My WordPress site was hacked... a friendly security reminder :)
So, I just converted my static site into a WordPress-based site on Monday, and when I got home from my college class at about 11 AM today, I checked my analytics and saw nobody had been on for the last half hour (What!?)... so I checked my site and was surprised by a black screen with green text stating some group from Pakistan had hacked my site. Of course, the first thing I did was FTP to the site and check things out. Two files had been edited about two hours before (the index.php and 404.php pages). I re-uploaded my backed-up pages and the site was back online! Then I tried to log in... "Oops! Incorrect password!" So I logged into cPanel and accessed the database. The username, password, etc. had all been changed, so I changed the details back... then I was able to use the "I forgot my password" link and set up a new password.
After I got everything back up and running, I did some investigation and came across this article on the WordPress site. The article goes over many security measures that should be taken on your WordPress site. Sure wish I had known about this earlier. Some of the things, like protecting files and directories, I had done on my static site. When switching to WordPress, it didn't even occur to me that I should do that for the new directories. Based on what happened to me, it seems that a person/bot accessed my WordPress admin panel, edited the index and 404 pages right through the admin panel, then changed the account details and left the site. After following the directions on that page, that is no longer possible.
So, you may be thinking (it was my first thought too!), "2 days and the site was hacked!?" Yes. The site gets hundreds of visitors a day because it's been online for over a year. It's not that the site "just started"; it's just been converted into a WordPress site. A WordPress site/blog is just as vulnerable whether it gets 2 visitors or 2,000 visitors, so my recommendation for anyone using WordPress: "harden" that WordPress site using the steps in the "Hardening WordPress" article. It seems it would just be a matter of time before someone hacked your site if you leave your "secret files" open to everyone.
Of course, remember to use strong passwords, delete inactive plugins, keep everything up to date, etc. However, none of this really matters much if you leave the "backdoor" open for the hacker. So I took this experience as a lesson learned, and I hope it reminds everyone here to keep your site secure so that the unwanted don't get in.
Thanks so much for posting this. I haven't checked that article yet, so I don't know if I'm being redundant, but it's also a good idea to change the name of the wp-admin folder to something they won't guess. Most people don't ever change it, so it makes the hacker's job much easier. I'd really like to do that at some point, but I wish I had done it upon setup because it would have been easier then.
Wow, I think that's the fastest I've heard anyone get hacked -- only two days after launch? It was like someone was waiting on you! lol
Thank you for sharing your story and glad you got everything back up and running.
Thanks for posting this. It is terrific information.
Here is a little detail, because it is something that is not clearly recognized upon installation of WordPress. Installation is very simple, and you have to do very little more than insert an administrator name and a password. However, the admin name is filled in already with a default of "Admin." As a result, most people just assume that is fine.
As Lisa noted, it is easy to change your folder when installing, but most who are new to WordPress (as all of us are at one time) do not know to do it at that time. And it is very difficult to change later. Frankly, I do not know much about changing the folder. My initial thought is that it would seem easy to discover the installation folder from the site links.
It is also difficult to change the admin name, although as you get better acquainted with the program many people will tell you that it is a bad idea to keep the default because hackers will assume it when attacking your site. There is no clear built-in way to do it in the program.
So the point is, if you know these things ahead of time and change the admin name, most hackers will probably be deterred. If you want to change your admin name later, the instructions I have read suggest that you just add a new administrator and then delete the admin. Personally, I am thinking that I will just add a new name, use it to make sure that it works as admin, and then just change the options for the admin name to have a role of subscriber so I could restore it if I wanted, but anyone who hacked into it would find themselves unable to do anything.
Last edited by James; 02-28-2013 at 09:59 AM.
I have a plugin that limits the number of login attempts on my blog. The plugin also logs the IP address and the login ID tried by that IP address. 90% of the time, someone that has tried to log into my blog has tried the user name "admin" or "Admin", which proves the point of immediately changing the administrative ID for a WordPress blog.
For my blog I also enable two-factor authentication for the admin account, so even if they managed to get the user ID or password, they would need an additional code - that changes every minute - to log into my blog.
ArcadeThunder, did you manage to figure how to get into the dashboard of your blog? Did they guess the user ID and password or go in through another way?
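The limit-login-attempts behaviour TechieGuy describes, as an added example (not code from any post in this thread or from any plugin): a sliding-window lockout per source IP, run over a few constructed log lines. The one-attempt-per-line log format ("timestamp ip username ok|fail"), the IP addresses and the usernames are all assumptions made up for the demonstration.

```python
"""Sliding-window login lockout and username tally over constructed log lines.

Added example for illustration. Log format is an assumption:
    <ISO-8601 timestamp> <source ip> <username tried> <ok|fail>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 4               # lock an IP out after this many failures ...
WINDOW = timedelta(minutes=20)  # ... inside this window

# Constructed sample data, shaped like what the posters report: nearly every
# attempt targets "admin" (in either case); one tries an author nickname.
SAMPLE_LOG = """\
2013-02-28T08:01:10 203.0.113.7 admin fail
2013-02-28T08:01:12 203.0.113.7 admin fail
2013-02-28T08:01:15 203.0.113.7 Admin fail
2013-02-28T08:01:17 203.0.113.7 admin fail
2013-02-28T08:01:19 203.0.113.7 admin fail
2013-02-28T08:01:21 203.0.113.7 admin fail
2013-02-28T08:30:00 198.51.100.9 admin fail
2013-02-28T08:30:03 198.51.100.9 techieguy fail
2013-02-28T09:15:44 192.0.2.44 james ok
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def analyse(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay the log through the lockout rule.

    Returns (usernames tried, attempts the lockout would have refused,
    lockout events as (timestamp, ip)). Usernames are lower-cased so that
    "admin" and "Admin" are tallied together.
    """
    tried = Counter()
    recent_failures = defaultdict(list)   # ip -> timestamps inside the window
    blocked = []
    lockouts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, ok = parse_line(raw)
        tried[user.lower()] += 1
        # Forget failures that have aged out of the window.
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if len(recent_failures[ip]) >= max_failures:
            # Still locked out: refuse before the password is even checked.
            blocked.append((ts, ip, user))
            continue
        if not ok:
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) == max_failures:
                lockouts.append((ts, ip))
    return tried, blocked, lockouts


def most_tried(tried):
    """The single most-tried username and its share of all attempts."""
    name, count = tried.most_common(1)[0]
    return name, count / sum(tried.values())


if __name__ == "__main__":
    tried, blocked, lockouts = analyse(SAMPLE_LOG)
    print("usernames tried:", dict(tried))
    print("most tried:", most_tried(tried))
    print("refused by lockout:", blocked)
    print("lockout events:", lockouts)
```

Because the lockout is keyed on the source IP, a single bot that cycles through passwords is stopped after its fourth failure, while attempts from a second address are counted separately; the username tally is what shows whether dropping the default account name would have removed the target at all.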
I also did not use admin as my username. I use Website Defender, and I think this plugin allows you to change the user "admin" after install. I can't remember if I used a different username upon installation, or after I installed Website Defender.
Originally Posted by TechieGuy
I also have limit login attempts installed, and every single login attempt, except one, uses admin as the username. The one exception used my author nickname, so also take note not to make your new username the same as your author nickname.
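James's procedure above (add a second administrator, check that it works, then drop the old "admin" to subscriber) and the point in the post just above (the public author nickname must not match the login), as one added example that is not code from any poster. sqlite3 stands in for the MySQL database WordPress uses, and the rows, the new login "siteowner" and the public names are constructed for illustration; the column names, the usermeta keys and the serialised capabilities format are WordPress's own.

```python
"""Retiring the default "admin" account without leaking the replacement login.

Added example. sqlite3 is a stand-in for MySQL; only the wp_users /
wp_usermeta columns the steps touch are modelled.
"""
import sqlite3


def create_user(db, login, display=None, slug=None):
    """Insert a user with WordPress's defaults: the author-URL slug
    (user_nicename) and the display name fall back to the login itself."""
    slug = slug or login.lower()
    display = display or login
    cur = db.execute(
        "INSERT INTO wp_users (user_login, user_nicename, display_name) VALUES (?, ?, ?)",
        (login, slug, display))
    db.execute("INSERT INTO wp_usermeta VALUES (?, 'nickname', ?)", (cur.lastrowid, display))
    return cur.lastrowid


def set_role(db, user_id, role):
    """Store the role the way WordPress does: a PHP-serialised capabilities array."""
    db.execute("DELETE FROM wp_usermeta WHERE user_id=? AND meta_key='wp_capabilities'", (user_id,))
    db.execute("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)",
               (user_id, 'a:1:{s:%d:"%s";b:1;}' % (len(role), role)))


def role_of(db, user_id):
    (caps,) = db.execute("SELECT meta_value FROM wp_usermeta WHERE user_id=? "
                         "AND meta_key='wp_capabilities'", (user_id,)).fetchone()
    return caps


def make_db():
    """A fresh install: one administrator whose login is the default "admin"."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY AUTOINCREMENT,
            user_login TEXT UNIQUE, user_nicename TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    set_role(db, create_user(db, "admin"), "administrator")
    return db


def public_names(db, user_id):
    """Names a visitor sees without logging in: the /author/<slug>/ URL,
    the byline (display name) and the nickname."""
    slug, display = db.execute("SELECT user_nicename, display_name FROM wp_users "
                               "WHERE ID=?", (user_id,)).fetchone()
    (nick,) = db.execute("SELECT meta_value FROM wp_usermeta WHERE user_id=? "
                         "AND meta_key='nickname'", (user_id,)).fetchone()
    return {"author_url_slug": slug, "byline": display, "nickname": nick}


def login_is_exposed(db, user_id):
    """True when any public name equals the login, i.e. anyone reading an
    author page already holds the username half of the credential."""
    (login,) = db.execute("SELECT user_login FROM wp_users WHERE ID=?", (user_id,)).fetchone()
    return any(v.lower() == login.lower() for v in public_names(db, user_id).values())


def set_public_identity(db, user_id, slug, display):
    db.execute("UPDATE wp_users SET user_nicename=?, display_name=? WHERE ID=?",
               (slug, display, user_id))
    db.execute("UPDATE wp_usermeta SET meta_value=? WHERE user_id=? AND meta_key='nickname'",
               (display, user_id))


def retire_default_admin(db, new_login, slug, display):
    """Add a second administrator, separate its public identity from its
    login, then demote "admin" to subscriber instead of deleting it.
    Returns (new login exposed before, exposed after, old account's role)."""
    new_id = create_user(db, new_login)
    set_role(db, new_id, "administrator")
    exposed_before = login_is_exposed(db, new_id)   # defaults copy the login everywhere
    set_public_identity(db, new_id, slug, display)
    exposed_after = login_is_exposed(db, new_id)
    (old_id,) = db.execute("SELECT ID FROM wp_users WHERE user_login='admin'").fetchone()
    set_role(db, old_id, "subscriber")
    return exposed_before, exposed_after, role_of(db, old_id)


if __name__ == "__main__":
    print(retire_default_admin(make_db(), "siteowner", "editorial-desk", "Editorial Desk"))
```

The check in `login_is_exposed` is the point: creating the new account with WordPress's defaults reproduces exactly the leak the post above describes, because the author-archive slug and the byline are copied from the login, so the slug and display name have to be set to something unrelated before the old account is demoted.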
I didn't find out exactly how they got into the dashboard. My password was somewhat secure; it could have been better, but it wasn't bad either. There was no login to cPanel or FTP. The hacker group had a link to their Facebook page on their "Hacked" screen. I bookmarked it just for kicks and decided to check it out last night. 99% of the posts are them "bragging" about which sites they hacked (mostly from other countries), but one post caught my eye where someone said they were hacked and asked if they had hacked all of the servers on Arvixe (which is also my hosting company). So I wonder if it could have been something that happened through the hosting company?
Originally Posted by TechieGuy
I was using the default Admin name, but changed it last night. I also installed a plugin to limit the login attempts and some other security features.
Lastly, I did block the Dashboard and all admin files. An additional randomly generated username & password is required to access those files... otherwise you get "Authorization denied" or some such message. Many files just redirect to the 404 or home page.
So I just confirmed that 72 sites on my server were hacked. I have no idea how many sites are hosted on a server through Arvixe, but I am seriously considering calling them tomorrow to see what's going on... and possibly changing hosting providers. I've had no problems with them in the past, but this doesn't seem right. Is 72 every site, or a small fraction of the sites on the server?
There is a whole database of "which sites were hacked", in which I was able to find the page that was defaced on my site. It showed 71 other sites hosted on the server, which I was able to confirm were indeed on the same server as my site.
This really irritates me! I pay money for this hosting, and expect it to be secure...