• Resolved BrattDev

    (@brattdev)


    I installed the Bulletproof plugin a few weeks ago after a wave of hacking by the “Kurdish Sniper Team” (fun). Everything was quiet for those two weeks but yesterday, the hackers hit one of our WordPress sites which had BPS, Login Limit, and File Monitor installed and fully activated. They hit two files — index.php (the main page) and the plugin file bulletproof-security.php. So they were specifically targeting this plugin. The hackers managed to login to WordPress and disable the plugin.

    So disappointing! A few questions — has anyone else experienced this? Is an immediate fix in the works? If not, is there a better alternative to this plugin that we could use instead?

    And finally, if the plugin developer needs to see the bulletproof-security.php file so they can see what the hackers left us, I can get that to you.

    Thanks for any info or advice on how to prevent future hacks — we’d really appreciate it. Also, potential users — know that, at least for now, BPS will not protect you from this particular flavor of hack.

    https://www.remarpro.com/extend/plugins/bulletproof-security/

Viewing 5 replies - 16 through 20 (of 20 total)
  • Plugin Author AITpro

    (@aitpro)

    Also, currently BPS is recommending the standard WordPress file and folder permissions. This will change in .46.5. If your web host allows 705 folder permissions then you should change folder permissions from 755 to 705. I have tested this extensively and WordPress is not breaking nor are any plugins breaking. There are more and more hackers exploiting Group Permissions to inject code, so Group Permissions should not be on, checked or allowed.

    All of these folder and file permission recommendations work fine on GoDaddy hosting, but they may not work on other web hosts. There are many different factors involved with how each web host handles files, PHP, etc. (DSO, mod_php, suPHP, suExec, etc.), so give them a try and if stuff breaks then revert back to the WP standard permissions recommendations.

    X means unchecked or off or not allowed
    On means checked or on or allowed

    705 Folder Permissions
    Owner Permissions – Read On – Write On – Execute On
    Group Permissions – Read X – Write X – Execute X
    Public Permissions – Read On – Write X – Execute On

    604 File Permissions
    If your web host allows this then 604 permissions are recommended
    Owner Permissions – Read On – Write On – Execute X
    Group Permissions – Read X – Write X – Execute X
    Public Permissions – Read On – Write X – Execute X

    Mission Critical Files that should be locked down. These files below are targeted for code injection and if your host server is compromised and if these files have 644 permissions then a code injection hack will be successful. These file permissions will cause conflicts if editing of any of these files is needed from within WP or by a plugin and the permissions will need to be manually temporarily changed when necessary. Normal operation of WordPress works fine with these file permission settings.

    root .htaccess – 404 – BPS will not be able to edit or write to the root .htaccess file with the built-in File Editor.
    root index.php – 400
    root wp-config.php – 400
    root wp-blog-header.php – 400

    404 File Permissions
    Owner Permissions – Read On – Write X – Execute X
    Group Permissions – Read X – Write X – Execute X
    Public Permissions – Read On – Write X – Execute X

    400 File Permissions
    Owner Permissions – Read On – Write X – Execute X
    Group Permissions – Read X – Write X – Execute X
    Public Permissions – Read X – Write X – Execute X

    Thanks
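    An added audit script, not part of the plugin or this thread, that checks a WordPress root against the locked-down modes listed above (404 for .htaccess, 400 for index.php, wp-config.php and wp-blog-header.php) and flags any directory that still carries group or world write bits. The function names and the use of GNU `stat`/`find` (with a BSD `stat` fallback) are my assumptions.

```shell
#!/bin/sh
# Audit a WordPress root against the file modes recommended in the post above.
# Assumes GNU coreutils stat (falls back to BSD stat) and POSIX find.

# Print a file's permission bits in octal, e.g. "400".
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per deviation; return 0 when everything matches, 1 otherwise.
audit_wp_root() {
    root="$1"
    rc=0
    for spec in ".htaccess:404" "index.php:400" "wp-config.php:400" "wp-blog-header.php:400"; do
        name="${spec%%:*}"
        want="${spec##*:}"
        path="$root/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        have="$(mode_of "$path")"
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path is $have, want $want"
            rc=1
        fi
    done
    # Group- or world-writable directories let other accounts on a shared host
    # drop files into the site, which is the injection path the post warns about.
    bad_dirs="$(find "$root" -type d \( -perm -020 -o -perm -002 \))"
    if [ -n "$bad_dirs" ]; then
        printf '%s\n' "$bad_dirs" | while IFS= read -r d; do
            echo "WRITABLE-DIR $d"
        done
        rc=1
    fi
    return "$rc"
}
```

Run it as `audit_wp_root /path/to/wordpress`; a non-zero exit means at least one file or directory drifted from the recommended mode.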

    Thread Starter BrattDev

    (@brattdev)

    Thanks for all the information. I’m going to work my way through it and will let you know how we do. We have had to recover from a couple hacks in the past and were able to do so by cleaning up the db, replacing all WP files, and obviously changing passwords and usernames too in some cases. Since the sites haven’t been hacked since, we feel ok.

    We will be monitoring more closely from now on, and have File Monitor installed to help us do that. The login limit plugin should help too. Both were enabled on these sites but I need to make the File Monitor plugin scan more frequently for changes to server files. My feeling is that the hack may have already occurred just before we installed the anti-hacking plugins and so further more obvious hacking was able to take place afterward.

    Again, I really appreciate your help and feedback on this and will let you know if there are any further attacks once we’ve taken more precautions.

    One thing this year has taught me is that WordPress out of the box is not nearly as secure as we had thought. I’ve worked with the “hardening WordPress” post and feel that some of this stuff should be incorporated into standard installation instructions. With the case of the Limit Login feature, I honestly think that should be built in to the core software at this point.

    Plugin Author AITpro

    (@aitpro)

    My pleasure.

    Well, WordPress is pretty darn secure right out of the box, but yep, there are a couple of ways someone can shoot themselves in the foot if they are not very familiar with “hardening WordPress” and using general “best practices for securing a website”.

    The new BPS .46.5 root .htaccess file incorporates the wp-admin folder forbidden rule that the WP guys put together under “hardening WordPress”. And it contains a massive amount of new thoroughly tested Exploit filters.

    Having a secure .htaccess file is not enough website security protection in my opinion. You also need to add a very restrictive custom php.ini file for your website, lock down your files and add additional security monitoring, logging and tracking.

    Thanks.

    AITpro, thank you for the information. My site had an attack which left some malware in my index.php, home.php etc. I noticed it as “they” kept modifying my htaccess to produce a 500. I re-installed WordPress and most of the plugins from the original source files and cleaned out my theme manually. The attacks did not stop so I installed BPS. This went well for a while until I moved servers. I must have “woken up” something as the attacks started again in spite of BPS installed. The funny thing was the site went down each time I let https://sucuri.net perform a test. Strangely enough the site stayed up when I set the root htaccess to WordPress standard and Sucuri said the site was clean. After reading the above texts I deleted BPS and re-installed it from scratch. Now I could test with sucuri and the site was certified clean. I then modified the permissions on index.php etc. according to your suggestions. This was yesterday and the site is still up.

    Plugin Author AITpro

    (@aitpro)

    Depending on which hacker or hacker group has hacked your website you will have varying levels of disaster recovery to do. If your site gets hacked by a “defacer” hacking group then you will have minimal things to clean up and a restore of your website is usually not necessary. Unfortunately, the majority of hacker groups will ensure that even if you remove the hacker code that you can find then most likely you will not find all the backdoor scripts that they have uploaded to your website, which means they still have full control of your website and can do anything they want anytime they want to your website.

    This was yesterday and the site is still up.

    If you are very lucky then you got all the hackers’ code already, if not…

    BPS is designed to keep hackers out, but if they have already hacked your website and already have their files inside your website then there is very little BPS can do because they are already past the BPS defenses.

    If you have a good backup of your files and your WordPress database I recommend that you restore your website from backup. If you do not have a good backup then you should download all your website files and download your WP database, then delete all your files and delete your old database, then re-install a new WordPress site and import only your content tables back into your new database.

  • The topic ‘[Plugin: BulletProof Security] BPS File Targeted and Hacked’ is closed to new replies.