New on LowEndTalk? Please Register and read our Community Rules.
Comments
@budingyun I don't know what LF_BOGON is but if it is what I think it is, you can safely remove it. It's 2013, there is almost no bogon (i.e. unallocated) IPv4 address space left.
Thank you for the tips.
@jhadley -> Protecting yourself against Wordpress hackers -> Just use Drupal instead.
Not quite, but I enjoy Authy. Free two-factor authentication for products (thanks Rage4) and it has a WordPress plugin; it takes minutes to set up.
Smartphone apps similar to an RSA SecurID, or upgrade to their free Basic plan to get SMS texts for basic cell phones to login to your blog.
Instant free two-factor authentication.
I personally just implemented & tweaked mod_security rules sent by LiquidWeb, that will block the IP after a few failed attempts.
Takes a minute to add the rule to modsec2.user.conf, another to modify modsec2.conf (for stronger filtering), and a second or two to create / chmod the directory settings used by ASL rules.
I'm using something similar to what @Kris suggested on Gatsby. Albeit using Google's two factor authentication.
Hand vetting plugins and themes also greatly helps in preventing this sort of crap.
One thing I recommended to WordPress, and they shot me down, was random directory names per install for themes and plugins. It ends the ability to use a search engine to locate WordPress installs and go straight to a compromised plugin, i.e. every WordPress install would be different.
Pretty sure you can do this with plugins and re-name them as you like, and just make sure Indexing is off / pop an index.php in there so names aren't revealed.
Would be good to have the ability to be able to re-name the wp-plugins/ and wp-themes/ directory to something you'd like, and just set it as a flag in config.php.
Not perfect as some would probably echo their location within the page, but it would avoid an easy sweep through Google / harvesting to exploit as you've mentioned.
In the meantime, mod_security, Authy and renaming plugin-directories (have to re-enable them) is working quite well for me.
oh well, can someone access my wp-admin?
I'm lost
Just .htpasswd protect that.
Layers of security are good when it comes to these things.
I like to think of security on WP as venn diagrams, each helps in some ways.
Use limit_except (Examples here: http://wiki.nginx.org/HttpCoreModule) because if, as Igor says, is evil.
http://wiki.nginx.org/IfIsEvil
@MikHo preventing a data leak
I have tried it, but some tutorials, which are for Apache, don't work for Nginx.
For example, deny all ip except one to pass.
I can only use whitelisting from the Nginx conf files
location /wp-admin {
    # block one workstation
    deny 192.168.1.1;
    # allow anyone in 192.168.1.0/24
    allow 192.168.1.0/24;
    # drop rest of the world
    deny all;
}
something like that?
disclaimer: most of it is a copy/paste from the interwebs
They started spamming to AOL and Yahoo now. Before it was just Russian addresses. They create PHP files with obfuscated mailing code, either mail() or using sockets with SMTP. Then they POST commands to the PHP files from bots/open proxies.
I got the best solution!!
Don`t use wp -.-
It's hard when you sell shared hosting and 80% use wp
75% of the accounts on my shared server are WP...
It could be worse. They could be running Joomla.
drupal
@Mun - I was joking earlier when I recommended Drupal. I have a few years of experience with Drupal and I hate it. It's horrible, it takes forever to set up a web site and every time you add a new feature or fix something, two or three other things break in return. Drupal is a nightmare, the community is horrible and the Drupal Association is corrupt and rotten to the core. And the Obama administration spent 8 million dollars to redo the whitehouse.gov website in Drupal. It's kind of expensive for a free CMS.
http://buytaert.net/whitehouse-gov-using-drupal
I, like everyone here, hate WordPress, but to tell you the truth it is actually rather nice. It is clean and lean by most regards. Yes, there are certain things that are iffy, but the massive plugin base usually has a fix.
I'll openly admit I use and like WP as long as it's not overloaded with terrible plugins.
I'm using wp with just one plugin.
[azonenberg] wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog
http://www.bash.org/?949214
DISCLAIMER: Just trollin. Wordpress is nice.
Haha.
I wrote a guide on using fail2ban to stop bruteforce/dictionary attacks on WordPress installations:
http://abdussamad.com/archives/616-Stop-Brute-Force-WordPress-Login-Attempts-with-Fail2Ban.html
Brute force is easy, limit logins plugin.
However, the latest attacks are only using an IP once, making blocking an individual IP on failed login pointless.
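The fail2ban approach from the linked guide and the "each IP used only once" caveat above, worked through as an added example (not code from the thread or from the linked guide): it counts failed wp-login.php POSTs per source IP over constructed access-log lines and reports how many attempts a per-IP ban never catches. Assumptions: the web server keeps a combined-format access log, and a failed WordPress login POST answers 200 (form re-rendered) while a successful one answers 302.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic): one IP retrying
# three times, three IPs trying once each, and one real user who logs in successfully.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0"
198.51.100.1 - - [07/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Apr/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0"
198.51.100.3 - - [07/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0"
192.0.2.7 - - [07/Apr/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3894 "-" "Mozilla/5.0"
192.0.2.7 - - [07/Apr/2013:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields we need, or None if the line is not in combined log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_failed_login(rec):
    """Assumption: a failed POST to wp-login.php is answered with 200 (the form is
    re-rendered), a successful one with a 302 redirect into wp-admin."""
    return (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
            and rec["status"] == "200")

def failed_logins_per_ip(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            counts[rec["ip"]] += 1
    return counts

def ips_to_ban(log_text, maxretry=3):
    """Per-IP threshold, the same idea as a fail2ban jail with maxretry=3."""
    return {ip for ip, n in failed_logins_per_ip(log_text).items() if n >= maxretry}

def coverage(log_text, maxretry=3):
    """Failed attempts a per-IP ban stops versus those that slip through because each
    source IP was used fewer than maxretry times (the one-IP-per-attempt case)."""
    counts = failed_logins_per_ip(log_text)
    banned = ips_to_ban(log_text, maxretry)
    stopped = sum(n for ip, n in counts.items() if ip in banned)
    total = sum(counts.values())
    return {"failed": total, "banned_ips": len(banned), "missed": total - stopped}

if __name__ == "__main__":
    print(coverage(SAMPLE_LOG))
```

The `missed` count is the attacker's whole budget when every attempt comes from a fresh IP, which is why the thread pairs IP banning with layers that do not depend on the source address (two-factor, htpasswd, whitelisting).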
@bnmkl that made me giggle
Wordpress is a disease.