UBot Underground

Secure Your Site And Your Stuff - Hackers Are Out There [Proof]



Every single day people try to hack my sites. Whether it's automated or I am actually targeted I am not sure but I speculate it's a bit of both. When I release new stuff for example I've noticed the hack attempts go up, sometimes dramatically.

 

Click on the image below to see some people trying to hack in from the last day:

 

[attached screenshot: post-4934-0-47893700-1413840603_thumb.png]

 

Don't overlook security! Here are the steps I take to ensure nobody gets in and as far as I know nobody has yet.

 

1. Protect your downloads

 

This one should be obvious but don't just stick your downloads somewhere where they can be found. This is going to be the number one thing that will protect you. Most people don't actually know how to hack, instead they have trained themselves to be good at finding stuff.

 

The ideal solution is to use something like Easy Digital Downloads that protects your files. However, if you have to stick them somewhere that anyone can access keep these points in mind:

 

Without going into gruesome detail here is what people are going to do (and how to protect against it).

 

First thing, they will probably check your robots.txt to see what you don't want the search engines indexing. So make sure you block search engine crawlers via htaccess instead of robots.txt.

 

They are going to try and find folders containing uploaded files in Wordpress (assuming you're using WP). So don't use the Wordpress uploader; you will need to make a new folder via FTP and stick it in there.

 

They are going to run a site: search and may even go so far as to crawl your site looking for certain file extensions, so don't stick it somewhere that can be indexed or link to it anywhere. Use htaccess to block Google and other search engines from indexing the folder the file is in.

 

I know I've bought JvZoo products that have taken me to open pages so I think these points should help some of you out. Of course it's not foolproof as people can still share the URL!

 

2. Basic Wordpress Security

 

2a. Username

 

Don't use Admin as your username. As you can see in the picture above, everyone is trying to get into the site using Admin as the username, and it's not a username on the site at all (it can't even be registered because of WordFence; more on this later).

 

Instead choose a username that is hard to guess, maybe something like @your_dogs_name_favorite_number or whatever. The point is that securing your username is just as important as securing your password.

 

Once you make the username you need to login and go to Users -> Your Profile and then change your Nickname and change the display name to be your nickname. Now when you make posts it won't show your username on the page itself.

 

But... we're not done just yet, because your username is still displayed inside the source code of the page. Somebody who is actually targeting you may know this and can easily find it. Also some bots may be smart enough to try these names instead of Admin when running automated hacks.

 

You now need to change your "nicename"; this appears inside the database. So fire up phpMyAdmin and find your Wordpress database. I think the table is called wp_users or something; it should be easy to find. Then simply change the nicename to something like your display name. If this sounds confusing, just Google how to change the Wordpress nicename and I am sure there will be a step-by-step tutorial. Once you have completed this step your actual username will NOT show up anywhere for hackers to find.

 

2b. Password

 

This should be obvious, but don't use an easy-to-guess password. Keep in mind that password security is based more on length than anything else. Without explaining everything and making this post way longer, just refer to this XKCD comic: http://xkcd.com/936/

 

Of course the best solution is to use a password generator, and there is no reason to let it generate a password of 8 characters - make it way, way more. I will say that my password is between 20 and 100 characters long.

 

Don't use the same password everywhere. Make sure that the password to your Wordpress site is unique, same with Cpanel, email and everything else.

 

Personally, I use http://keepass.info/ with a strong password to encrypt the database (use a saying or song lyrics or something long but easy to remember). Auto-backup the KeePass database to your favorite cloud backup service and give that a strong unique password as well (you will have to memorize this as well). Now you only need to memorize two passwords to access the rest of them. Write them down somewhere (you can't hack paper!) and stick them in your bank's/mother's/sister's/cousin's/wherever safe.

 

2c. Plugins

 

I don't trust most plugins (or themes for that matter). I personally use the least number of plugins necessary and will only install something if I can't do it myself.

 

Some plugins, though, can really help your site. I personally use WordFence, and a buddy of mine just told me about iThemes Security (you will need w3 Super Cache separately with this one), claiming it is better than WordFence, and I value his opinion more than almost anybody's when it comes to WP.

 

Since I haven't switched yet I'll just tell you what you need to know when setting up WordFence:

 

Under Performance Setup - enable basic caching (you will need to clear the cache if you make changes to the theme).

 

Under Options - most of the stuff should be set up properly; you will just need to tweak things to your liking. Go through every option just to make sure.

Here are some of the things that I do though:

 

All basic non premium options (first 3 checkboxes)

Scan automatically and update automatically

You can set the alert settings to your own liking

Don't log signed-in users with publishing access

Scans can be set to your own liking

 

Firewall Rules:

 

Verified Google crawlers get unlimited access

Limit crawlers and 404 pages to your own liking

Lock IPs for 5 minutes when they break a rule

 

Login Security Options (IMPORTANT):

 

Enforce strong passwords

Lockout after 3 login attempts

Lockout after 3 forgot password attempts

Count failures over a period of (at least 10 minutes)

Amount of time a user is locked out (at least 30 minutes)

 

Tick these three:

 

Don't let WordPress reveal valid users in login errors
Prevent users registering 'admin' username if it doesn't exist
Prevent discovery of usernames through '/?author=N' scans

Under other Options tick the first 5 boxes.

This should make it so people can't brute-force your site, crawlers don't eat up all of your bandwidth, Google has unlimited access to your website, and your website has caching enabled - it does quite a lot. Set it up once and it's pretty much set and forget. You should get emails when you need to update things like Wordpress or plugins and so on.
 
Okay this ended up getting pretty long so I'm going to leave it at that for today. Feel free to add anything else that will help!

Very good advice, I'm in the same boat when it comes to hackers trying to get in the site, I had to disable password resets recently to stop some of the attacks.


Make sure, if you are running a dedi or a VPS, that you also have your PHP locked down with disable_functions, and also secure your /tmp. Probably more too, but it's all I can think of at the moment ;)

 

PS: if anyone needs professional server security hardening / cleaning then give me a shout (PM; my hosting company can take care of that for you ;) )


Sometimes just changing the name of login.php via FTP, then changing it back when you're done.

 

Can you elaborate a bit more on this? Do you mean you change login.php to something else? Thanks!

 

Make sure, if you are running a dedi or a VPS, that you also have your PHP locked down with disable_functions, and also secure your /tmp. Probably more too, but it's all I can think of at the moment ;)

 

PS: if anyone needs professional server security hardening / cleaning then give me a shout (PM; my hosting company can take care of that for you ;) )

 

Yes, I didn't cover this stuff because tbh I am not very good at it. I usually follow a guide to secure this stuff, usually something like this (I've actually used this one before and everything went well): http://feross.org/how-to-setup-your-linode/
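An offline check for two pieces of advice in this thread, the first post's "block indexing with htaccess, not robots.txt" for the download folder and the reply's disable_functions for PHP. This is an added example, not code from the thread or from any of the posters; the three file contents are constructed samples, and the baseline list of risky PHP functions is an assumption.

```python
"""Audit robots.txt, the download folder's .htaccess and php.ini for the
weaknesses discussed in the thread. Returns findings rather than printing."""
import re

# Constructed sample inputs (not taken from any real site).
ROBOTS_TXT = "User-agent: *\nDisallow: /wp-admin/\nDisallow: /private-downloads/\n"
HTACCESS = 'Options -Indexes\nHeader set X-Robots-Tag "noindex, nofollow, noarchive"\n'
PHP_INI = "disable_functions = exec,passthru,shell_exec,system\nexpose_php = Off\n"

# Assumed baseline of shell-spawning functions a hardened PHP host disables.
RISKY_PHP_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def check_robots(text, download_path):
    """robots.txt is public: a Disallow for the download folder advertises it."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip().startswith(download_path):
            return [f"robots.txt discloses {download_path}; use .htaccess instead"]
    return []


def check_htaccess(text):
    """The folder's .htaccess should stop directory listings and tell crawlers
    not to index anything served from it (X-Robots-Tag works on non-HTML files)."""
    findings = []
    if not re.search(r"^\s*Options\b.*-Indexes", text, re.M):
        findings.append(".htaccess: add 'Options -Indexes' to stop directory listings")
    if not re.search(r'^\s*Header\s+set\s+X-Robots-Tag\s+"[^"]*noindex', text, re.M | re.I):
        findings.append(".htaccess: add 'Header set X-Robots-Tag \"noindex, nofollow\"'")
    return findings


def check_php_ini(text):
    """Report risky functions that disable_functions does not cover."""
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", text, re.M)
    disabled = {f.strip() for f in m.group(1).split(",")} if m else set()
    missing = sorted(RISKY_PHP_FUNCS - disabled)
    return [f"php.ini: disable_functions is missing {', '.join(missing)}"] if missing else []


def audit(robots, htaccess, php_ini, download_path="/private-downloads/"):
    return check_robots(robots, download_path) + check_htaccess(htaccess) + check_php_ini(php_ini)


if __name__ == "__main__":
    for finding in audit(ROBOTS_TXT, HTACCESS, PHP_INI):
        print("WARN", finding)
```

On the constructed samples it flags the robots.txt disclosure and the two functions missing from disable_functions, and passes the .htaccess.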
