Wow! It’s been a week of WordPress hacking MySQL backups and google trawling.
Late last week I was working on oscMax and getting along quite well when I went to write a blog entry and discovered that my blog pages had been converted to some islamic protest site.
Now just to make one point clear I am indifferent to religion, whatever works for you is fine, just dont try to force me to follow you because you must be right!
That said, this entry is about the crippling effect of a hack and links to what I read and used to rectify it.
Things I did wrong:
- WordPress was out of date an older 2.8.6 mu install (multi user because at one time I was going to host other blogs, but that has not happened)
- MySQL backup had been failing for some weeks after I did a password change (I knew what it was but let it go as a minor concern that I would get to, eventually)
Things I had done right:
- The area of the site that could be accessed was a sub-directory and the uploaded rubbish was contained within one directory
- I have rsync backups of the application directory running on a schedule
So I firstly closed up the site, renamed the compromised directory and contacted my ISP support to check logs. Their logs rotate to quickly and one of the security team was over-zealous and ‘helpfully’ removed all the files that were compromised…. without noting the date/time stamps on the files for me to be sure of when the hack occurred. I had noted that the files I saw were consistent with only being in place within the previous 24 hours but as he did not keep a list I dont know what else(if any) he found and deleted.
I’ll write up some separate blogs on the various topics I encountered on this week long journey elsewhere, for the moment these are the references that I have used this week that I found helpful. Most from WordPress codex:
Have a read of this first (dont do anything, read & think first): WordPress FAQ My Site Was Hacked
Download the latest version of WP from WordPress Download
For multi-user equivalent do this after installing WP: Create A Network
When it does not work: Debugging a WordPress Network
Noting that I updated this section with one of my issues: Debugging a WordPress Network « Other Lesser Known Issues
Have a read through this for ideas: Hardening WordPress « WordPress Codex
There are others that I am still reviewing, in particular the security oriented plug-ins, filter for the WordPress category for my latest posts on this topic.
My site is still not working the way I want and I found that the latest version for MU (or Network as it is now called) is apparently very dependent on Apache or other server settings. On SME Server it will not work (yet) while on my hosted site it works first time. Lost around 3 days on that issue alone.
Trying to reinstate the WordPress 2.8.6 mu from the WordPress Archives fails because the mu archive is the same as the WP archive. I’ve manually extracted the database tables/entries that I needed.
And of course I have changed lots of passwords and done lots of chmod’ing to tighten up the access.
I too have a WordPress install on SME 8 Final. But I am having some issues. I can not update or install any plugins or themes. So far, everything else seems to be fine. I am sure I have some security holes now that I have been trying to fix permissions to get my uploads working, but they still don’t. I will of course, repair all the security impunities once I have solved the update issue. I would definitely like to check out the security plugins you list, but I am wondering if you could assist me first on the wordpress install. It was installed through SMESiteMaker into /opt. The open_basedir have been set, so that shouldn’t be an issue. Neither should any PHP upload size restrictions.