Security Issues with VPS

wordpress

#1

I feel like I’ve installed every protection mechanism, and yet my WordPress site continues to get hacked. It’s not taking the site down anymore because of measures I’ve taken, but we frequently seem to max out memory limits, and hacked files get in even though I change complex passwords and follow all of DreamHost’s advice. I’m not going to have much of an argument for staying with DreamHost the next time the site does go down as a result of one of these intrusions. Is there really just nothing else that can be done about this?


#2

In my experience, WordPress (WP) is the target of most exploits and hack attempts of all the platforms.

My non-WP site sees on average 100 or more WP probes per day. I block them using a comprehensive mix of header checks, UA filters, IP blocks and blocking certain behavior. I do this via htaccess but it can be done in htconfig or any combination.

I recommend keeping a diligent watch on your server logs, both error and access. Download the daily logs to your local machine and search manually for any remote requests to “wp” and keep record of the User Agent (UA) and IP address.

The UA will often be a fake browser. Look up the IP address. Any IP from another server farm should be blocked IMO, as there is usually no reason for servers from another company to access files on your server. Of course there are exceptions that must be allowed.

Sometimes the IP address will belong to a customer of an ISP. This is usually compromised and it is futile to block this IP. It will be discovered soon and the hacker locked out.

Eventually you will learn what to look for and what to block. But know that this is not something to just dabble with. This is an ongoing battle. The IPs and UAs change and it takes daily attention.

Such is today’s internet :)
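The log review described in the post above (pull the daily access log, find requests to “wp” paths, record the UA and IP, spot fake browsers, then block repeat offenders from htaccess) can be done with a small script. The following is an added example, not code from the poster or from DreamHost; the log lines are constructed in Apache combined format using RFC 5737 documentation addresses, the `suspicious_ua` heuristic is an assumption that approximates “the UA will often be a fake browser”, and the emitted `Deny from` lines use the Apache 2.2-style syntax that 2.4 still honours through mod_access_compat.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic;
# addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2017:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
203.0.113.7 - - [12/Mar/2017:03:14:08 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2017:03:20:11 +0000] "GET /index.html HTTP/1.1" 200 5123 "https://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
203.0.113.7 - - [12/Mar/2017:03:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "-"
192.0.2.55 - - [12/Mar/2017:04:01:00 +0000] "GET /blog/wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.12.4"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A request counts as a WordPress probe when the path names a WP entry point
# (wp-login.php, wp-admin/, wp-content/..., xmlrpc.php).
WP_PROBE_RE = re.compile(r'(?:^|/)(?:wp-[a-z]+|xmlrpc\.php)', re.I)

# Strings only automation sends; a real browser does not identify itself like this.
TOOL_UA_RE = re.compile(r'python-requests|python-urllib|curl/|wget/|libwww|go-http-client|java/', re.I)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wp_probe(path):
    return WP_PROBE_RE.search(path) is not None


def suspicious_ua(ua):
    """Assumed heuristic for 'the UA will often be a fake browser': flags an empty UA,
    a known tool string, or a bare 'Mozilla/5.0' with no parenthesised platform token."""
    ua = ua.strip()
    if ua in ("", "-"):
        return True
    if TOOL_UA_RE.search(ua):
        return True
    if ua.lower().startswith("mozilla") and "(" not in ua:
        return True
    return False


def find_wp_probes(log_text):
    """Every parsed request whose path looks like a WordPress probe, with a fake-UA flag."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_wp_probe(rec["path"]):
            rec["fake_ua"] = suspicious_ua(rec["ua"])
            probes.append(rec)
    return probes


def summarize(probes):
    """Per-IP probe counts plus the distinct UAs each IP used (the record the post says to keep)."""
    by_ip = Counter(p["ip"] for p in probes)
    uas = {}
    for p in probes:
        uas.setdefault(p["ip"], set()).add(p["ua"])
    return by_ip, uas


def htaccess_deny(by_ip, threshold=2):
    """Apache 2.2-style deny lines (honoured on 2.4 via mod_access_compat) for every
    address that probed at least `threshold` times in this log."""
    return ["Deny from %s" % ip for ip, n in sorted(by_ip.items()) if n >= threshold]


if __name__ == "__main__":
    probes = find_wp_probes(SAMPLE_LOG)
    by_ip, uas = summarize(probes)
    for ip, n in by_ip.most_common():
        print("%-15s %d probe(s)  UAs: %s" % (ip, n, sorted(uas[ip])))
    print("\n".join(htaccess_deny(by_ip)))
```

Run it against a real downloaded log by replacing `SAMPLE_LOG` with the file contents; the threshold keeps a single stray hit from being blocked, which matters for the exceptions the post mentions (legitimate services that do fetch from your server).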


#4

Try Wordfence and/or Vaultpress?


#5

Hello, I hope you’ve had better luck securing your site.

A client’s site was hacked late last year. It’s not a very large site. They had agreed to take on the required maintenance; however, they neglected to update their software and plugins, and held on to a dated theme. So this was the cause of the initial hack.

I did everything that DreamHost suggested, including changing all usernames and passwords, creating new admin users and deleting the others, completely removing the site from the server and uploading fresh WordPress core files, reinstalling any plugins and making sure they were current, removing the uploads and re-uploading only the images we needed, and installing a new theme (Genesis, with a custom child theme). We also set up a weekly scanning service that notified us when the site was hacked. Even after the above steps, the site was continually hacked, and on two occasions, brought completely down … within hours of my checking the site. I can only assume that they had enough time to create a back door; however, I don’t have the expertise or time to try to find out where that was. I found the DreamHost Knowledgebase info too much for me to process. What we decided to do was sign up for Sucuri. I also thought their backup solution was good, too. So far so good. I sure wish I knew how these lowlifes continued to obtain access, though. Good luck if you’re still struggling!


#6

Most likely, the vandalizing code was in the database: the minute you restored the database from the old site, the hack was immediately back in place. Besides changing passwords, using fresh new files for WordPress+plugins+themes you have to clean up the database before restoring the site. Finding the offending code may require you to hire a professional.


#7

Thanks for the input everyone … while I definitely understand that this is a problem that’s associated with WordPress … oh, and I’ve done the database wipes, password updates, plugin updates, malware detection apps, you name it - but there are 2 things that are leading me to believe that this is something DreamHost can help with on the admin side.

  1. I am using the exact same WordPress template for another less heavily trafficked site on the same VPS, but that one doesn’t get hacked.

  2. No matter what I do or how many times I clean up & start over, the hackers continue to target this specific site. Perhaps because it is related to the marijuana industry?

  3. I just can’t accept that this would be happening if I had the site hosted elsewhere, perhaps with a company with less of a ‘self-serve’ environment.

Problem is, my colleagues are somehow convinced that moving the site to Shopify would be the solution to all of these problems. That is a bad idea for too many reasons to list, but I am running out of arguments to stay with DreamHost when considering all of the time and energy that continues to be burned up because of this issue.

Anyone know if there is a way to just block all access attempts originating from IP addresses outside the US?

Thanks.


#8

Absolutely! Get the IP Geo Block plugin.
I used to do more international business but these days I block all of the following countries:
CN,RU,KR,TR,VN,SG,UY,PH,PK
There is no business coming from those countries to me that justifies the time spent processing bogus requests from them.

There are several databases and services which link IP addresses to countries. YMMV but I’ve found that freegeoip.net and GeoIPLookup have good data at the price of a few milliseconds per hit for a live lookup. Compare to others where the IP lookup from a local database is very fast but often not accurate.

I use other protection against intrusions, bogus registrations, etc., but my opinions on this are of no more value than those of others, so I won’t offer them unless asked.

I would really like to know what database malware has led to the kind of issues that you’re having, as that’s a tougher kind of intrusion to protect against. Knowing what it is will help to identify tools that claim protection.

Good luck.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.