Forum Replies Created

Viewing 10 replies - 16 through 25 (of 25 total)
  • Thread Starter BrattDev

    (@brattdev)

    Thanks for all the information. I’m going to work my way through it and will let you know how we do. We have had to recover from a couple of hacks in the past and were able to do so by cleaning up the db, replacing all WP files, and obviously changing passwords and usernames too in some cases. Since the sites haven’t been hacked since, we feel ok.

    We will be monitoring more closely from now on, and have File Monitor installed to help us do that. The login limit plugin should help too. Both were enabled on these sites but I need to make the File Monitor plugin scan more frequently for changes to server files. My feeling is that the hack may have already occurred just before we installed the anti-hacking plugins and so further more obvious hacking was able to take place afterward.

    Again, I really appreciate your help and feedback on this and will let you know if there are any further attacks once we’ve taken more precautions.

    One thing this year has taught me is that WordPress out of the box is not nearly as secure as we had thought. I’ve worked with the “hardening WordPress” post and feel that some of this stuff should be incorporated into standard installation instructions. With the case of the Limit Login feature, I honestly think that should be built in to the core software at this point.
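The post above relies on a file-monitoring plugin to catch altered server files. As an added example (not code from the thread, from File Monitor or from BPS), here is the underlying technique: hash every file under the WordPress root into a baseline, then re-hash on each scan and report what was added, removed or modified. The directory layout, file contents and the ignore list for uploads and cache directories are constructed assumptions; the demo reproduces the pattern described in the thread, a changed plugin file plus a new file dropped at the site root.

```python
"""File-integrity baseline and diff for a WordPress tree (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that legitimately change between scans; assumed, adjust to taste.
IGNORE_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(IGNORE_PREFIXES):
            continue
        baseline[rel] = sha256_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; store it outside the web root so an attacker cannot rewrite it."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "bulletproof-security"
        plugin.mkdir(parents=True)
        (plugin / "bulletproof-security.php").write_text("<?php // plugin bootstrap\n")
        (root / "wp-config.php").write_text("<?php // site config\n")
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "a.jpg").write_bytes(b"\xff\xd8")

        baseline = build_baseline(root)
        save_baseline(baseline, root.parent / "baseline.json")

        # Simulated tampering, modelled on the thread: plugin file changed, file dropped at root.
        (plugin / "bulletproof-security.php").write_text("<?php // plugin bootstrap\n// injected\n")
        (root / "fbi.txt").write_text("constructed calling card\n")
        (root / "wp-content" / "uploads" / "b.jpg").write_bytes(b"\xff\xd8")  # ignored path

        return compare(load_baseline(root.parent / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline step right after a clean install or a verified cleanup, and run `compare` from cron rather than from inside WordPress; a scan that only executes when PHP runs can be disabled by the same access that altered the files.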

    Thread Starter BrattDev

    (@brattdev)

    Ok, I found the hack in the access logs (or at least I’m pretty sure I did). The time corresponds to the time the bulletproof-security.php file was altered. I’m happy to send you a copy, AITPro, if you want to see it. They hit wp-admin/login.php a bunch of times, then got a bunch of plugin files including, and especially, BPS. I’m not qualified to judge how they managed to do this or what exactly they did but they left a lengthy trail over the 10 or 11 minutes it took them to hack the site.

    Would you mind if I emailed the log excerpt to you for your expert opinion?

    thanks again.
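The post above describes the useful pivot: take the modification time of the altered file and read the access log around it. As an added example (not code from the thread), the script below parses Apache combined-format log lines, counts login attempts per client, flags clients that exceed a threshold, and then prints everything those clients did in a window before the tamper time, including which plugin files they fetched. The log lines are constructed (RFC 5737 documentation addresses), the login endpoint is assumed to be WordPress's standard wp-login.php, and the window and threshold are assumptions to tune.

```python
"""Triage an access log around a known file-modification time (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log. WordPress answers a failed login with 200 and a
# successful one with a 302 redirect, so a run of 200s ending in a 302 is the
# shape of a password guess that finally worked.
SAMPLE_LOG = """\
198.51.100.22 - - [12/Nov/2011:09:58:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [12/Nov/2011:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3401
203.0.113.7 - - [12/Nov/2011:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3401
203.0.113.7 - - [12/Nov/2011:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3401
203.0.113.7 - - [12/Nov/2011:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Nov/2011:10:03:45 +0000] "GET /wp-content/plugins/bulletproof-security/bulletproof-security.php HTTP/1.1" 200 44
198.51.100.22 - - [12/Nov/2011:10:05:10 +0000] "GET /about/ HTTP/1.1" 200 4980
"""

# Assumed mtime of the altered plugin file (what `stat` on the server would report).
ALTERED_AT = datetime(2011, 11, 12, 10, 3, 45, tzinfo=timezone.utc)


def parse_line(line: str):
    """Return a dict for one combined-format line, or None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text: str, altered_at: datetime,
           window: timedelta = timedelta(minutes=15), login_threshold: int = 3) -> dict:
    """Find clients hammering the login form and list their activity before altered_at."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    login_hits = Counter(r["ip"] for r in records if r["path"].startswith("/wp-login.php"))
    suspects = {ip for ip, n in login_hits.items() if n >= login_threshold}
    start = altered_at - window
    end = altered_at + timedelta(minutes=1)  # small slack for clock skew
    timeline = [
        (r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
        for r in records
        if r["ip"] in suspects and start <= r["ts"] <= end
    ]
    plugin_files = sorted({
        r["path"] for r in records
        if r["ip"] in suspects and "/wp-content/plugins/" in r["path"]
    })
    return {
        "login_hits": dict(login_hits),
        "suspects": sorted(suspects),
        "timeline": timeline,
        "plugin_files": plugin_files,
    }


def demo() -> dict:
    return triage(SAMPLE_LOG, ALTERED_AT)


if __name__ == "__main__":
    report = demo()
    print("suspects:", report["suspects"])
    for entry in report["timeline"]:
        print(*entry)
    print("plugin files fetched:", report["plugin_files"])
```

On a real server, feed the script the rotated log that covers the mtime (logs older than the retention window are gone, so do this early) and convert the file's mtime to the log's timezone before setting the tamper time.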

    Thread Starter BrattDev

    (@brattdev)

    Thanks for all the info. I did a complete search of the hacked sites and unfortunately, there is no timthumb.php script on either one (I searched all variant file names too). We do have a couple sites that use that script — one was hacked months ago after the client went crazy with dicey plugins. The other has not been hacked, and I’ll contact the plugin developer to make sure the timthumb.php script has been patched.

    But that leaves me more or less where I was. I don’t know how they got in so I can’t plug the hole (yet). I have a positive feeling about BPS but I really hate that hackers are motivated to hack it.

    Here’s what I think I’m going to do — see what you think. I will change the main server password again. I will check the logs on both sites and see if there’s any hints. Reading log files isn’t my strong suit but I should be able to see something and will report back if I find anything fishy. My server people should be able to help with this too.

    So we’ll see what we can find out and let you know. I won’t sleep until this is resolved, or at least, not well.

    Thread Starter BrattDev

    (@brattdev)

    Hi and thanks for getting back to me.

    What threw me was that hacking incidents had been few and far between in the past few years (we keep our WP and plugin software up to date) but after installing BPS, we had two sites hacked in less than a couple of days (about 2 weeks later) and in both cases, the hackers specifically hacked the bulletproof-security.php file and then left one other calling card.

    In other words, they appeared to be targeting the BPS plugin.

    I don’t see how the WordPress login could be compromised since I would never store that kind of information on the server. The sites hacked were so insignificant that I can’t believe any hacker would be interested in them. It isn’t every site on the server, just two out of maybe 20. Weird.

    I’ll report this to our hosting people and see if they have any insights and look into “timthumb exploits” which I’ve never heard of. I’ll also keep an eye on the other 30 WP sites we maintain, which all have BPS on them now.

    Thread Starter BrattDev

    (@brattdev)

    Another site was hacked today by hackers calling themselves FBI.

    They also hacked the bulletproof-security.php file in the plugin’s folder and added a text file called fbi.txt at the root level.

    Help! Do I need to deactivate BPS everywhere now? This is really a problem.

    thanks!

    Thread Starter BrattDev

    (@brattdev)

    PS I figured out what the number next to Plugins in the sidebar means — it was an un-updated plugin. That said, removing the plugin didn’t solve the problem. I still had to remove all the plugins….

    Thread Starter BrattDev

    (@brattdev)

    After today, I think I’ve tried everything. I’ve looked at stray line breaks and memory limit and bad paths and permissions, and if anything, it’s slightly more broken (before, I was able to get plugins.php to load with Akismet and Hello.php in the folder — not anymore).

    My solution, which I don’t like, is to migrate the site from the PHP 4.4.9 server to the PHP 4.4.8 server, which seems backward but that’s what works. I would love to know what’s different between the two but looking at phpinfo(), I see nothing. When I have the money, I’ll get a server running PHP 5 and we’ll see if it works. But not this week.

    The troublesome thing for me is not knowing just what broke it. Without knowing that, I feel more reluctant now to recommend WordPress to clients, even though I love it when it works. But I’ve had too many white screens of death problems to want to recommend it except to lone bloggers and very small non-profits — and then, only with full warning about what it entails.

    Anyway, it’s been entertaining reading people’s variously solved and unsolved tales of woe. I do think the white screen of death (WSD) is a major flaw and should be resolved somehow — or a list of more precise server requirements published (which if it exists, I couldn’t find). What does WordPress want!

    Thread Starter BrattDev

    (@brattdev)

    Interestingly, I noticed that I got the same error (Server timed out) on a page on a completely different site (not even a wordpress site) that tries to load an image from the url rather than the path. I wonder what the plugins.php page is trying to do that the server doesn’t like?

    Upgrading to PHP 5 is tempting but I have over 40 sites running on that server and I don’t want to spend the next few weeks cleaning up all the minor glitches that will likely occur if I do that. You kind of want to be ready for a major upgrade.

    So I continue to ponder my dilemma and wonder why it is that when WordPress users encounter the “white screen of death”, those issues never seem to be resolved (or at least, the resolutions are not posted online anywhere). They just fade away. One assumes the people having the white page problems either switch servers, blogging platforms or solve the problem another way, without telling the online community how they did it.

    Thread Starter BrattDev

    (@brattdev)

    Here’s another question that’s been bothering me — what does it mean if there’s a number (in a red circle) next to the Plugins link in the admin sidebar menu? On the site I am working on, there is a numeral 1 next to Plugins in the sidebar nav. Other WordPress sites don’t have any numbers showing next to Plugins. Just curious since the number doesn’t seem to correlate to anything that I can see. Any ideas?

    Thread Starter BrattDev

    (@brattdev)

    Thanks for the reply. Regarding php 5, I was wondering whether or not that would be a plus. I’ve found conflicting reports on what version of php is best with WordPress 2.7 and it seemed like most people were saying php 4.

    So you think if I got my server people to upgrade to php 5, that would help? The odd thing is, the server where WP works is running an earlier version of php 4 than the one where WP breaks. Very mysterious.
