It's instructive to watch the various malicious bots troll through your server looking for vulnerabilities. Woe betide you if they find one! Even Wordpress.com has been hacked. Prior to that, at the beginning of this year, a significant number of stand-alone Wordpress installations were hacked because their owners had not updated to the newest security release.
Here's how you can recognize a malicious bot. If you are using Cpanel, go to "Error Log". You'll see a whole list of page fetch errors (this is also a good way to spot mistakes or broken links in your own code). But if you see something like:
[Tue Apr 05 20:24:48 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/websql
[Tue Apr 05 20:24:47 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/admin
[Tue Apr 05 20:24:46 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/dbadmin
[Tue Apr 05 20:24:44 2011] [error] [client 62.149.231.222] File does not exist: /home/[your account]/public_html/[domain_name]/lists
then you have a malicious bot trolling your domain.
How did I recognize this as a malicious bot? Look at the files it is trying to access: lists, dbadmin, admin, websql. They're nothing I uploaded to the server, and they all look suspiciously like paths to either phplist or my database front end. Note too that all four requests come from the same client address within a few seconds of each other: a visitor following a stale link hits one missing page, not a run of guessed admin directories.
What to do if you find a malicious bot?
I block the IP (again, from your Cpanel, under "IP Block").
Since I control several servers, I find it interesting to see the same IP wandering across servers to different addon domains, looking for vulnerabilities. Once I identify one bad IP, I block it on all the servers.
The nice thing about Cpanel's IP Block is that it edits the .htaccess file of each of your addon domains to Deny from xxx.xxx.xxx.xx. If you have a lot of addon domains, this is much easier than going into each domain one at a time and editing the .htaccess file.
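As an added example (not part of the original post and not cPanel's own code), here is a small Python script that automates both steps above: it parses error-log lines in the format shown, flags any client that requests several non-existent admin-style directories within a short window, and prints the .htaccess stanza that denies those addresses. The watchlist of directory names, the thresholds, the sample log lines (using example.com and the documentation-range addresses 198.51.100.7 and 203.0.113.9 alongside the address from the post) and the Order/Allow lines wrapped around Deny from are my assumptions; the post only shows the Deny from line itself.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2-style error_log line, as displayed by cPanel's "Error Log" view.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Assumed watchlist: directory names this site never published but that
# scanners guess at (admin panels, database front ends, mailing-list software).
PROBE_NAMES = {"admin", "dbadmin", "websql", "lists", "phpmyadmin", "myadmin", "pma"}

# Constructed sample: the four lines from the post (account/domain replaced),
# one visitor following a stale image link, and one lone guess at /admin.
SAMPLE_LOG = """\
[Tue Apr 05 20:24:48 2011] [error] [client 62.149.231.222] File does not exist: /home/acct/public_html/example.com/websql
[Tue Apr 05 20:24:47 2011] [error] [client 62.149.231.222] File does not exist: /home/acct/public_html/example.com/admin
[Tue Apr 05 20:24:46 2011] [error] [client 62.149.231.222] File does not exist: /home/acct/public_html/example.com/dbadmin
[Tue Apr 05 20:24:44 2011] [error] [client 62.149.231.222] File does not exist: /home/acct/public_html/example.com/lists
[Tue Apr 05 20:30:01 2011] [error] [client 198.51.100.7] File does not exist: /home/acct/public_html/example.com/images/logo-old.png
[Tue Apr 05 21:02:13 2011] [error] [client 203.0.113.9] File does not exist: /home/acct/public_html/example.com/admin
""".splitlines()


def parse_line(line):
    """Return (timestamp, client_ip, path) for a 'File does not exist' line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("path")


def find_scanners(lines, min_probes=3, window_seconds=60):
    """Map each flagged client IP to the sorted set of watchlisted names it probed.

    A client is flagged only when at least `min_probes` of its requests for
    watchlisted, non-existent directories fall within `window_seconds`.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        name = path.rstrip("/").rsplit("/", 1)[-1].lower()
        if name in PROBE_NAMES:
            hits[ip].append((ts, name))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        # Sliding window: any min_probes consecutive events inside the window.
        for i in range(len(events) - min_probes + 1):
            span = (events[i + min_probes - 1][0] - events[i][0]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = sorted({name for _, name in events})
                break
    return flagged


def htaccess_deny(ips):
    """Render an Apache 2.2 access-control stanza denying the given addresses.

    With 'Order Allow,Deny' a matching Deny overrides the Allow, so everyone
    else is still admitted. (Assumed wrapper; the post shows only 'Deny from'.)
    """
    body = ["Order Allow,Deny", "Allow from all"]
    body += [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(body)


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    for ip, names in scanners.items():
        print(f"{ip} probed: {', '.join(names)}")
    print()
    print(htaccess_deny(scanners))
```

To use it on a real server, replace SAMPLE_LOG with the lines from your error log (or read them from a file) and review the flagged list before pasting the stanza into an addon domain's .htaccess. The two benign clients in the sample show why the threshold matters: a single missing image or a lone request for /admin is not enough on its own. On Apache 2.4 these directives only work with mod_access_compat loaded; the native form is `Require all granted` plus `Require not ip <address>` inside a `<RequireAll>` block.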
Happy hunting!
Comment
Thanks for the kind words, Marcus. Another thing I do when I have a single individual using Wordpress (this does NOT work for Buddypress or any multiuser installation) is to use "Password Protect Directories" from Cpanel to make the entire wp-admin directory off-limits.
It means that the wp-admin user has to enter 2 sets of user-pw (usually I make them the same), but it ensures that if another Wordpress vulnerability is found, that installation can't be hacked anyway.
That last vulnerability (at the beginning of the year) wasn't discovered and corrected until after many, many Wordpress installations were hacked, so this has become routine for me when I install single-user Wordpress.
© 2024 Created by Daniel Leuck. Powered by