Can WP Install be hijacked
-
I have coders telling me that a fresh WP install can be hacked?
Is that true?
-
Is that true?
No, not at all. That’s just something some coders tell people to scare little children into behaving. It’s just nonsense really*.
Sorry, I couldn’t resist the last part.
A stock WordPress installation by itself can’t be trivially hacked, meaning there are no published vulnerabilities out there for version 3.4.1 at this time.
However, there are some poorly configured and insecure servers out there, and developers (both experienced and utterly clueless) have inadvertently released plugin and theme code that can compromise your installation.
Give this a read as a common sense introduction to WordPress security.
https://www.studiopress.com/tips/wordpress-site-security.htm
Then give this a read for some more permission-based info.
https://codex.www.ads-software.com/Hardening_WordPress
*Anticipating what the coder may say:
– Yes, I am a WordPress moderator which means I’m a volunteer just like everyone else.
– Yes, I think WordPress is up there with the invention of paper and the wooden pencil.
But what I’ve written is true and with a little research you can verify that yourself.
Jan
Just as I thought…. I have been using WP on many of my sites and clients and they told me this I just couldn’t believe it. They suggested removing all dynamic content other than text and image tags, so there goes the menu etc.
Thank You
Dave
They suggested removing all dynamic content other than text and image tags, so there goes the menu etc.
Get new coders..? Kidding! ??
Without knowing the full context of that conversation, it’s really hard for me to weigh in.
If the context is in regards to a theme or theme provider there may be something to that. As I’ve mentioned, some themes and plugins have been problematic.
But do some research, keep your backups up to date, follow those best practices and you should be alright.
He sent me some file that said wp-includes text with a bunch of jumbled code in it and said that was the problem. However it didn’t reference a specific wp file like wp-config, the include is a folder? Send me your email and I will em it to you
I used Artisteer for the theme creation part
He sent me some file that said wp-includes text with a bunch of jumbled code in it and said that was the problem.
What’s the path and file name? Sounds like that site was already compromised. There should be no jumbled files in wp-includes.
If the site is compromised already then you’ll need to work through these links.
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/
Additional Resources:
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
Send me your email and I will em it to you
Sorry, but support is via the forums only and not email.
Already checked by 5 different ways and no problems found
I also asked for the file under the includes that he found that in
there is nothing under the includes folder
A fresh WordPress installation is somewhat vulnerable when the database configuration page is open because it allows the user (or hacker) to create an admin user if they can provide the correct database information (that’s the hard part that might thwart a hacker). Once there is one user, the page doesn’t show up anymore. It’s probably not a huge vulnerability, but I wouldn’t leave my new WordPress site in the initial user creation and database connection phase for long.
What you are referring to is part of the normal installation procedure. Almost every SQL driven, web-based application will ask for the same type of database and user details during installation. It’s not a WordPress vulnerability.
but I wouldn’t leave my new WordPress site in the initial user creation and database connection phase for long.
That is very good advice for all web-based applications, including WordPress. Once you start the install routine, you should see it through.
There are no issues with the install
I have scanned with several different programs and reinstalled theme etc etc
This coder said there was jumbled code in the wp-include ???
That’s a folder not a file, so I have NO clue what he is referring to
I checked it in my software program also, NADA
This coder said there was jumbled code in the wp-include ???
That’s a folder not a file, so I have NO clue what he is referring to
You’re right, the /wp-include/ is a directory.
If the coder says there is jumbled code in there, he should be able to provide the file name that contains that jumbled code, then it could easily be checked against the source file in https://www.ads-software.com/latest.zip
It may all be a false alarm but checking really is easy to do.
Exactly
- The topic ‘Can WP Install be hijacked’ is closed to new replies.