Advice to WordPress DreamHosters

I’ve been analyzing my access and error logs for over a month now and I can make a few comments about good WordPress practices. From my 6 DreamHost WordPress installs on 3 different DreamHost machines I have seen a litany of bad behavior in general and bad WordPress behavior in particular. Before I go ANY further I want to make clear that DREAMHOST is awesome for allowing access to access logs and error logs, and what I’m about to write must be happening on EVERY shared host in the business.

I started writing a site-specific Perl program with a MySQL database to process daily and hourly access logs and error logs. My goal was to play whack-a-mole and use .htaccess to shut off bad people from accessing my 5 WordPress blogs. Since I started on January 19th, I’ve banned 350 IP addresses and 8 subnets (where I have a collection of 5 or more trolls on a single subnet). So far, about 25% of banned addresses return to try (unsuccessfully) again to get more info.

Many of the trolls are not specific to WordPress, like trolls trying to access phpMyAdmin, trying to access directories that were deleted 5 years ago, trolling for crossdomain.xml, looking for /cgi-bin/cvename, trying to go up the directory structure (/…/…/…/), embedding HTTP in the PHP request, trying to encode PHP in the PHP request, trying to encode href, or weirdly trying to type +result:++ into the PHP request; a large number of trolls use the HTTP HEAD command to see what’s happening on your files; how about /.google-analytics/ga.js as a request? In a month, I think I’ve seen a lot of requests unrelated to people actually using the website.

I have seen some VERY specific WordPress attacks:

  1. Lots of attempts to poke at wp-login; this usually starts with a signup troll that starts at wp-signup.php, then moves on to wp-login?register and pokes around some. Next I’ve seen repeated attempts to crack passwords on wp-login. Repeatedly I’ve seen 1373 attempts in 30 seconds to crack wp-login. Since I started, I’ve installed the Login LockDown plugin to close this hole.

  2. Crud on the end of a WordPress PHP command, ESPECIALLY on plugins that are unusual. If you use a plugin that isn’t popular, expect to see if it will pass a command to Google search (this appears to be the holy grail of wp-hackers, since it will then possibly execute a PHP command). Lots of php? requests to probe how the command is handled, also php?dhjdjd=href(hhhh). When you see php?=base64_decode it’s an attempt to inject code into your WordPress site and become part of your PHP program (and therefore have your privileges as owner).

  3. WordPress structure probing: where is wp-login? Have you renamed wp-admin? Let’s look at wp-content/xmlrpc.php and see what we can find out. How about wp-includes/wlwmanifest.xml, what can it tell me about the file structure?

  4. Probing for previous WordPress hacks: over the last 10 days I’ve seen over 10 attacks by someone probing for every theme that ever supported timthumb. Within 20 seconds I get 150-200 requests for timthumb on every theme imaginable.

What you can do to protect yourself:

ON PANEL at DreamHost:

  1. Under Users, edit the user that runs your website and enable ‘Enhanced security’. This will make the default file permissions on your website harder for people who aren’t YOU to use to see what you have; specifically, you are protected from other admins on your shared website.

  2. Optional: I would disallow FTP and force everyone to use SSH, also under the user’s edit page in the panel.

On WordPress as an administrator:

  1. UPDATE WORDPRESS and keep it updated. Most bugs are fixed and updates are released; please update your version of WordPress.

  2. Delete unused themes - people are probing unused themes for ways to crack your WordPress and take control away from you. If you have 30 unused themes, you’re exposed to 30 potential threat areas.

  3. Delete unused plugins - again, lots of unused code lying around to be probed by people.

  4. Create an admin account with your name and delete the account called ‘admin’. This is what trolls look for to password-crack. Use a password on your admin accounts that WordPress doesn’t think is weak.

  5. Install a plugin called ‘Login LockDown’, which will protect you against people trying to break into your accounts.

  6. Install a plugin called ‘File Monitor Plus’; this seems to be a pain-in-the-ass plugin when you first install it, but it will save your life if you use it. It records ALL changes to ALL files on your website. It reports once an hour. If you are hacked, you’ll get a report within an hour that specific files have been added, deleted, etc.

A few things to be aware of:

wp-config.php needs to exist in the main WordPress directory, but it contains your database information. It’s used by programs on WordPress but should NOT be accessed by users. One way to stop this is to edit .htaccess in your website account (/home/user/website/) and add this to the end:

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

While you’re at it, you might want to stop people from seeing .htaccess:

# prevent people from seeing .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

Without going into excruciating detail, this .htaccess directive will stop people from seeing your directory structure:

# disable directory browsing
Options -Indexes

I’m wondering, over a longer time frame, whether DreamHost could put in some security checks, like treating 1200+ requests to wp-login in less than 5 minutes as excessive, or permanently banning anyone trying to insert PHP code from DreamHost?

-Bill Kelly
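The log triage the post above describes (count wp-login.php bursts per IP, spot timthumb/phpMyAdmin/xmlrpc probing and base64_decode or traversal in query strings, then ban single hosts or a whole /24 once five or more offenders share it), as an added Python example. This is not part of the original thread and not the author’s Perl tool; the thresholds (20 wp-login.php hits inside any 30-second window) are assumptions, and the log lines are constructed with RFC 5737 documentation addresses.

```python
"""Whack-a-mole over Apache combined-format access logs: flag the patterns the
post describes and emit Apache 2.2-style "deny from" lines for .htaccess.
Added example, not the author's Perl tool; sample log lines are constructed
and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_BURST = 20    # assumption: 20+ hits on wp-login.php ...
LOGIN_WINDOW = 30   # ... inside any 30-second window (the post saw 1373 in 30 s)
SUBNET_MIN = 5      # the post's rule: 5+ offenders in one /24 -> ban the /24

# Paths the post lists as pure probing. xmlrpc.php and wlwmanifest.xml are also
# fetched by legitimate remote-publishing clients, so drop them if you use those.
PROBE_PATHS = ("timthumb.php", "phpmyadmin", "xmlrpc.php", "wlwmanifest.xml",
               "crossdomain.xml", "/cgi-bin/")
# Markers looked for in the query string after %-decoding.
INJECT_MARKERS = ("base64_decode", "../", "href(", "http://")


def parse(line):
    """One log line -> dict with ip, aware datetime and %-decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["path"] = unquote(d["path"])   # so "%62ase64_decode" is caught as base64_decode
    return d


def classify(req):
    """'probe' or 'inject' if the request matches the post's patterns, else None."""
    p = req["path"].lower()
    if any(x in p for x in PROBE_PATHS):
        return "probe"
    query = p.partition("?")[2]
    if any(x in query for x in INJECT_MARKERS):
        return "inject"
    return None


def login_bursts(reqs):
    """IPs with LOGIN_BURST+ wp-login.php requests inside LOGIN_WINDOW seconds."""
    hits = defaultdict(list)
    for r in reqs:
        if r["path"].lower().startswith("/wp-login.php"):
            hits[r["ip"]].append(r["ts"])
    bad = set()
    for ip, times in hits.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > LOGIN_WINDOW:
                lo += 1
            if hi - lo + 1 >= LOGIN_BURST:
                bad.add(ip)
                break
    return bad


def offenders(lines):
    """Map offending IP -> first reason seen."""
    reqs = [r for r in map(parse, lines) if r]
    reasons = {}
    for r in reqs:
        why = classify(r)
        if why:
            reasons.setdefault(r["ip"], why)
    for ip in login_bursts(reqs):
        reasons.setdefault(ip, "login-burst")
    return reasons


def deny_rules(reasons):
    """Apache 2.2 'deny from' lines; a whole /24 when SUBNET_MIN+ offenders share it."""
    by_net = defaultdict(set)
    for ip in reasons:
        by_net[ip.rsplit(".", 1)[0]].add(ip)
    rules = []
    for net, ips in sorted(by_net.items()):
        if len(ips) >= SUBNET_MIN:
            rules.append(f"deny from {net}.0/24")
        else:
            rules.extend(f"deny from {ip}" for ip in sorted(ips))
    return rules


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
BASE = datetime(2012, 1, 19, 10, 0, 0, tzinfo=timezone.utc)

def mk(ip, secs, path, method="GET", status=200):
    ts = (BASE + timedelta(seconds=secs)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

SAMPLE = (
    [mk("192.0.2.5", i, "/wp-login.php", "POST") for i in range(25)]        # 25 tries in 25 s
    + [mk("192.0.2.6", i * 5, "/wp-login.php", "POST") for i in range(25)]  # 25 tries over 2 min: not a burst
    + [mk("198.51.100.7", 40, "/wp-content/themes/twentyten/timthumb.php?src=http://example.com/x.php", status=404)]
    + [mk("198.51.100.8", 41, "/index.php?q=%62ase64_decode(...)")]         # %62 decodes to 'b'
    + [mk(f"203.0.113.{n}", 50 + n, "/phpmyadmin/", status=404) for n in range(1, 6)]  # 5 IPs, one /24
    + [mk("192.0.2.99", 60, "/2012/01/hello-world/")]                       # ordinary reader
)

if __name__ == "__main__":
    for rule in deny_rules(offenders(SAMPLE)):
        print(rule)
```

Run it against a real log with `offenders(open("access.log"))` and append the emitted lines under the existing `order allow,deny` block in .htaccess; the %-decoding step matters because the literal string `base64_decode` is rarely what arrives in the raw log line.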

wp-config can actually exist one directory up from the WP install.

Also, .htaccess is unreadable by default on our servers. (As are all files starting with .ht, in fact.) You don’t need to explicitly deny access to them.

I found that somewhat problematic as I’ve investigated various forms of strengthening WordPress. Putting wp-config up a level is on the same solution plane as my mis-assessed placement of passwords in a secure user: if someone code-injects PHP then looking a directory level up is trivial, and the whole issue is somewhat goofy, because WordPress has its database password as a global variable, which means the code injector simply needs to ‘echo’ it.


I thought about placing that suggestion in a new wiki I helped write, Hardening WordPress on DreamHost, but I didn’t think it was sufficiently strong.

Thanks I’ll edit the wiki.



Just for clarity: while DreamHost stops people from accessing .htaccess directly, it doesn’t prevent malicious PHP script inserters from editing .htaccess. So people can’t access .htaccess directly, and therefore the command I suggested above in .htaccess is useless, but as we’ve seen from timthumb, .htaccess isn’t safe if other components are compromised.

I always put something like

defined('ABSPATH') or die;

at the top of my wp-config.php; this way, trying to include it in some injected PHP code fails. You could try to curl the file, but that can be locked down to the web directory using .htaccess, or disallowed if you don’t need it with disable_functions and open_basedir.

ABSPATH is defined in wp-load just before it tries to access wp-config, so it shouldn’t affect your WordPress install.

Of course if a hacker suspects you’ve tried this little trick he/she might define the constant and get past…


Use a random string and define it as a constant. I’ve been playing around with this for themes and plugins in WP:

# -print0 / read -d '' keeps paths with spaces intact; grep -q makes re-runs idempotent
find ./wp-content/plugins/ ./wp-content/themes/ -iname '*.php' -print0 |
while IFS= read -r -d '' f; do
    if ! grep -q 'WP_SECURITY_CD6U2T43EDE' "$f"; then
        # prepend the guard as a new first line (sed -i as used here is GNU sed)
        sed -i '1i<?php defined("WP_SECURITY_CD6U2T43EDE") or die("Error 404: Not found"); ?>' "$f"
    fi
done

Then pop this in your wp-config.php: