I’m working on a project and am doing some research thanks

Unlike what most think.. The internet was not just created in 1995 or so .. The internet has existed since the early 60′s, it just was not in the general public then..

Even AOL has a copyright of 1986 and eWorld (Macintosh online service) was there before AOL and as a matter fact AOL bought it out in I think it was 1994.

James

Well over 100 customers are very happy that they purchased my WP Secured solution..

Fact is updating means nothing, the code is not encrypted and hackers have access to the code just like you do..

If you change how wordpress functions then it is very obvious that hackers can not hack it as they will have no idea what changes you made.

The past five years has seen the popularity of blogs grow in their use and as a means of making money. That’s the meat that computer hackers look to sink their teeth into. A recent report by the Congressional Research Service stated that the financial impact of computer hackers amounts to $226 billion annually. Another report calculated that hackers could be taking up to six cents of every Internet dollar of revenue.

Hackers recently discovered that WordPress Blogs featured an easy path for them to cause their trouble. Many WordPress Blog owners have had their blogs hijacked in a variety of ways. They’ve found ads on their WordPress Blogs that they didn’t place there. Others have discovered that when someone clicks a search engine link to be taken to their WordPress Blog they’re instead taken to a totally different page full of ads that are often obscene and featuring computer viruses.

Think about it ….

James

Clearly lacks any knowledge/experience of auditing code to find a vulnerability, then creating a custom exploit for that vulnerability, creating an agent to carry the exploit payload across Internet Protocols recognized by the target (blog on HTTP), and finally delivering and executing the payload.

It’s quite nearly impossible to “fake” an IP address, read anything about IP protocols and Kevin Mitnick to get a clue.

Updating your WP is the single best thing you can do… because exploits are custom built to exploit vulnerabilities in OLD versions. Once an exploit is made public, through honeypots, active logging, etc.. WP releases an update. See “Open Source” for basic background on how this works.

No offense James, you’ve put some effort and thought into your suggestions but without understanding what an exploit is and how a server/web app/system operates you’ll just be wasting your time.

I’d liken your ideas to this scenario.. A user spends a lot of time creating a custom password-login-prompt that is loaded every time a user wants to login to the admin panel.

Seems secure..

[ request admin ] => [ password prompt ]

But thats completely misleading. Here’s how the request really travels.

[ request admin ] ==> [ protocol setup OS-dependent ] ==> [ server finds requested file ] ==> [ server determines how to "handle" file (php) ] ==> [ server executes php binary or module ] ==> [ php opens file according to php config ] ==> [ requested file parsed by php ] ==> [ php includes wp-config.php to access database ] ==> [ php sends output/headers on tcp/ip connection established by server app ] ==> [ finally your password-protection is loaded and executed ]

Now that is entirely over-simplified, and you can see that there are around 15 different points in-between when the request is sent to the server and when the password-protection actually starts. All it would take is modifying file permissions, changing wp-config.php info, modifying how the server “handles” php, executing a OS-level/Server-level/Protocol-level/Application-level exploit and all that so-called “security” is completely circumvented.

happened to find it from a trackback I received and just now got to it in the moderation stack. (cant find the link?).

#5 limit access to your wp-admin directory using a .htaccess file

The AskApache Password Protection plugin tries to automate the task of securing your blog (not just wp-admin) by using .htaccess to configure your site. You can always download the plugin at WP, but if you are interested in the actual explanations of what the code does, check this post out, it shows the code.

I’ve been working on the new version for a month, so stay tuned.

The most important tips (in my experience) for keeping your blog secure that you mention above are ( 1, 4, 2, 5 )..

If you keep WP upgraded you are safe, but keep in mind that almost all the exploits that are used to crack a WP blog are actually exploiting vulnerable PLUGINS and THEMES.

So if you only use vetted plugins and a custom theme (delete everything else/unused) then you should be good.. Also, you mentioned using a dedicated host, and that is probably the best way to limit the potential fallout from a cracked blog from spilling over to all your other online stuff. Nice blog!

———————–
Thanks James, just what I was looking for.

I had one of my blogs hacked a couple of weeks ago. Luckily, it was one that I hadn’t spent a lot of time on so I just deleted and started it over.

It is a small price to pay to protect your business.

Again, thanks.

Lewis
——————-

Ok well I just purchased WordPressSecured and I have to say it is detailed. I have been using WordPress for years and have read and implemented the majority of the security tips out there.

But, I have never seen anything like this. I can see that I have some work ahead of me this week updating my blogs.

James I have to say thanks for a great product that delivers what it promises.

——————

I have to say, I’ve benefited James’ tips on this thread pasted right below were immensely beneficial in helping me secure my WordPress:
My wordpress blog hacked – again!

Several of my WordPress sites were hacked (as well as non-WordPress scripts, a directory script, and membership scripts I paid for). Some of the hacks were truly scary like one that used one of my sites as a launch pad to send out fraudulent Bank of America emails to extract innocent victims’ financial information. Crap like that could land the wrong person in jail!

The most common hacks were ones based out of Turkey, who took their grievances and disputes out online on such sites as one I set up to help pets in shelters get adopted. They’d deface my sites with images of soldiers, curses against Israel and Norway (what homeless dogs and ferrets have to do with these hackers’ grievances is beyond my understanding)

Anyway, after implementing James’ suggestions to secure WordPress, hackers were no longer able to penetrate my WordPress sites, though my server did report that hackers were still targeting them, sometimes slowing my sites down.

WordPress Secure would definitely be a wise investement. I say this, having already benefited from James’ /The RichJerksNet expertise in this area, without having it yet. Getting it all in one resource would be very nice.

1. Rename your admin username, ok fine that does not stop hackers from accessing the admin

2. Using a dedicated server has NOTHING to do with it, even dedicated and unsecured can still be hacked.

3. Keeping up to date means nothing, the hackers also have access to these updates and remember the code is not encrypted.

4. Limit access to your admin by IP .. Any hacker can fake your IP and the fact that most have changing IP’s this means nothing.. What you going to do block yourself from your own admin ?

5. WordPress version means nothing, it still has the same coding style as older wordpress.

6. remove unused plug-ins .. I agree

7. backup.. I agree but this should be done with any site not just wordpress

I fully read the post, fact still remains unless you take action yourself and changethe functionality of wordpress you will never ever stop the hacks. The hackers know exactly how wordpress is coded.. Unless you change how it functions, then they have no idea how to hack it as they will not have any knowledge of what you changed.

James