WordPress.org

Lev*tra link spam inserted into my header?! (18 posts)

  1. intricateartist
    Member
    Posted 6 years ago #

    I've just gone into my header (it's only been a few weeks since I looked), and there's SPAM inserted into my header by a hacker - how on earth would someone be able to get into my template header file and add their link? It was styled inline, negative margin and inserted above my header.

    How good is the security for 2.2.3?

  2. Chris_K
    Member
    Posted 6 years ago #

    How good is the security for 2.2.3?

    How good are your security practices?

    Did you leave theme files 777 and open to the world?

  3. intricateartist
    Member
    Posted 6 years ago #

    I don't chmod my files 777 - it's the standard 644.

  4. intricateartist
    Member
    Posted 6 years ago #

    any other ideas, then, Handy?

  5. Chris_K
    Member
    Posted 6 years ago #

    Not yet :-)

    If you look at the theme's header.php on your server, is the timestamp recent enough that you might have web server logs for that time frame? If so, dig through those looking for mention of it.

    Do you have the original files from that theme? How's the header in the original distribution?

  6. intricateartist
    Member
    Posted 6 years ago #

    Unfortunately, the timestamp is that of when I deleted the link, so all I know is that it's between July (my last backup) and October 11.

    I created the theme myself - so the original doesn't contain any spam.

    I'm wondering if it has to do with these spam registered users. Editing the theme isn't allowed as a subscriber (which is what new users are set at); is there a way they could modify their access through the admin panel? Just the thought of it made me spend 2 hours deleting all those spam users from my database.
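    Added example, not code from any poster in this thread: two checks for the kind of injection posts 1 and 5 describe, a link with hiding inline CSS dropped into a theme file, plus the "compare against the original" check from post 5 done by hash over a backup. All sample file contents are constructed and the domain in the injected link is a placeholder.

```python
"""Added example, not code from any poster in this thread: two checks for the
kind of injection posts 1 and 5 describe, a hidden inline-styled link dropped
into a theme file. All sample file contents below are constructed; the domain
in the injected link is a placeholder, not a real site."""
import hashlib
import re
from urllib.parse import urlparse

# Inline CSS that pushes an element off-screen or hides it; the thread's
# injection used a negative margin, so that case is covered explicitly.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|margin(?:-\w+)?\s*:\s*-\d"
    r"|(?:left|top)\s*:\s*-\d{3,}|font-size\s*:\s*0\b|text-indent\s*:\s*-\d",
    re.I,
)
STYLED_TAG = re.compile(r"<(\w+)\b[^>]*\bstyle\s*=\s*[\"']([^\"']*)[\"']", re.I)
HREF = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']([^\"']+)[\"']", re.I)


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def find_hidden_elements(html):
    """Tags whose inline style hides or offsets them (where spam links live)."""
    return [
        {"line": _line_of(html, m.start()), "tag": m.group(1).lower(), "style": m.group(2)}
        for m in STYLED_TAG.finditer(html)
        if HIDING_STYLE.search(m.group(2))
    ]


def find_external_links(html, own_host):
    """Links pointing off-site; a theme header normally has none it did not ship with."""
    found = []
    for m in HREF.finditer(html):
        host = urlparse(m.group(1)).hostname
        if host and host != own_host and not host.endswith("." + own_host):
            found.append({"line": _line_of(html, m.start()), "host": host, "href": m.group(1)})
    return found


def diff_against_backup(backup, live):
    """Compare file contents (name -> bytes) by SHA-256: post 5's 'how's the
    header in the original?' applied to every file instead of by eye."""
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    return {
        "modified": sorted(n for n in backup if n in live and digest(backup[n]) != digest(live[n])),
        "added": sorted(n for n in live if n not in backup),
        "removed": sorted(n for n in backup if n not in live),
    }


CLEAN_HEADER = """<?php /* constructed sample header.php */ ?>
<div id="header">
  <h1><a href="http://blog.example/">My blog</a></h1>
</div>
"""
# The same file with a hidden off-site link dropped in above the header.
INJECTED_HEADER = CLEAN_HEADER.replace(
    '<div id="header">',
    '<div style="margin-top:-999px;position:absolute">'
    '<a href="http://spam-placeholder.invalid/">buy now</a></div>\n<div id="header">',
)

if __name__ == "__main__":
    for hit in find_hidden_elements(INJECTED_HEADER):
        print(f"hidden element line {hit['line']}: <{hit['tag']} style=\"{hit['style']}\">")
    for link in find_external_links(INJECTED_HEADER, "blog.example"):
        print(f"off-site link line {link['line']}: {link['href']}")
    print(diff_against_backup({"header.php": CLEAN_HEADER.encode()},
                              {"header.php": INJECTED_HEADER.encode()}))
```

    Run it against a directory by reading each theme file into the `live` dict and the July backup into `backup`; a "modified" entry on a file you have not touched narrows the timestamp problem in post 6, since the backup's date bounds when the change happened even when the file's mtime has been reset by your own edit.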

  7. moshu
    Member
    Posted 6 years ago #

    For the future, to stop those spam registrations:
    http://www.village-idiot.org/archives/2007/01/10/wp-deadbolt/

  8. intricateartist
    Member
    Posted 6 years ago #

    Thanks much, Moshu - I am on the hunt for a plugin that will disable registration entirely. That one looks great, but there are so many e-mail addresses to block - it will take too much time and many would have to come through once in order for me to know the addy to block them. :/

  9. Jeremy Clark
    Moderator
    Posted 6 years ago #

    Don't need a plugin, it's built in. Under your options menu under General look under membership, uncheck the box that anyone can register.

  10. Ivovic
    Member
    Posted 6 years ago #

    Instead of blocking by email, you may want to just set up an image verification on the registration page. Regular users won't mind too much - since they're already taking the time to register.

    I get a fair bit of spam myself, and a few of these regged spam users but none of that has ever resulted in compromised code. If you're concerned that the wp admin area is being compromised then the first thing you should do is limit access as much as possible.

    A .htaccess file to allow only password access to the admin area is a good start, and something the good folks here suggest as part of any responsible installation. This way you're relying more on your web server's security than you are on PHP.

  11. intricateartist
    Member
    Posted 6 years ago #

    Wow - Jeremy, thank you. I've been using WP for a couple of years and never even had to look at that option before.

    ::blushing::

    :P

    Ivovic - I am not .htaccess literate, how is that written in the file?

  12. Ivovic
    Member
    Posted 6 years ago #

    It requires that you generate a password hash too, so perhaps rather than fiddling with it manually, you might try a plugin which does it all for you.

    I'm not endorsing this plugin, it was simply the most recent one I could find, so it's very likely compatible.

    What looks to be another cute little plugin will lock down the login page for an hour, upon a number of failed attempts. This will dramatically reduce the chance of your password being compromised by brute force.

    There's plenty of information to be found via google on how to do the htaccess/htpasswd stuff manually if you like, though.

    Also, if you're really concerned about sending your passwords etc. in clear text, you can go nuts and enable SSL on your admin area with this... though I don't think it's really necessary.
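    Added example, not from any poster or plugin named in this thread: what the .htaccess in post 10 looks like written out, and the password hash post 12 says you have to generate for it, built with the standard library only. Assumptions are mine: Apache with AllowOverride enabled for the site, the `.htpasswd` kept outside the web root at a path you choose, and the hash being the `$apr1$` MD5-crypt variant that `htpasswd -m` produces (where the `htpasswd` tool is available, its bcrypt output from `htpasswd -B` is the stronger choice and goes into the same file).

```python
"""Added example (not from the thread): the two files Apache's HTTP Basic auth
needs in front of wp-admin, as post 10 suggests and post 12 qualifies.
Assumptions: Apache with AllowOverride on, .htpasswd stored outside the web
root, and the "$apr1$" hash format that `htpasswd -m` writes."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    # Apache's to64(): emit `count` chars, low 6 bits first.
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=""):
    """Return '$apr1$<salt>$<hash>', the md5-crypt variant Apache calls apr1."""
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + MAGIC + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(final[: min(16, remaining)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # fixed 1000-round stretching loop of md5-crypt
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def apr1_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_hash(password, parts[2]), stored)


def htpasswd_line(user, password):
    """One line of the .htpasswd file."""
    return f"{user}:{apr1_hash(password)}"


def wp_admin_htaccess(htpasswd_path, realm="WordPress admin"):
    """Contents of wp-admin/.htaccess; htpasswd_path is an absolute path."""
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )


if __name__ == "__main__":
    # Placeholder path and credentials; pick your own.
    print(wp_admin_htaccess("/home/example/private/.htpasswd"))
    print(htpasswd_line("admin", "choose-a-long-passphrase"))
```

    Put the first output in `wp-admin/.htaccess` and the second in the file named by `AuthUserFile`, with that file outside anything the web server serves. One caveat worth knowing before you do: anything a theme or plugin loads from `wp-admin/` for anonymous visitors (`admin-ajax.php` is the usual one) will then prompt for the password too, so check the public side of the site afterwards.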

  13. DianeV
    Member
    Posted 6 years ago #

    Also, your web hosting control panel may have a function allowing you to set passwords on directories. That might be a good way to go.

  14. tc8
    Member
    Posted 6 years ago #

    I am currently encountering this problem...i.e. spam inserted into header, footer...what works best to prevent this?

    Thank you

  15. Anonymous
    Unregistered
    Posted 6 years ago #

    Hi there,
    each time I try to delete the spam, if I update the file, it just all reappears after first taking me to a new page with a list of all the crap that is now going to be in the header. I am a blogger novice and am not sure how to get this problem fixed.

    Thanks!

  16. mrmist
    Forum Janitor
    Posted 6 years ago #

    This thread is quite old. You may have been better off starting a new thread of your own.

    What version of WP are you running?

  17. Anonymous
    Unregistered
    Posted 6 years ago #

    Hi,
    I am using 2.0.5

  18. Anonymous
    Unregistered
    Posted 6 years ago #

    I am going to start a new thread on this subject, thanks mrmist.

Topic Closed

This topic has been closed to new replies.