Wednesday, July 22, 2015

Ensure high security of your WordPress Website!


Hello boys and girls,

    In the next lines we will go through several things you need to do in order to enhance your website's security.

Here is what I recommend to ensure high security:

1) Keep your computer(s) secure and do not access your mail or websites from public computers and/or unknown open WiFi networks. Some open WiFi networks are set up with the sole goal of sniffing for private information (but this is a subject for another article). On the same subject:

- Using antivirus software is mandatory. Here are the good ones: Avira Antivirus (free or paid), Avast (free or paid), ESET NOD32 (paid only)
- Scan with a passive anti-malware tool; I recommend MalwareBytes. DO NOT activate the paid version. Use it in passive mode and scan your computer regularly.

2) ONLY use plugins and themes from TRUSTED SOURCES.

    Some commercial plugins/themes can be found for free on seemingly legitimate websites where downloading them appears safe. Nothing on these legitimate-looking websites suggests that the plugins or themes offered there are infected with a very powerful backdoor script called 'CryptoPHP'.
What CryptoPHP can do:
Once installed on a web server, the backdoor can be controlled in several ways, including command-and-control server communication, e-mail communication and manual control.
Backdoors of this type are mainly used for illegal search engine optimization, also known as blackhat SEO. The backdoor is a well-developed, dynamic piece of code. The capabilities of the CryptoPHP backdoor include:
  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • Backup mechanism in place against C2 domain takedowns by using email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the C2 server list
  • Ability to update itself
    Once installed it integrates itself deep into your website and uses its functions, code and database. It can add an additional administrator user, add/delete/modify the content of the website, change your website's settings and do anything you can or can't imagine.
So we HIGHLY recommend that you ONLY use plugins from TRUSTED SOURCES.
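To make the warning above concrete, here is an added example (my own, not part of the original post and not code from CryptoPHP or any project) of a defender-side scan over a wp-content tree for the two things a bundled backdoor usually needs: PHP code hidden in a file that does not carry a PHP extension (and the include() that loads it), and an eval() fed by a decoder. The directory tree and its contents are constructed inline; the heuristics are generic and will miss a backdoor that avoids them, so treat a clean result as "nothing obvious", not as proof.

```python
import os
import re
import tempfile

# Generic indicators of hidden or obfuscated PHP, the kind of thing a bundled backdoor
# relies on to stay out of sight. These are heuristics, not a signature for any one family.
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")
OBFUSCATED_EVAL = re.compile(
    rb"\b(eval|assert|create_function)\s*\(\s*"
    rb"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
# include/require of a file that does not look like PHP (image, font, text, ...)
INCLUDE_NON_PHP = re.compile(
    rb"\b(include|require)(_once)?\b[^;]*\.(png|jpe?g|gif|ico|txt|css|woff)['\"]",
    re.IGNORECASE,
)
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".inc"}


def scan_file(path):
    """Return the list of reasons this file looks suspicious (empty when it looks clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in PHP_EXTENSIONS:
        if OBFUSCATED_EVAL.search(data):
            reasons.append("obfuscated-eval")
        if INCLUDE_NON_PHP.search(data):
            reasons.append("include-of-non-php-file")
    elif PHP_OPEN_TAG.search(data):
        # PHP inside an image or text file only runs when something include()s it,
        # which is exactly how a dropper keeps its payload out of a casual directory listing
        reasons.append("php-code-in-non-php-file")
    return reasons


def scan_tree(root):
    """Walk a wp-content tree and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for reason in scan_file(path):
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: a clean plugin, a 'nulled' plugin that loads a PHP payload
    disguised as an image, and a theme with an obfuscated eval(). Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        "plugins/clean-plugin/clean-plugin.php":
            b"<?php\n/* Plugin Name: Clean Plugin */\nadd_action('init', 'clean_plugin_init');\n",
        "plugins/nulled-plugin/nulled-plugin.php":
            b"<?php\n/* Plugin Name: Premium Plugin (free!) */\n"
            b"include dirname(__FILE__) . '/images/banner.png';\n",
        # constructed payload; the base64 string merely decodes to 'hello'
        "plugins/nulled-plugin/images/banner.png":
            b"\x89PNG\r\n<?php eval(base64_decode('aGVsbG8='));\n",
        "themes/some-theme/functions.php":
            b"<?php\n$blob = 'aGVsbG8=';\neval(gzinflate(base64_decode($blob)));\n",
        "themes/some-theme/style.css":
            b"/* Theme Name: Some Theme */\nbody { margin: 0; }\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print(f"{reason:28s} {rel}")
```

Point scan_tree() at a real wp-content directory to use it; every hit deserves a manual look at the file, and a plugin that ships files the official copy does not have should simply be replaced with a fresh download from its trusted source.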
    Here is a list of some of the websites that distribute plugins with CryptoPHP backdoor:


    The following websites host the actual plug-in and theme files used for direct download:


    If you have installed a plugin or theme from one of these websites, it is very likely that your website is infected with CryptoPHP.
What you need to do is at least delete the plugin/theme, check whether an additional admin user has been added, and verify that your website looks the way it should to the search engines.
You can do that from Google Webmaster Tools > Fetch as Googlebot.
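As an added example (not from the original post), the "check for an additional admin user" step as the database query a site owner would run, shown here against a constructed in-memory SQLite copy of the two WordPress tables involved. The table prefix wp_ (and hence the meta_key wp_capabilities) is assumed, and the sample accounts are made up; against a real site you would run ADMIN_QUERY in the MySQL client instead.

```python
import sqlite3

# Table prefix assumed to be the default "wp_"; adjust both table names and the meta_key if yours differs.
# WordPress keeps a user's roles in wp_usermeta as a serialized PHP array under meta_key
# '<prefix>capabilities', e.g. a:1:{s:13:"administrator";b:1;}, so the role is found by substring match.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""


def list_administrators(conn):
    """Every account holding the administrator role, oldest registration first."""
    return list(conn.execute(ADMIN_QUERY))


def unexpected_administrators(conn, known_logins):
    """Administrators whose login is not on the owner's list of accounts they created themselves."""
    return [row for row in list_administrators(conn) if row[1] not in known_logins]


def build_sample_db():
    """Constructed in-memory database with the two WordPress tables the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    sample_users = [
        (1, "siteowner", "owner@example.com", "2014-03-01 10:00:00", "administrator"),
        (2, "editor_jane", "jane@example.com", "2014-05-12 09:30:00", "editor"),
        # registered at 03:12 one night with an off-site address: the kind of account a backdoor adds
        (3, "wp_support", "noreply@example.net", "2015-07-20 03:12:44", "administrator"),
    ]
    for uid, login, email, registered, role in sample_users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)", (uid, login, email, registered))
        serialized = 'a:1:{s:%d:"%s";b:1;}' % (len(role), role)
        conn.execute(
            "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
            (uid, "wp_capabilities", serialized),
        )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for uid, login, email, registered in list_administrators(db):
        print(f"{uid:3d} {login:15s} {email:25s} {registered}")
    print("unexpected:", [row[1] for row in unexpected_administrators(db, {"siteowner"})])
```

The allow-list approach is deliberate: a backdoor-added account can have any name, so the reliable test is "which administrators did I not create", not "which names look odd". Remember that the backdoor also modifies content, so removing the extra account is only part of the clean-up.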


3) Install a CAPTCHA on your login page and on comments.

4) Keep WordPress and your plugins up to date. A lot of vulnerabilities are found every day in plugins and in WordPress itself. The truth is that 99% of the websites are hacked through such vulnerabilities.

5) Last but not least, if you use a static IP address to connect to the internet you can lock down your WordPress wp-admin. To allow access from multiple IP addresses, replace 123\.123\.123\.xxx with your own IP addresses:

<IfModule mod_rewrite.c>
RewriteEngine on
# Requests for the login script OR anything under /wp-admin (with or without a trailing path)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# admin-ajax.php is called from the public front end by many themes/plugins; keep it reachable
RewriteCond %{REQUEST_URI} !admin-ajax\.php
# ... AND the client address matches none of the allowed addresses (one line per address).
# Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address, so this check needs adapting there.
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

Another way:

<FilesMatch "wp-login\.php">
# Apache 2.2 syntax: deny everyone, then allow only the listed address
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
# Apache 2.4 equivalent (mod_authz_core): Require ip 123.123.123.123
</FilesMatch>

    If your IP address changes, you can protect your WordPress site by only allowing login requests that come directly from your own domain. Simply replace example\.com with your own domain name.

    Most brute-force attacks rely on sending POST requests directly to your wp-login.php script, so requiring a POST request to carry your domain as the Referer can help weed out bots.

<IfModule mod_rewrite.c>
RewriteEngine on
# Only POST requests are checked (the login form submission itself)
RewriteCond %{REQUEST_METHOD} POST
# ... whose Referer does not point at this site (http or https; NC = case-insensitive)
RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
# ... and which target the login script or the admin area (admin-ajax.php excepted)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
RewriteCond %{REQUEST_URI} !admin-ajax\.php
RewriteRule ^(.*)$ - [F]
# Referer is supplied by the client, so this stops naive bots only; browsers or extensions that strip Referer will also be refused
</IfModule>
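As an added example (not from the original post), the following Python re-creates the decision the two mod_rewrite rule sets above make, using the same regular expressions, and runs it over a handful of constructed requests so you can see which ones get a 403 from each rule set. The addresses and domain are the placeholders from the rules, the request list is made up, and the point of interest is how the [OR]-joined conditions combine with the negated ones.

```python
import re
from dataclasses import dataclass

# Patterns copied from the mod_rewrite rule sets above (with the https-aware Referer pattern).
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin(/.*)?$")
AJAX_URI = re.compile(r"admin-ajax\.php")
ALLOWED_ADDRS = [re.compile(p) for p in (
    r"^123\.123\.123\.121$", r"^123\.123\.123\.122$", r"^123\.123\.123\.123$")]
OWN_SITE_REFERER = re.compile(r"^https?://(.*)?example\.com", re.IGNORECASE)


@dataclass
class Request:
    method: str
    uri: str           # REQUEST_URI: path only, no query string
    remote_addr: str   # REMOTE_ADDR: the TCP peer, i.e. the proxy's address when one is in front
    referer: str = ""  # HTTP_REFERER: empty when the client sent none


def targets_admin_area(req):
    """(wp-login.php OR wp-admin...) AND NOT admin-ajax.php: the two [OR]-joined
    RewriteConds followed by the negated one, exactly as Apache chains them."""
    hits = LOGIN_URI.search(req.uri) or ADMIN_URI.search(req.uri)
    return bool(hits) and not AJAX_URI.search(req.uri)


def blocked_by_ip_lockdown(req):
    """True when the IP lockdown rule set answers 403 for this request."""
    if not targets_admin_area(req):
        return False
    # each 'RewriteCond %{REMOTE_ADDR} !^addr$' must hold, so the address must match none of them
    return not any(p.search(req.remote_addr) for p in ALLOWED_ADDRS)


def blocked_by_referer_rule(req):
    """True when the Referer rule set answers 403: POST, Referer not ours, admin target."""
    if req.method != "POST":
        return False
    if OWN_SITE_REFERER.search(req.referer):
        return False
    return targets_admin_area(req)


def evaluate(requests):
    """Run both rule sets over a batch; returns (uri, blocked_by_ip, blocked_by_referer) per request."""
    return [(r.uri, blocked_by_ip_lockdown(r), blocked_by_referer_rule(r)) for r in requests]


# Constructed sample traffic (stranger's address taken from a documentation range)
SAMPLE_TRAFFIC = [
    Request("GET", "/wp-admin/", "123.123.123.123"),                       # owner, allowed address
    Request("GET", "/wp-admin/plugins.php", "198.51.100.7"),               # stranger browsing admin
    Request("GET", "/wp-admin", "198.51.100.7"),                           # bare path, still covered
    Request("POST", "/wp-admin/admin-ajax.php", "198.51.100.7",
            "https://example.com/contact"),                                # visitor's front-end AJAX
    Request("POST", "/wp-login.php", "198.51.100.7"),                      # bot: direct POST, no Referer
    Request("POST", "/wp-login.php", "198.51.100.7",
            "https://example.com/wp-login.php"),                           # owner from a new address
    Request("GET", "/2015/07/hello-world/", "198.51.100.7"),               # ordinary page view
]

if __name__ == "__main__":
    flag = lambda blocked: "403" if blocked else "ok"
    for uri, by_ip, by_ref in evaluate(SAMPLE_TRAFFIC):
        print(f"{uri:28s} ip-lockdown={flag(by_ip):4s} referer-rule={flag(by_ref)}")
```

Two things the run makes visible: the IP lockdown refuses the owner's own login from an unlisted address (the trade-off the text mentions for changing addresses), and the Referer rule passes that same login while refusing the Referer-less bot, which is all it can do, since the header is whatever the client chooses to send.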

2 comments:

  1. Followed you here from our mutual group on LinkedIn. Great post, thanks for the info.

  2. Thank you for the good words. I really appreciate it.

    If you have any questions or need advice, do not hesitate to contact me!
