Many of us have been urging the WordPress core developers to enforce stricter security and close known loopholes. After the brutal mass WordPress hacking of January and February 2017, Google has recently started sending webmasters warnings to upgrade WordPress to 4.7. Here is a guide to securing WordPress and the server after the anti-ISIS KurDish HaCk3rS visit. Of course, one of our own pages, the Raspberry Pi DIN car computer article, suffered from SQL injection. If you search the web for "HaCkeD By MuhmadEmad", you will still find hundreds of pages that were hacked. As of February 11, 2017, over 1 million pages carried messages such as "Hacked By MuhmadEmad" or "hacked by NG689Skw". Webmasters can count themselves lucky: the damage appears to have been deliberately kept small. The attackers only targeted sites that had not been upgraded to WordPress 4.7.2, and only edited post content. However, unless you take measures, black hat SEO operators can use the same kind of access to insert links into your posts. Upgrading to WordPress 4.7.2 is the easy fix; you should also review the security suggestions below.
WordPress Is Not Getting Updated After the Anti-ISIS KurDish HaCk3rS Visit
Updating WordPress from the dashboard's update button can fail with this error:

```
The update cannot be installed because we will be unable to copy some files. This is usually due to inconsistent file permissions.: wp-admin/includes/update-core.php
```
How you fix this depends on how WordPress was installed. SSH to your server and run the following commands. If WordPress is running on the Nginx and PHP 7 stack installed our way on an Ubuntu server, your web root (the directory your FTP client lands in) is /usr/share/nginx/html and the owner user:group is www-data:www-data. In that case run:

```bash
sudo find /usr/share/nginx/html -type f -exec chmod 664 {} \;
sudo find /usr/share/nginx/html -type d -exec chmod 775 {} \;
sudo chown -R www-data:www-data /usr/share/nginx/html
```

These settings hand the PHP process write access to every file under the web root. That is what the built-in updater needs, but it is more than a live site should have: a compromised plugin or theme could then rewrite wp-config.php or drop its own PHP files. Once the update has finished, set wp-config.php back to 640 (or 600) and check that nothing under the web root is world-writable.
Run the automatic update with all caching turned off. If the site breaks during the update, we have a separate guide to fixing a WordPress install that broke mid-update.
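As an added example (not code from the original post), here is a small shell script that wraps the steps above: it relaxes permissions for the updater, then re-tightens wp-config.php afterwards, reports any world-writable files, and confirms that the installed version really reached 4.7.2 by reading the `$wp_version` string from wp-includes/version.php. The document root and the www-data owner are assumptions carried over from the Nginx/PHP 7 setup described above; change them for your server.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Wraps the update procedure above:
#   1. fix_wp_perms ROOT       - make the tree writable by the web server for the updater
#   2. (run the dashboard update with caching disabled)
#   3. tighten_wp_perms ROOT   - lock wp-config.php down again, list world-writable files
#   4. version_at_least "$(wp_version ROOT)" 4.7.2 - confirm the update actually landed
# Assumed path and owner (from this page's Nginx/PHP 7 setup):
#   /usr/share/nginx/html and www-data:www-data
set -u

# Step 1: 664 on files, 775 on directories, owned by the PHP user so that wp-admin can
# replace core files. chown needs root, so it is skipped when not running as root.
fix_wp_perms() {
    local root="$1" owner="${2:-www-data:www-data}"
    find "$root" -type f -exec chmod 664 {} +
    find "$root" -type d -exec chmod 775 {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$root"
    fi
}

# Step 3: wp-config.php holds the DB credentials and salts; leaving it group/world
# readable after the update is a common mistake. Also print any world-writable files
# for review, since those let any local account drop PHP into the site.
tighten_wp_perms() {
    local root="$1"
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
    find "$root" -type f -perm -o+w
}

# Step 4a: read the version string from wp-includes/version.php ($wp_version = '4.7.2';).
wp_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" | grep -o '[0-9][0-9.]*' | head -n1
}

# Step 4b: succeeds when HAVE >= WANT. Compared field by field so that 4.7.10 ranks
# above 4.7.2, which a plain string comparison would get wrong.
version_at_least() {
    local have="$1" want="$2"
    local lowest
    lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$want" ]
}
```

Source the file, call `fix_wp_perms /usr/share/nginx/html` (as root), run the dashboard update, then call `tighten_wp_perms /usr/share/nginx/html` and `version_at_least "$(wp_version /usr/share/nginx/html)" 4.7.2`; a non-zero exit from the last call means the site is still on a version the defacers were targeting.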
Securing WordPress & the Server After the Anti-ISIS KurDish HaCk3rS Visit
Here is a checklist; following it will reduce the risk in future:
- Use a cheap $7/month 6GB OpenVZ server, such as one from VPSDime, to set up automated backups and a second, continuously synced working server you can fail over to.
- Read our guide to geographically blocking access to specific WordPress files and directories.
- Use HTTPS, HSTS, DNSSEC and DANE; these are now normal security measures.
- Use Fail2Ban on the server together with a Fail2Ban WordPress plugin, which logs WordPress login attempts to syslog where Fail2Ban can act on them.
- Do not use a Twitter WordPress plugin that stores your Twitter app secret key: anyone who compromises the site gets the key. My 3000 tweets were deleted by the hackers via another WordPress site.
- Use the WP Security Audit Log plugin.
- Use OSSEC HIDS; its file integrity monitoring will flag modified core files.
- Try to hack your own server.
- Do not buy cheap security services.
- Plugins such as Insert PHP or PHP Code Widget, which execute PHP stored in posts or widgets, widen the attack surface: anyone who can edit a post or widget can run code on the server.