I have a hostgator website on which I installed Drupal. It was working fine until last weekend. I am primarily a .net developer and am not sure about the configuration of this open source application.
Recently, I noticed a large number of user accounts being created who never even logged in before. So, after setting up Google analytics, I determined that my site was hacked. I made this determination because the majority of the traffic and user flow is coming form RUSSIA, SERBIA and ROMANIA, hackers haven!
I realised that my website was not secure. So now I put the site into mainitainance mode, uninstalled the existing Drupal 7, and installed a new installation. It is very fresh now and I am on a mission to find some good security pratices.
I would like to know what security measures that I can implement other than these.
Also, how would I connect to my website's command line to change the file permission settings? Currently, I am using Filezilla and right clicking to change the properties.
Thanks, and apologies for the long question.
P.S. This is my website.
Hostgator provides SSH access. Use tool like WinSCP to transfer files and PuTTy to access command line. Once you get command line access, you will be hopefully able to install Drush on Hostgator. Drush will help you do many administrative stuff using command line and it is highly recommended to use. Since you are a .Net developer, I assume that you might be using Windows for development. Good news is that you can install Drush on Windows too.
Are you sure that your site was really hacked? Because, if you go to Account setting page (http://your-site/admin/config/people/accounts) and look under Who can register accounts?, you will see three options there. The default is "Visitors can create account". If you do not change this setting to something else, your new site will again face the same problem. Otherwise, you can select option Require e-mail verification when a visitor creates an account.
Another way to reduce number of spammers creating account on your Drupal site is to install CAPTCHA or reCAPTCHA module and configure it to show challenge to users when they create an account. This will block many spammers. You can also block specific IP range using Apache .htaccess file. You will find .htaccess file in your Drupal installation folder.
Another good practice is to periodically update Drupal core and contributed modules for security fixes. If you goto page admin/reports/updates, you will see what module requires an update. Command line and Drush will help you streamlining some part of this process.
If you regularly update Drupal (core & modules), use SSH for file transfer and apply correct file permissions, your site should be all secure. It is not that hard to maintain a secure Drupal site, given all the help is available for Drupal security team and Drupal community.
There is a Drupal Group (forum) that deals with Best Practices in Drupal Security that provides a number of excellent suggestions on how to secure Drupal sites. As for accessing your site via the command-line, I checked and Hostgator allows for SSH access on all of their hosting plans. You should be able to login via SSH, change to the sub-directory within your Drupal installation and change the permissions of a file or directory using the 'chmod' command.
Good luck!
Related
When I try to sign into my websites wp-admin login screen it refreshes and redirects me to the login page. After researching this issue it looks like deactivating the plugins should fix the issue. However, when I try doing this from phpmyAdmin, it tells me that the UPDATE command is denied to user.
I have tried using the FTP client 'Fire FTP' to try and access my files but I do not know which username and password needs to be used (I have about a million at this point).
Is there somewhere in the Azure portal where I can edit my files and deactivate the plugins?
Other information: I accidentally deleted the file the had my Wordpress admin password, but I am able to log into Azure, and phpmyAdmin. I also have my cPanel login information but I cannot figure out how to access that either. I am also using a Mac.
Please help! I have a basic understanding of web development but not much and I have worked incredibly hard on my website business but this has been a rough setback.
Looking at your problem, FTP is your best option. You can define the user/password at the portal in your app service blade:
Login into the portal: https://portal.azure.com
Navigate to your app service blade
Look for Deployment Credentials and set your username/password.
I was able to resolve this. Turns out I had exceeded my database storage. Simply upgrading my plan fixed the issue. So if anyone sees this and has the same problem, make sue that your SQL db has enough storage available.
The plugins made me exceed my storage but I did not need to deactivate them.
I have made the case for using WordPress as a CMS for an important project.
IT has challenged me to build out this base WP installation alongside the local (WAMP) served intranet and lock it down the best I can. They will then attack the installation with enterprise level penetration testing software.
I am only privy to a minimum amount of details however some security tools I am up against have been mentioned and will be used in conjunction with enterprise level software:
Kali.org
Tools from darknet.org.uk
Watabo
What I've done:
Wiped all basic WP out-of-the-box data such as Administrator username, changed login page URL, removed ajax calls, leveraged all options within iThemes Security plugin (which is pretty impressive) and a few of my own.
My question is for advanced advice on securing WordPress running 2015 theme and its PHP framework and Database. Proper htaccess configuration and possible pitfalls. Advice on any advanced methods of securing a website where it's likely to fail a pen test.
It's not easy to make a website completely invulnerable, especially if you have chosen Wordpress.
You should update your Wordpress website constantly. It means that you have to follow all the updates and install them immediately. Sometimes it's not easy to do, if everything is working as it should, and the database is not small. Wordpress is the most popular open source CMS in the world and many people want to crack it, write crawlers which are searching vulnerabilities online etc.
Simple steps to increase the security of any website:
Close a port if you don't use it or install firewall, tcpwrapped etc.
Don't use FTP, ever. Use SSH instead.
Don't make rights 777 on the whole folder. Make it 555 and when you need to upload some image or something else change the rights to 777 or 755 (if you do it by ssh). After doing your job change rights back to 555. Nobody couldn't upload payload or other malicious code to your website through the front end if it's not allowed for writing.
Check your website for sql injection vulnerability.
Don't use simple passwords. You could even change your passwords every month.
Don't duplicate passwords.
Regularly update your software.
For back end security you could use some IDS, for example Snort - https://www.snort.org/, but it's not easy to configure properly. Furthermore you should understand how a network works, tcp/ip, attack types and so much more.
Use OpenBSD as your server operating system if you do not understand the information security well. It was created with an emphasis on increased security.
Take some network scanner (for example nmap) and test your server for vulnerabilities.
Finally: I wouldn't recommend to use Wordpress for the reliable security :) and to say more I need to take a look at the website.
My apologies in advance if I am posting it in the wrong forum.
I have a WordPress site. Every couple of days, a new user is added as an "Administrator" as shown below
I have changed my password many times using complex passwords but to no use. I even searched on Google and have read links like this one.
I have also unchecked the option "Anyone can register"
However, I am unable to stop them from registering.
Fortunately, no malicious activity has been noticed (Ex: Deletions/Unwanted posts etc)
Please advise me on what I can do to stop these?
You clearly have a more serious compromise, like an uploaded malicious script or an unpatched vulnerability. You need to rebuild your site from scratch (clean install of the current versions of WP and any plugins and themes, using a known-good database export) ASAP before something really bad happens.
Unfortunately, it's impossible to say what happened without digging through your server. My guess is that somebody exploited a vulnerability and uploaded a script. It could be anything - an hole in the WP core, a plugin, or a theme; a malicious plugin or theme; a stolen password; a breach of another site on the same server; or a number of other things.
Regardless of what happened, the only safe fix is to rebuild the site. If you have data backups, you can achieve this in a few hours.
I strongly recommend installing the security plugin WordFence to help prevent similar problems in the future. (I have no affiliation with WordFence, but use it on a number of sites.)
Finally, you might want to read this discussion on security.stackexchange.com. The consensus in this situation is "nuke it from orbit." Good luck!
Someone is making a SQL injection in your site.
If you want to prevent this in future, you should do some things.
Rebuild your website from scratch.
Install some of the security plugins, like Bulletproof Security, Wordfence, iThemes Security. I suggest you to buy the license of Bulletproof, or use the free version + one of the others. And be careful for the equal settings.
The most common attack are with SQL Injection XSS, Plugin exploits and of course brute-forcing the admin pass. You should upgrade every plugin and Wordpress every time when you see a new version.
Use less plugins. They are one of the main reason for hacked websites. If you use Linux, Ican tell you how to scan your website for vulnerabilities. Or just tell me the url, and I will tell you the results.
Also change your /wp-admin path, there are a lot of bots who search the web and make bruteforce attacks.
Also is important to use different admin username from admin or Admin. And use strong passwords. It's a good practice when you make a new Wordpress installation, to do two more users. The first will be an Author and will post everything in the site, the second you should make with Administration role. After that delete the first admin user and start the new one.
Hackers knows that almost every time the user with id:1 is the admin, so they can try to access again. So in this case your admin will be with id:3, and again don't use username like admin and etc.
Best regards and wish you luck.
Kasmetski
Check index.php, wp-admin/index.php to see if they have been modified. Usually the following line of code is added to the top of the index.php file. A code starting with 'required' is usually added.
The file being ‘required’/’included’ here contains malicious code which is executed along with each run of WordPress. Such code can generate fake pharma pages, Japanese SEO spam pages and other malware infections.
Delete the #require code from the file after comparing it with the contents of the core WP files from it’s GitHub repository.
Check if there are any new files in the root of the server or /wp-admin folder that were not created by you. Some of the files that you may find are:
Marvins.php
db_.php
8c18ee
83965
admin.php
buddy.zip
dm.php
If you find any of the above suspicious files, take a backup and delete them.
Source: https://www.getastra.com/blog/911/fix-wordpress-admin-dashboard-wp-admin-hack/
I had a blog based on wordpress, v 3.1.2, the problem is the hosting company tells me a exploit gave access to hackers so they erased my files and databases, but also i found on pastebin the usernames and passwords to my parallels control panel(not the one of wordpress) and my password. See for yourself, available now only on cache:
http://webcache.googleusercontent.com/search?q=cache:QUq4z1nKabgJ:pastebin.com/n8gunbQx+invacib+pastebin&cd=1&hl=en&ct=clnk&client=ubuntu&source=www.google.com
The main question, getting those users/passwords can it be the hosting fault??? not associated with wordpress??
Yes it is the hosting company's fault. A hacker might have downloaded a database backup made by the hosting company of their clients info and shared these info in public.
A wordpress exploit, at worst, can only give the access the php has. If php has root access its the hosting fault for giving it root access.
What hosting company says you're out of date WP caused parallels to be hacked? Do you happen to know the version of parallels they're using? It is possible that the hacker put in a keylogger in WordPress and logged you typing in your parallel password. It is also quite possible if it is the host that I am thinking of that the passwords were easy to get. Of course, it is also quite possible that they got your passwords via a dictionary attack, especially if you used the same password and username or email on another site that was hacked.
I'm looking into building database driven websites based on opensource platforms in a sandbox area rather than having them accessible via the final URL until clients have paid up.
Is anyone aware of any problems this may cause with paths or functionality, or, know of any good articles on the subject?
many thanks
Shaun
There is no bad effect on functionality just because it is in sandbox. Generally, Joomla is almost location independent (untill and unless you are driving multiple websites from same joomla installation)
For security purpose secure the URL via .htaccess file (if more security required then setup a cron to update password every X hours, and email new details to user)
I would suggest having a cut-down, less privileged or demo account for signup users that can still enjoy the overall experience of your site without the full functionality of your killer-webapp services. "Restricting" them in a Sandbox area that is not even the actual site would not be as appealing and convincing as it could be for them to go from "freemium to premium" customers.
I develop all joomla sites on a local server and then upload to the production server once approved. In Joomla, when I upload the files to the production server, I usually need to change the mysql server as well and it can all be changed from the configuration.php file