Stamp Community Forum
Stamphacks.com And The Bad Guys

51studebaker (Moderator, United States), posted 05/26/2018 05:05 am

Quote:
...So it is MUCH bigger than just blogs. And there are very good reasons why it has become so successful. ...

Hi scb,
Agreed, the plugins make it more than just blogs. But it started as a blog development tool and this is what it is at its core.

And it has become so successful largely due to its cost: free. Over the years they have made it easier to use, so it also has that going for it.

Most all developers defend the tools they use. I spent 25 years dealing with engineering departments full of folks, some of whom are friends, debating this or that tool or platform. Hell, we nearly had a few jihads over these types of 'debates'. (I recall one such battle over Java, with its defending engineers wanting to move all our products and the entire company to it.)

But since I got ill, I no longer have to deal with these kinds of marathon meetings full of highly intelligent, compassionate people.

The folks I deal with now are not developers (like yourself) but rather people who are distinctly not engineers. And this forum is read by a lot of folks who are not developers or coders; so when the thread was started I felt it worthwhile to mention the WordPress shortcomings.

Thank you for offering to harden apastuszak's code, it is very kind of you.
Don
apastuszak (Pillar Of The Community, United States), posted 05/26/2018 09:29 am

Quote:
Ever considered changing your domain name?

On a more serious note, a few months back I needed to put together a simple web site, and I thought that it would be the ideal opportunity for me to learn WordPress. After a day or so I concluded that this ol' dog is far too old for new tricks and reverted back to the php/css/html I know and hate.

In retrospect I am relieved; I had no idea that WordPress sites are such a target for hackers, probably as a result of its popularity. What is not clear, however, is what the hackers hope to gain.

Clive


These days hackers have three main goals when they gain access to a site:

1. Set up a cryptocurrency miner
2. Inject JavaScript code that will install some type of malware that will either encrypt your data and demand a ransom to get the decryption key, or join a botnet
3. Set up a phishing site

All 3 of those things are profitable.
Free Ukrainian Stamp Album and modified Mystic Stamp Album Pages - http://www.stamphacks.com
Ukrainian Philatelic and Numismatic Society Member #1212: http://www.upns.org
Eire Philatelic Association Member #2869: http://www.eirephilatelicassoc.org/
apastuszak (Pillar Of The Community, United States), posted 05/26/2018 09:34 am

Quote:
There are groups of hackers that just probe any domain they can find for known security holes (or "exploits" as they are called in the hacking community). It usually isn't anything personal, they are probably working from a list of millions of domains. HTTP requests are fast, and if even one-one millionth of domains don't have the known exploit patched, they can gain control.

I own a few domains and on every one I periodically get suspiciously-crafted requests from all over the world -- Russia, China, Ukraine, Finland, USA, Taiwan, etc. -- that are looking for exploits.


At one point I had 4 different WordPress sites on my hosting account: stamphacks.com, my son's Boy Scout troop, my other son's Cub Scout troop, and my kids' school.

The only one that ever got attacked was stamphacks.com. I think something about it being Ukrainian does it. My brother lives in Canada and maintains a website for a Ukrainian day care center. That thing is constantly bombarded, and once was taken over and a new home page was added with some kind of huge full screen image with writing all over it in Arabic.

So it's either the Ukrainian connection, or the connection to my family that's being targeted.
apastuszak (Pillar Of The Community, United States), posted 05/26/2018 09:39 am

Quote:
@apastuszak / Andy ... Drop me with a message and I'll give you a helping hand with hardening your website.


I've gone through several hardening guides on the web. Right now I am running Wordfence on it and Jetpack, so I get some pretty good reporting when stuff goes awry. So far I have never had anyone actually get into the site, just repeated attempts. The nice thing with Wordfence is that it alerts me daily if I have an out of date plugin or WordPress version, and weekly I go in and run the manual scan that checks my installed files vs what's in the WordPress git repository to see if any of my files have been altered. My hosting provider doesn't offer shell access, so I am OK there.
scb (Pillar Of The Community, Finland), posted 05/26/2018 3:12 pm
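The weekly "installed files vs the repository" scan apastuszak describes is a file-integrity check. The script below is an added example written for this page, not Wordfence's or WordPress's own code: it builds its own SHA-256 baseline of a directory tree and reports files that were modified, added or removed, and separately flags any PHP under wp-content/uploads/, a directory that should only ever hold media. The fake site tree and the tampering in demo() are constructed for illustration; the skip list and the uploads rule are my assumptions, not settings from the thread. Comparing against your own baseline catches changes to plugins and themes too, which an official-checksum comparison (what Wordfence and WP-CLI's core verify-checksums do for core files) does not.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: directories whose contents change legitimately and would only add noise.
DEFAULT_SKIP = ("wp-content/cache",)


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, skip_dirs=DEFAULT_SKIP):
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in skip_dirs):
            continue
        manifest[rel] = file_digest(p)
    return manifest


def compare(baseline, current):
    """Diff two manifests; also flag PHP under uploads/, which should only ever hold media."""
    b, c = set(baseline), set(current)
    return {
        "modified": sorted(f for f in b & c if baseline[f] != current[f]),
        "added": sorted(c - b),
        "removed": sorted(b - c),
        "php_in_uploads": sorted(
            f for f in c
            if f.startswith("wp-content/uploads/") and f.lower().endswith((".php", ".phtml"))
        ),
    }


def demo():
    """Constructed scenario (not a real site): baseline a tiny fake WordPress tree, tamper, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("wp-includes", "wp-content/plugins/demo", "wp-content/uploads", "wp-content/cache"):
            (root / d).mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes/functions.php").write_text("<?php // core\n")
        (root / "wp-content/plugins/demo/demo.php").write_text("<?php // plugin\n")
        (root / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8\xff")
        (root / "wp-content/cache/page.html").write_text("cached\n")

        # Store the baseline outside the web root (or off-box) so an intruder cannot rewrite it;
        # the JSON round-trip here stands in for that save/load step.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # Simulated compromise: code appended to a core file, a PHP dropper in uploads,
        # a plugin file deleted, and a cache change that the skip list should ignore.
        with open(root / "wp-includes/functions.php", "a") as f:
            f.write("// injected line\n")
        (root / "wp-content/uploads/shell.php").write_text("<?php // dropped\n")
        (root / "wp-content/plugins/demo/demo.php").unlink()
        (root / "wp-content/cache/page.html").write_text("changed but ignored\n")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Without shell access, the same comparison can be run from a laptop against a copy of the site pulled over SFTP; the important part is that the baseline is taken right after a clean update and kept somewhere the web server cannot write to.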

Quote:
Right now I am running Wordfence on it and Jetpack, so I get some pretty good reporting when stuff goes awry.


These two plugins alone are more than possible cause for random high CPU/disk-usage warnings, LOL. Seriously speaking, they are tools with some useful features, but just like everything else talked about here, if you use them 'out of the box' or with random tweaking, they will likely do more harm than good. When you are on limited resources (i.e. shared/cheap hosting) and/or without a caching system supporting it all, you really cannot afford doing 'live querying' or 'live logging' for every piece of data (the default of these tools).

If you are on limited resources (i.e. cheap/shared hosting), then your best bet would be a bunch of well crafted "deny all but..." rules in your website's main .htaccess. For example, it is more than likely that the only 'querystring' in your public pages will be 's=', so everything else can be safely blocked, etc. And you really don't want any other bots than those of big names (i.e. Google, Bing, Yahoo and in your case Yandex). And...

And yes, I know out there are tons of hardening guides. Most of them are written by folks who try to push/sell you their plugin/service. The advice in them is usually valid, but it really gives you just one side of the story (which often times creates a new set of problems).

-k-
Collecting the world 1840 to date one stamp at a time.
Author & owner of Stamp Collecting Blog
Edited by scb - 05/26/2018 3:22 pm
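apastuszak's 09:34 post describes crafted requests arriving from all over the world, and scb's post above proposes "deny all but..." rules (only an 's=' query string, only the big-name crawlers) and warns that badly chosen rules do more damage than good. The script below is an added example written for this page, not code from either poster, from WordPress or from Wordfence: it parses Apache combined-format access-log lines, tags the common WordPress probe patterns (xmlrpc.php, 404s under wp-content/plugins/, ?author= user enumeration, path traversal), and dry-runs scb's allowlist policy so you can see exactly what it would block before any rule goes into .htaccess. The log lines are constructed, and the bot markers, query allowlist and probe signatures are my assumptions, not scb's actual rules.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic from any site).
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2018:09:30:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"
203.0.113.5 - - [26/May/2018:09:30:09 +0000] "GET /?s=ukraine HTTP/1.1" 200 4210 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"
198.51.100.7 - - [26/May/2018:09:31:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.18.4"
198.51.100.7 - - [26/May/2018:09:31:01 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 210 "-" "python-requests/2.18.4"
198.51.100.7 - - [26/May/2018:09:31:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.18.4"
198.51.100.7 - - [26/May/2018:09:31:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "python-requests/2.18.4"
192.0.2.9 - - [26/May/2018:09:32:00 +0000] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [26/May/2018:09:32:05 +0000] "GET /?replytocom=12 HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Policy (assumptions modelled on scb's description, not his real rules):
ALLOWED_QUERY_KEYS = {"s"}  # the only query parameter the public pages are expected to use
# Substrings that identify the crawlers worth letting in; Yahoo's crawler calls itself "Slurp".
ALLOWED_BOT_MARKERS = ("Googlebot", "bingbot", "Slurp", "YandexBot")


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def looks_like_bot(ua):
    """Crude but adequate: anything that announces itself as a crawler or an HTTP library."""
    return re.search(r"bot|crawl|spider|python-requests|curl", ua, re.I) is not None


def probe_reason(rec):
    """Name the WordPress probe pattern a request matches, or None."""
    t = rec["target"].lower()
    if "../" in t or "%2e%2e" in t:
        return "path traversal attempt"
    if rec["path"].endswith("/xmlrpc.php"):
        return "xmlrpc.php access"
    if rec["path"].startswith("/wp-content/plugins/") and rec["status"] == 404:
        return "plugin enumeration (404 under wp-content/plugins)"
    if "author" in rec["query"]:
        return "user enumeration via ?author="
    return None


def decide(rec):
    """Apply the deny-all-but policy to one parsed request: ('allow'|'block', reason)."""
    reason = probe_reason(rec)
    if reason:
        return "block", reason
    extra = set(rec["query"]) - ALLOWED_QUERY_KEYS
    if extra:
        return "block", "unexpected query keys: " + ",".join(sorted(extra))
    ua = rec["ua"]
    if looks_like_bot(ua) and not any(marker in ua for marker in ALLOWED_BOT_MARKERS):
        return "block", "unlisted bot user-agent"
    return "allow", "ok"


def dry_run(log_text):
    """Decide every parsable line; return per-request decisions and an allow/block summary."""
    decisions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, why = decide(rec)
        decisions.append((rec["ip"], rec["target"], verdict, why))
    summary = Counter(verdict for _, _, verdict, _ in decisions)
    return decisions, summary


if __name__ == "__main__":
    decisions, summary = dry_run(SAMPLE_LOG)
    for ip, target, verdict, why in decisions:
        print(f"{verdict:5} {ip:14} {target:50} {why}")
    print(dict(summary))
```

Point the script at a week of real access logs before writing any rule. The last sample line is the reason to do that: ?replytocom= is a parameter WordPress itself emits for comment reply links, so a site that uses it would lose that traffic under a strict 's=' allowlist, which is exactly the "more damage than good" scb warns about. The Apache shape of the query-string rule is a RewriteCond on %{QUERY_STRING} that negates the pattern ^(s=[^&]*)?$ followed by a RewriteRule returning [F]; that is my translation for orientation, not the rules scb offers to supply by email.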
apastuszak (Pillar Of The Community, United States), posted 05/26/2018 4:05 pm

Quote:
These two plugins alone are more than possible cause for random high CPU/disk-usage warnings, LOL. ...


Do you have a sample .htaccess you can send me?
scb (Pillar Of The Community, Finland), posted 05/27/2018 02:13 am

Quote:
Do you have a sample .htaccess you can send me?


Yep, random bits and pieces which you can easily add to your existing conf.

Just drop me an email & I'll guide you to set the rules properly (once again, if you don't know what you are doing, you will easily cause more damage than good).

-k-
Edited by scb - 05/27/2018 02:15 am
Disclaimer: While a tremendous amount of effort goes into ensuring the accuracy of the information contained in this site, Stamp Community assumes no liability for errors. Copyright 2005 - 2026 Stamp Community Family - All rights reserved worldwide. Use of any images or content on this website without prior written permission of Stamp Community or the original lender is strictly prohibited.