• I’ve just gone into my header (it’s only been a few weeks since I looked), and there’s SPAM inserted into my header by a hacker – how on earth would someone be able to get into my template header file and add their link? It was styled inline, negative margin and inserted above my header.

    How good is the security for 2.2.3?

Viewing 15 replies - 1 through 15 (of 17 total)
  • How good is the security for 2.2.3?

    How good are your security practices?

    Did you leave theme files 777 and open to the world?

    Thread Starter intricateartist

    (@intricateartist)

    I don’t chmod my files 777 – it’s the standard 644.

    Thread Starter intricateartist

    (@intricateartist)

    any other ideas, then, Handy?

    Not yet ??

    If you look at the theme’s header.php on your server, is the timestamp recent enough that you might have web server logs for that time frame? If so, dig through those looking for mention of it.

    Do you have the original files from that theme? How’s the header in the original distribution?
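One way to act on the two suggestions above (check the file timestamps so they can be matched against web server logs, and compare the live theme against a clean copy) is a small integrity scan. This is an added example, not code from the thread or from WordPress: it hashes every file in a known-clean theme directory and in the live one, reports files that were added, removed or changed, records the modification time of changed files so the web server log can be searched for that window, and flags lines that contain a link styled with inline CSS that hides it (negative margin, display:none, and similar), which is the shape of the spam described in the first post. The sample theme files it builds in a temporary directory are constructed for the demonstration; the hidden-style patterns are heuristics, not an exhaustive list.

```python
"""Added example (not from the thread): theme integrity check plus hidden-link scan."""
import hashlib
import os
import re
import tempfile
import time

# Heuristic: an inline style that hides or pushes an element out of view.
HIDDEN_STYLE = re.compile(
    r'style\s*=\s*"[^"]*(?:display\s*:\s*none|visibility\s*:\s*hidden'
    r'|(?:margin|left|top)[a-z-]*\s*:\s*-\d)',
    re.I,
)
ANCHOR = re.compile(r'<a\b[^>]*href', re.I)


def suspicious_lines(text):
    """Return (line_no, line) for lines holding a link inside a hidden-styled tag."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if HIDDEN_STYLE.search(line) and ANCHOR.search(line):
            hits.append((no, line.strip()))
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hashes(root):
    """Map relative path -> sha256 for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def compare_theme(clean_dir, live_dir):
    clean, live = file_hashes(clean_dir), file_hashes(live_dir)
    report = {
        "added": sorted(set(live) - set(clean)),
        "missing": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "last_modified": {},   # rel path -> mtime, to correlate with server logs
        "suspicious": {},      # rel path -> hidden-link hits
    }
    for rel in report["added"] + report["modified"]:
        path = os.path.join(live_dir, rel)
        report["last_modified"][rel] = time.strftime(
            "%Y-%m-%d %H:%M:%S", time.localtime(os.path.getmtime(path)))
        with open(path, encoding="utf-8", errors="replace") as f:
            hits = suspicious_lines(f.read())
        if hits:
            report["suspicious"][rel] = hits
    return report


# Constructed sample data: a clean header and the same header with a spam
# link inserted above it, styled inline with a negative margin.
CLEAN_HEADER = '<div id="header">\n<h1><a href="/">My Blog</a></h1>\n</div>\n'
INJECTED_HEADER = (
    '<div style="margin-top:-500px;"><a href="http://example.invalid/x">spam</a></div>\n'
    + CLEAN_HEADER
)


def build_demo():
    """Create clean/ and live/ theme copies in a temp dir; returns their paths."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for d in (clean, live):
        os.makedirs(d)
        with open(os.path.join(d, "style.css"), "w") as f:
            f.write("body { margin: 0; }\n")
    with open(os.path.join(clean, "header.php"), "w") as f:
        f.write(CLEAN_HEADER)
    with open(os.path.join(live, "header.php"), "w") as f:
        f.write(INJECTED_HEADER)
    with open(os.path.join(live, "extra.php"), "w") as f:
        f.write("<?php // unexpected file not in the clean copy\n")
    return clean, live


if __name__ == "__main__":
    c, l = build_demo()
    for key, value in compare_theme(c, l).items():
        print(f"{key}: {value}")
```

Run it against the real directories by calling `compare_theme("/path/to/clean-theme", "/path/to/wp-content/themes/yourtheme")`; the `last_modified` entries give the time window to search in the access and FTP logs, and the `suspicious` entries point at the exact lines to remove.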

    Thread Starter intricateartist

    (@intricateartist)

    Unfortunately, the timestamp is that of when I deleted the link, so all I know is that it’s between July (my last backup) and October 11.

    I created the theme myself – so the original doesn’t contain any spam.

    I’m wondering if it has to do with these spam registered users. Editing the theme isn’t allowed as a subscriber (which is what new users are set at); is there a way they could modify their access through the admin panel? Just the thought of it made me spend 2 hours deleting all those spam users from my database.

    For the future, to stop those spam registerings:
    https://www.village-idiot.org/archives/2007/01/10/wp-deadbolt/

    Thread Starter intricateartist

    (@intricateartist)

    Thanks much, Moshu – I am on the hunt for a plugin that will disable registration entirely. That one looks great, but there are so many e-mail addresses to block – it will take too much time and many would have to come through once in order for me know the addy to block them. :/

    Don’t need a plugin, it’s built in. Under your Options menu, under General, look under Membership and uncheck the box that says anyone can register.

    Instead of blocking by email, you may want to just set up an image verification on the registration page. Regular users won’t mind too much – since they’re already taking the time to register.

    I get a fair bit of spam myself, and a few of these regged spam users but none of that has ever resulted in compromised code. If you’re concerned that the wp admin area is being compromised then the first thing you should do is limit access as much as possible.

    A .htaccess file to allow only password access to the admin area is a good start, and something the good folks here suggest as part of any responsible installation. This way you’re relying more on your web server’s security than you are on PHP.

    Thread Starter intricateartist

    (@intricateartist)

    Wow – Jeremy, thank you. I’ve been using WP for a couple of years and never even had to look at that option before.

    ::blushing::

    ??

    Ivovic – I am not .htaccess literate, how is that written in the file?

    It requires that you generate a password hash too, so perhaps rather than fiddling with it manually, you might try a plugin which does it all for you.

    I’m not endorsing this plugin, it was simply the most recent one I could find, so it’s very likely compatible.

    What looks to be another cute little plugin will lockdown the login page for an hour, upon a number of failed attempts. This will dramatically reduce the chance of your password being compromised by brute force.

    There’s plenty of information to be found via google on how to do the htaccess/htpasswd stuff manually if you like, though.

    Also, if you’re really concerned about sending your passwords etc by clear text, you can go nuts and enable SSL on your admin area with this… though I don’t think it’s really necessary.

    Also, your web hosting control panel may have a function allowing you to set passwords on directories. That might be a good way to go.
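The login-lockout idea from the same post (lock the login page for an hour after a number of failed attempts) comes down to a sliding window of failures per client. This is an added example, not the plugin the post refers to: it counts failed logins per source address inside a window, locks the address for a fixed period once the threshold is hit, and clears the count on success. The fake clock, the address 203.0.113.7 and the password are constructed for the demonstration; in a real login handler the password comparison would be against the stored hash, not a plain string.

```python
"""Added example (not from the thread): failed-login lockout with a sliding window."""
import hmac
import time
from collections import defaultdict, deque


class LoginLockout:
    def __init__(self, max_failures=5, window_seconds=600,
                 lockout_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]       # lock expired; allow attempts again
            return False
        return True

    def record_failure(self, key):
        """Register a failed login; returns True if this one triggered a lockout."""
        now = self.clock()
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(tracker, key, supplied, expected):
    """Return 'locked', 'denied' or 'ok' for one attempt from client `key`."""
    if tracker.is_locked(key):
        return "locked"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        tracker.record_success(key)
        return "ok"
    tracker.record_failure(key)
    return "denied"


class FakeClock:
    """Deterministic clock so the simulation runs without waiting."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    clock = FakeClock()
    tracker = LoginLockout(max_failures=3, window_seconds=60,
                           lockout_seconds=3600, clock=clock)
    results = []
    for _ in range(3):                        # three bad guesses a second apart
        results.append(attempt_login(tracker, "203.0.113.7", "guess", "s3cret"))
        clock.advance(1)
    # correct password, but the client is now locked out
    results.append(attempt_login(tracker, "203.0.113.7", "s3cret", "s3cret"))
    clock.advance(3600)                       # an hour later the lock has expired
    results.append(attempt_login(tracker, "203.0.113.7", "s3cret", "s3cret"))
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying on the source address alone means a shared proxy can be locked out by one bad actor; keying on user name alone lets an attacker lock out the real user. A common compromise is to track both and apply the stricter result.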

    I am currently encountering this problem… i.e. spam inserted into header, footer… what works best to prevent this?

    Thank you

    Hi there,
    each time I try to delete the spam, if I update the file, it just all reappears after first taking me to a new page with a list of all the crap that is now going to be in the header. I am a blogger novice and am not sure how to get this problem fixed.

    Thanks!

    This thread is quite old. You may have been better off starting a new thread of your own.

    What version of WP are you running?

  • The topic ‘Lev*tra link spam inserted into my header?!’ is closed to new replies.