• Hi there,

    One of my users on my site, who was Author appeared to become Admin. The next day he passes me and says ‘You’ve got a security flaw’, but now I’m trying to work out what on earth is going on.

    How can I stop this, because he isn’t the kind of employee I can trust as admin on my site. He won’t give me a hint on how he did it, or what the bug is – he’s one of those pesky students trying to make a statement.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Hello,

    You can delete unwanted admin account.
    Follow this link: https://wordpress.org/support/topic/how-do-i-delete-the-admin-account?replies=4

    Thread Starter Annandale Apps

    (@annandale-apps)

    I don’t want him to be deleted, but rather I don’t want him to become admin again.

    ….It’s debatable if he’s not the kind of guy you can trust. I’d think that you could trust him. Why would he tell you that he cracked your site otherwise?

    Here’s a brilliant suggestion: Why don’t you ask him how he did it? Then you can fix it.

    Seems like he may have the answer you’re looking for…..

    Just my, often unwanted, opinion,
    Chad

    If you do ask him and you fix it – please post the solution here so others can find this in the future….For when they don’t have the luxury of asking the guys who broke in….

    I just re-read my last post and it sounded rude I think…That was unintended. Apologies.

    What I meant was that I think you’d just tell him that you’re impressed (feed his ego) and want to know how he did it…

    I’ve been that cocky student – I would have been honored to have a person ‘above me’ ask for my assistance…..He just needed to let you know you needed some assistance. 🙂

    Anyway – no hard feelings – sorry for the quasi-rude last post.

    Thanks,
    Chad

    Thread Starter Annandale Apps

    (@annandale-apps)

    I certainly didn’t read it as rude, so no worries there.

    I agree that he’s the only one who knows the exact answer, so I’ll just have to (as you say) feed his ego.

    I’ll meet him tomorrow, but in the meantime I’ve installed about a dozen security plugins, Admin SMS dual-authentication and so-on.

    If there is a security flaw in my website, I’d rather find out from a student/colleague with an ego, than a real hacker trying to steal my website.

    Cool! Looking forward to hearing how he did it!

    I’m following along with this post – you sure you don’t just have your UN and PW written somewhere that he can get to it? A file on the desktop named “wordpress_password.txt” or something…LoL!

    Have a good day,
    -Chad

    Yes it is a possibility.

    Did you try Menus –> Change role back to author

    Then try changing your administrative account password, hosting control panel password, FTP password, and all email account passwords related to the website.

    Regards,

    Thread Starter Annandale Apps

    (@annandale-apps)

    OK. I found out in the end.

    Authors can upload files into the media library, and that’s where the weakness was. He uploaded a particular file that roots around the website, finds weak points and essentially hacks it. From this, he could basically set up the website as if it were being installed for the first time, and create an admin account as the creator of the website.

    He’s a little cheeky monkey, but I did get to the source of the issue. Basically, he was only able to do this because he already had Author access to the site. He couldn’t have uploaded a file to the media library if he had just been a subscriber.

    Since then though, I’ve installed a raft of security plugins, only let .png and .jpg files be uploaded, and added a rather cool Dual-Authentication SMS code generator, which basically texts me a code every time an admin tries to log in (very cool).

    All of which means that he won’t be able to sneak in again.
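The upload restriction described above, as an added example that is not part of this thread or of WordPress itself: a small must-use plugin (assumed to live in wp-content/mu-plugins/) that limits media-library uploads for everyone below Administrator to PNG and JPEG, and rejects any filename carrying an executable extension regardless of role.

```php
<?php
/**
 * Plugin Name: Restrict Author Uploads (example, not from the thread)
 * Description: Only PNG/JPEG uploads for non-administrators; no executable extensions for anyone.
 */

// Narrow the allowed MIME list for users who cannot manage options
// (Author, Editor, Contributor). Administrators keep the default list.
add_filter( 'upload_mimes', function ( array $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {
        return $mimes;
    }
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
    );
} );

// Second check on the file itself: block executable extensions anywhere in the
// name (catches double extensions such as image.php.png) and verify that the
// detected type really is PNG/JPEG for non-administrators.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $blocked = array( 'php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'cgi', 'pl', 'py', 'sh' );
    $parts   = array_map( 'strtolower', explode( '.', $file['name'] ) );
    array_shift( $parts ); // drop the base name, keep every extension segment
    foreach ( $parts as $ext ) {
        if ( in_array( $ext, $blocked, true ) ) {
            $file['error'] = 'Executable file types are not permitted in the media library.';
            return $file;
        }
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
        if ( ! in_array( $check['type'], array( 'image/jpeg', 'image/png' ), true ) ) {
            $file['error'] = 'Only PNG and JPEG images may be uploaded.';
        }
    }
    return $file;
} );
```

Setting `$file['error']` makes WordPress abort the upload and show that message in the media uploader.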

    This says it all:

    How can I stop this, because he isn’t the kind of employee I can trust as admin on my site. He won’t give me a hint on how he did it, or what the bug is – he’s one of those pesky students trying to make a statement.

    Not to sound alarmist but to be realistic; If the explanation regarding how the flaw was exploited was explained to you as presented, it’s most likely an intentional oversimplification of what’s actually been done on the server.

    My personal response would be that all access for this individual should be firmly denied, and if the server the site sits on provides shared resources in an academic or corporate environment – or is on shared public hosting (you should assume it’s still compromised in any event) – you should make the appropriate contacts within your IT department or hosting support staff to ensure the continued safety of any other resources or sites on the server.

    This type of intentional compromise and attitude should not be viewed as a trivial matter.

    Just my opinion, mind you.


The topic ‘A user has become admin’ is closed to new replies.