Wordpress Hacked

Soldato | Joined: 14 Apr 2003 | Posts: 5,708 | Location: Leicester
Hi there,

Been running Wordpress on a couple of my websites, due to the ease to link it up to Twitter, the SEO plugins, ease of adding new news etc.
They got in via SQL injection - but not sure how - how can I find out which plugin it was? It was fully up to date, including plugins.

Anyway, I cannot risk this happening, but I do not have the skills to do a website/CMS from scratch. What is the best free(or cheap) CMS around for the following applications:
An online radio website (one which was hacked)
A music e-zine/Review website
and a website for a music festival - can be pretty static.

Thanks in advance
 
If you are going to use third-party plugins then you always run the risk of poorly written code exposing a vulnerability. How up to date a plugin is doesn't have much of a bearing on security. SQL injection means that one of your plugins is not sanitising and escaping data from the user, so if you have a rudimentary understanding of PHP you should be able to find and plug the hole.

Moving to another CMS may solve the problem, but it's a programming error, so whatever you use there is a chance that someone else will have made the same mistake.
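To make the "not sanitising and escaping data" point concrete, here is an added example (not code from this thread or from any WordPress plugin) showing the class of bug behind a plugin SQL injection next to the fix. It uses PHP's PDO with an in-memory SQLite table so it runs stand-alone; the table, the rows and the two inputs are constructed for the demo. Inside a real WordPress plugin the equivalent fix is to build the query with `$wpdb->prepare()` and `%s`/`%d` placeholders instead of concatenating request data into the SQL string.

```php
<?php
// Added example, not from the thread: vulnerable vs. hardened lookup.
// PDO + SQLite in memory so it runs without a web server or WordPress.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one published review and one unpublished draft.
$db->exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)');
$db->exec("INSERT INTO reviews (slug, title, published) VALUES
    ('album-one', 'Album One', 1),
    ('draft-two', 'Draft Two', 0)");

// Vulnerable pattern: the request value is pasted straight into the SQL,
// so quotes in the value change the shape of the query.
function find_review_unsafe(PDO $db, string $slug): array
{
    $sql = "SELECT title FROM reviews WHERE published = 1 AND slug = '$slug'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the query shape is fixed at prepare time and the value
// is bound as data, so it can only ever be compared against the slug column.
// WordPress equivalent: $wpdb->prepare("... WHERE slug = %s", $slug).
function find_review_safe(PDO $db, string $slug): array
{
    $stmt = $db->prepare('SELECT title FROM reviews WHERE published = 1 AND slug = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal slug and the textbook tautology payload.
$normal  = 'album-one';
$crafted = "x' OR '1'='1";

echo "unsafe, normal input:  ", json_encode(find_review_unsafe($db, $normal)),  "\n";
echo "unsafe, crafted input: ", json_encode(find_review_unsafe($db, $crafted)), "\n"; // leaks the unpublished row too
echo "safe, crafted input:   ", json_encode(find_review_safe($db, $crafted)),   "\n"; // treats the payload as a slug that matches nothing
```

The unsafe function returns every row for the crafted input because the `published = 1` restriction is bypassed by the appended `OR`, while the prepared statement returns an empty list. When auditing the plugins on a hacked site, the same pattern is what to look for: calls to `$wpdb->query()`, `$wpdb->get_results()` or `$wpdb->get_var()` whose SQL string interpolates `$_GET`, `$_POST` or `$_REQUEST` values without going through `$wpdb->prepare()`.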
 
I'd definitely read up on hardening security of your WordPress installation before moving to another CMS.

E.g. http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/

You also get online tools that install a plugin to monitor your files for changes so you get notified the second something is starting to happen:

http://www.websitedefender.com/

Additionally, make sure you're making complete backups of your website and its data and TEST the reproduction of your website from these backups.

Having up-to-date backups that can be restored quickly and easily is a godsend for when something gets hacked and you want to make sure you've not lost anything.
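The file-change monitoring mentioned above boils down to a hash baseline of the install that is re-checked on a schedule. The following is an added example (not code from this thread or from websitedefender) of that check in plain PHP: it records SHA-256 hashes of every file under a root directory and reports files that were added, removed or modified since the baseline. It runs stand-alone against a constructed temporary directory; the directory layout, file contents and the simulated tampering are all made up for the demo.

```php
<?php
// Added example, not from the thread: minimal file-integrity baseline/diff.

// Walk $root and return [relative path => sha256] for every regular file.
function build_manifest(string $root): array
{
    $manifest = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen($root) + 1);
        $manifest[$relative] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Compare a stored baseline with a fresh manifest.
function compare_manifests(array $baseline, array $current): array
{
    $report = ['added' => [], 'removed' => [], 'modified' => []];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif ($baseline[$path] !== $hash) {
            $report['modified'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// Constructed sample site in a temp dir; the baseline is stored outside it.
$root = sys_get_temp_dir() . '/integrity-demo-' . getmypid();
$baselineFile = $root . '.baseline.json';
mkdir("$root/wp-content/plugins/demo", 0700, true);
file_put_contents("$root/index.php", "<?php // site entry point\n");
file_put_contents("$root/wp-content/plugins/demo/demo.php", "<?php // plugin code\n");

// First run: record the baseline (on a real site, right after a clean install or restore).
file_put_contents($baselineFile, json_encode(build_manifest($root)));

// Simulated tampering: one plugin file edited, one unexpected file dropped in.
file_put_contents("$root/wp-content/plugins/demo/demo.php", "<?php // plugin code, now altered\n");
file_put_contents("$root/wp-content/unexpected.php", "<?php // file that was never part of the install\n");

// Later run: rebuild and diff against the stored baseline.
$baseline = json_decode(file_get_contents($baselineFile), true);
$report = compare_manifests($baseline, build_manifest($root));
print_r($report);
```

On the constructed directory the report lists `wp-content/plugins/demo/demo.php` under `modified` and `wp-content/unexpected.php` under `added`. For a real install, run it from cron, keep the baseline file outside the web root (and ideally off the server), exclude directories that legitimately churn such as `wp-content/uploads` and cache folders, and regenerate the baseline only after you have verified an update or restore yourself.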
 
I haven't got a clue with php to be honest :( Plus I can't get the site back, as the updater I used only seemed to have the backup of the hacked version (Can't log into admin even after changing passwords and stuff?!)
 
When I last had no option but to run wordpress (it's very functional at the end of the day), I set up a secure wordpress build (this tutorial is close to what I'd do myself - http://wp.tutsplus.com/tutorials/security/20-steps-to-a-flexible-and-secure-wordpress-installation/)

Then set up modsecurity as a cheap (free) alternative to a webapp firewall. This is about as secure as wordpress gets and should protect against most bad code. If you don't have the knowledge to configure modsecurity without google (i.e. you don't know enough to configure it effectively) then your best bet is finding application-as-a-service hosting where they'll do it for you.
 