Page 1 of 3 (results 1 to 10 of 28)

Thread: Site Hacked

  1. #1
    dgwyer, Tavern Regular
    Join Date: Jun 2010
    Location: London, UK
    Posts: 230

    Site Hacked

    Our site got hacked yesterday, which was a bit of a wake-up call. Just wanted to canvass others on what levels of protection/plugins etc. you use to prevent such attacks?

    I tried to password protect the wp-admin folder, but when I activate this in CPanel I then get a 404 error message when trying to access the WordPress admin. I gather this is something to do with WordPress permalinks (reading some similar WP forum threads)?

    I also installed the 'Limit Login Attempts' Plugin as an extra temporary measure.

  2. #2
    chipbennett, WordPress Legend
    Join Date: Feb 2009
    Location: St. Louis, MO
    Posts: 1,997

    Quote Originally Posted by dgwyer:
        Our site got hacked yesterday, which was a bit of a wake-up call. Just wanted to canvass others on what levels of protection/plugins etc. you use to prevent such attacks?

        I tried to password protect the wp-admin folder, but when I activate this in CPanel I then get a 404 error message when trying to access the WordPress admin. I gather this is something to do with WordPress permalinks (reading some similar WP forum threads)?

        I also installed the 'Limit Login Attempts' Plugin as an extra temporary measure.

    Some idiot in Amsterdam keeps trying to brute-force my "admin" username account on my primary site. I know, because I've gotten four "lockout" email notifications over the past couple of days.

    (And, yes: "admin" account. It's a bit of a honeypot. I've left it, as user ID 1, as "subscriber" user level. It attracts the script kiddies, and 1) keeps them from bothering with my real accounts, and 2) even if they brute-forced it, they'd get in, and not be able to do anything.)
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  3. #3
    Ipstenu, Big Tipper
    Join Date: Feb 2010
    Posts: 368

    One thing to bear in mind is you need to sort out what the vector of attack was.

    Most of my protection is server level. Mod Security, firewall stuff, securing my PHP settings, etc. I trust in the basic WP to be 'safe' from injections etc, keep tabs on my plugin security, and I use secure passwords.

  4. #4
    Ryan, WordPress Legend
    Join Date: Jan 2009
    Location: New Zealand
    Posts: 2,801

    We'd need more information about your site to be helpful.

    There are bazillions of attack vectors, but none of them should be usable if you are running on a secure host with an unmodified, up-to-date core (and no other software) and with secure plugins and themes.

  5. #5
    Ryan, WordPress Legend
    Join Date: Jan 2009
    Location: New Zealand
    Posts: 2,801

    The only thing I could see on your site that I knew was coded by you guys was the Twist of Ten theme, so I went to check out the code to see if there was anything odd in there, but it all seems fine bar a minor issue with the form validation of your admin page. But it's pretty minor and is a problem present in many other themes and plugins too, so it is highly unlikely to be causing the problem you experienced.

    When validating forms like you have done in the functions.php, it's generally best to only pass the specific input fields you intended to enter through the validation function, whereas what you have done is actually pass all of them through without filtering, except one.

    So the following:
    PHP Code:
    // Sanitize and validate input. Accepts an array, returns a sanitized array.
    function tot_validate_options( $input ) {
        // Strip HTML from textboxes.
        $input['front_page_message'] = wp_filter_nohtml_kses( $input['front_page_message'] );
        // Every other key in $input is returned untouched.
        return $input;
    }

    Should look something like this (note how $input goes into the function, but $output is what is returned):
    PHP Code:
    // Sanitize and validate input. Accepts an array, returns a sanitized array.
    function tot_validate_options( $input ) {
        $output = array();
        // Strip HTML from textboxes.
        $output['front_page_message'] = wp_filter_nohtml_kses( $input['front_page_message'] );
        // Only the keys explicitly copied into $output are saved.
        return $output;
    }

    You could also revalidate the options on serving them onto the admin page too, just in case something nasty was injected. Some people do this, some don't. And the skill level of those who don't is often quite high (i.e. Otto). Personally I err on the side of caution and prefer to over-sanitize the heck out of things like this just in case I screw up somewhere else, and can at least mitigate the damage done if something does get hacked. To revalidate them you would just change the following line in your functions.php file:
    PHP Code:
    <?php $options = get_option( 'tot_options' ); ?>
    to this:
    PHP Code:
    <?php $options = tot_validate_options( get_option( 'tot_options' ) ); ?>

    As an aside (unrelated to security issues), you also use get_bloginfo( 'stylesheet_directory' ) whereas the recommended function is get_stylesheet_directory_uri() or get_stylesheet_directory() I think. You also have if ( ! function_exists( 'twistoften_setup' ) ): wrapped around one of your functions, which I find confusing since I wouldn't have thought that function would be present in anything but that theme.
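    As an added illustration of the whitelist pattern Ryan describes above (example code, not from the Twist of Ten theme or the thread): the sanitizer starts from an empty $output array and copies in only the option keys it knows, each through a sanitizer suited to the field's type, so any extra key smuggled into the settings POST is silently dropped. The option keys other than front_page_message, and the fallback definitions of the WordPress functions so the script runs outside WordPress, are assumptions.

```php
<?php
// Added example: whitelist-style sanitizer for a theme options array.
// Fallbacks so the file runs outside WordPress (assumption: inside
// WordPress the real wp_filter_nohtml_kses() and absint() are used).
if ( ! function_exists( 'wp_filter_nohtml_kses' ) ) {
    function wp_filter_nohtml_kses( $data ) { return strip_tags( $data ); }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $n ) { return abs( intval( $n ) ); }
}

// Keys other than front_page_message are assumed for illustration.
function tot_validate_options( $input ) {
    $output = array(); // Start empty: nothing passes through by accident.

    // Plain textbox: HTML stripped.
    $output['front_page_message'] = isset( $input['front_page_message'] )
        ? wp_filter_nohtml_kses( $input['front_page_message'] ) : '';

    // Numeric field: coerced to a non-negative integer.
    $output['posts_per_row'] = isset( $input['posts_per_row'] )
        ? absint( $input['posts_per_row'] ) : 1;

    // Checkbox: only ever '1' or '0'.
    $output['show_sidebar'] = ! empty( $input['show_sidebar'] ) ? '1' : '0';

    // Select: accept only a value from the known list, else the default.
    $allowed = array( 'light', 'dark' );
    $output['color_scheme'] = ( isset( $input['color_scheme'] )
        && in_array( $input['color_scheme'], $allowed, true ) )
        ? $input['color_scheme'] : 'light';

    return $output; // Unknown keys in $input never reach the database.
}

// Constructed sample: a tampered settings submission with markup in the
// textbox, out-of-range values, and an extra key the form never offered.
$submitted = array(
    'front_page_message' => 'Welcome <script>alert(1)</script>',
    'posts_per_row'      => '-3',
    'show_sidebar'       => 'yes',
    'color_scheme'       => 'blue',
    'injected_key'       => '<b>not a real option</b>',
);
print_r( tot_validate_options( $submitted ) );
```

    Running it shows only the four whitelisted keys in the result, with the script tag stripped, posts_per_row coerced to 3, show_sidebar reduced to '1' and color_scheme reset to 'light'.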

  6. #6
    Ryan, WordPress Legend
    Join Date: Jan 2009
    Location: New Zealand
    Posts: 2,801

    I can see a major security flaw in one of the plugins you are using which would allow someone to launch an XSS attack on you if you had allowed them editor access. I'll PM you with the name of the plugin.

    EDIT: Sorry, it turns out that plugin has now been fixed.

  7. #7
    Ryan, WordPress Legend
    Join Date: Jan 2009
    Location: New Zealand
    Posts: 2,801

    Ok, via one of your plugins (with editor access) I can inject the following into your site.

    <script>alert('you have been hacked');</script>

    However, it is being injected into a link tag which I'm having difficulties breaking out of. But I'm sure someone with more technical knowledge (or a little more caffeine in their system) could figure out how to hack you via that fairly easily.

  8. #8
    dgwyer, Tavern Regular
    Join Date: Jun 2010
    Location: London, UK
    Posts: 230

    Quote Originally Posted by chipbennett:
        And, yes: "admin" account. It's a bit of a honeypot. I've left it, as user ID 1, as "subscriber" user level. It attracts the script kiddies, and 1) keeps them from bothering with my real accounts, and 2) even if they brute-forced it, they'd get in, and not be able to do anything.

    Good idea about leaving the 'admin' account at subscriber level! I will do that.

  9. #9
    dgwyer, Tavern Regular
    Join Date: Jun 2010
    Location: London, UK
    Posts: 230

    Quote Originally Posted by Ryan:
        Ok, via one of your plugins (with editor access) I can inject the following into your site.

        <script>alert('you have been hacked');</script>

        However, it is being injected into a link tag which I'm having difficulties breaking out of. But I'm sure someone with more technical knowledge (or a little more caffeine in their system) could figure out how to hack you via that fairly easily.

    Thanks Ryan, I'll check it out. I would have thought such a plugin with massive download stats would be a little more secure!

  10. #10
    Ryan, WordPress Legend
    Join Date: Jan 2009
    Location: New Zealand
    Posts: 2,801

    There is an entire forum thread here dedicated to that issue. It doesn't look like it will ever be fixed.
