
plugins - an open door for hackers? (12 posts)

  1. clivesgt
    Member
    Posted 7 years ago #

    hi
    my site keeps getting hacked and the mysql database changed or deleted. i keep reloading it and change all the user names and passwords only to have the site hacked again the next day.

    as far as i know i have taken all the precautions mentioned on the wordpress site.

    i wondered whether anyone has experience with installed plugins (or themes) that have been "doctored" to give vital information to the hackers? if so, how can we verify that these plugins or themes are legitimate?

    appreciate any input.

    thanks

    clive

  2. Daisyhead
    Member
    Posted 7 years ago #

    I'm not a developer or anything, but I have heard of instances where people load scripts into plugins for this purpose. However, I don't know if that's 100% true so I wouldn't take it for gospel.

    There was a thread a while back regarding this same issue. I'll look around and find the link for you.

  3. whooami
    Member
    Posted 7 years ago #

    clive.

    the blog in your profile?

    <meta name="generator" content="WordPress 2.0.5" />

    How can you possibly post a question like that when you haven't even taken the time it takes to UPGRADE?

  4. moshu
    Member
    Posted 7 years ago #

    BTW, "open doors"... don't leave open more than one topic ;)
    http://wordpress.org/support/topic/99831?replies=6#post-499247

  5. clivesgt
    Member
    Posted 7 years ago #

    sorry whooami but i am not used to upgrades coming out so fast and furious so i never bothered to look as i believed that i had the latest version. my mistake.

    so i upgraded to 2.1 and i thought all my troubles were over. everything worked and every day when i visited my site, there it was, like it should be. until this morning...when i visited my site i was greeted by a wordpress blog called "swastikroi" - he/she had hacked my site and deleted the database.

    as far as i can tell, the only change i made yesterday was to include the "safeinclude" plugin. seems more than a coincidence that everything worked well until i loaded this plugin.

    anyway, appreciate any comments by others who have had their 2.1 hacked.

    thanks

    clive

  6. scaturan
    Member
    Posted 7 years ago #

    talk to your host and see what measures they have in place to prevent or audit future attacks.

    you can upgrade WordPress to the latest and greatest version, but if your host is not competent to do their part to do their best to secure and monitor their services, you'll be on the same loop. :)

    and of course, a strong password, being selective of plugins and/or hardcoded modifications you install also helps.

  7. IcelandDream
    Member
    Posted 7 years ago #

    It is more likely that the server is insecure, not WordPress. If you google the domain you come up with a lot of Index pages giving the curious a lot of information they shouldn't have. The Apache version is old. There are likely directories with insecure settings. If the site is on a hosted server then someone with shell or directory access can read your config file and get to the database.

    I would be looking at the server setup and who can get to it from a site on the same server.

  8. wild26
    Member
    Posted 7 years ago #

    I've never had a WordPress blog hacked, and I am not the most diligent of updaters, either. I would agree with IcelandDream and say check with the host to see how secure the server is.

  9. clivesgt
    Member
    Posted 7 years ago #

    hi

    my host is startlogic.com - they say the problem is with my site (wordpress). they have the hacker safe certification certificate displayed. see quote below.

    i somehow believe the problem is with the plugins. thinking back to the time my site was hacked, i had re-activated safeincludes but i also had made a backup (using the backup plugin) and forgot to change the chmod of the backup directory which requires public or group access to write the backup. so i guess the hacker could have got in that way. i have since changed the chmod on that directory and have had no problems since.

    i guess the problem is not with wordpress itself but with the way i have been using the plugins - i.e. the security has been slack on the access given to some of the files and directories used by these plugins. so i guess i will be more careful from now on.

    here's the quote from the startlogic site's hacker safe certificate...

    HACKER SAFE CERTIFICATION 05-MAR-2007
    This site is tested and certified daily to pass the HACKER SAFE Security Scan. To help address concerns about hacker access to confidential data, the "live" HACKER SAFE mark appears only when a web site meets the HACKER SAFE standard.
    Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime.
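The two practical questions raised in this thread are how to tell whether installed plugins or themes have been altered (post 1) and how to catch directories left writable to group or world, like the backup directory in post 9. The script below is an added example, not code from the thread or from WordPress; it builds a SHA-256 baseline of every file under a WordPress tree, re-checks that baseline later to list modified, added and missing files, and audits the tree for group- or world-writable entries. The `run_demo` function constructs a throwaway tree with a hypothetical `example-plugin` and an over-permissive `wp-content/backup` directory so the whole thing runs offline; on a real site you would point `build_baseline` at `wp-content` right after a clean install or upgrade, store the result somewhere the web server cannot write, and run `compare_baseline` on a schedule.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash one file in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def find_loose_permissions(root: Path) -> list:
    """Return (relative path, octal mode) for entries writable by group or others."""
    loose = []
    for p in sorted(root.rglob("*")):
        mode = p.lstat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            loose.append((p.relative_to(root).as_posix(), oct(stat.S_IMODE(mode))))
    return loose


def run_demo() -> dict:
    """Constructed WordPress-like tree: baseline it, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Hypothetical plugin directory; names are made up for the example.
        plugin = root / "wp-content" / "plugins" / "example-plugin"
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php // constructed plugin stub\n")
        (plugin / "readme.txt").write_text("constructed readme\n")
        # Mirrors the backup directory left writable to group/world in the thread.
        backups = root / "wp-content" / "backup"
        backups.mkdir()
        os.chmod(backups, 0o777)

        baseline = build_baseline(root)

        # Simulate what an integrity check should catch after the baseline was taken.
        (plugin / "example-plugin.php").write_text("<?php // modified after install\n")
        (plugin / "dropped.php").write_text("<?php // file not in baseline\n")
        (plugin / "readme.txt").unlink()

        diff = compare_baseline(root, baseline)
        loose = [path for path, _ in find_loose_permissions(root)]
        return {"baseline_count": len(baseline), "diff": diff, "loose": loose}


if __name__ == "__main__":
    result = run_demo()
    print("files in baseline:", result["baseline_count"])
    for kind, paths in result["diff"].items():
        print(f"{kind}: {paths}")
    print("group/world-writable:", result["loose"])
```

The permission audit flags anything with a group or other write bit set, which is deliberately broad: on shared hosting the "group" or "other" writer may be another customer's account, which is exactly the route IcelandDream describes. Review each flagged path and tighten it to the narrowest mode the plugin actually needs rather than treating the list as noise.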

  10. pezastic
    Member
    Posted 7 years ago #

    A while back, I was using a fairly popular webhost provider that claimed a script was uploaded to my site via WordPress. The script was being used to send out enormous amounts of spam, and taking up a lot of bandwidth. Of course, they couldn't tell me what or where the script was. They said that was my problem - fix it, or my account would be terminated.

    Well, I saved them the trouble. I migrated my entire website to another provider and terminated my account with them. I haven't had a problem since. My bandwidth is nominal, right on with what would be expected.

    I know that the other provider was quick to jump the gun and accuse WordPress of being unsecure, let alone being too lazy to help fix "the problem". That may be the case with you, too. My advice would be to find another provider and avoid the hassle.

  11. bellatrix
    Member
    Posted 7 years ago #

    >>My advice would be to find another provider and avoid the hassle. <<

    May I ask, WHO do you suggest for a host?? My site has been hacked about 60 times. I switched from GoDaddy (the crappiest company I've ever dealt with) to another company, updated to 2.1, updated all my plugins, changed my permissions, etc. and they are STILL getting in.

    My hosting company says WordPress security is a nightmare, and I can't find any company that is secure! Any ideas?

  12. paul
    Member
    Posted 7 years ago #

    why not just use WordPress.com?

Topic Closed

This topic has been closed to new replies.
