learningmore

Removing Wordfence code from my .htaccess resolved the issue.

= removed =

I’ve been posting in that thread, but I started this topic to see what security WordPress has when it is first installed, without “hardening” or using SSL or buying a dedicated server.

Other than common suggestions, theWordPress Hardening Security recommends:

• Use SFTP (which makes sense, I do.)
• Change file permissions– but do we need to do this on a new install? Does WordPress have secure permissions out of the box?
• Secure your WP-Admin directory: But they note this will break Ajax functionality, thus requiring a different method of securing WP-Admin “correctly”, which I guess is referenced at the bottom of the Security page: How to secure access to directories

I guess from what I see, there are common sense ways to secure yourself but to really “harden” wordpress, you need to go outside wordpress and start becoming familiar with .htaccess files, directory passwords, or contacting our server hosts to learn how to implement SSL.
Is there a simpler, well-known, common way of securing WordPress?

Tanci,

So you have modified the actual Theme pages themselves?

Yes, I would think when the theme is updated your files would be overwritten. I may be incorrect and I’ll let others chime in. I didn’t see anything on the Theme Development page. It seems there is a Lesson in Customizing Template Files, but the anchor link just brings you to a general guide about modifying themes, but not a step by step lesson.

Thanks for your response! So the main way we are getting hacked is through Themes? I was hacked by a feature or an image resized INSIDE a theme. Is there some way to tell what themes will be modifying my secure install- such as, are theme plugins allowed to make directories writable?

I would think it would take a LONG time to navigate through all the directories to compare the dates to see if they have been modified recently. Is that what you do, or do you have an application to check modified dates? I’ve found external site services that offer the option to check my site for modifications but they cost more money than I am willing to spend.

JarretC, how are the hackers uploading plugins to our website if it isn’t vulnerable in the first place?

Also, what would we be searching for in the javascript of the theme files? I’ve heard people saying to search for binary code, but normally it is written like normal code. I’ve also heard others saying the theme could be modified to reference external .js files from other websites.

When I was hacked, when I opened the index.php files, they looked normal in a text editor until I opened it in a raw text viewer.. then I saw the binary code at the top which google was translating.

Does WordPress have any other up to date methods of securing the site other than “change your password, update wordpress, maybe use SSL if you can get the server configured”?

it’s always best to always have a backup and always update your wordpress. this reduces the vulnerablity of being hacked

True, but my website was up to date. theotherlex, would you get in touch with me you find out your issue? I’m curious to see what is going on.

UPDATE: FIXED IT!

I chose to use a different theme and now my index page is back. I was using the “Lightword” theme. Now I am using the Mystique 2.5.1 by digitalnature.

How did it go? I replaced all the WP core files, excluding the wp-config, Wp-includes.

After reinstalling, my main blog index page is completely blank.

The other option in the ‘My Site got Hacked’ page is to completely replace all the files from backup.

Im running 4.2.1 and also did a reinstall from my WP control panel. I can view individule posts, just not the main index.

Let me know what you find out.