Friday, July 15, 2011

A Few Words about Wordpress Security

A recent widespread attack that has damaged many Wordpress blogs exploited the file permissions of wp-config.php. The permission for that file absolutely must be 400 or 440. Search Google for yassine edder, a scum who is running an automated script out of Tunisia. The hacker I will henceforth call "Asinine" hacked a friend of mine, who was terrified of losing everything. I worked for three hours to analyze and then undo every last bit of the damage. But now I know some things about Wordpress security. And I have added tens of thousands of IP addresses in Tunisia to my blacklist, just in case Asinine hops over to a different cafe.

I cannot stress enough the importance of setting the file permission of wp-config.php. Lock it down tight. Don't delay, do it today.

No one, and I mean no one, should install Wordpress without first becoming very familiar with the security requirements. There are precautions that should be established prior to going public with a site. Setting the file permission of wp-config.php is #1 on the list. Until it is set in a proper manner, the site can be hacked by any idiot from here to Tunisia.

Make regular backups of your Wordpress site. I prefer using the excellent Snapshot Backup Plugin for Wordpress by Jay Versluis. I don't know whether he is any relation to the Versluis who created the excellent HV Menu, but such a connection can only be flattering. Indeed, the reason I downloaded the plugin was because of the name recognition.

I use .htaccess rules to secure the archive files on my Apache server. This prevents unknown parties from downloading archive files, which remain a security risk until or unless the archive is deleted.

Copy and paste the following into the existing .htaccess in the wp-content directory or create .htaccess there if it does not already exist.
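The post's original snippet is missing here, so the following is an added reconstruction from the description in the text, not the author's own rules. It assumes 203.0.113.10 as a constructed placeholder for your static IP address, and it matches on the file extension rather than anywhere in the name so that ordinary plugin files such as blog.php are not caught.

```apache
# Added example, not the post's original snippet: restrict backup and
# archive files inside wp-content to a single trusted address.
# 203.0.113.10 is a constructed placeholder (documentation range);
# replace it with your own static IP address.
# The pattern is anchored on the file extension so that normal files whose
# names merely contain "log" or "ini" (e.g. blog.php) are not blocked.
<FilesMatch "\.(tar|sql|old|ini|bak|gz|log)$">
    # Apache 2.2 access-control syntax (current when this post was written)
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    # Apache 2.4 and later: replace the three lines above with
    #   Require ip 203.0.113.10
</FilesMatch>
```

Everyone except the whitelisted address receives a 403 for matching files; after uploading the file, request it from another connection to confirm the block actually applies.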

The above code uses a whitelisting strategy. Replace the IP address 111.222.333.444 with your own static IP address. The code will prevent anyone from downloading the .tar file, or any file with the text "sql", "old", "ini", "bak", "gz" or "log" in its name, except for someone at the specified IP address. If placed into the .htaccess in wp-content, it will control access for all files and directories within wp-content. It does not affect the parent of wp-content.

Another way to protect archives, instead of using a whitelist, would be to demand that the downloader enter a password. This is also possible to do in .htaccess, but I went with the whitelist, because it's more convenient for me.

Incidentally, the same whitelisting strategy is highly effective for the .htaccess located in the wp-admin directory. Do not allow anyone except one IP address to access the administration log-in. This will lock down security on your Wordpress site. It wards off brute-force attacks and other games hackers play. It could be adapted for sites with multiple admins, as long as the IP address of each admin is known and remains static. Could be a problem with a mobile admin, though!

I wonder who traxodone@gmail.com is? That individual sent me an email mere hours after I had posted this:

Hi Igor,

I've found your blog through Google and I hope you can help me. My blog is hacked by this guy from Tunisia, how can I restore my blog and password for wp admin?

Kind regards,

traxodone

I wrote back asking for more information, such as the blog ID and some reasons I should volunteer my assistance. No response. Well, I can't help anybody that does not communicate. Said individual may well be the hacker responsible for the attacks.

2 comments:

Web Design Melbourne said...

This Yassine Edder fellow caused us some problems recently too, caused us to spend some dollars on cleanup/security... REAL pain.

Thanks for the security tips as well!
Any chance you can detail some of the steps you took to undo the damage to help interested readers like ourselves? (from Google search of his name I wouldn't be surprised if many more people are looking for help)

There's also a YouTube video of this fellow which of course includes a lot of colorful language in the comments from the victims of his script.

igor said...

Believe it or not, you're the first person to ask for the specific steps to undo Asinine's vandalism. I don't mind sharing the info, but was not sure whether anyone was interested until now...

For convenience, I will post the info in a new post in the "blogging" category, rather than this comment. The comment section does not have any kind of editing capability, I've noticed.

techlorebyigor is my personal journal for ideas & opinions