Recently there have been several injection exploit attacks on WordPress sites at specific hosting companies. GoDaddy, Network Solutions, and most recently Media Temple hosted sites were targeted.
Cleaning all this up requires knowing what to look for and finding it file by file, including every row in the database. A hugely daunting task when you manage as many WordPress installs as we do. Even though we’d taken a lot of precautions, we still got sucked in. I signed up for service on Sucuri.net, a security consulting firm that scans and restores sites that have been attacked with malware. I spent all weekend working with it. The team at Sucuri went above and beyond to get me the information and tools I needed to get up and running quickly, and their support team was helpful and responsive even outside of their posted support hours.
After running the scripts they gave me I spent the rest of the weekend tightening up all of the installs and making it at least a little harder to hack in. I know it’s not going to stop a dedicated hacker attack, but something more random might bounce off and Sucuri will let me know the minute it happens again so I can deal with it.
Now I have to say that although Media Temple initially sort of threw up their hands and passed the buck to WordPress, when they realized the damage it was going to do to their reputation they stepped up and created a bunch of support docs, and the Media Temple support team made every effort to answer calls. That said, many clients reported 30 minute or longer support queues, which is not at all common on Media Temple.
Bottom line: it could have been any server. Maybe it could have been handled differently, but it IS true that not updating often enough and being a bit sloppy about making your WordPress install secure is asking for trouble.
So, enough griping.
The fact is some of us have been lazy about security and that’s gotta stop now. It took me many hours of stress to resolve this, and a lot of frantic client calls in between. These kinds of things happen, and as WordPress is so popular, PHP based AND open source, it’s bound to happen again. Should you change blogging platforms? Probably not. It could happen to any of them. So I’m sharing with you what I did to resolve it, how to know if something happens again, and some steps to take to make WordPress secure. At least a little more secure than a standard install.
Set up an account with Sucuri
At least you’ll know when it happens the next time and the team at Sucuri will help you solve it before you lose everything.
Although Media Temple implied that this didn’t happen on up-to-date installs, that’s not true. I had updated several blogs to the most recent version and they still got hit. Still, update frequently. Here’s how to know when to update WordPress.
Admin user name
It used to be the default for the admin username to be “admin”. WAY too easy to guess, and then all they have to do is figure out the password. Set up a new user and give that user admin permissions. Then demote the old “admin” user to subscriber, or if you haven’t got any posts associated with the admin user, delete it.
Using the default “wp_” prefix on your database table names (wp_posts, wp_users and so on) is asking for trouble, because every automated attack already knows those names. Many hosts give you the option of choosing a different prefix when you create the database. Avoid using wp_ at all costs.
Login LockDown
Doesn’t it make sense that you don’t want an unlimited number of login tries from the same IP address? That’s a common way for a hacker to find your password. This plugin blocks an IP after a set number of failed tries.
Secure WordPress Plugin
This plugin removes markup that makes it easy for a bot to identify a site as WordPress. It removes the version number everywhere except the admin area, sets permissions so only the admin is able to update plugins and themes, and does a slew of other things. They also offer a free security scan as well as a paid service at SiteSecurityMonitor.com.
Windows Live Writer
This is notoriously vulnerable, and so it makes your WordPress install vulnerable too. Learn how to use WordPress and you won’t need it.
Do regular backups of your database and your themes. That way, if you have to restore them, you won’t lose too much. If you’re using Amazon S3 there’s a great plugin that backs up directly to Amazon: WP S3 Backups.
Add a robots.txt file so search robots don’t index folders they don’t need to.
Here’s an example:
User-agent: *
Disallow: /spamming/
Disallow: /wp-content/
Disallow: /wp-includes/