06-14-2011, 09:36 AM | #1
Confirmed User | Join Date: Jul 2006 | Location: Somewhere between reality and total ape-shit bonkers. | Posts: 2,870
Wordpress security question
Apparently someone has been trying to hack my site, trying to access plugin readme.txt files to get the version of WordPress and shit like that.

I've taken the usual security measures (at least they seem like the reasonable ones to me, but this is my first project with WordPress), such as removing the WP version indicators, adding plugin and theme index files, removing error indicators on login and relocating my login page. So far that seems to be keeping them out, but I'm concerned that it's only a matter of time before they find a way in. Is there anything else I could do to better protect my site? Also, is this something most WordPress users have to deal with, or have I somehow made a target of myself?

I should add that all of the questionable hits are coming from a Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) user agent, but the IPs change daily, so obviously they are using proxies to mask their IP.
__________________
The best Adult Affiliate Programs reviewed and indexed by niche and feature. Easily find the sponsors that suit your needs.
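The pattern the OP describes (one fixed User-Agent, a different proxy IP every day, requests for plugin readme.txt files) is easy to pull out of the access log once you group by User-Agent instead of by IP. The script below is an added example for this thread, not the OP's code or anything from WordPress: it parses combined-format log lines, keeps only requests for the paths that leak a version (core readme.html, plugin/theme readme.txt, and the stock wp-login.php and xmlrpc.php entry points, which matter here because the OP moved his real login page), and reports hits, distinct IPs and paths per User-Agent. The four sample lines are constructed; the probe path list and the gfy_ function names are my own choices.

```php
<?php
// Added example for this thread, not the OP's code: scan a combined-format access log for
// WordPress version-fingerprinting requests and group them by User-Agent, so one UA string
// behind a daily-changing IP (what the OP describes) shows up as a single actor.
// ASSUMPTIONS: the sample lines are constructed; the probe path list is mine. Run as
// `php scan.php /var/log/apache2/access.log`, or with no argument to use the samples.

const GFY_LOG_RE   = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
// Version leaks: core readme, plugin/theme readme.txt, plus the stock login and xmlrpc
// endpoints (the OP relocated the login page, so hits on the stock path are not his users).
const GFY_PROBE_RE = '#^/readme\.html$|^/wp-content/(plugins|themes)/[^/]+/readme\.txt$|^/wp-login\.php|^/xmlrpc\.php#i';

function gfy_parse_line( $line ) {
    if ( ! preg_match( GFY_LOG_RE, $line, $m ) ) {
        return null; // not combined format, skip it
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6] );
}

function gfy_is_probe( $path ) {
    $path = strtok( $path, '?' ); // drop any query string before matching
    return (bool) preg_match( GFY_PROBE_RE, $path );
}

// Returns: UA => array( 'hits' => n, 'ips' => array(...), 'paths' => array(...) )
function gfy_group_probes( array $lines ) {
    $out = array();
    foreach ( $lines as $line ) {
        $r = gfy_parse_line( $line );
        if ( $r === null || ! gfy_is_probe( $r['path'] ) ) {
            continue;
        }
        if ( ! isset( $out[ $r['ua'] ] ) ) {
            $out[ $r['ua'] ] = array( 'hits' => 0, 'ips' => array(), 'paths' => array() );
        }
        $out[ $r['ua'] ]['hits']++;
        $out[ $r['ua'] ]['ips'][ $r['ip'] ]     = true; // keyed by value to de-duplicate
        $out[ $r['ua'] ]['paths'][ $r['path'] ] = true;
    }
    foreach ( $out as $ua => $s ) {
        $out[ $ua ]['ips']   = array_keys( $s['ips'] );
        $out[ $ua ]['paths'] = array_keys( $s['paths'] );
    }
    return $out;
}

// Constructed sample: the OP's MSIE 6 / Win98 UA on three different days from three
// different IPs, plus one ordinary reader who must not be reported.
$sample = array(
    '203.0.113.5 - - [13/Jun/2011:02:14:07 -0400] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"',
    '198.51.100.23 - - [14/Jun/2011:02:15:11 -0400] "GET /readme.html HTTP/1.1" 404 230 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"',
    '192.0.2.77 - - [15/Jun/2011:02:16:40 -0400] "GET /wp-login.php?action=register HTTP/1.1" 404 230 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"',
    '192.0.2.10 - - [14/Jun/2011:10:00:00 -0400] "GET /2011/06/some-post/ HTTP/1.1" 200 14211 "http://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 Chrome/11.0.696.68"',
);

$lines = ( PHP_SAPI === 'cli' && $argc > 1 ) ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : $sample;
foreach ( gfy_group_probes( $lines ) as $ua => $s ) {
    printf( "%d probe(s) from %d IP(s), UA \"%s\"\n  paths: %s\n  ips:   %s\n",
        $s['hits'], count( $s['ips'] ), $ua, implode( ', ', $s['paths'] ), implode( ', ', $s['ips'] ) );
}
```

Grouping by User-Agent is the point: blocking the day's IP does nothing against a proxy rotation, while a 2011 hit from an MSIE 6 on Windows 98 string against readme.txt is a scanner signature you can act on (rate-limit, 403 those paths outright, or feed the UA to the web server's deny rules). Treat the UA as a hint only; it is trivially changed.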
06-14-2011, 12:28 PM | #2
Too lazy to set a custom title | Join Date: Aug 2002 | Posts: 54,932
I would only allow your IP in the admin; block all others out.
06-14-2011, 07:12 PM | #3
Registered User | Join Date: Jul 2006 | Posts: 89
Words of wisdom from the mouths of babes.
Also ... get on the WordPress mailing list ... to keep your eyes open for updates! ... join WP forums ... stay in touch with the buzz.
__________________
PhantomFrog.com.... Premium Password Protection
PhantomCart.com.... CCBill + Phantom Cart = Clips Store Solution
PhantomFlicks.com.. Token-based Clips Store
06-14-2011, 07:38 PM | #4
Confirmed User | Join Date: Feb 2011 | Location: La Isla Bonita | Posts: 886
"Wordpress" and "Security" are two incompatible meanings. Sorry but as long as it will be developed the way it is now your website and your server are in danger. Good luck though.
http://codex.wordpress.org/Hardening_WordPress
06-14-2011, 07:44 PM | #5
Confirmed User | Join Date: Oct 2007 | Posts: 1,448
You could always buy xMarkPro (see sig). Next upgrade coming out tomorrow will also contain an automated backup & revert feature for domains (including WP blogs). For example, have your blogs backed up every 3 hours. If someone hacks it, it's the click of a mouse, and it's back online. Plus have your blogs automatically updated when WP releases new versions, ensuring you're always running the most stable version.
__________________
xMarkPro -- Ultimate Blog Network Management. Streamline your marketing operations. Centralize management of domains, pages, Wordpress blogs, sponsors, link codes, media items, sales and traffic statistics, plus more!
06-14-2011, 07:46 PM | #6
Monger Cash | Join Date: Jul 2010 | Posts: 2,772
06-14-2011, 07:50 PM | #7
Too lazy to set a custom title | Join Date: Jul 2001 | Location: Currently Incognito | Posts: 13,827
Lots of things to do with WP...

I've found you can't always block based on IP because some scripts use the AJAX in the admin area... thus visiting your site can create a warning. Give the plugin Login LockDown a shot... it masks login errors, can set timeout limits on fails, etc., if someone happens to get to the login screen. Another thing you can do is protect your wp-login.php with basic user/pass protection to access it. It's not an end-all, it's just another step. Drop this into your functions file, and set a user/pass...

Code:
// Only hook the check on the login page itself.
if ( $_SERVER['PHP_SELF'] == '/wp-login.php' ) {
    add_action( 'init', 'login_init' );
}

function login_init() {
    $user = 'YOUR-USERNAME';
    $pass = 'YOUR-PASSWORD';
    // Both must match. The original compared with &&, which only sent the 401 when
    // both were wrong, so a correct username with any password got through.
    // (The original's get_option('get_header') call did nothing and is dropped.)
    // PHP_AUTH_* are only filled in when PHP runs as an Apache module; under
    // CGI/FastCGI the Authorization header has to be passed through to PHP.
    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] )
        || $_SERVER['PHP_AUTH_USER'] !== $user
        || $_SERVER['PHP_AUTH_PW'] !== $pass ) {
        header( 'WWW-Authenticate: Basic realm="wp-login"' );
        header( 'HTTP/1.0 401 Unauthorized' );
        exit;
    }
}
__________________
~TheDoc - ICQ7765825
It's all disambiguation
06-15-2011, 05:23 AM | #9
Too lazy to set a custom title | Join Date: Aug 2002 | Posts: 54,932
I wouldn't even let subscribers in the admin area. If you are just using it for a login system so they can comment, I would redirect anyone that you don't want to have access to wp-admin out of there.
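Posts #2, #7 and #9 together describe one piece of functions.php: allow only your own IP(s) into wp-admin and wp-login.php (#2), but leave admin-ajax.php alone because front-end plugins call it for every visitor and a blanket IP block on wp-admin breaks them (#7's warning), and bounce subscribers who only need to log in to comment back out of the dashboard (#9). The snippet below is an added example written for this thread, not TheDoc's code and not WordPress core; it uses only stock WordPress functions (add_action, is_admin, current_user_can, wp_safe_redirect, home_url, wp_die, the DOING_AJAX constant). The two IP addresses are RFC 5737 documentation placeholders and the gfy_ names are mine. It does not cover xmlrpc.php, which is a separate entry point.

```php
// Added example for this thread, not TheDoc's snippet and not WordPress core code.
// Goes in the active theme's functions.php (already inside <?php). It does three things
// the replies above describe: (1) only an allow-list of IPs may reach wp-login.php and
// wp-admin, (2) admin-ajax.php is exempted, because front-end plugins call it for any
// visitor and an IP block there breaks the site, and (3) logged-in users who cannot edit
// posts (subscribers) are sent to the front page instead of the dashboard.
// ASSUMPTIONS: the two addresses are placeholders (replace with your own static IPs);
// the gfy_ prefix and function names are mine; xmlrpc.php is not covered.

define( 'GFY_ADMIN_ALLOWED_IPS', '203.0.113.10,198.51.100.7' );

function gfy_client_ip() {
    // Only REMOTE_ADDR is trusted: X-Forwarded-For is client-controlled unless a proxy
    // you operate overwrites it, and the OP's visitor is already rotating through proxies.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

function gfy_is_admin_ajax() {
    // admin-ajax.php defines DOING_AJAX before WordPress loads; is_admin() is true there too.
    return defined( 'DOING_AJAX' ) && DOING_AJAX;
}

function gfy_is_login_page() {
    // is_admin() is false on wp-login.php, so the login page is detected by script name.
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? $_SERVER['SCRIPT_NAME'] : '';
    return substr( $script, -13 ) === '/wp-login.php';
}

function gfy_ip_allowed( $ip, $allowed_csv ) {
    $allowed = array_map( 'trim', explode( ',', $allowed_csv ) );
    return in_array( $ip, $allowed, true );
}

function gfy_restrict_admin_by_ip() {
    if ( gfy_is_admin_ajax() ) {
        return; // front-end AJAX must keep working for every visitor (post #7)
    }
    if ( ! ( gfy_is_login_page() || is_admin() ) ) {
        return; // ordinary front-end request, nothing to do
    }
    if ( ! gfy_ip_allowed( gfy_client_ip(), GFY_ADMIN_ALLOWED_IPS ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'gfy_restrict_admin_by_ip', 1 );

// Post #9: anyone who cannot edit posts has no business in wp-admin; AJAX is again exempt.
function gfy_keep_subscribers_out_of_admin() {
    if ( gfy_is_admin_ajax() || current_user_can( 'edit_posts' ) ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'admin_init', 'gfy_keep_subscribers_out_of_admin' );
```

Two practical checks before relying on this: confirm your own address is static (a dynamic home IP locks you out the next day, and the fix is then editing functions.php over FTP/SFTP), and confirm REMOTE_ADDR is really the client address on your host; behind a load balancer or CDN it is the balancer's IP and every visitor, including you, gets the same answer.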
06-15-2011, 10:26 AM | #10
Confirmed User | Join Date: Oct 2002 | Posts: 3,745
Quote:
when I explain it to them. I pointed out a significant security flaw repeatedly for over a year and none of the Wordpress devs could even understand that there was a problem until thousands of sites were hacked.

Secure, as much as possible, PHP itself. Make sure it's up to date, as PHP has recently started to suck a lot less in terms of security. If you have a version that's a couple of years old you may as well post your FTP password on your front page. One example is "register globals", which is tied with "running suexec on a dedicated server" for the stupidest, most damaging thing anyone has ever done on a web server.

Once it's up to date, make sure the settings are right for reasonable security. fopen_url, for example, should be off by default, but make sure it is. Disabling a few functions including eval, exec, and popen will stop most crack scripts, but some legitimate scripts may need to be adjusted to work in that case. Similarly for an egress firewall, but now we're getting more into general server security and away from Wordpress.
__________________
For historical display only. This information is not current: support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
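The PHP-level advice in post #10 (current PHP, register_globals off, "fopen_url" off, a list of functions disabled) can be checked rather than assumed. The script below is an added example for this thread, not the poster's code: it audits a set of php.ini values against those points and runs the same audit against the interpreter executing it. Two notes on the post's wording, added here: the php.ini directive is allow_url_fopen (and its sibling allow_url_include), and eval is a language construct, not a function, so disable_functions cannot remove it; the process-spawning functions can be. The two sample configurations are constructed and the function list is my own minimal set.

```php
<?php
// Added example, not from the post above: audit PHP settings against what it recommends
// (register_globals off, allow_url_fopen off, process-spawning functions disabled, PHP
// current). The post writes "fopen_url"; the php.ini directive is allow_url_fopen.
// eval is a language construct, not a function, so disable_functions cannot cover it.
// ASSUMPTIONS: the function list and the two sample configs are mine, not the post's.

function gfy_ini_on( array $ini, $key ) {
    if ( ! isset( $ini[ $key ] ) ) {
        return false;
    }
    $v = strtolower( trim( (string) $ini[ $key ] ) );
    return in_array( $v, array( '1', 'on', 'true', 'yes' ), true );
}

// $ini: directive => value (as strings, like php.ini or ini_get()); returns a list of findings.
function gfy_audit_php_config( array $ini, $version ) {
    $findings = array();
    if ( version_compare( $version, '5.4.0', '<' ) ) {
        // register_globals only exists before PHP 5.4; on those builds it must be Off.
        if ( gfy_ini_on( $ini, 'register_globals' ) ) {
            $findings[] = 'register_globals=On: every request parameter becomes a PHP variable; set it Off';
        }
    }
    if ( gfy_ini_on( $ini, 'allow_url_fopen' ) ) {
        $findings[] = 'allow_url_fopen=On: fopen()/file_get_contents() fetch remote URLs; set it Off unless a script needs it';
    }
    if ( gfy_ini_on( $ini, 'allow_url_include' ) ) {
        $findings[] = 'allow_url_include=On: include/require can load remote code; set it Off';
    }
    $raw      = isset( $ini['disable_functions'] ) ? $ini['disable_functions'] : '';
    $disabled = array_filter( array_map( 'trim', explode( ',', $raw ) ) );
    foreach ( array( 'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open' ) as $fn ) {
        if ( ! in_array( $fn, $disabled, true ) ) {
            $findings[] = "$fn is callable: add it to disable_functions if no script on the site needs it";
        }
    }
    return $findings;
}

// Settings of the interpreter running this script, in the same shape as the samples below.
function gfy_live_ini() {
    $ini = array();
    foreach ( array( 'register_globals', 'allow_url_fopen', 'allow_url_include', 'disable_functions' ) as $k ) {
        $v = ini_get( $k ); // false when the directive does not exist in this PHP
        if ( $v !== false ) {
            $ini[ $k ] = $v;
        }
    }
    return $ini;
}

// Constructed samples: the "couple of years old" box the post warns about, and a hardened one.
$configs = array(
    'old box (PHP 5.2.17)' => array( '5.2.17', array( 'register_globals' => 'On', 'allow_url_fopen' => 'On', 'disable_functions' => '' ) ),
    'hardened (PHP 5.3.6)' => array( '5.3.6', array( 'register_globals' => 'Off', 'allow_url_fopen' => 'Off', 'allow_url_include' => 'Off', 'disable_functions' => 'exec,shell_exec,system,passthru,popen,proc_open' ) ),
    'this interpreter'     => array( PHP_VERSION, gfy_live_ini() ),
);
foreach ( $configs as $label => $cfg ) {
    $findings = gfy_audit_php_config( $cfg[1], $cfg[0] );
    echo "$label: " . ( $findings ? count( $findings ) . ' finding(s)' : 'clean' ) . "\n";
    foreach ( $findings as $f ) {
        echo "  - $f\n";
    }
}
```

Run it with the same PHP binary the web server uses (`php -c /etc/php.ini audit.php`, or drop it under the web root briefly and fetch it) since the CLI and the web SAPI frequently load different php.ini files. As the post says, disabling these functions breaks anything that shells out, so check plugins that call exec() or proc_open() (image conversion, backups) before applying the list.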