

TELL HN: Many sites at Bluehost got hacked today (including their CEO's blog) - marcelo-br
http://blog.sucuri.net/2010/06/bluehost-ceo-blog-and-others-exploites-by-domainameat-cc.html?fee

======
raimondious
One of our clients on Bluehost was hacked in the last few days too, but not
with this. We noticed today, but I'm not sure when it happened. Here's the
script.

<http://rayschamp.com/misc/spammer.html>

------
crikli
A client of ours has eight WP blogs on Bluehost; none of them were affected.

------
epochwolf
Ouch.

How many times do I need to tell people not to use wordpress? :P

~~~
rumpelstiltskin
Maybe you should tell them to secure their wordpress install instead:

1. Put an IP lock on the login page via .htaccess so that it can't be
accessed from anywhere else but your IP - this one change alone can stop a
significant percentage of intruders.

2. Add this line to the .htaccess file at the top level of your WordPress
install - <FilesMatch ^wp-config.php$>deny from all</FilesMatch> - it'll make
it harder for your database username and password to fall into the wrong hands
in the event of a server problem.

3. Create an empty wp-content/plugins/index.html file. Otherwise, you leak
information on the plugins you're running. One of the easiest ways to break
into a wordpress site is to hack through outdated/insecure plugins. So don't
let anyone see what plugins you're running to begin with.

4. In the header.php file for your theme, look for - <meta name="generator"
content="WordPress <?php bloginfo('version'); ?>" /> - this line reveals the
version of your install. Again, hackers look for wordpress sites that haven't
updated to the latest version, so delete this line and don't reveal your
site's version.

5. Remove 'Really Simple Discovery' and 'Windows Live Writer' -
<http://falcon1986.wordpress.com/2009/07/15/remove-unwanted-wordpress-header-elements/>

6. Block injection of malicious code with these 2 steps -
<http://wpcult.com/wordpress-security-hacks/>

7. Whenever WordPress patches a security hole or releases a new version,
apply it/upgrade to it immediately.

The above steps should stop everyone but the most dedicated intruder. This is
a lot more efficient than boycotting wordpress altogether.

~~~
epochwolf
First off, thanks for giving out instructions for securing wordpress.

> Maybe you should tell them to secure their wordpress install instead

Hence the ":P", my comment was mostly in jest.

> 3. Create an empty wp-content/plugins/index.html file - otherwise you leak
> information on which plug-ins you run

It's better to just disable indexes on the entire site. That prevents anyone
from poking around.


    # Apache rejects an Options line that mixes +/- prefixed and bare options,
    # so FollowSymLinks needs its own "+" next to "-Indexes"
    Options -Indexes +FollowSymLinks


> This is a lot more efficient than boycotting wordpress altogether.

Wordpress has a history of being extremely vulnerable. I don't know how much
of it is user error and how much of it is related to the way php is normally
configured and used.

PHP invites uploading malicious scripts. Something like Ruby on Rails (or
Django) has the code for the application loaded into RAM. Static files are
served out of the public folder, away from any code. This makes uploading
malicious scripts useless, provided someone hasn't turned on PHP or CGI for
the public folder (which you should never do). Every PHP application I've seen
or worked on has mixed code with static files, and the webserver had write
permissions to every folder in the application. Additionally, anyone that
doesn't abstract from the database with a query generator or an ORM is asking
for SQL injection.

That is why I don't care for wordpress. :)

(Am I bitter? Oh yes, most definitely. :P)
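
A single top-level .htaccess that carries out steps 1 to 3 of rumpelstiltskin's list above and epochwolf's two points (no directory listings, uploaded scripts must never execute), written here as an added example; it is neither poster's own configuration. It assumes Apache 2.2 syntax (Order/Allow/Deny), mod_rewrite enabled, and 203.0.113.10 as a placeholder for the administrator's fixed IP.

```apache
# Hardened .htaccess for the WordPress document root (added example).
# Assumes Apache 2.2 directives and that 203.0.113.10 (placeholder,
# RFC 5737 documentation range) is the admin's static address.

# Step 1: the login page answers only to the admin IP; everyone else gets 403.
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
</Files>

# Step 2: never serve wp-config.php, even if the PHP handler is misconfigured
# and the server would otherwise hand out the file as plain text.
<FilesMatch "^wp-config\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Step 3 / epochwolf's refinement: no directory listings anywhere, so
# wp-content/plugins/ cannot be enumerated without an index.html trick.
# "+" and "-" must be used consistently on one Options line.
Options -Indexes +FollowSymLinks

# epochwolf's point about uploaded scripts: a .php file that lands in the
# uploads tree (through a plugin bug or a permissive upload form) is refused
# instead of executed. Pattern is relative to this .htaccess directory.
RewriteEngine On
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]
```

Step 1 only works from a fixed address; on a dynamic IP you will lock yourself out and have to edit the file over FTP or the host's file manager. The last rule is a fallback, not a substitute for keeping the uploads directory free of write access for anything but the uploader itself.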

~~~
rumpelstiltskin
I can understand your bitterness; one of my earliest wordpress sites got
hacked. I just feel that the benefits of wordpress (ease, flexibility, SEO,
etc.) far outweigh the risk of getting hacked.

------
j_lagof
You mean yesterday?

