Compromised wordpress and file permissions question
I have a site on my server that keeps getting hacked. Various files get changed. I have already changed my password and the site admin has changed his, but it has happened again. I have the plugins below. I am wondering if folder permissions are good enough. For example, the WordPress includes folder is at 755; can this be improved without preventing the site from working? Can a "simple" user account change files?
- Removed -
I've removed all of the links you posted, no need for that here. This sort of question might be better asked over on the WordPress support forums. :) Also, they've got a guide here you might like to know about: Hardening WordPress « WordPress Codex 0 -
OK great, I guess I'll have to go off and learn on my own... before I get hacked again. I was hoping for a quick answer on file/folder permissions. I have already noticed that if I install WordPress through cPanel it sets some files with different permissions to an independent install. Whoever is doing this came back overnight and did more damage than they did before, despite having Wordfence installed. The site runs WordPress as a forum as well, and I found a user (the last one to register) with a dubious name and email, so I deleted it. But this was a simple user; how were they able to modify over 100 files as a simple user? Before I become an amateur expert in security after this site is obliterated, the most obvious course of action is to make sure all files are locked down and not open to modification. The only thing I can think of is that this user, being a user, had enough permission to modify WordPress files. 0 -
Here are some links that might help: FAQ My site was hacked « WordPress Codex ........ and probably one of the most relevant: 0 -
Well, I have done all I can with Wordfence. I have indeed done all they recommend already. It is now down to general WordPress security. 0 -
I was not blaming anyone, simply saying that I have indeed exhausted the Wordfence capabilities and it is time to make sure WordPress is also secure. I warned the user against a WordPress-based forum but he would not listen. His plugins appear to be all reputable ones. 0 -
Well, no further modifications to any of the site files. I am looking at the server security, and under a cPHulk brute force protection page I see a country blacklist/whitelist. What does this apply to? Any access to the server, including just viewing the websites, or is this just logins to cPanel? All of my customers are UK based. 0 -
cPHulk will provide protection against brute force logins to the following services:
- cPanel services (Port 2083).
- WHM services (Port 2087).
- Mail services (Dovecot and Exim).
- The PureFTPd service.
- Secure Shell (SSH) access.
0 -
OK, well it is a start as all of my users are in the UK. I have been looking at the logs for traffic in Wordfence and indeed a few from Russia, Vietnam and Pakistan. They all try to log straight into a certain post or user profile from the main page, which means it's not a normal human visitor, as they all try to go directly to unapproved forum posts or now-deleted user accounts without going through site links, i.e. they are returning spammers to what they put there before. Some try to directly log in to accounts previously set up that have not been activated. However, as you suggest, a small minority appear to be in the UK; for all I know these may even be from bots set up on other hacked UK servers or, as you suggest, someone using a proxy. So no, I am not expecting to solve it all with a blacklist, but plenty of people from dodgy countries that have no business accessing anything other than the public websites are happily not disguising their location, and blocking the bigger offending countries outside of Europe will at least make them work harder or not bother if it's a simpler attack. 0 -
Oh, and as for not blaming cPanel or WordPress: WordPress was designed to make setting websites up easy for anyone. I see plenty of advice against using it for a forum and this would seem correct; I have even been warned in the past of the security of WordPress itself. I still don't know how they got in as nothing silly was done. My WHM has warned of plenty of critical problems with..... itself. It would appear that WHM is installed by choice with many of its own recommendations not in place. But then of course at every turn I am urged to buy CloudLinux, and plenty of companies, some recommended by cPanel, offer to fix hacked websites, and let's face it, by "seasoned and experienced" when they refer to their teams they mean that, given that they are constantly fixing the same system, clearly once you learn to deal with one hack type you can have plenty of success using the same method on the same type on many websites. I'm sure the simple actions I took on behalf of my hacked user would have commanded a couple of hundred dollars or more from one of these so-called experts. 0 -
I am delighted to see you have resolved your issues. So that we can all make sure our users do not suffer from the same vulnerabilities, perhaps you could share with the community exactly how your site got hacked and what malware (if any) was installed that was altering the files on your user's WordPress site, or how the hackers kept on altering the files after all the passwords had been changed? And, of course, exactly how you cleaned or disinfected the server/website and subsequently secured it? 0 -
Well, I'm not sure what it was, but they were trying to redirect people to another site to enter login details, I think. I simply replaced the altered files with original copies from WordPress and the plugins. I installed Wordfence and followed all of the recommendations; I have set fairly tight restrictions on the blocking of users that get their login details wrong. As I said, I still don't know how they got in; the only way I can explain the second attack, if I have truly stopped them, was that the other admin user took too long to change his password. I have enabled the WHM brute force prevention settings that you suggested as well as blacklisting all non-European countries. I removed the xmlrpc.php API from all WordPress sites; I don't know if that is how they were guessing their way in in the first place, as it bypasses what security WordPress has. If it's any consolation to the "experts", another user has gone to his site and found it all ready to install WordPress again, so it's not all over yet :( There was no malware installed per se; they modified just about every JavaScript file they could get their hands on. 0 -
3 WordPress sites have been reduced to blank copies of WordPress ready for reinstall. Wonder how that happened? Oh yeah, cPanel ships WHM with no security enabled. ModSecurity has picked up various attacks since this morning with a list of nearly 100 entries; naturally, in classic Linux style, information is scant. I have no idea if the log is telling me this bad stuff happened or if it was blocked. Thanks to the bog standard installation these people just walked in! 0 -
I'm sorry to hear you're having these security issues. If you wouldn't mind, please visit this area in your WebHost Manager and see if that check comes up with any security issues: WebHost Manager » Security Center » Security Advisor. If any come up red, what are they? Assuming you now have ConfigServer Firewall installed, please visit this area in WebHost Manager: WebHost Manager » Plugins » ConfigServer Security & Firewall. Click "Check Server Security". If any come up red, what are they? If you prefer, you don't have to do this.
"they modified just about every JavaScript file they could get their hands on."
Your site(s) have clearly been compromised, going by this comment. If you're unsure of how to clean up this sort of issue, please contact your hosting provider for help or suggestions. Or, you might consider looking into hiring an expert to assist you. Here are a few suggestions: If you know for sure which account is the one having the issues, I suggest you suspend it. That should prevent anyone but you from having access to its file system until you can sort these issues out. Assuming you've got proper backups enabled, you might be able to restore the account from a backup prior to the issues, and then take a closer look at the files and directories on that account. You might be looking at the file and directory dates in the plugins directories, for example: oddly named directories or files with recent dates, that sort of thing. If the user on this account can be reached, ask them if they've installed any new add-ons in the past 6 months or so. If they say no, and something on that account has a new date stamp, you might have something to go on. If they've installed an add-on or new style, what is it, is it up to date, and did they install a pirated version possibly?
"wordpress was designed to make setting websites up easy for anyone"
This is true. But there is more to all of this than installing a few scripts and add-ons and away you go. Assuming you're managing your own server, you might consider moving to a managed server. You can find some of the best managed services providers from cPanel Partners using this search page: My apologies I can't help more, but compromised sites/servers require an expert admin with direct access to the system to sort out. If it can be sorted out. GL with this. 0 -
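The original question asked whether 755 on wp-includes is safe and how a "simple" user could change files, and the reply above suggests looking for files and directories with recent date stamps. The script below is an added example (not from this thread, WordPress or cPanel) that does both checks over a WordPress docroot: it lists anything looser than the 644/755 that the Hardening WordPress guide recommends, and lists files modified in the last N days. The sample tree it builds is constructed for the demo; the paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from this thread or from WordPress/cPanel): audit a
# WordPress tree for permissions looser than 644 (files) / 755 (directories)
# and list files modified in the last N days. Paths are hypothetical.

# List files that are group- or world-writable (-020 / -002 bits set), and
# directories that are world-writable. On a clean install nothing is printed.
wp_perm_audit() {
  local root="$1"
  find "$root" -type f \( -perm -020 -o -perm -002 \) -print
  find "$root" -type d -perm -002 -print
}

# List files modified within the last N days (default 7), the "recent date
# stamp" check suggested above. Compare the output against the date of the
# last legitimate update or plugin install.
wp_recent_changes() {
  local root="$1" days="${2:-7}"
  find "$root" -type f -mtime "-$days" -print
}

# Build a small constructed sample tree so the checks can be run offline:
# one core file with correct mode and an old timestamp, one plugin file that
# is world-writable, and a fresh PHP file in uploads (a suspicious location).
make_sample_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/plugins/example-plugin" "$d/wp-content/uploads"
  printf '<?php\n' > "$d/wp-includes/functions.php"
  printf '<?php\n' > "$d/wp-content/plugins/example-plugin/plugin.php"
  printf '<?php\n' > "$d/wp-content/uploads/dropped.php"
  chmod 755 "$d/wp-includes" "$d/wp-content" "$d/wp-content/plugins" \
            "$d/wp-content/plugins/example-plugin"
  chmod 777 "$d/wp-content/uploads"                               # too loose
  chmod 644 "$d/wp-includes/functions.php" "$d/wp-content/uploads/dropped.php"
  chmod 666 "$d/wp-content/plugins/example-plugin/plugin.php"     # too loose
  touch -t 202001010000 "$d/wp-includes/functions.php"            # old, untouched core file
  printf '%s\n' "$d"
}

# Usage: ./wp_audit.sh --demo runs both checks against the sample tree;
# in practice point the functions at the real docroot instead.
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_tree)
  echo "== loose permissions =="; wp_perm_audit "$sample"
  echo "== changed in last 7 days =="; wp_recent_changes "$sample" 7
  rm -rf "$sample"
fi
```

On the sample tree the permission check reports only plugin.php and the uploads directory, and the recent-changes check reports the two freshly written PHP files but not the old core file. One caveat worth keeping in mind when reading the results: a WordPress "simple" user has no filesystem access at all, so files are changed by PHP code running as the hosting account's own user, and 644/755 does nothing to stop code that already runs as that user. The modes stop other accounts on the server from writing, and the date-stamp check is what tells you which files that code touched.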
"Apache vhosts are not segmented or chroot()ed. Enable "Jail Apache" in the "Tweak Settings" area, and change users to jailshell in the "Manage Shell Access" area. Consider a more robust solution by using "CageFS on CloudLinux""
"The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server's firewall."
I have disabled the shell access full stop, so I don't know why this is an issue. I assume jailed means enabled but with restrictions? The tweak setting is greyed out and so I can't do anything with it. I am not on CloudLinux. The second issue is double Dutch to me. I suspect that, thanks to the total lack of security, meaning the actual bundled security was not enabled, these people just walked into every account on the server with a brute force attack. Thanks a bunch. The reason I bought a commercial solution was with the expectation that I was purchasing something fit for use and not some hacked-together freeware thing where again I need to hire experts. It's even complaining about the password strengths! The default ones set up by cPanel!!!! Last time I tried installing a third-party firewall it nearly locked me out of my own server because a user trying to access emails over a non-STARTTLS connection was upsetting it and his iPhone gave him no options. 0 -
Hello @Thunderchild, It's unfortunate to see that one of your accounts was compromised. That's never a good experience, and not knowing the source of the attack can be unsettling. I'd like to help get you moving forward in the right direction. Do you happen to know which version of WordPress was installed? One of the more common targets for hackers are outdated installations with unpatched vulnerabilities. If it was a brute force attack, the following thread includes some useful discussion on how to help prevent those in the future:
"Apache vhosts are not segmented or chroot()ed. Enable "Jail Apache" in the "Tweak Settings" area, and change users to jailshell in the "Manage Shell Access" area. Consider a more robust solution by using "CageFS on CloudLinux""
Here's a thread where this option is discussed in more detail: Feel free to respond to that post if you have any additional questions about that particular option and we can continue the discussion there.
"The MySQL service is currently configured to listen on all interfaces: (bind-address=*) Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server's firewall."
Generally the best approach to address this warning is to add the following line to the /etc/my.cnf file so that MySQL does not listen to connections on all interfaces:
bind-address=127.0.0.1
"Last time I tried installing a third-party firewall it nearly locked me out of my own server because a user trying to access emails over a non-STARTTLS connection was upsetting it and his iPhone gave him no options."
Do you happen to remember the name of the firewall application you installed? The most common one we see used with cPanel & WHM is CSF by ConfigServer. I'm happy to help troubleshoot any issues that arise post-installation if you'd like to give this one a shot. Thank you. 0 -
The first site to be compromised was up to date WordPress-wise, but on logging in some plugins did require updating; this site has only been live for a few months, so nothing was drastically out of date. WordPress updates itself these days if it is a minor update. 0 -
Hello @Thunderchild, Do you happen to remember the name of the firewall application you installed? The most common one we see used with cPanel & WHM is CSF by ConfigServer. I'm happy to help troubleshoot any issues that arise post-installation if you'd like to give this one a shot. Thank you.
Yea, that one. It made no sense to me. My provider has a firewall but apparently it's not much cop. 0 -
Hello @Thunderchild, Generally the best approach to address this warning is to add the following line to the /etc/my.cnf file so that MySQL does not listen to connections on all interfaces:
bind-address=127.0.0.1
Thank you.
Where would I find this file and how do I open it?
root@server [~]# cd etc
bash: cd: etc: No such file or directory
root@server [~]#
0 -
"Yea, that one. It made no sense to me. My provider has a firewall but apparently it's not much cop."
Feel free to create a new thread here if you want to give it another go and have any questions about the installation/configuration process with CSF. While it's not an application we directly support or develop, it's widely used by cPanel administrators, so you're likely to receive some good feedback/assistance.
"Where would I find this file and how do I open it? root@server [~]# cd etc bash: cd: etc: No such file or directory root@server [~]#"
You'd use "cd /etc" in the above example. Or, just define the path when editing the file using your preferred command line text editor. EX: vi /etc/my.cnf
The following document is a good place to start when using Linux commands: 0 -
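The Security Advisor warning quoted in this thread and the bind-address=127.0.0.1 fix for /etc/my.cnf are easy to verify and easy to get wrong (a my.cnf with no bind-address at all also listens on every interface). The script below is an added example, not from this thread, cPanel or MySQL: it reads the effective bind-address out of a my.cnf, flags a 3306 listener exposed on a non-loopback address in `ss -ltn` output, and rewrites the setting on a copy of the file. The my.cnf contents and the `ss` output are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not from this thread or from cPanel/MySQL): read the
# effective bind-address from a my.cnf, flag a MySQL listener on 3306 that is
# exposed on all interfaces in `ss -ltn` output, and apply the loopback fix
# to a copy of the file. All sample inputs below are constructed.

# Constructed my.cnf contents: the weak setting from the advisor warning, and
# the corrected one. A missing bind-address also means "all interfaces".
MYCNF_WEAK='[mysqld]
bind-address=*
datadir=/var/lib/mysql'

MYCNF_FIXED='[mysqld]
bind-address = 127.0.0.1
datadir=/var/lib/mysql'

# Print the bind-address set in the [mysqld] section of the given my.cnf
# text; prints "*" when unset, since that is the effective default.
mysql_bind_address() {
  printf '%s\n' "$1" | awk -F= '
    /^[[:space:]]*\[/ {
      section=$0; gsub(/\[/, "", section); gsub(/\]/, "", section)
      gsub(/[[:space:]]/, "", section); next
    }
    section=="mysqld" && $1 ~ /^[[:space:]]*bind-address[[:space:]]*$/ {
      v=$2; gsub(/[[:space:]]/, "", v); addr=v
    }
    END { print (addr=="" ? "*" : addr) }'
}

# Constructed `ss -ltn` output: one mysqld socket on every interface, one on
# loopback, and sshd for contrast.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
LISTEN 0      128    *:22              *:*'

# Print local addresses listening on 3306 that are not loopback; an empty
# result means the port is not reachable from the network.
exposed_3306() {
  printf '%s\n' "$1" | awk '$1=="LISTEN" && $4 ~ /:3306$/ && $4 !~ /^(127\.|\[::1\]:)/ { print $4 }'
}

# Rewrite the bind-address line in a my.cnf file (a temp copy in the demo) so
# MySQL only listens on loopback; inserts the line after [mysqld] if absent.
set_bind_address_loopback() {
  local file="$1"
  if grep -Eq '^[[:space:]]*bind-address' "$file"; then
    sed -i -E 's/^[[:space:]]*bind-address.*/bind-address=127.0.0.1/' "$file"
  else
    sed -i '/^\[mysqld\]/a bind-address=127.0.0.1' "$file"
  fi
}

# Usage: ./mysql_bind_check.sh --demo reports the samples and applies the fix
# to a temp copy. On a real server edit /etc/my.cnf, restart MySQL, then
# re-run `ss -ltn` to confirm only 127.0.0.1:3306 remains.
if [ "${1:-}" = "--demo" ]; then
  echo "weak config binds to:  $(mysql_bind_address "$MYCNF_WEAK")"
  echo "fixed config binds to: $(mysql_bind_address "$MYCNF_FIXED")"
  echo "exposed listeners:     $(exposed_3306 "$SS_SAMPLE")"
  tmp=$(mktemp); printf '%s\n' "$MYCNF_WEAK" > "$tmp"
  set_bind_address_loopback "$tmp"
  echo "after fix:             $(mysql_bind_address "$(cat "$tmp")")"
  rm -f "$tmp"
fi
```

The config change only takes effect after MySQL is restarted, which is why the listener check is the one to trust: it reports 0.0.0.0:3306 for the sample above even though the loopback socket is also present. Closing 3306 in the firewall, the other option the advisor gives, is worth doing as well so that a later config edit cannot silently reopen the port.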
Hello @Thunderchild, It's unfortunate to see that one of your accounts was compromised. That's never a good experience, and not knowing the source of the attack can be unsettling. I'd like to help get you moving forward in the right direction. Do you happen to know which version of WordPress was installed? One of the more common targets for hackers are outdated installations with unpatched vulnerabilities. If it was a brute force attack, the following thread includes some useful discussion on how to help prevent those in the future: Feel free to respond to that post if you have any additional questions about that particular option and we can continue the discussion there. Generally the best approach to address this warning is to add the following line to the /etc/my.cnf file so that MySQL does not listen to connections on all interfaces:
bind-address=127.0.0.1
Do you happen to remember the name of the firewall application you installed? The most common one we see used with cPanel & WHM is CSF by ConfigServer. I'm happy to help troubleshoot any issues that arise post-installation if you'd like to give this one a shot. Thank you.
Right, this one is fixed. 0