The Green Industry's Resource Center
#1
01-22-2013, 02:36 PM
greg8872
LawnSite Senior Member
Join Date: Jan 2012
Location: Upper Arlington, Ohio
Posts: 275
Important WordPress reminder

Just a reminder, if you are using WordPress, make sure you apply any updates to the core, plugins and/or themes at least once a month, if not once a week.

Also, if you are not using a plugin or theme, not only deactivate it from the site, but also remove the files and folders from the server. In the root of your WordPress install, after every update look for "readme.html" and DELETE IT; it tells hackers what version you are running. (Try it: go to http://mydomain.com/readme.html if you have WP.)

I just came across a WP site that is version 3.2.1 (current is 3.5) and doesn't have any extra plugins or themes installed, yet it was hacked. How do I know what was installed? Part of the hack was a pretty powerful hack script that let me view all files on the account, which means if I wanted to, I could have also looked at the database login and fully accessed the site's database, all from within the SINGLE hack file on the server.

This tool not only lets you read, but also lets you write anywhere that a regular script file can write to (if you are on a cPanel environment, the default is any file on your user account, INCLUDING email still sitting on the server). And it does have a nice built-in tool to find ALL writable files and directories that it can.

So yes, it is easy to set up; just keep it cleaned and updated. If you have SSH access and know how to use it, right before you do any updates, run a command that will list any .php file modified since the last time you ran it. Look for anything you don't recognize and check it out!!!

Remember, there are sites out there that list what vulnerabilities are on each version of WP and the popular plugins, and they know what to look for (i.e., the readme.html I mentioned earlier).

And if you are hacked, remember, you have to check most everything on your account, not just where you found the hacked files.

-Greg
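An added example of the SSH check described in the post above (example code, not from the thread or from WordPress): it lists every .php file under the install that changed since the last time the check was run, using a marker file whose modification time records the previous review. Assumes a POSIX shell with find(1); the paths shown are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: list every .php file under a WordPress
# install that changed since the last time this check was run, so unfamiliar
# files can be reviewed before applying updates. Assumes a POSIX shell with
# find(1); the paths used below are placeholders.

# list_changed_php ROOT MARKER
#   Print each .php file under ROOT whose mtime is newer than MARKER.
#   If MARKER does not exist yet (first run), print every .php file so
#   the whole install gets one full review.
list_changed_php() {
    root=$1
    marker=$2
    if [ -f "$marker" ]; then
        find "$root" -type f -name '*.php' -newer "$marker"
    else
        find "$root" -type f -name '*.php'
    fi
}

# stamp_marker MARKER
#   Record the time of this review; the next run reports only files
#   changed after this point.
stamp_marker() {
    touch "$1"
}

# Command-line use (run right before updating, then check anything you
# don't recognise):  sh wp-check.sh /path/to/wordpress "$HOME/.wp-last-check"
if [ $# -ge 2 ]; then
    list_changed_php "$1" "$2" | sort
    stamp_marker "$2"
fi
```

Keep the marker file outside the web root so a compromised site cannot simply reset it.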
#2
01-29-2013, 08:58 AM
greg8872
LawnSite Senior Member
Join Date: Jan 2012
Location: Upper Arlington, Ohio
Posts: 275
I'll try to remember to post to this thread any updates when I apply them...

Current version is now 3.5.1, which includes some fixes to some security vulnerabilities.
#3
02-19-2013, 09:41 AM
greg8872
LawnSite Senior Member
Join Date: Jan 2012
Location: Upper Arlington, Ohio
Posts: 275
A good blog post by a friend of mine:

Should you upgrade WordPress?
February 19, 2013 by Tim Priebe

http://www.tandswebdesign.com/2013/0...ade-wordpress/

My personal comment on Tim's article:
It is better to have a WP install that breaks from an update and have to fix it than to sit with an exploitable copy and then have your ISP shut you down for sending hundreds of spam messages or having a phishing page placed on your site that you don't know about.

Last edited by greg8872; 02-19-2013 at 09:49 AM.
#4
02-19-2013, 10:16 AM
PaperCutter
LawnSite Bronze Member
Join Date: Sep 2006
Location: Northern VA
Posts: 1,469
good tips, thanks!
#5
04-12-2013, 10:55 PM
greg8872
LawnSite Senior Member
Join Date: Jan 2012
Location: Upper Arlington, Ohio
Posts: 275
Still at version 3.5.1, but wanted to let those who use WordPress know about the following...

Huge attack on WordPress sites could spawn never-before-seen super botnet
Quote:
The [hackers] are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems
http://arstechnica.com/security/2013...-super-botnet/

So if you haven't lately, make sure you are up to date on everything, and anything you don't need is removed. Make sure you have strong passwords on all WP user accounts (as well as your hosting account logins).

PS, if you have trouble making up strong passwords, here is what I use when I have to change a bunch... http://www.pctools.com/guides/passwo...word_generator
#6
04-12-2013, 10:57 PM
newguy123
LawnSite Bronze Member
Join Date: Sep 2012
Posts: 1,051
Thank you sir.
#7
04-13-2013, 08:52 AM
jrs.landscaping
LawnSite Silver Member
Join Date: Mar 2012
Location: Maine
Posts: 2,428
Thank you
#8
08-02-2013, 12:39 AM
greg8872
LawnSite Senior Member
Join Date: Jan 2012
Location: Upper Arlington, Ohio
Posts: 275
Just released, Version 3.6
#9
08-18-2013, 05:53 PM
tinman
LawnSite Bronze Member
Join Date: Feb 2003
Location: ga
Posts: 1,348
Always stay updated... and back up weekly at least
#10
08-30-2013, 03:44 AM
AdvanceTreeCare
LawnSite Member
Join Date: Jun 2013
Location: Virginia Beach, VA
Posts: 12
My host / web guy has a monthly service that backs up the web site, monitors files for updates, and if there are issues with the updates breaking the site he fixes them for free. I'd suggest checking into those types of services, as there seem to be updates all the time.
Advance Tree Care Service in Virginia Beach, VA
Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Copyright ©1998 - 2012, LawnSite.com™ - Moose River Media