- This topic is empty.
-
AuthorPosts
-
February 5, 2013 at 12:39 pm #831990
wbprofitsMemberSucuri SiteCheck – Free Website Malware Scanner
sucuri is a site scanner for malware
Usually a coder can remover it . sucuri will also for a for a yearly feeFebruary 5, 2013 at 1:44 pm #831991
voodoomanMemberFirst off change your password immediately then make sure you have upgraded WordPress to the latest version and the same with all your plugins and your theme. If you are using a free theme and plugins that havn’t been updated by their authors for a long time they to may contain vulnerabilities.
Use the WordPress security plugin called “Wordfence”. It will scan your site file by file and hopefully detect the intrusion. If the intruder has hacked into your database then you will need some expert help.
If you view the Pages Not Found tab in your Wordfence admin area you will see how these hackers randomly search the internet for WordPress sites that have certain themes and plugins that obviously have vulnerabilities.
February 5, 2013 at 7:36 pm #831996
MissMMemberI have found the bad script on my Header file, I am just not sure from where to where to delete it? Can someone help me with this? I can PM you the Header text.
February 5, 2013 at 7:37 pm #831997
MissMMember……….
February 5, 2013 at 8:35 pm #831999
Darpan.bMember@byebyebaby 249703 wrote:
I have found the bad script on my Header file, I am just not sure from where to where to delete it? Can someone help me with this? I can PM you the Header text.
Did you find some help?
I send you a PM.
February 8, 2013 at 1:06 am #832026Anonymous
InactiveYou might want to change the default admin username to something else. This way, the hacker needs to guess the username and the password.
February 8, 2013 at 10:04 am #832028
MissMMemberI did
But thanks…February 8, 2013 at 2:44 pm #832031
cuddlypawsMemberThen you should work on to make your website safe now. There are many steps you can do to prevent further easy attacks. Set the right file permissions to (eg. index/config files 444), htaccess for admin folders, exclude libwww-perl visits, change all passwords etc etc…
February 8, 2013 at 3:11 pm #832033Anonymous
InactiveI know this hack, it’s the same one rmeeuwsen had.
PM me your cpanel login details and I’ll clean it for you.
February 9, 2013 at 11:36 am #832046
gokkenMemberHi bbb,
Install the following security plugins, after you’ve cleaned your site up:
- WordPress › Wordfence Security (scans files for exploits, scans WP core files, plugs and themes against original WP repository files. Blocks fake Google bots and also blocks anyone trying to brute force into your admin area. This is a must have for any WP site).
- WordPress › Growmap Anti Spambot Plugin (anti spam tool)
- WordPress › Break Out of Frames (stops anyone framing your site and running their banners atop and below your site.
Here are couple of other which are good to have:
- WordPress › WP-Optimize (delete saved drafts etc etc also optimizes your database)
- WordPress › WP Minify (crunches coding etc etc which speeds up load times).
Also change your Admin login name from “admin” to something else. You can do this via your database (easy if you have CPanel). Also change your password too. 15 alpha/numerical/special characters is what I use.
In addition I suggest hardening your WordPress with some tricked up htaccess commands. If you need these let me know
February 10, 2013 at 6:24 pm #832054
MissMMemberThanks Dave, but do those plugins not slow down my website a lot?
February 11, 2013 at 3:04 am #832065
gokkenMember@byebyebaby 249779 wrote:
but do those plugins not slow down my website a lot?
Every plugin will degrade performance a little.
However given you’ve already been hacked, I’d be more concerned about taking steps to stop being hacked again and less concerned about a few seconds of extra load time, which can be reduced by implementing gzip compression for example.
This is not html!
Add it to your first line in your .htacess file.[HTML]
# BEGIN Compress text files
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript application/x-httpd-php
# END Compress text files# BEGIN Expire headers
ExpiresActive On
ExpiresDefault “access plus 5 seconds”
ExpiresByType image/x-icon “access plus 2592000 seconds”
ExpiresByType image/jpeg “access plus 2592000 seconds”
ExpiresByType image/png “access plus 2592000 seconds”
ExpiresByType image/gif “access plus 2592000 seconds”
ExpiresByType application/x-shockwave-flash “access plus 2592000 seconds”
ExpiresByType text/css “access plus 6048000 seconds”
ExpiresByType text/javascript “access plus 2160000 seconds”
ExpiresByType application/javascript “access plus 2160000 seconds”
ExpiresByType application/x-javascript “access plus 2160000 seconds”
ExpiresByType text/html “access plus 600 seconds”
ExpiresByType application/xhtml+xml “access plus 600 seconds”
# END Expire headers# BEGIN Cache-Control Headers
Header set Cache-Control “public”
Header set Cache-Control “public”
Header set Cache-Control “private”
Header set Cache-Control “private, must-revalidate”
# END Cache-Control Headers
[/HTML]Next I’d recommend adding this to your htaccess file:
[HTML]
order allow,deny
deny from all
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ – [F,L]
[/HTML]To save adding a blank html/php page to every directory, you can use this to prevent anyone seeing what’s in a directory. Bare in mind this can cause a 500 error as it doesn’t work on all hosting. So it’s a add it and check thing.:
[HTML]
Options All -Indexes
[/HTML]February 11, 2013 at 12:48 pm #832071
MissMMemberYou are right about that… Thanks!
So just copy and paste, that’s all?
February 11, 2013 at 1:02 pm #832072
gokkenMember@byebyebaby 249800 wrote:
So just copy and paste, that’s all?
Yep, that’s it

I also use GEO IP blocking to stop places like China etc etc gaining access. Of course someone can use a VPN or proxy but 9 times out 10 spammers, script kiddies and misbehaving bots don’t bother using these so it does stop a % of undesirables accessing your site(s).
February 11, 2013 at 2:27 pm #832077
cuddlypawsMember@AussieDave 249790 wrote:
Every plugin will degrade performance a little.
However given you’ve already been hacked, I’d be more concerned about taking steps to stop being hacked again and less concerned about a few seconds of extra load time, which can be reduced by implementing gzip compression for example.
This is not html!
Add it to your first line in your .htacess file.[HTML]
# BEGIN Compress text filesAddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript application/x-httpd-php
# END Compress text files
# BEGIN Expire headers
ExpiresActive On
ExpiresDefault “access plus 5 seconds”
ExpiresByType image/x-icon “access plus 2592000 seconds”
ExpiresByType image/jpeg “access plus 2592000 seconds”
ExpiresByType image/png “access plus 2592000 seconds”
ExpiresByType image/gif “access plus 2592000 seconds”
ExpiresByType application/x-shockwave-flash “access plus 2592000 seconds”
ExpiresByType text/css “access plus 6048000 seconds”
ExpiresByType text/javascript “access plus 2160000 seconds”
ExpiresByType application/javascript “access plus 2160000 seconds”
ExpiresByType application/x-javascript “access plus 2160000 seconds”
ExpiresByType text/html “access plus 600 seconds”
ExpiresByType application/xhtml+xml “access plus 600 seconds”# END Expire headers
# BEGIN Cache-Control Headers
Header set Cache-Control “public”
Header set Cache-Control “public”
Header set Cache-Control “private”
Header set Cache-Control “private, must-revalidate”
# END Cache-Control Headers
[/HTML]Next I’d recommend adding this to your htaccess file:
[HTML]
order allow,deny
deny from allRewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ – [F,L]
[/HTML]To save adding a blank html/php page to every directory, you can use this to prevent anyone seeing what’s in a directory. Bare in mind this can cause a 500 error as it doesn’t work on all hosting. So it’s a add it and check thing.:
[HTML]
Options All -Indexes
[/HTML]Looks good, I would also recommend to add somehing like this, to prevent using of scripts eg. regarding mysql injections, globals, base64_encode data and request variables:
[HTML]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]
..//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]
([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (../|..) [OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING}
|w| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*([^)]*) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(
[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(
[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (./|../|…/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127.0.0.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^(]*( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|’|”|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ – [F,L]
[/HTML]
Prevent config files access:
[HTML]
Order allow,deny
Deny from all
[/HTML] -
AuthorPosts