
WordPress Appears To Have Been Compromised

 

WordPress is extremely popular, and therefore popular with hackers as well. It is your responsibility to keep your scripts up to date to help prevent hacking.
 
In many cases where sites running WordPress have been hacked, the following has been found:
 
1. cPanel usernames were created automatically during account setup. For example, if you have mydomain.com, the username would be "mydomain". This isn't a major security issue, but it's highly recommended to set something rather different, for example "dommy2".
 
 
2. The cPanel password was easy to guess. We saw the following passwords (reported via the support desk): "password", "Myblog1i", "sunshine17", "mycpanel" etc. Passwords must be created with the Password Generator tool provided by either cPanel or WHM. Also, you must change your password every 3 months.
 
 
3. The WordPress database name was weak, something like "username_wordpress". When you add a new database, you should choose a name not related to the content, for example username_blog27i. For a strong username, please see #1 in this article. So the final database name would look like "dommy2_blog27i".
 
 
4. The WordPress database USERNAME (the username used to connect to the DB) was weak. It's a good idea to create a strong username like "tr128q45". Please avoid special symbols like !@$%&" inside database names. You can use lower case letters and numbers.
 
 
5. The WordPress database password was EXTREMELY WEAK. In about 60% of reported security issues, we saw these passwords: "password" and "pass123". Please use the password generator tool even for the DB user's password. A strong password looks like this: @$124&^@!~11mrQ
 
 
6. WordPress security keys in 90% of reported cases were left at the default "put your unique phrase here". This is a huge mistake! You must use this key generator tool: http://api.wordpress.org/secret-key/1.1/
 
 
7. Wrong permissions on files and folders. In about 30% of reported cases, we noticed wrong permissions: 666, 757 and even 777. Correct permissions for all files: 644 (including PHP files); folders: 755. If you don't know how to set them, let us do it!
 
 
8. In about 10% of all reported cases, we found old wp-config.php files, some even in .txt format. Those must be removed at once (basically, all unneeded old files and directories must be removed).
 
 
9. Backup files were located on the server. It's illegal and insecure to keep them on the same website. You can generate a full cPanel backup via cPanel > Backup > Generate full backup, then download it to your personal computer. After that, it's important to remove the backup file via FTP!
 
 
10. Most customers were accessing cPanel over insecure channels, for example http://domain.com:2082. The secure ports are: 2083 (cPanel), 2087 (WHM) and 2095 (webmail).
 
 
11. Some customers stored passwords inside their browsers. You should really avoid storing such data inside any browser, for security reasons.
 
 
12. In about 20% of cases, end users' computers were infected with a Trojan horse. If your computer restarts, loads slowly, doesn't open some pages or acts weirdly, you should disconnect it from the internet at once, go to the store and find reliable AV software such as "Norton Suite" or "AVG Free". If you think that finding (or not finding) a virus is the important task, you're wrong. The most important task is to resolve VULNERABILITY ISSUES. Most customers get infected even if they run the latest antivirus and firewall software. Viruses usually get in through insecure applications (FrontPage, Outlook, Java etc).
 
13. The admin username CANNOT be "admin"! Please log in to cPanel > phpMyAdmin > select the WordPress database, then "users". There you can set a secure username for the wp-admin interface.
 
 
If you have any questions, or if you need ANY assistance with site security, we're here to help. Do not delay. Do not wait until you get reported or suspended.
 
 
We have also decided to keep old backups (generated about a week ago) for an additional 60 days (until December 9th 2010) on an external backup server. Please keep in mind that a backup restore will cost $10 per website. If you have your own good backup, the restore is free (a full cPanel backup can be restored by the system admin only).
 
 
 
How to secure a WordPress blog: http://codex.wordpress.org/Hardening_WordPress
 
 
How to secure a WordPress Blog - Quick Guide
 
 
1. Change the site password using the Password Generator tool provided by WHM or cPanel (don't forget to log out, close the browser, wait 30 seconds, then log back in with the new password);
 
 
2. Remove the MySQL user for the WordPress blog, then add a new one with a STRONG password, again using the Password Generator tool within cPanel. Example of a good username: 17w4r1 (the full username will look like si7te1ty_17w4r1, where si7te1ty is the cPanel username and 17w4r1 is the username for the DB, matching the form in #3 above). Example of a strong password: Rx[f08_*&{bh. PLEASE DO NOT USE THESE USERNAMES AND PASSWORDS. YOU MUST USE YOUR OWN.
 
 
3. Add the new MySQL user to the MySQL database via cPanel with all privileges.
 
 
4. Add the new username and password to the wp-config.php file.
 
 
5. Set permissions (chmod) on wp-config.php to 400.
 
 
6. Move the wp-config.php file outside your root directory (ONLY 1 level up). For example, if you installed WordPress within the public_html folder, you can move it one level up to /home/si7te1ty (where "si7te1ty" is the cPanel username); WordPress looks for wp-config.php in the directory above its own when it is not found in the install directory.
 
 
7. Update WordPress (all files). You should always use the official source: http://wordpress.org
 
 
8. Update all themes (WP templates). It's very important to keep them up to date. You must remove all themes which are NOT in use.
 
 
9. Make sure your plugins are always updated. Also, if you are not using a specific plugin, make sure to delete it from the system.
 
 
10. Log in to cPanel > Password Protect Directories, then protect the "wp-admin" directory with a strong username and password. Please do not set the username to "admin"! Note: this step might break some WordPress functionality, because the Ajax handler wp-admin/admin-ajax.php and other files can't be accessed without the password.
 
 
11. Generate a full cPanel backup, then download it to your personal computer. Do not keep backups on your websites!
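To check a site against the findings above (items 6 to 9: default security keys, file and folder permissions, stale wp-config copies, backups left in the web root) and steps 5 and 6 of this guide (wp-config.php set to 400, possibly moved one level up), here is an added read-only audit script. It is an example written for this article, not a cPanel or WordPress tool; the wp_audit name is ours, and the 644/755/400 expectations are the ones this guide gives.

```shell
#!/bin/sh
# Added example (not from the original article): audit one WordPress document
# root for the findings listed in this article. Read-only; changes nothing.
# Usage: sh wp_audit.sh /home/USERNAME/public_html   (exit status = findings)

wp_audit() {
    root=$1
    n=0

    # Quick guide step 6 may have moved wp-config.php one level above the root.
    cfg=$root/wp-config.php
    [ -f "$cfg" ] || cfg=$root/../wp-config.php

    # Item 6: security keys still set to the WordPress default phrase.
    if grep -q 'put your unique phrase here' "$cfg" 2>/dev/null; then
        echo "KEYS: $cfg still contains 'put your unique phrase here'"
        n=$((n + 1))
    fi

    # Quick guide step 5: wp-config.php should be 400, i.e. not world-readable.
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "PERM: $cfg is world-readable (expected 400)"
        n=$((n + 1))
    fi

    # Item 7: every file 644 and every folder 755 (wp-config.php handled above).
    # Note: the for loops split on whitespace, so paths with spaces are not handled.
    bad=$(find "$root" \( -type f ! -perm 644 ! -name wp-config.php \) \
                       -o \( -type d ! -perm 755 \) 2>/dev/null)
    for p in $bad; do echo "PERM: $p is not 644 (file) / 755 (folder)"; n=$((n + 1)); done

    # Item 8: stale copies such as wp-config.php.txt, wp-config.php.bak, wp-config-old.php.
    # wp-config-sample.php ships with WordPress, so it is not reported here.
    old=$(find "$root" -name 'wp-config*' ! -name wp-config.php ! -name wp-config-sample.php)
    for p in $old; do echo "OLD: stale config copy $p should be deleted"; n=$((n + 1)); done

    # Item 9: cPanel backups (backup-*.tar.gz), archives or SQL dumps inside the web root.
    bk=$(find "$root" -type f \( -name 'backup-*' -o -name '*.tar.gz' \
                                 -o -name '*.zip' -o -name '*.sql' \))
    for p in $bk; do echo "BACKUP: $p should be downloaded, then removed"; n=$((n + 1)); done

    [ "$n" -eq 0 ] && echo "OK: no findings in $root"
    return "$n"
}

if [ $# -gt 0 ]; then wp_audit "$1"; exit $?; fi
```

Run it once before and once after working through the guide; a clean run prints "OK" and exits with status 0.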
 
 
It's a good idea to resolve local vulnerability issues by scanning your personal computer.
 
Please reset your site password every 3 months. You must also update your WordPress blog as soon as a new version is released. WordPress is the most popular script, so it's attacked a lot. Once you install it, you must dedicate some time to maintaining it.

 
