WordPress Security Issues Lead To Hacking?

Due to its popularity as a blogging platform, WordPress has become a prime target for hackers looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic-redirection and other purposes. Recently there have been spates of automated attacks which take advantage of recently discovered security vulnerabilities in WordPress.


To date, WordPress has been keeping up with the security holes by releasing updates within a few days of new exploits being found, but in the past few days new exploits have appeared that nobody seems to have answers for.

The common results of a successful attack are that a backdoor is installed (meaning the hacker can go back in and enter your blog at a later date), passwords for all users are downloaded, or spam pages are generated. At that point, you are no longer in complete control of your blog, including all the content and anything else in the same database that the WordPress install has access to.

Hackers take advantage of the open-source nature of the software to analyze the source code and test it for potential vulnerabilities. It is then left to developers and users to detect, track down, and close off the vulnerabilities in the code that attackers are using. The pattern seems to be that when a new hole is found, it is broadly exploited, and then the developers rush out a patch and a new release. Thankfully most of the damage inflicted by the automated exploits can be reversed with an upgrade, though in some cases you can be left with thousands of pages and images to clean up (and they are usually well hidden).

For users of WordPress, backups are essential, as are frequent updates, monitoring your blog usage and tracking the official WordPress blog and other blogs for news of any new security holes. There are also plenty of guides and applications available that can assist a site owner in further securing their blog.


Business Seo Solution guide to protecting your WordPress website

WordPress is without doubt the most popular CMS at this moment in time, dwarfing other options such as Joomla and Drupal. This is a good thing for WordPress: it now has a very large and active community contributing plug-ins, themes and fixes. But the growth has its bad points too. When anything becomes this big, people will find ways to attack the CMS in question for whatever reason they see fit.


One of the most neglected ways of keeping your install safe is updating it when updates become available, which ensures all of the latest patches and fixes are applied to your site. (You can also remove the readme.html and license.txt files from the root directory, as they display the version number of WordPress you have installed.)

Some tips provided by Business Seo Solution to secure your WordPress Site:

WordPress as a whole (a website management platform) is very well designed. It doesn’t have any glaring security issues that a beginning programmer could exploit. The problems arise when you tweak your installation of WordPress by adding new plugins or themes, implementing hacks, or doing anything else that interferes with WordPress.

Aside from plug-ins, there are a number of additions you can make to your .htaccess file which, in conjunction with plug-ins and regular updates, will tighten up your site’s security and give you that extra level of protection. wp-config.php is the file in your root directory that stores information about your site as well as the database details; this file in particular must not fall into the wrong hands.

You can limit who can access your admin folder by IP address. To do this, create a new .htaccess file in your text editor and upload it to your wp-admin folder. If the same IP address keeps trying to access your content or brute-force your admin pages, you can ban that address using .htaccess with a simple snippet:

<Limit GET POST>
order allow,deny
deny from 202.090.21.1
allow from all
</Limit>

As WordPress is now so popular, many people know the structure of a WordPress install and know where to look to discover which plug-ins you use, or any other files that might give away too much information about your site. One way to combat this is to prevent directory browsing. The wp-content folder contains images, themes and plug-ins and is a very important folder within your WordPress install, so it makes sense to prevent outsiders from browsing it.


WordPress Vulnerabilities

As we all know, running a WordPress-based website is often a pleasure, enabling you to focus on content and on building relationships with readers and other websites.

Half of the WordPress sites out there are self-hosted, which means that the WordPress administrator carries the main share of responsibility for a secure installation. Out of the box, there are several ways that WordPress security can be tightened down, but only a fraction of sites actually do so. This makes WordPress an even more popular target for hackers.

However, not everyone on the web is as friendly as you. Somewhere out there is a list with your blog’s name on it, where it sits waiting to be targeted by hackers. When they get around to your blog, they’ll try various tactics to gain access to it, perhaps with the aim of selling legal drugs or infecting your visitors’ computers with malware.

Here is a list of top WordPress vulnerabilities:

  1. SQL Injection & URL Hacking: WordPress is a database-backed platform that executes server-side scripts in PHP. Both of these characteristics can make WordPress vulnerable to malicious URL insertion attacks. Commands are sent to WordPress via URL parameters, which can be abused by hackers who know how to construct parameters that WordPress may misinterpret or act on without authorization.


SQL injection describes a class of these attacks in which hackers embed commands in a URL that trigger behaviors from the database. (SQL is the command language used by the MySQL database.) These attacks can reveal sensitive information about the database, potentially giving hackers an entry point to modify the actual content of your site. Many of today’s web site defacement attacks are accomplished by some form of SQL injection.

Most WordPress installations are hosted on the popular Apache web server. Apache uses a file named .htaccess to define the access rules for your web site. A thorough set of rules can prevent many types of SQL injection and URL hacks from being interpreted.

  2. Access to Sensitive Files: A WordPress install has a number of files which you don’t want unauthorized persons to access. These files, such as the WordPress configuration file, the install script, and even the “readme” file, should be kept private.

As with preventing URL hacking, you can add commands to the Apache .htaccess file to block access to sensitive private files.

  3. Default Admin User Account: WordPress installs include an administrator user account whose username is simply “admin”. Hackers may try to log into this account using guessed passwords.

Any element of predictability gives hackers an edge. Instead, log into WordPress and create a new user with an unpredictable name. Assign administrator privileges to this user. Now delete the account named “admin”. A hacker would now need to guess both the username and the password to gain administrator access, a significantly more challenging feat.

  4. Default Prefix for Database Tables: The WordPress database consists of numerous tables. In many WordPress installs, these tables are named with a default prefix that begins with “wp_”. For hackers, the ability to predict anything provides an extra advantage.

An easier way to change table prefixes for an existing WordPress installation is by using the plug-in named Better WP Security. This plug-in contains several defenses, including some discussed elsewhere in this article, with a simple point-and-click interface to change your table names to include a randomly generated prefix.

  5. Brute-Force Login Attempts: Hackers often rely on automated scripts to do their dirty work. These scripts can make numerous attempts to log into your WordPress administration page by trying thousands or millions of combinations of usernames and passwords.

With a limit on failed login attempts in place, a successful brute-force attack against a strong password effectively becomes impossible, because the hacker can never try enough variations (or rather, it would take many years of continuous attempts).

Two WordPress plugins that let you enforce a login limiter are Limit Login Attempts and the aforementioned Better WP Security.


.htaccess tips to secure your WordPress sites

The .htaccess file is the easiest and the cheapest (actually it’s free!) way to secure a WordPress blog. The .htaccess file is a configuration file for web servers running the Apache Web Server software. When a .htaccess file is placed in a directory that is served by Apache, the server detects it and applies its directives. It is often used to specify the security restrictions for that particular directory.

Here are some tips by Business Seo Solution, a cheap SEO service provider:

  • Restrict Access to the WP Admin directory by IP Address: If you are running a simple website, there is no reason to allow others to access the WordPress administration panel. You can protect your WP admin from unauthorized access by listing your static IP address in the .htaccess file.
  • Disable Hotlinking: Sometimes another site may directly link images from your site. It saves hard disk space by not having to store the images, but your site ends up serving the requests for them, thus using up your precious bandwidth.
  • Stop Spammers: There are a number of ways to identify a potential spammer. One of them is to detect requests with no referrer. Spammers use bots to post comments on blogs, and those requests come from ‘nowhere’.
  • Protect WP-Config: The wp-config.php file in your WordPress installation contains some real secrets, like the database name, database username and password. You have no choice but to keep it secure.
  • Disable Directory Browsing: Someone who knows the directory structure of a WordPress installation may use that knowledge to do some damage. Besides, you should not let them know which plug-ins you are using.
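The following is an added example, not code from the original post or from Business Seo Solution. It is a small POSIX shell script that prints the .htaccess rules for the tips above (directory browsing, wp-config.php, hotlinking, referrer-less comment spam and the IP restriction on the admin area), and also covers the wp-login.php side of the brute-force point from the vulnerabilities list. The admin address 203.0.113.10 and hostname example.com are placeholders supplied by the caller; the file names are WordPress’s standard ones. Two caveats that the page’s own `<Limit GET POST>` snippet does not mention: access rules inside a `<Limit>` section apply only to the methods it names, so the script uses unqualified `order`/`deny`/`allow` directives instead; and that syntax is Apache 2.2’s, which Apache 2.4 accepts only with mod_access_compat loaded (otherwise the equivalent `Require ip` directives are needed).

```shell
#!/bin/sh
# Added example, not from the original post or from Business Seo Solution.
# Prints .htaccess hardening rules. Assumptions: the caller passes the site
# hostname and the admin's static IPv4 address; file names are WordPress's
# standard ones; access syntax is Apache 2.2's (needs mod_access_compat on 2.4).

# Accept only a plain dotted-quad so that a typo cannot lock the admin out.
wp_valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Site-root .htaccess: no directory listing; wp-config.php, readme and license
# denied; wp-login.php restricted to the admin IP; hotlinking and comment POSTs
# without our own referrer refused.  Usage: wp_root_htaccess example.com 203.0.113.10
wp_root_htaccess() {
    host_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    wp_valid_ipv4 "$2" || { echo "invalid IPv4 address: $2" >&2; return 1; }
    cat <<EOF
# --- WordPress hardening rules (Apache 2.2 access syntax) ---
Options -Indexes

<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)\$">
order allow,deny
deny from all
</FilesMatch>

# wp-login.php lives in the site root, not in wp-admin, so it is restricted here.
<Files wp-login.php>
order deny,allow
deny from all
allow from $2
</Files>

RewriteEngine On
# Hotlinking: image requests must carry our own referrer or none at all.
RewriteCond %{HTTP_REFERER} !^\$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${host_re}/ [NC]
RewriteRule \.(jpe?g|png|gif)\$ - [F,NC]
# Comment spam: a comment POST whose referrer is not this site is refused.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${host_re}/ [NC]
RewriteRule .* - [F]
EOF
}

# wp-admin/.htaccess: only the admin IP may reach the dashboard. admin-ajax.php
# is exempted because themes and plugins call it for anonymous visitors too.
# Usage: wp_admin_htaccess 203.0.113.10
wp_admin_htaccess() {
    wp_valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    cat <<EOF
order deny,allow
deny from all
allow from $1
<Files admin-ajax.php>
order allow,deny
allow from all
</Files>
EOF
}
```

Write the output of wp_root_htaccess into the site-root .htaccess and that of wp_admin_htaccess into wp-admin/.htaccess, then check the front page, an image, a comment submission and the dashboard from a second connection before relying on it; a wrong address in the allow line locks you out as effectively as it locks out the attacker.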

Hackers Infect WordPress 3.2.1 Blogs to Distribute TDSS Rootkit

Hackers are compromising WordPress 3.2.1 blogs in order to infect their visitors with the notorious TDSS rootkit, according to researchers from Business Seo Solution. It’s not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform.

Once they gain unauthorized access to a blog, the attackers inject malicious JavaScript code into its pages in order to load a Java exploit from a third-party server.


The Java vulnerability exploited in the attack is known as CVE-2011-3544 and allows the remote execution of arbitrary code. In this case, the attackers are leveraging it to install a version of the TDSS rootkit on the computers of people visiting the website.

The CVE-2011-3544 vulnerability started being targeted by most exploit toolkits in December 2001. These attack frameworks usually contain exploits for vulnerabilities in several software products like Adobe Reader, Flash Player and Java.

The Business Seo Solution researchers are not sure if this mass code injection campaign uses an updated toolkit or an entirely new one, but experts from security firm M86 Security have tied recent WordPress 3.2.1 compromises to the Phoenix Exploit Kit.

According to M86 security researcher Daniel Chechik, the people behind these attacks are luring victims to the infected websites by sending them spam emails that contain malicious links. The fact that these links lead to legitimate blogs helps attackers bypass URL reputation filters, Chechik said in a blog post on Monday.

It’s not clear if the attacks analyzed by M86 Security and Business Seo Solution are perpetrated by the same gang, but since they both target WordPress 3.2.1 blogs, webmasters are urged to upgrade to the latest version of WordPress, which at this time is 3.3.1.

In order to protect themselves from exploits, Web users should keep the software installed on their computers up to date, especially their OS, browser and browser plug-ins.

Hackers exploiting the security of WordPress

WordPress is a very popular platform these days (around 8.5% of all the world’s websites are powered by WordPress!). As it is open source, everybody has access to its source code and can experiment with new cracking/hacking methods easily.

WordPress has become one of the most preferred exploitation targets for hackers across the globe. While WordPress has been continuously releasing new versions that close up the security holes, its popularity as a blogging platform has always prompted hackers to come up with new ways to steal information, interrupt service, redirect traffic or pursue other purposes. At Business Seo Solution, a secured WordPress hosting provider, the security is very good and all the preventive measures are taken to keep your website away from hackers.


Although there are several ways in which WordPress security can be tightened, only a few users follow them, which makes the platform even more vulnerable. The open-source nature of WordPress means a lot of damage can also be done through vulnerable WordPress themes and plugins or through automated exploits, which can destroy your website and your reputation. Below are the top WordPress issues and vulnerabilities that are being exploited by hackers. Equipped with the latest security tools, at CPWebHosting, a cheap hosting provider, you can easily develop or create a website with full security so that hackers don’t exploit it.

Business Seo Solution, a secured hosting provider, gives some tips on security:

  1. Insecure Plugins and Themes: WordPress offers many free plug-ins and themes that enhance the functionality of your website at minimal cost. However, you have to be aware that they may contain vulnerabilities or even hidden malicious code that can compromise your website.
  2. Don’t use the ‘admin’ username: Anybody who tries to get into your WordPress admin section will try ‘admin’ as the username. If you change it, a potential hacker has to guess both the username and the password. If you are running an older version of WordPress (which I do not recommend), you can change the admin username directly in the database.
  3. Strong Web Password: A lot of WordPress issues can be avoided with good habits, and a strong password is one of them. A good password protects your site from brute-force attacks and acts as a security gateway for your site. If a hacker is able to take over your administrator account, he can install scripts that can possibly damage your whole server. Do not use predictable or weak passwords.
  4. Database Access via a Root Account: All your WordPress content and web files are stored in one database. If you are using more than one web application, each application will have its own database. Your root account provides complete access to all the databases that are saved on the same web server or under the same web hosting account. If a hacker discovers your root account credentials, he or she can get access to all your databases. Therefore, it is highly recommended to create a dedicated account for each individual database, rather than using your root account.
  5. Move your wp-config.php file: Your wp-config.php file holds the database connection info as well as other data that nobody should be able to read. Since WordPress 2.6 you can easily move this file out of the root folder: simply move wp-config.php up one directory from your WordPress root. WordPress will automatically look for the config file there if it can’t find it in your root directory. This way, nobody except a user with FTP or SSH access to your server will be able to read this file.
  6. Database permissions: Database permissions allow a web application to access and also modify specific parts of the database. If database permissions are not tightened down, a malicious user can exploit such permissions and modify the database content and structure. Hacking attacks not only make cyber criminals rich and satisfied, they also affect your site’s position in search engine rankings. A site infected by spam is not only ranked low, it also gets flagged, which adversely affects its reputation and business potential.


Did your WordPress Website get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn’t you? No? It was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.


If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?

define('SECRET_KEY', '1234567890');


How do hackers hide their hacks?

The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the web server, then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten, so make sure you double-check those files for any strange code that uses eval() or base64_decode().

They’re also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:

  1. Open PHPMyAdmin and go to your blog’s options table and find the active_plugins record.
  2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you also remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
  3. Check your uploads directory for that jpg file and delete it.
  4. This Youtube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record but it won’t hurt to do it.
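An added example, not from the original post: a read-only shell audit that looks in the hiding places described in this section (eval()/base64_decode() in PHP files, PHP code under the uploads directory regardless of file extension, non-.php entries in the active_plugins option, and files the web server may write). The install directory argument and the serialized active_plugins value (copied out of phpMyAdmin) are assumptions passed in by the caller; the functions only report, because base64_decode() also appears in legitimate plugins and every hit needs a human look before anything is deleted.

```shell
#!/bin/sh
# Added example, not the original post's code. Read-only audit of a WordPress
# install; WP_ROOT (first argument) is the install directory, an assumption
# supplied by the caller. Nothing is modified or deleted.

# 1. PHP files that call eval() or base64_decode(). Legitimate plugins use
#    base64_decode() as well, so every hit needs a human look.
wp_find_obfuscated_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE '(^|[^A-Za-z0-9_])(eval|base64_decode)[[:space:]]*\(' {} + 2>/dev/null
}

# 2. Files in wp-content/uploads that contain PHP code, whatever their extension
#    (the "PHP code disguised as jpeg files" described above).
wp_find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -exec grep -l '<?php' {} + 2>/dev/null
}

# 3. active_plugins entries that are not plugin .php files. Pass the raw
#    serialized option value as shown in phpMyAdmin; the s:N:"..." strings are
#    extracted and anything not ending in .php is reported. Assumes the plugin
#    paths themselves contain no double quotes.
wp_suspicious_active_plugins() {
    printf '%s' "$1" | grep -o 's:[0-9]*:"[^"]*"' \
        | sed 's/^s:[0-9]*:"//; s/"$//' | grep -v '\.php$' || true
}

# 4. World-writable files: a writable script is exactly what lets an attacker
#    plant code. Adapt the -perm test if the web server user owns the files.
wp_find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}
```

Run each function against the live install (for example `wp_find_php_in_uploads /var/www/blog`, a placeholder path) and against a known-clean copy or a fresh download of the same WordPress and theme versions; anything reported only on the live copy is what the cleanup steps above should target.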