• I’m new to WordPress and just encountered my first problem. I’m concerned it is a major one and I hope there’s a patch. Someone hacked into my web root and posted a hidden file in my /html folder. (How did they get in there?)

    Apparently, the hackers sent out one of those phoney AOL emails directing them to my URL where they requested credit card info. (I got a nasty phone call. That’s how I found all this out.)

    My webhost said it’s unlikely someone got my ftp information and said that he’s heard about the WordPress program’s lack of security. I really didn’t understand his full explanation and he suggested I come here for help.

    Has anyone else had this experience? Is there a patch of some sort? Thanks in advance.

Viewing 10 replies - 1 through 10 (of 10 total)
  • My webhost said it’s unlikely someone got my ftp information and said that he’s heard about the WordPress program’s lack of security.

    Your webhost is ill-informed, ignorant, and also has not a single clue. I challenge anyone to document the “lack of security.”

    As for the FTP issue, if someone got your FTP login stuff, that’s between YOU and YOUR HOST. It has nothing to do with WordPress.

    Also, it is totally unnecessary to post the same topic more than once.

    This has been reported at least once before. I thought I recalled seeing a 2nd report, but I can’t find it now. Wrong search terms, I guess.

    It would help, fink, if you could give the details of your WP installation — what kind of server it’s on, if you’ve made any modifications to the default WP install, that sort of thing.

    Also: where is WP in relation to your /html directory? Is the unwelcome file in one of the WP-accessible directories or outside of it?

    The suggestion in the thread linked above is to password-protect the wp-admin folder. Try that for a start, I guess.

    Thread Starter fink

    (@fink)

    Sorry all for posting twice; I’ll take down the other one. I understand that if someone gained access to my ftp info it would be between myself and the webhost.

    To the person who actually tried to be helpful instead of rude, thank you. My WP is within my /html directory. Should it be somewhere else? The unwelcome files were within a hidden folder that was placed inside the /html directory. My webhost said something about the way log-ins are set up on WP but I’m new to all this and did not have a clue.

    I’m on a linux server, if that helps.

    Thanks again.

    Thread Starter fink

    (@fink)

    logista, that previous post was very helpful. How does one go about password-protecting the /html directory? Wouldn’t that then prevent people from seeing my site without the password?

    I apologise for sounding rude, but I make no apologies for vehemently defending WordPress from unsubstantiated claims.

    Thread Starter fink

    (@fink)

    Nuclear Moose, peace. WP’s done wonders for my site. My webhost’s claim was that the WordPress PHP application was exploited. I’m at a loss.

    Thanks.

    fink,
    I can understand your frustration with this. You must feel like you’re between a rock and a hard place. If you get a chance, ask your web host to document what s/he feels is the “avenue for exploitation” that s/he thinks is responsible for this. If your host simply says “it’s WordPress (or any other application for that matter)” without giving you a reasonable explanation, then I would be asking for more detail from them. You pay for the service, so it is not unreasonable to get an answer that makes sense.

    To echo NM’s comments, talk to your webhost and get SPECIFICS on what they consider an exploitative element within WP. If they can’t give you specifics, I would put it down to incompetence on their part.

    I’ve dealt with a few hosts where the tech support honestly don’t know their elbow from their backside, and asking them a direct question with specifics often throws them. I’ve found if they can’t give a direct answer to their claims, and prove as such, then they’re perhaps not a host worth considering, or at least contact the head of tech support/CEO of the hosting company and inform them of the lack of understanding the tech support person has with the problem.

    I’m not saying that WP is foolproof, I’m sure there are a few possibilities that will open up for exploitation, but nothing I have seen to date suggests this – after all 50,000+ downloads can’t be wrong, otherwise they would all be posting here and saying some jackanory hacked into my goat and all I got was a lousy tshirt.

    Talk to your host, make sure you get their name and find out the exact problem they say exists with WP. It’s very possible it’s their servers that are vulnerable, but I guess that would be between you and them.

    fink,

    You password protect the wp-admin directory, so whenever you go to the admin pages you have to enter in a password to even see the login page (in addition to logging in). I think that’s how it goes. I haven’t done it yet, ’cause I’m slow getting my new site live, so perhaps someone with experience can take over at this point 😉

    And I think you use a file called .htpasswd. If you do a Google search, you’ll find lots of resources on it and .htaccess.
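    The wp-admin protection described in this reply, as an added example that is not part of the thread: a small POSIX shell script that emits the Apache 2.4 `.htaccess` directives for HTTP Basic auth and installs them. It assumes Apache with mod_auth_basic and `AllowOverride AuthConfig` enabled for the WordPress directory; the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: put HTTP Basic auth in front of
# wp-admin. Assumes Apache 2.4 with mod_auth_basic and AllowOverride
# AuthConfig for the WordPress directory (assumption, not from the page).

# Print the .htaccess directives for wp-admin. $1 is the absolute path of
# the password file; keep it OUTSIDE the web root so it can never be
# served to a browser.
wpadmin_htaccess() {
    authfile=$1
    cat <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $authfile
Require valid-user

# Newer WordPress versions serve front-end AJAX calls from
# wp-admin/admin-ajax.php; leave that file reachable or plugins break.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Write the directives into the wp-admin directory ($1), pointing at the
# password file ($2).
install_wpadmin_htaccess() {
    wpadmin_htaccess "$2" > "$1/.htaccess"
}

# Create the password file itself with Apache's own tool (not run here):
#   htpasswd -c /srv/auth/.htpasswd admin
# Then: sh this_script.sh /var/www/html/wp-admin /srv/auth/.htpasswd
if [ "$#" -eq 2 ]; then
    install_wpadmin_htaccess "$1" "$2"
    echo "wrote $1/.htaccess (AuthUserFile $2)"
fi
```

Browsers will then prompt for the Basic-auth credentials before the WordPress login page is shown, which is the "double login" the reply above describes.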

    There are no known exploits which could cause this problem. If your host knows one, they should contact us ASAP.

  • The topic ‘Hacked web root’ is closed to new replies.