That would lend credence to the claims that the problem was a shared hosting vulnerability rather than WordPress itself.
This certainly doesn't seem to be isolated to Media Temple. Chris Pearson was hit with a similar hack (nothing wrong to the naked eye but Google sees all sorts of spam) while on vps.net I believe. A few other sites have reported similar issues & none were on MT.
While most WP hacks do usually spread much quicker, I think using the lack of widespread hacks as the main reason to NOT blame WordPress is a pretty thin defense.
WP might end up not being the culprit here but I think we all have to admit that it's earned a reputation of being hit pretty often. Suspecting this is a WP issue isn't out of line or some sort of insult to everyone that works on the project.
To be honest, I find the "it's not our problem" attitude displayed in this thread a little troubling.
On the more helpful side of things has anyone that has been affected checked their .htaccess file?
It could also be a plugin that is used by all the affected sites.
I'm finding a LOT of sites being hit by this, even some Joomla sites. Is it common for the two platforms to share exploits? Does this suggest it's perhaps a php issue not JUST a WordPress issue?
There's a difference between *targeting* WordPress sites and WordPress having an exploit.
it's good at getting picked up in search engines.
It's popular.
Those two things right there are why hackers do this. There's no point in them hacking flat HTML files on obscure sites, nobody uses them and it's easily found.
This thread is a month old, and since it started, I did have a client with a similar issue. It was not WordPress, I could find no evidence. People forgot that it's a LOT easier to get into someone's ftp account than it is WP.
Especially if what the hackers are doing is changing theme files.
How many ways can you access theme files? Oh right, a few - right outside of WP. And if they are adding extra files and folders deep down in the WP file system - well, it's where you never look, and once again - it's outside of WordPress.
They're relying on the general user's lack of knowledge about where these things are and how WP works.
There are plenty of unsecure themes & plugins too. That does not mean WP itself is the cause. It's a correlation here, not a causation.
I had another friend who had a similar issue, but the hackers screwed up so his themes whitescreened on him. Guess what? They got in via his computer. Then they got in to his server by snagging his ftp creds.
They can mess with your database because once they are in to your server, they can simply read your config file same as you do. And there's your db username & password.
While I do need usernames & passwords to work on client sites, sometimes I am surprised at the ease with which people give them up. I've had strangers email me out of the blue, looking for free help & emailing me every username & password they have. A lot of the time, it would have taken me maybe 5 minutes to figure out their password anyway. Which they've reused everywhere.
If it's wordpress itself, I'll eat my hat. But if they are doing the exact same thing on Joomla sites? Then it's not WordPress.
cPanel is also a big target, not just ftp. Anyone research any cPanel vulnerabilities yet?
Now, on the two sites I listed above, I didn't have access to any server logs (and 1 he knew how they got in). On any of the sites affected lately, has anyone done any cross-referencing of their access logs? That would be where you start. They tell you all kinds of interesting happenings.
Yeah, I've reached out to a few of the people that have been hit & asked them to pull their server logs. I'll let you know if/what I find out.
There's definitely a distinction between WP being the source of the issue & WP being the target, but it would seem to me if large amounts of WP sites are being hit, it's something the WP community should try to nail down & fix, rather than saying "well, WP isn't the source so it's no big deal."
It sounds like at least a few people have had clients with this issue & cleaned the site somewhat effectively (without recurrence). That just seems like info that should be shared openly in the community rather than hush hushed because it might inspire some more people to try the hack in the first place.
No, I think you've got your assumptions all wrong there. :)
> rather than saying "well, WP isn't the source so it's no big deal."
We're not saying it's no big deal. I for one am just trying to downplay the whole "OMGBQQQ WORDPRESS IS A HACKER'S DELIGHT!!! ELEVENTY!!!" tweets & such going around. Because then I get more direct inquiries from people asking what they need to fix on their WordPress sites, who are worried for no reason.
> That just seems like info that should be shared openly in the community rather than hush hushed
So... you think I am purposely not sharing basic good server management techniques? Do we have a raised eyebrow smiley here?
C'mon... do I need to broadcast how it is not a good idea to use the login "admin" and password "passw0rd" as BOTH your wp login AND your FTP/cPanel logins?
Yes, I have seen people do this. Yes, I bonk them over the head and tell them not to.
If you're running a decent web site, at some point you have to learn how to manage your webspace. Logs are there for a reason, learn how to read them. If you're reading logs and it shows a large number of proxy connections at the exact same timestamps that your site gets hit with spam... well, you don't have to be an expert to see that maybe you should block proxy connections. Same as a large number of login attempts from a similar range of IP addresses where you're the only user and it's not your IP. Duh, ban that IP range. Lock down access to certain areas of your site based on your IP only then.
That is not WordPress, that is server management. These are not top secret things to do. The reason hacks occur is because hackers know most people do not do these things.
And scan your own Windows box for viruses. If you re-read my post above, I just stated one person had a virus on his own computer that did it.
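One way to do the log check described above (many login attempts from one IP range that is not yours), as an added example that is not part of the original thread. It assumes Apache combined-format access logs and the default /wp-login.php path; the sample lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache combined log format (documentation IP ranges only).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2010:04:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2010:04:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2010:04:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.201 - - [12/Mar/2010:04:11:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.10 - - [12/Mar/2010:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.10 - - [12/Mar/2010:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.10 - - [12/Mar/2010:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Mar/2010:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2010:11:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is truncated or corrupt
"""

# client, ident, user, [timestamp], "METHOD URL PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def suspicious_ranges(log_text, owner_ip, threshold=3, prefix=24,
                      path="/wp-login.php"):
    """Count login POSTs per IPv4 range, skipping the site owner's own
    address, and return {network: attempts} for ranges at or above threshold."""
    owner = ipaddress.ip_address(owner_ip)
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it instead of crashing
        client, _ts, method, url, _status = m.groups()
        if method != "POST" or url.split("?", 1)[0] != path:
            continue
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue  # client field holds a hostname, not an address
        if ip == owner or ip.version != 4:
            continue  # this sketch groups IPv4 only
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hits[str(net)] += 1
    return {net: n for net, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for net, n in suspicious_ranges(SAMPLE_LOG, "198.51.100.10").items():
        print(f"{net}: {n} login attempts, candidate for a block rule")
```

The threshold and the /24 grouping are starting points; on a real log, compare the flagged ranges against the timestamps of the spam or file changes before blocking anything.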
The WordPress community can realistically only fix WordPress issues. The problems you're talking about are basic server management issues. Running a server is a full-time job for a lot of people, you're not going to be able to distill that down to something a dilettante can reasonably grasp and implement.
It's not really a matter of keeping things quiet so much as that computer and network security is a highly complex topic that you can't put into a few paragraphs on a forum or a webpage. People learn for years how to do just some of that sort of thing.
I mean, explain your entire job and everything you do in, say, three paragraphs. Can't do it, can you? Books... hell, whole libraries exist on this sort of topic. You're just not going to be able to cover the whole thing; not even a little bit of the whole.
I agree.
What do you do? Tell someone to go listen to all three-plus years of the SecurityNow! podcast? Even then, not much of what Andrea said above would be necessarily explicit.
Though, I wonder if a well-written Codex article on server management best practices wouldn't at least be a start?
WP TurnKey - Turn-Key WordPress installation and maintenance services
WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins