
Hi guys!

 

On one of my websites a post that wasn't even public got hacked. Not a lot of damage done, just written "hacked by N3X0000S" all over the place.

Do you know how I can secure Wordpress from stuff like that?

 

Thank you in advance!

https://linustechtips.com/topic/839003-wordpress-posts-getting-hacked-by-n3x0000s/

There have been several vulnerabilities patched in WordPress this year. Update your WordPress and follow all other security recommendations, like not sharing passwords & email across sites.


5 minutes ago, trylo said:

Hi guys!

 

On one of my websites a post that wasn't even public got hacked. Not a lot of damage done, just written "hacked by N3X0000S" all over the place.

Do you know how I can secure Wordpress from stuff like that?

 

Thank you in advance!

I'd recommend you first enable SSL (free certs available from Let's Encrypt). Then I would download the following plugins:

  • Dobby
  • WordFence

Then you need to make sure that your db password IS NOT the same as your USER password. Your db password is public and anyone can read it (through the wp-config.php). I'd recommend deleting the site and starting over if you can, but if you can't (because of any reason) also work to try and get a virus scan of all files. In cPanel it's one or three clicks off of your dashboard, and if you're running a VPS with command line, simply type the following:

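# update the signature database, then scan the current directory recursively, listing only infected files
sudo freshclam && sudo clamscan -r -i .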

(ubuntu)


How to secure Wordpress:

1) Don't use any plugins.

2) Don't use any custom themes.

3) Hope and pray.

 

Even with these steps there is no guarantee. Wordpress is a huge target for hackers and will continue to get exploited until the end of time. Even with security plugins it doesn't matter and once you're hacked, you need to delete everything and start from scratch if you want to be sure there are no backdoors.

 

I deal with more hacked Wordpress installs than every other script combined. It's disgusting how vulnerable Wordpress is and extremely depressing how the most common intrusion method is via custom themes. Seriously, what kind of software gives a theme so much control that it can be used to compromise a whole server? I've gotten to the point where the PHP mail() function is disabled for every one of my servers because of the amount of spam being sent out by hacked Wordpresses every single day.

-KuJoe


2 minutes ago, wolfboytech said:

I'd recommend you first enable SSL (free certs available from Let's Encrypt).

This will not help at all for securing the application itself, only securing the data being passed to and from the application.

2 minutes ago, wolfboytech said:

Then you need to make sure that your db password IS NOT the same as your USER password. Your db password is public and anyone can read it (through the wp-config.php).

If your wp-config.php file is publicly accessible you have bigger problems than your user password being hacked. The DB password would give somebody a lot more control over Wordpress than a user account password could.

-KuJoe

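An added example, not part of any post in this thread: a small shell audit for the two points raised above, whether wp-config.php is readable by other users on the server and which theme PHP files changed recently. The function names, the WordPress root argument and the 7-day default window are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Usage: sh audit.sh /path/to/wordpress [days]
# The WordPress root and the look-back window are assumptions of this sketch.

# Prints "world-readable" if the "other" read bit is set on wp-config.php,
# "ok" if it is not, and "missing" if the file does not exist.
wpconfig_exposure() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "missing"; return 0; }
    # -perm -004 matches only when the read bit for "other" is set
    if [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]; then
        echo "world-readable"
    else
        echo "ok"
    fi
}

# Lists PHP files under wp-content/themes modified within the last $2 days
# (default 7). Unexpected entries here deserve a manual review.
recent_theme_php() {
    themes="$1/wp-content/themes"
    [ -d "$themes" ] || return 0
    find "$themes" -type f -name '*.php' -mtime "-${2:-7}" | sort
}

# Runs both checks and prints a short report.
audit_wordpress() {
    root="$1"
    echo "wp-config.php: $(wpconfig_exposure "$root")"
    echo "theme PHP files modified in the last ${2:-7} days:"
    recent_theme_php "$root" "${2:-7}"
}

if [ "$#" -gt 0 ]; then
    audit_wordpress "$@"
fi
```

If the first check reports world-readable, tightening the mode (for example `chmod 640` with the web server's group) keeps other local accounts from reading the database credentials.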

Just now, trylo said:

@KuJoe So what's a solution? We are running 5 small simple websites on our VPS.

The only real solution I could recommend is to either run a completely vanilla Wordpress or switch to something other than Wordpress. There are so many other blog scripts out there that might not be as secure, but Wordpress is by far the most targeted and the number of automated attacks out there specifically for Wordpress is just awful.

-KuJoe
