Tag: hack

Harden and secure wordpress, using managewp.com and GDPR.

Today on episode 18 of Web Hosting Podcast, I continue the discussion of the WordPress hack dissection. Since the last episode I have been asked about ways to harden and secure a WordPress install, and what I recommend for managing updates. Also in this episode: GDPR (General Data Protection Regulation). Are you ready for the changes coming on May 25th?

  • GDPR: new rules for the EU take effect May 25th, 2018 – Official Link
  • The most important pieces that change here
  • WordPress 4.9.6 was released with GDPR specifically in mind. Release Notes

Simple ways to keep your WordPress install safer.

  1. Keep your WordPress install updated. Plain and simple. Have an update schedule and stick to it. Some plugins need the WordPress core updated before they will allow the plugin itself to be updated. If you are on an old version of WordPress, it is very likely your plugins are outdated as well and may contain known vulnerabilities that are used to hack your site.
  2. Don’t use plugins that are outdated or no longer maintained. These can easily carry old, known vulnerabilities that leave you open to a hack, and they will never be fixed. A plugin can also be bought by a hacker group, which has happened, who then add code to exploit your install. If you see a plugin that has had no updates for many years and then suddenly gets one update, be wary.
  3. Use strong passwords and don’t use the default username “admin”.
  4. Use a plugin to block failed login attempts.
  5. Move the wp-admin URL to something else.
  6. Ensure the PHP version you are using is still maintained. If you are using the PHP 5.x series, you really should migrate to PHP 7.x.
  7. Use common sense. Don’t log in to your WordPress site, even over HTTPS, on a shared wifi network: coffee shops, bars, the mall, etc. Even over HTTPS, information can be intercepted.
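Item 4 above is what a login-blocking plugin does for you. To show what it is actually looking for, here is an added example (not code from the podcast or from any plugin) that reads a web server access log offline and flags clients that fail the login form repeatedly. It assumes the Apache/Nginx combined log format, and that a POST to /wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form) while a successful login answers 302; the log lines are constructed, not real traffic.

```python
"""Spot repeated failed logins against wp-login.php in an access log.

Added example, not code from the podcast or from a login-blocking plugin.
Assumes the combined log format and that POST /wp-login.php -> 200 means
a failed login while -> 302 means success. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ip ident user [time] "METHOD path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client hammering the login form, one legitimate
# user who mistypes twice and then succeeds, one client only loading pages.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.58.0"
203.0.113.7 - - [10/May/2018:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.58.0"
192.0.2.9 - - [10/May/2018:09:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.58.0"
203.0.113.7 - - [10/May/2018:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.58.0"
198.51.100.4 - - [10/May/2018:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2018:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2018:09:01:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:09:01:50 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.58.0"
203.0.113.7 - - [10/May/2018:09:01:55 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.58.0"
192.0.2.9 - - [10/May/2018:09:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/7.58.0"
"""


def parse_log(log_text):
    """Yield (ip, timestamp, method, path, status) for every parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than crash
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def failed_login_times(log_text):
    """Map each client IP to the sorted timestamps of its failed login POSTs."""
    failures = defaultdict(list)
    for ip, ts, method, path, status in parse_log(log_text):
        # Strip any query string so /wp-login.php?redirect_to=... still matches.
        if method == "POST" and path.split("?", 1)[0] == "/wp-login.php" and status == 200:
            failures[ip].append(ts)
    return {ip: sorted(times) for ip, times in failures.items()}


def failed_login_counts(log_text):
    """Total failed logins per IP over the whole log."""
    return {ip: len(times) for ip, times in failed_login_times(log_text).items()}


def flag_ips(log_text, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failed logins inside any `window`.

    Two-pointer sweep over each IP's sorted timestamps, so a slow trickle of
    typos spread over hours is not mistaken for a brute-force run.
    """
    flagged = []
    for ip, times in failed_login_times(log_text).items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for ip, n in sorted(failed_login_counts(SAMPLE_LOG).items()):
        print(f"{ip:15} {n} failed login(s)")
    print("block candidates:", flag_ips(SAMPLE_LOG))
```

The threshold and window are the two knobs a blocking plugin exposes; the sweep above is what "N failures in M minutes" means in practice. A real deployment would also watch POSTs to xmlrpc.php, which plugins count the same way.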


If you are new to WordPress and managing updates, you can use an external management application that provides additional services. I personally use managewp.com for this task. It has many features (listed below) and is 100% free for unlimited domains. Best of all, well maybe not best, they gave Web Hosting Podcast a coupon code to use after you sign up. Enter WHPOD after you enter your billing details; this will apply $10 to your account so you can try the paid options for nothing.

Initial questions about ManageWP that I am often asked by listeners, and by pretty much anyone who will tolerate me talking about this product:

  • Q: Why would I want to use it?
  • Q: How difficult is it to sign up?
  • Q: Do I need to be a techie to set it up?
  • Q: How much for basic services?
  • Q: How much is X feature?
  • Q: Can I get help?
  • Q: Is it secure?

Current pricing: a site is free, for unlimited domains. The free plan includes the following addons.

  • Manage updates, plugins and themes
  • Monthly Cloud Backup
  • 1-click login
  • Performance Check
  • Security Check using Sucuri
  • Collaboration
  • Analytics with Google
  • Manage Comments
  • Code Snippets
  • Maintenance Mode
  • Client Report
  • Vulnerability Updates
  • Templates

The following addons are paid options, per month per site. The total price for all Premium addons is $8/mo.

  • Premium Backups $2 + $0.13 per GB of traffic.
  • Clone (requires Premium Backups)
  • Safe Updates (requires Premium Backups)
  • Templates (requires Premium Backups if creating a template from a current site)
  • White Label $1
  • SEO Ranking $1
  • Uptime Monitor $1
  • Advanced Client Report $1
  • Automated Security Check $1
  • Automated Performance Check $1

Plugins I currently use the paid versions of:

Premium Backup – I schedule a nightly backup to their backup location and a weekly backup to Dropbox. I also use “Safe Updates”, which performs a backup before I run an update, then lets me compare screenshots from before and after the update to decide whether I need to roll back.

Security – This lets me schedule a daily scan of my site. It not only scans the site for issues, it also checks for vulnerabilities in plugins and checks Web of Trust to ensure my site is not listed in any “not safe” databases.

Uptime Monitor – This sends me an email and a text message if my site goes offline. Beyond that, it also verifies that a specific keyword is found on my site, which tells me if the site has been defaced while still being up and online.

SEO Ranking – I paid for this just to see how it works. It lets you set up to 100 keywords and track your site’s ranking for them.

Advanced Client Report – I also paid for this to see how it works. It gives me a weekly report for my site: what has been updated, SEO and Analytics reports, and security audits. It pulls all the information from the addons active in my account and sends me a nice little report every week.

Plugins I don’t pay for:

Advanced Performance – I already spend a lot of time using PageSpeed tools to get the most performance I can, and I am always tweaking things. It is simply easier for me to trigger a Performance Check manually, since I am always in my ManageWP dashboard anyway.

My total monthly cost is $6: $2/mo. for Premium Backups, and $1/mo. each for Uptime Monitor, SEO, Client Reports and Security Check.

Dissection of a WordPress hack.

Today on episode 17 of Web Hosting Podcast, Megan and I dissect a website hack we have been working on. We discuss the how, the what, and ways to prevent future hacks. We also discuss the defacement of webhostingpodcast.com and how I recovered the site so quickly. And remember those quick tips I used to run? They are coming back in a new way!

The podcast phone line, 971 249 2359, is manned by me on Thursdays 9AM PST – 12PM PST. Feel free to call in and press (2) to reach me directly during those hours. If you just want to leave me a message at any time, press (1) and you will be sent directly to a voicemail box.

Dissection of a WordPress hack we have been dealing with; the topics we cover are:

  • How we think it happened.
  • How we cleaned it up.
  • What could have prevented it.

Info on what we found from Sucuri regarding this specific website hack.

Below you will find the plugin I used to discover that the WordPress core files had been modified. This plugin has since been abandoned by Automattic (the makers of WordPress, WooCommerce and Jetpack, to name a few), but it can still be used. You need to download the hash file for the version of WordPress you are running. I would just like to point out that other external and filesystem-based scans did NOT find this hack. Only by careful examination of the exploit scanner’s output were we able to find the source of it. It is no longer enough to scan with one tool and assume the site is clean. I recommend that you scan with multiple sources if you think you have been hacked, or if a hack keeps coming back after being cleaned. I also, and I cannot stress this enough, recommend a daily backup of your website. There are many tools out there that will help you take a regular backup to an external location such as Dropbox, S3, FTP, or Google Drive. There is no reason not to have this set up for your site.

This is the plugin link.
And this is the location of the hash file on GitHub.
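The check the exploit scanner performs, comparing every core file against a published hash file, is simple enough to run by hand, and doing so with a second tool is exactly the "scan with multiple sources" advice above. The following is an added example and is not the plugin’s code or any hash file from the page: it builds a manifest of a constructed file tree, tampers with a copy, and reports what differs. The manifest shape it parses matches the document returned by WordPress.org’s core checksums API (a JSON object with a "checksums" map of relative path to MD5 hex), which the `wp core verify-checksums` command also uses; everything else, including the sample tree and the file names in it, is constructed for the demo.

```python
"""Verify a WordPress tree against a hash manifest and report differences.

Added example, not code from the podcast or from the abandoned exploit
scanner plugin. The sample tree and the "tampering" below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large files do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """{relative posix path: digest} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def load_wporg_checksums(json_text):
    """Parse the {"checksums": {path: md5hex, ...}} document that
    api.wordpress.org/core/checksums/1.0/?version=...&locale=... returns.
    Those digests are MD5, so pass algo="md5" to verify_tree with them."""
    return json.loads(json_text)["checksums"]


def verify_tree(root, manifest, algo="sha256", ignore_prefixes=("wp-content/",)):
    """Compare the tree at root with a manifest.

    Returns modified (hash differs), missing (in manifest, not on disk) and
    unexpected (on disk, not in manifest). wp-content/ is skipped for the
    "unexpected" list by default because user-installed plugins, themes and
    uploads live there and are never in a core manifest; files that ARE in
    the manifest under wp-content/ (bundled themes) are still checked.
    """
    actual = build_manifest(root, algo)
    modified = sorted(p for p, h in manifest.items() if p in actual and actual[p] != h)
    missing = sorted(p for p in manifest if p not in actual)
    unexpected = sorted(p for p in actual
                        if p not in manifest and not p.startswith(ignore_prefixes))
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Snapshot a constructed 'clean' tree, then change a copy and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-content" / "plugins").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "functions.php").write_text("<?php function wp_ok() {}\n")
        (site / "wp-content" / "plugins" / "hello.php").write_text("<?php // bundled plugin\n")
        manifest = build_manifest(site)  # stands in for the published hash file

        # Constructed changes that mimic what a cleanup finds: an edited core
        # file, a dropped extra file, a deleted file, and a legitimately
        # user-installed plugin that must NOT be reported.
        (site / "wp-includes" / "functions.php").write_text("<?php function wp_ok() {} // edited\n")
        (site / "wp-includes" / "extra-file.php").write_text("<?php // not part of core\n")
        (site / "index.php").unlink()
        (site / "wp-content" / "plugins" / "my-plugin.php").write_text("<?php // user-installed\n")
        return verify_tree(site, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a live site, replace the locally built manifest with the checksums document for the exact version and locale you run, and treat any "modified" or "unexpected" entry outside wp-content/ as something to explain before declaring the site clean.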