.249.66.239] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:57:19 2012] [crit] [client 66.249.66.239] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:56:04 2012] [crit] [client 100.43.83.158] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:56:04 2012] [crit] [client 100.43.83.158] (13)Permission denied: /home/erikacon/public_html/tapc.ca/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:52:22 2012] [crit] [client 66.249.66.148] (13)Permission denied: /home/erikacon/public_html/say-cheese/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:52:20 2012] [crit] [client 66.249.66.121] (13)Permission denied: /home/erikacon/public_html/say-cheese/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:52:07 2012] [crit] [client 180.76.5.53] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:52:06 2012] [crit] [client 180.76.5.53] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:51:49 2012] [crit] [client 1.202.218.8] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:51:49 2012] [crit] [client 1.202.218.8] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:49:39 2012] [crit] [client 100.43.83.158] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:49:39 2012] [crit] [client 100.43.83.158] (13)Permission denied: /home/erikacon/public_html/countrygarden/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    [Wed Jul 04 12:48:20 2012] [error] [client 1.202.218.8] File does not exist: /home/erikacon/public_html/canwetalk/404.shtml
    [Wed Jul 04 12:48:20 2012] [error] [client 1.202.218.8] File does not exist: /home/erikacon/public_html/canwetalk/robots.txt
    [Wed Jul 04 12:19:53 2012] [error] [client 115.250.194.46] client denied by server configuration: /home/erikacon/public_html/wp-admin/install.php
    [Wed Jul 04 12:19:15 2012] [error] [client 115.250.194.46] client denied by server configuration: /home/erikacon/public_html/wp-admin/install.php
    [Wed Jul 04 12:19:14 2012] [error] [client 66.249.66.148] client denied by server configuration: /home/erikacon/public_html/wp-admin/install.php
    [Wed Jul 04 12:19:08 2012] [error] [client 115.250.194.46] client denied by server configuration: /home/erikacon/public_html/wp-admin/install.php
    [Wed Jul 04 09:59:33 2012] [error] [client 1.202.218.8] File does not exist: /home/erikacon/public_html/canwetalk/404.shtml
    [Wed Jul 04 09:59:33 2012] [error] [client 1.202.218.8] File does not exist: /home/erikacon/public_html/canwetalk/robots.txt
    [Wed Jul 04 09:05:07 2012] [error] [client 123.126.50.71] client denied by server configuration: /home/erikacon/public_html/saycheese/.htaccess
    Warning: DocumentRoot [/home/erikacon/public_html/whatsmellssogood] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotosbyerika.com] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotoblog] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/food911] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/whatsmellssogood] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotosbyerika.com] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotoblog] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/food911] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/whatsmellssogood] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotosbyerika.com] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotoblog] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/food911] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/whatsmellssogood] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotosbyerika.com] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotoblog] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/food911] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/whatsmellssogood] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotosbyerika.com] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/fotoblog] does not exist
    Warning: DocumentRoot [/home/erikacon/public_html/food911] does not exist
    [Wed Jul 04 07:08:56 2012] [error] [client 1.202.218.8] File does not exist: /home/erikacon/public_html/canwetalk/404.shtml
    [Wed Jul 04 07:08:56 2012] [error] [client 1.202.218.8] File does not exist: /home/erikacon/public_html/canwetalk/robots.txt

    I have deleted my food blog, so that makes sense. Also fotosbyerika was demolished during the first hacking and, would you believe, that's the only one I did not have a backup for? I'll have to start from scratch.

    The instructions are often over my head. That's a lot to take in all at once. I'll just keep re-reading until I figure it out.
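
A way to sort an Apache error log like the one in the post above into its distinct causes, as an added example that is not code from this thread. The `[crit]` `(13)Permission denied ... pcfg_openfile` entries are written when the server process cannot read an `.htaccess` file, while `client denied by server configuration` is what an `Order`/`Deny` rule logs when it blocks a request. The sample lines, addresses and paths below are constructed.

```python
import posixpath
import re
from collections import Counter

LINE = re.compile(r"^\[[^\]]+\] \[\w+\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
DOCROOT = re.compile(r"^Warning: DocumentRoot \[(?P<path>[^\]]+)\] does not exist$")
RULES = [
    # Server process lacks read permission on the file (errno 13, EACCES).
    ("htaccess_unreadable",
     re.compile(r"\(13\)Permission denied: (?P<path>\S+) pcfg_openfile")),
    # An access rule matched and refused the request: the rule is working.
    ("denied_by_rule",
     re.compile(r"client denied by server configuration: (?P<path>\S+)")),
    ("missing_file", re.compile(r"File does not exist: (?P<path>\S+)")),
]

# Constructed sample in the same format as the log quoted in the post.
SAMPLE = """\
[Wed Jul 04 13:24:09 2012] [crit] [client 192.0.2.10] (13)Permission denied: /home/example/public_html/site-a/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Jul 04 13:24:09 2012] [crit] [client 192.0.2.10] (13)Permission denied: /home/example/public_html/site-a/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Jul 04 13:23:06 2012] [crit] [client 198.51.100.7] (13)Permission denied: /home/example/public_html/site-b/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Jul 04 12:19:53 2012] [error] [client 203.0.113.5] client denied by server configuration: /home/example/public_html/wp-admin/install.php
[Wed Jul 04 12:48:20 2012] [error] [client 203.0.113.5] File does not exist: /home/example/public_html/site-c/robots.txt
Warning: DocumentRoot [/home/example/public_html/old-blog] does not exist
""".splitlines()

def classify(line):
    """Return (kind, path, client_ip) for one log line, or None if unparsed."""
    line = line.strip()
    m = DOCROOT.match(line)
    if m:
        return ("missing_docroot", m.group("path"), None)
    m = LINE.match(line)
    if not m:
        return None
    for kind, rx in RULES:
        hit = rx.search(m.group("msg"))
        if hit:
            return (kind, hit.group("path"), m.group("ip"))
    return ("other", None, m.group("ip"))

def summarize(lines):
    """kind -> {'paths': Counter of affected paths, 'clients': set of IPs}."""
    out = {}
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        kind, path, ip = rec
        slot = out.setdefault(kind, {"paths": Counter(), "clients": set()})
        slot["paths"][path] += 1
        if ip:
            slot["clients"].add(ip)
    return out

def unreadable_htaccess_dirs(lines):
    """Directories whose .htaccess the server could not read."""
    paths = summarize(lines).get("htaccess_unreadable", {"paths": {}})["paths"]
    return sorted(posixpath.dirname(p) for p in paths)

if __name__ == "__main__":
    for kind, slot in summarize(SAMPLE).items():
        print(kind, dict(slot["paths"]), len(slot["clients"]), "client(s)")
```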

  28. erikacon
    Member
    Posted 1 year ago #

    In case I forgot as I do sometimes, thank you all so very much. I do appreciate it.

  29. Abhishek Ghosh
    Member
    Posted 1 year ago #

    Great.

    Permission denied is appearing as you wrongly moved the .htaccess to wp-config (instead of having individual .htaccess). The number of attempts indicates when a visitor tried to access any page, post, tag or category. From WordPress config file, that .htaccess was needed for showing the proper webpage. If you compare with any IP tracing software, you will get my IP starting with 117 too!

    To test, you can rename the root .htaccess (like bak.htaccess). If you visit a few pages, you will get 404 plus the error in the log.

    Vladimir's comment is remarkable really.

    Now, you need to restore the backups of very carefully.

  30. erikacon
    Member
    Posted 1 year ago #

    Thanks again. I will do that.

This topic has been closed to new replies.