grumblenz
Forum Replies Created
The only client sites are both built and fully maintained by me as the clients have no idea. I was in NZ, now Australia and this site and owner are in Sacramento.
The registrant is Gary Brewer in California who uses GoDaddy and Enom (I use neither). The only common link is Hostgator. Different IP address.
Odd that he would set the contact email to [email protected] (My domain is like sausages99, so hard to confuse with another name)
Forum: Themes and Templates
In reply to: [Adventurous] theme credit and wordpress website
Thanks lalitpanwar – Worked a treat!
Clarus – Look at https://blog.sucuri.net/ – Some alarming stuff happening. SQL injection attacks gone from 0 to off the chart in less than 6 months.
The overall issue is plugins that are coded on the cheap by freelancers. Like Walmart – they sell it, but it was made in China. RevSlider is one of those – Made by a contractor who got low wages and simply does not care or have an interest.
I built my own .htaccess file from scratch and included some of 5G’s firewall from Perishable Press. It stops all sorts of ‘actions’ such as directory exploration, sql parameters and a heap of others.
There is no plugin I know of that is as complete as the hand built one I made. Some do some things, but running 12 plugins for security (tried that) just slows the site and fails to adequately protect. No plugin can stop the server issuing a ‘Look here’ instruction. It has to be ‘between’ WP and the server. So the attacker says ‘I want to go to this directory’, the server says ‘sure’ but the .htaccess says ‘no entry’.
Servers just issue commands, WP, MySQL just respond to commands, so you need a ‘gatekeeper’ which is .htaccess.
You can’t build a waterproof house from the inside.
Whilst iThemes can build an .htaccess file, it’s another plugin slowing the page serve time. I’ve stripped out 8 security plugins, got faster page loads and editing .htaccess is easy in cPanel, so why use a plugin?
I use the free Cloudflare and have most sites on it with severe geo blocking. Interestingly, the research shows that SQL injection attacks come from : China, India, Indonesia and…………………USA.
Have a look at https://jam88.com/index.php/blog/ for the Soaksoak cure and more about (some of) my .htaccess rules.
PS – I use the Cloudflare geo blocking extensively – Makes a massive difference to the number of hacking attempts.
Personally, when I read any review I like to hear also about how well the product does its job, be it washing machine or plugin. That’s why I seek out reviews. Part of a review is ease of use, which you had issues with – Fair enough. What I took issue with was the missing other part of how well it did its job.
Anyway, as you rightly say – Let’s be positive and helpful. My facetious humour was evidently ascendant on that day.
iThemes does not play well with MainWP, so I removed it as MainWP is essential to me. I have tried Wordfence, and keep it as it immediately blocks bad logins – a useful feature.
However, the recent Soaksoak attack that hit well over 100,000 sites last year (and continues to hit sites via the RevSlider plugin) was missed by ALL ‘security’ plugins. This pushed me to investigate why.
Having removed Soaksoak from 5 of my 55 sites and from 30+ of another person’s sites, I explored how it happened and how to prevent it happening again.
6 weeks of on and off research led to:
No plugin can work because WordPress is underneath the server and cannot have the necessary permissions to instruct the server.
PHP and MySQL have no inbuilt security and can’t be made more secure.
The best option is a very tight .htaccess file that prevents long parameters, directory browsing etc.
Coupled with CloudFlare CDN which serves results from a ‘local’ copy, this prevents the ‘source’ from being interrogated.
I have implemented this regime to great success on most of my sites.
Thank you Thomas – VERY much appreciated. I will add this code to my sites and change the permissions as you suggest.
I have cleaned up, now it’s about future prevention measures as the security plugins don’t cover the complete spectrum.
Thanks again!
Thanks for that Thomas. For us non php people, can you offer a copy/paste for this?
Cheers
For the time being, I offer this code. Create a file in wp-upload called .htaccess (use Notepad or cPanel) and paste this code. Should also go in the cache folder. Not 100% security but cuts the risk by 50% at least.
<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>
LOL – NO mention of whether it does its job properly or better – Based solely on the UI you declare it superior?
ROTFL
What theme Paula?
I suggest injection-guard plugin although I did hear that wordfence or sucuri (I can’t remember) has a tickbox to prevent php execution, thus limiting the damage to just uploaded files.
Thanks Tim – I quite agree it’s up to the user to keep things up-to-date.
I use MainWP across all my sites and update 2-3 times a week, so have an expectation higher than the ‘build and forget’ people.
Perhaps add the ‘No execution in Uploads folder’ as a selectable option in the next iteration of WordFence? Also, include an SQL injection defence – these seem to be the most common issues at present from what I see around.
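The FilesMatch rule posted in the .htaccess reply above, and the ‘No execution in Uploads folder’ option asked for here, both hinge on which filenames the pattern actually denies. The script below is an added example, not code from the thread: it mirrors how Apache applies a FilesMatch regex to a basename, runs the posted pattern and a wider one (an assumption about which extensions the host’s PHP handler covers) over constructed upload paths, and prints the block in Apache 2.2 Order/Deny form or the Apache 2.4 `Require all denied` form.

```python
import re
from pathlib import PurePosixPath

# Rule exactly as posted in the thread (Apache 2.2 Order/Deny syntax).
POSTED_PATTERN = r"\.(php|php\.)$"

# Wider pattern. Assumption: the host's PHP handler is also wired to .phtml,
# .phar and .phpN extensions, and mod_mime multi-extension handling (AddHandler)
# would treat "x.php.jpg" as PHP; confirm against the vhost config first.
HARDENED_PATTERN = r"(?i)\.(php[0-9]?|phtml|phar)(\.|$)"

# Constructed upload paths for the check; none of these come from the thread.
SAMPLE_UPLOADS = [
    "wp-content/uploads/2015/01/photo.jpg",    # legitimate, must stay reachable
    "wp-content/uploads/upload.php",
    "wp-content/uploads/upload.php.",          # the trailing-dot case the rule names
    "wp-content/uploads/upload.phtml",
    "wp-content/uploads/upload.php5",
    "wp-content/uploads/upload.PHP",           # FilesMatch is case-sensitive by default
    "wp-content/uploads/upload.php.jpg",
]


def files_match(pattern: str, path: str) -> bool:
    """Mirror <FilesMatch>: the regex is searched (not anchored) against the basename."""
    return re.search(pattern, PurePosixPath(path).name) is not None


def not_denied(pattern: str, paths) -> list:
    """Paths the rule leaves reachable; any PHP-handled extension in here is a gap."""
    return [p for p in paths if not files_match(pattern, p)]


def render_htaccess(pattern: str, apache24: bool = True) -> str:
    """Emit the FilesMatch block; Apache 2.4 replaces Order/Deny with Require."""
    body = "Require all denied" if apache24 else "Order Allow,Deny\nDeny from all"
    return f'<FilesMatch "{pattern}">\n{body}\n</FilesMatch>\n'


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{name}: still reachable -> {not_denied(pat, SAMPLE_UPLOADS)}")
    print(render_htaccess(HARDENED_PATTERN))
```

Place the rendered block in wp-content/uploads/.htaccess only after checking the server is Apache with AllowOverride enabled; on nginx or with overrides disabled the file is silently ignored.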
TBH – No point in restoring the site as you just restore a vulnerable situation. Rebuild without the hacked plugins and themes as they are likely to be easy targets for a second attempt. Hence struggling with a different slider and a new theme that hates sliders.
Working well with Woo is great but a security plugin should provide security. I realise there are many holes to be plugged but protection is the purpose of the plugin.
It does not (yet) provide protection from nefarious uploads or SQL injection attacks. It needs to as a matter of urgency.
My apologies for my shorthand.
[code]https://themeforest.net/item/mayashop-a-flexible-responsive-ecommerce-theme/2189918[/code]
MayaShop is a premium theme ($63) from a top author (according to ThemeForest)
I bought it 3 years ago and have applied all updates regularly. This problem was reported 2 months ago to the developer by someone else. The developer said it was duly fixed.
I applied updates 4 days ago and was hit 2 days ago.
The developer suggested I reinstall, check the database etc. (i.e. Start all over again)
I pointed out the ‘It’s fixed’ claim and asked why I got infected from a 4 day old install. I suggested they have either NOT fixed it (They are lying) OR there are MORE holes in their code.
I got no reply.
I will therefore use another theme.
The coding issue I believe applies to 50% or more of themes because, like Levi Strauss, Ford, Hanes etc. work is outsourced to cheap labour countries to increase profits.
Graphic designers are rarely coders and vice versa.
I believe the hackers who used to target MSWindows have now moved on and a new wave of back door attacks and sql injection attacks will escalate rapidly. After 3 years with no issues, I know of 4 in the last 2 months on my/friend’s sites – 5% of sites on a small sample.
MY OPINION
WPress REALLY needs to invest in a specific eCommerce version that is paid for and secure. A mangled blog platform is beyond its use-by date and we need a proper Apple style rigid architecture with consistent UI and coding / hooks. The current ad-hoc design and inconsistent coding conventions equals the disaster we are now witnessing.
PS – The theme developer was notified 2 months ago by someone else, supposedly fixed it, yet, on a 4 day old updated site, here we go again.
Envato/ThemeForest were notified yet continue to sell it.
*If* the developer fixed it, then themes are a colander – full of holes.
Remove ALL unused themes and plugins via cPanel (Not just via the dashboard as they still remain on the server and provide access)
I have MainWP (Used to use InfiniteWP) and update every site with one click 3 times a week so I can tell you for sure it is not a lack of updating. It’s cheap coders working for theme builders.
Don’t buy ANY theme from that vendor again because they will be using the same coders.
Use another theme, change the main username and password on the site.
Backups, I found, were also tainted somehow – Despite a restore from 2 weeks ago, my product slider has never worked again. I will have to rebuild from the ground up.
I have 8 different security plugins (including Wordfence and Sucuri) and it went straight past them all. There is a plugin that alerts when ANY file is changed. It’s a pain when you update sites and goes off when anything is done so I stopped using it. Time to dig it out. (File Monitor?)
It’s also a fundamental flaw in WordPress architecture – It’s a blogging platform wrestled into membership and ecommerce sites.
Long overdue for a secure ecommerce platform design built properly.