In an earlier article entitled "Are your applications secure?", I talked about SQL injection threats. It's a threat that refuses to simply go away.
Just this morning I stumbled upon a thread on a web hosting forum about an OP (original poster) who had his shared account terminated by his web hosting provider for being hacked twice. He was clearly the victim of the hacks, but the host deemed the OP responsible for keeping his sites safe, so that his sites would not affect other clients on their server.
The site in question was a WordPress site with a couple of plug-ins activated, nothing out of the ordinary. It was duly noted that WordPress sites attract a lot of hack attempts, and the more popular they are (lots of traffic), the more attempts. Obviously, the OP needs to find another web hosting provider, but his troubles are probably far from over. Should he install the same plug-ins on his site at his new host, the hack will most likely recur. Why?
One of the plug-ins the OP alluded to was Penny Auction, on which a "hack advisory" was recently issued by ngenuity-is.com.
Recommended plug-ins that help fight intrusion attempts:
Login LockDown - Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. Currently the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
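To make the lockout behaviour described above concrete, here is an added example (not Login LockDown's own code) that replays a handful of constructed login records through a sliding-window lockout: 3 failures from one IP range within 5 minutes lock that range for 1 hour, and an administrator can release a range by hand. The page does not say how wide the plugin's "IP range" is, so the example assumes a /24 block; the log lines and the `LoginLockdown`, `replay` and `ip_block` names are the example's own.

```python
"""Sliding-window login lockout modelled on the behaviour Login LockDown
describes. Constructed example, not the plugin's own code."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

FAIL_THRESHOLD = 3                    # failed attempts that trigger a lockout
FAIL_WINDOW = timedelta(minutes=5)    # counted within this sliding window
LOCKOUT_DURATION = timedelta(hours=1)


def ip_block(ip: str) -> str:
    """Key failures by /24 block (assumption: the page does not state the
    width of the plugin's 'IP range')."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class LoginLockdown:
    def __init__(self, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW,
                 lockout=LOCKOUT_DURATION):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(list)   # block -> timestamps of recent failures
        self.locked_until = {}              # block -> datetime the lockout expires

    def is_locked(self, ip: str, now: datetime) -> bool:
        block = ip_block(ip)
        until = self.locked_until.get(block)
        if until is not None and now < until:
            return True
        self.locked_until.pop(block, None)   # expired (or never set)
        return False

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Record a failed login; return True if it triggers a lockout."""
        block = ip_block(ip)
        recent = [t for t in self.failures[block] if now - t <= self.window]
        recent.append(now)
        self.failures[block] = recent
        if len(recent) >= self.threshold:
            self.locked_until[block] = now + self.lockout
            self.failures[block] = []
            return True
        return False

    def release(self, ip: str) -> None:
        """Manual release of a range, as an admin would do from the Options panel."""
        self.locked_until.pop(ip_block(ip), None)
        self.failures.pop(ip_block(ip), None)


# Constructed login records: timestamp, outcome, client IP, user name.
SAMPLE_LOG = """\
2012-05-01T10:00:00 FAIL 203.0.113.10 admin
2012-05-01T10:01:00 FAIL 203.0.113.11 admin
2012-05-01T10:02:00 FAIL 203.0.113.12 admin
2012-05-01T10:02:30 OK   203.0.113.13 editor
2012-05-01T10:04:00 FAIL 198.51.100.7 admin
2012-05-01T11:03:00 OK   203.0.113.10 admin
"""


def replay(log: str):
    """Run the log through the lockout; return (timestamp, ip, decision) rows."""
    ld = LoginLockdown()
    decisions = []
    for line in log.splitlines():
        ts, outcome, ip, _user = line.split()
        now = datetime.fromisoformat(ts)
        if ld.is_locked(ip, now):
            # The whole range is refused, even a correct password from a new host.
            decisions.append((ts, ip, "blocked"))
        elif outcome == "FAIL":
            decisions.append((ts, ip, "locked" if ld.record_failure(ip, now) else "fail"))
        else:
            decisions.append((ts, ip, "allowed"))
    return decisions


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(*row)
```

Note the fourth record: a valid login from a different host in the same /24 is refused while the block is locked, which is exactly the trade-off the plugin makes (the login function is disabled for the whole range), and why the manual release exists.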
WordPress Firewall 2 - This is an updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features!
This WordPress plugin investigates web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this, but they're not always installed on web servers and are usually difficult to configure.
This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.
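The point about whitelisting by field is the interesting one: the same phrase can be normal in a comment body and suspicious in a numeric query variable. The following added example (not WordPress Firewall 2's own code or rule set) shows that distinction with a small, illustrative rule set run over constructed requests. The `check_request` and `audit` functions, the `SUSPICIOUS` patterns and the choice of which fields count as free text are the example's assumptions; `p`, `page_id`, `cat` and `paged` are real WordPress query variables.

```python
"""Field-aware request heuristics of the kind WordPress Firewall 2 describes.
Constructed example; the rule set is illustrative, not the plugin's own."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Fields where arbitrary text is expected; WordPress's own sanitising handles these.
KNOWN_TEXT_FIELDS = {"comment", "content", "post_content", "excerpt", "author"}

# Query variables WordPress treats as integers (p, page_id, cat, paged are real
# WP query vars); any name ending in "_id" is treated the same way here.
NUMERIC_FIELDS = {"p", "page_id", "cat", "paged"}

# Illustrative "pathological-looking" phrases, applied only to unknown parameters.
SUSPICIOUS = [
    ("directory traversal", re.compile(r"\.\./")),
    ("SQL keyword", re.compile(r"\b(union|select|insert|update|delete)\b", re.I)),
    ("inline script", re.compile(r"<script\b", re.I)),
]


def check_request(url: str, form: Optional[dict] = None):
    """Return ("allow", "") or ("block", reason) for one request's parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {name: values[0] for name, values in query.items()}
    fields.update(form or {})            # POST body fields, if any
    for name, value in fields.items():
        if name in KNOWN_TEXT_FIELDS:
            continue                     # whitelisted field: free text is normal here
        if name in NUMERIC_FIELDS or name.lower().endswith("_id"):
            if not value.isdigit():
                return ("block", f"non-numeric value in numeric field {name}")
            continue
        for label, pattern in SUSPICIOUS:
            if pattern.search(value):
                return ("block", f"{label} in unknown parameter {name}")
    return ("allow", "")


# Constructed requests: (URL, POST form or None).
SAMPLE_REQUESTS = [
    ("/?p=42", None),
    ("/?p=42%27", None),                       # quote in a numeric query var
    ("/?s=%3Cscript%3E", None),                # script tag in the search box
    ("/?s=hello", None),
    ("/wp-comments-post.php", {"comment": "<script>", "comment_post_ID": "7"}),
]


def audit(requests=SAMPLE_REQUESTS):
    """Return the verdict for each sample request, in order."""
    return [check_request(url, form) for url, form in requests]


if __name__ == "__main__":
    for (url, form), (verdict, reason) in zip(SAMPLE_REQUESTS, audit()):
        print(f"{verdict:5} {url} {reason}")
```

The last request shows the whitelisting at work: `<script>` inside the `comment` field is passed through to WordPress's normal comment sanitising, while the same string in the unknown `s` parameter is blocked. Keyword rules like the SQL one are the usual source of false positives in a filter like this (a search for "select a theme" would trip it), which is why free-text fields are exempted rather than scanned with the same rules.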
WordPress Security Scan - checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
WP Updates Notifier - notifies you by email when core, plugin and theme updates are available:
- Set the interval of how often to check for updates: hourly, twice daily or daily.
- Sets WordPress to check for updates more often, meaning you get to know about updates sooner.
- Get emailed about core, plugin and theme updates.
- Choose whether you want to be notified about updates for active themes and plugins only.
- Removes the upgrade nag message for non-admin users.
- For advanced users there are a number of filters and actions you can use. More coming soon.
This plugin is a fork of Update Notifier. This plugin was forked because there seemed to be no further development on the existing plugin and there was no way to contact the original author to ask about taking ownership. WP Updates Notifier has the following improvements over Updates Notifier:
- Completely rewritten from the ground up using best practices for writing WordPress plugins.
- Code wrapped in a class for better namespacing.
- You can set the cron interval, allowing for more frequent checks.
- Update checks trigger WordPress internal update check before notification.
- Allows you to set the ‘from address’.
- Makes use of the Settings API.
- A number of available hooks and filters for advanced users.
- Active support and development.