Hardening WordPress - Reducing the attack vector

  • As you know I’m looking to do something on a wordpress installation hopefully soon.

    There are some b****y amazing tips there and lots of quality advice 👏🏻👏🏻👏🏻. I’ve used WordPress a lot over the years and I must say there’s still lots in there that I should have picked up on but hadn’t even thought of acting on before.

    One of my websites was hacked a few years ago, probably a good 5-6 years back now, and I feel that if I’d have had Mark’s help and implemented most of the steps above then it may not have happened. Anyway… one morning I visited my website and was greeted by a lovely green skull and crossbones that said something along the lines of “Your website has been taken over by such and such organisation”.

    Now, to the best of my knowledge I couldn’t login, I had been hacked and rightly or wrongly proceeded to delete my files via FTP.

    I’d lost hundreds of news stories I’d written and never trusted the domain again, would the hackers come back for more?

    In my mind I’m thinking the best thing to do is to start again, and like a fool I didn’t have a recent backup of my wordpress installation.

    I know Mark will go to town and have nightmares of all my rookie mistakes but after reading the blog I do feel a lot more confident if I was to use WordPress again that I’ve learnt a lot of what not to do and to not be too hasty next time.

  • @jac This sounds like quite the horror story, but sadly, all too common.

    @jac said in Hardening WordPress - Reducing the attack vector:

    rightly or wrongly proceeded to delete my files via FTP .

    This part is where I would have (if you knew me then) stepped in and claimed back access to the site. The database was probably injected with malicious SQL, so wouldn’t be fit for production use, but it’s perfectly possible (and relatively simple) to get access back via a reset of the admin MD5 hashed password in the database itself.

    @jac said in Hardening WordPress - Reducing the attack vector:

    I’d lost hundreds of news stories I’d written

    This is exactly my justification for writing this

    https://content.sudonix.com/how-often-do-you-test-your-backups/

    @jac said in Hardening WordPress - Reducing the attack vector:

    In my mind I’m thinking the best thing to do is to start again, and like a fool I didn’t have a recent backup of my wordpress installation.

    This is why it’s of paramount importance to determine, design, configure, and set a backup and recovery strategy - and, as I mentioned in the article above, this needs to be tested periodically to ensure it is actually fit for purpose rather than simply relying on it being functional when you need it.

    @jac said in Hardening WordPress - Reducing the attack vector:

    I know Mark will go to town and have nightmares of all my rookie mistakes but after reading the blog I do feel a lot more confident if I was to use WordPress again that I’ve learnt a lot of what not to do and to not be too hasty next time.

    🙂 No, I won’t - really, I’ve seen this so many times, and one of the reasons as to why this platform exists in the first place is to educate, and ideally, eradicate.

  • @phenomlab Thanks for the reply mate.

    It’s good to know that these problems can be fixed. I think at the time I just thought they’ll attack it again once I’ve launched something else so the best way was for me to get rid of if I’m afraid.

    Now of course I’d do things differently 😉😆😆😆.

  • @jac What you can (and 100% should) do if you run a WordPress site is strongly consider WP Shield - there is a free version, but PRO is obviously much better as it has greater capabilities and features

    https://getshieldsecurity.com/pricing/

    I’ve used this with huge success over the years, and it’s my preferred and recommended security solution for anyone with a WordPress site.

  • @phenomlab Absolutely! I can’t remember what I used to use last time but it was free. Most likely the most downloaded security solution.

    Talking of security, somebody tried to access my emails before so I reset the password etc although I do feel I need to maybe use a password generator or something to be more secure.

  • @jac said in Hardening WordPress - Reducing the attack vector:

    Talking of security, somebody tried to access my emails before so I reset the password etc although I do feel I need to maybe use a password generator or something to be more secure.

    This is a slightly different topic, but it’s just as important. In most cases, the best advice is:

    • Use a password manager to generate a strong password. You don’t need to remember it - that’s the job of the password manager itself
    • Enforce two factor authentication for your email accounts (most have this). In this case, should an attacker get access to your username and password, they still will not be able to log in without the second factor, which is typically a 6-digit code that changes every 30 seconds

    It’s important to note that two factor via SMS is in fact inherently weak and should be avoided - it’s always best at minimum to use a TOTP mechanism with something like Authy or Google Authenticator.

  • @phenomlab Thanks for all the great advice mate, appreciate it.

    I’ll follow it all up when home 👍🏻.

  • @jac No problem. I’m happy to put together a blog post for this if you think there’s a benefit?

  • @phenomlab Absolutely matey, that’s up to you pal. I’ve just followed the advice and used Microsoft’s authentication app, which has enabled two factor authentication.

  • @jac said in Hardening WordPress - Reducing the attack vector:

    Microsoft’s authentication app that’s enabled two factor authentication.

    Or is Google’s better?

  • @jac Microsoft’s and Google’s Authenticator both support TOTP - essentially, a time-based system that changes every 30 seconds. The main principle here is that the device itself carrying the One Time Passcode only needs to be in sync with the source server in terms of time, and can be completely offline with no internet access.

    Provided the time matches on both devices, the One Time Passcode will be accepted. Applications such as Microsoft Authenticator and Authy also support push notification, meaning you just choose either yes or no on your device when prompted, and then that response is sent back to the origin, which then determines if access is granted or not.

    One of the best looking passwordless authentication models was CLEF - sadly, this product died out due to a lack of funding (if I recall correctly), although some open source implementations of this have appeared quite recently.

    Essentially, both products will achieve the same goal. TOTP is an industry standard, and widely accepted across the board. Not all services offer push confirmation.

  • @phenomlab Many thanks for the detailed reply mate.

    There’s some great advice in there that will help me secure my accounts.
