Topic: How does Richweb secure your Wordpress site from potential hacking attempts?

Offline Doug Hazard

  • Richweb Staff (Admin)
  • Newbie
  • *
  • Posts: 28
  • CFB / MBB Junkie
    • http://twocentsradio.net
Richweb uses a two pronged method to secure and protect your Wordpress website.

First is our Richweb Wordpress Lockdown Plugin (in your WP Admin area, it's on the left as "RW Lockdown"; on your Plugins page, it's noted as "Richweb WP Lockdown". Also commonly referred to as "RW WP Lockdown").

The Richweb Wordpress Lockdown plugin essentially locks down your entire site to keep anything outside of the wp-content/uploads directory from changing. This means that if you're trying to make any changes to your themes or plugins while this lock is enabled, those changes will not be saved.

We're also in the beginning stages of having an automated process now running that will automatically check to see if a site is locked down... and if it's not, it will lock it down automatically.

Locking and unlocking the site is *very* easy to do. Simply log into your WP Admin interface... then on the left side, look for the "RW Lockdown" link on the left Admin navigation panel (will be towards the bottom). Click on that link. You will see the current status at the top (LOCKED or UNLOCKED). Select the radio button for the action you want to toggle and then click on "Submit".

EDITED TO ADD IN ON MAY 1st, 2015: We're in the process of rolling out Version 1.4 of the Richweb WP Lockdown Plugin, which will include even MORE information on the "RW Lockdown" link in your Wordpress Admin area. If you're not running this version, please contact us ASAP so that we can deploy this.

IMPORTANT NOTE: The Richweb Wordpress Lockdown Plugin is exclusive for Richweb clients and will not work on any other Hosting provider's servers. There is a server-side application that must be installed and running that works hand in hand with this plugin. If you attempt to use this plugin on any other NON-Richweb server, you will receive an error message referencing a "broken pipe".

SECOND IMPORTANT NOTE: If you have your Wordpress installation set to handle updates automatically, it will not be able to update itself while the Wordpress Lockdown is turned on (LOCKED). This is not a bug, it's a safety and security feature... again, designed to protect your site while you focus on what's important: running your site, instead of administering it.

For our customers that are on a standalone Wordpress powered server, we have a second method of also protecting your site.

We harden the "wp-content/uploads" and "/tmp" (everyone gets their own temp folder) folders to prevent any malicious PHP scripts from executing. You can see this in action by visiting the following link: http://twocentsradio.net/WP/wp-content/uploads/test.php (This is my own personal site - you can see that even we use our own recommended/best practices on our personal sites.)

When we secure your site to harden the Wordpress Content Upload folder, we'll also make sure your site has its own "temp" folder (where uploads are temporarily stored during any web based file upload process), which is in the "/tmp" folder. The same security restrictions we implement on the Wordpress Content Upload folder will also be present on this folder.

This does not guarantee that your site will never be hacked, however, it closes a couple of major areas that are often targeted for hacking attempts.

Again, just to reiterate (if you've got the Richweb WP Lockdown script activated): If you want to make any changes to your Wordpress site that do not involve content uploading (such as Themes, Plugins, CSS changes, Javascript changes, etc.), you will need to UNLOCK the RW Lockdown.
« Last Edit: November 08, 2016, 12:13:09 pm by Doug Hazard »
Doug "Bear" Hazard
@BearlyDoug  |  @GridironHistory  |  @Hogville | http://gridironhistory.com

Co-Host of Two Cents Radio, powered by the SportsManCave.com Radio Network, Wednesday Nights from 8 PM to 10 PM Central, covering SEC and Sun Belt Sports.

Listen at SMCRadio.com and follow @TwoCentsRadio on Twitter!
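The post above describes the lock as "keep anything outside of wp-content/uploads from changing" but does not say how the server-side daemon enforces it. The following is an added example, not Richweb's plugin or daemon: it stands in for that mechanism by clearing the POSIX write bits on every path outside `wp-content/uploads`, records the old modes in a sidecar file (the name `.rw-lockdown-state.json` is an assumption), and reports LOCKED/UNLOCKED the way the plugin's status line does.

```python
"""Added example (not Richweb's code): a minimal WordPress "lockdown".
Stand-in mechanism: clear write bits outside wp-content/uploads, save
the old modes, restore them on unlock."""
import json
import os
import stat
import tempfile
from pathlib import Path

EXCLUDED = ("wp-content/uploads",)        # stays writable while LOCKED
STATE_FILE = ".rw-lockdown-state.json"    # hypothetical name: saved modes
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def _excluded(rel: str) -> bool:
    return any(rel == e or rel.startswith(e + "/") for e in EXCLUDED)


def _entries(root: Path):
    """Yield (relative, absolute) for every non-symlink path outside EXCLUDED."""
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # prune excluded directories so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if not _excluded(os.path.join(rel_dir, d))]
        for name in dirnames + filenames:
            rel, path = os.path.join(rel_dir, name), Path(dirpath) / name
            if rel != STATE_FILE and not path.is_symlink():
                yield rel, path


def writable(path: Path) -> bool:
    """True if any write bit (owner, group or other) is set on the path."""
    return bool(stat.S_IMODE(os.lstat(path).st_mode) & WRITE_BITS)


def status(root) -> str:
    """LOCKED only if nothing outside the uploads directory can be changed."""
    return "UNLOCKED" if any(writable(p) for _, p in _entries(Path(root))) else "LOCKED"


def lock(root) -> int:
    """Strip write bits outside uploads and remember the old modes; returns the count."""
    root, saved = Path(root), {}
    for rel, path in _entries(root):
        saved[rel] = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, saved[rel] & ~WRITE_BITS)
    (root / STATE_FILE).write_text(json.dumps(saved))
    return len(saved)


def unlock(root) -> int:
    """Restore the modes recorded by lock(); returns the count of paths restored."""
    root = Path(root)
    saved = json.loads((root / STATE_FILE).read_text())
    for rel, mode in saved.items():
        os.chmod(root / rel, mode)
    (root / STATE_FILE).unlink()
    return len(saved)


def make_sample_site() -> Path:
    """Constructed miniature WordPress layout in a fresh temporary directory."""
    site = Path(tempfile.mkdtemp(prefix="wp-"))
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-content" / "themes").mkdir()
    (site / "wp-content" / "themes" / "style.css").write_text("body {}")
    (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
    (site / "wp-config.php").write_text("<?php // constructed sample\n")
    return site


if __name__ == "__main__":
    site = make_sample_site()
    print(status(site), lock(site), status(site), unlock(site), status(site))
```

The root directory itself is left writable here so the state file can be written; a production lock would need to cover it as well, and it is also why this stand-in does not stop the owner or root from simply changing the bits back.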

Doug Hazard
When do I need to LOCK/UNLOCK the site?
« Reply #1 on: November 19, 2015, 09:35:43 am »
When do I need to unlock the site?

If you're only making changes to your content or uploading pictures, videos, etc, using the WordPress Admin interface, you do not need to unlock your site. The only time you should unlock your website is if you are making changes to:
  • Any of the WordPress / Theme files directly (i.e., a CSS file, or a header file),
  • Adding or changing a theme,
  • Adding or updating a plugin, or
  • Performing an update to the WordPress application itself.
PLEASE REMEMBER TO RE-LOCK your site after you are done making your changes!
« Last Edit: July 11, 2016, 09:27:52 am by Doug Hazard »

Doug Hazard
Data Richweb collects and how/why we use this information
« Reply #2 on: July 11, 2016, 09:54:59 am »
With version 2.0's release of the Richweb Wordpress Lockdown plugin, we're introducing a brand new feature that will help protect your site a bit more, as well as allow the Richweb staff to work more efficiently in the near future.

Let me preface this with a note that we are NOT collecting any information on your site beyond the CORE Wordpress information, our "richweb" user account and information on themes/plugins. On your Wordpress site, under the "RW Lockdown" link in your WP Admin area, under the "WP Version Info" tab, you'll be able to see the information we collect on your site, any time you lock/unlock your site.

I am attaching two screen grabs from my own personal site to show you the exact information we collect.

There are three reasons for this:

First Reason: We care about the security and safety of your website. When the Lockdown is in LOCKED mode, your site is virtually unhackable. In the near future, we will implement a centralized system that will identify any site that has been UNLOCKED for more than X amount of time (we're leaning towards four hours) and automatically issue a command to LOCK your site down. Keeping your site LOCKED is crucial to ensuring that you won't be hacked.

On June 9th, 2016, one of our customers unlocked their site, and inadvertently forgot to lock their site back down. Later that evening, the first stage of a site hack took place. On June 11th, the hackers then completed the rest of that hack, and used that one site to launch an outbound attack against several other sites, in addition to "seeding" the hack in multiple places on our customer's site. We received several abuse reports early on June 12th. It took us nearly 10 hours to clean up that site to stop the outbound attacks and to re-secure the site back to its normal operational state.

The site hack occurred literally within hours after a major security issue was identified with Wordpress version 4.5.2. It's important to note that (as of this moment), we still have several customers running 4.5.2, however, because their sites are locked, they are not at risk of being hacked/compromised.

To summarize: If we find a site that's been left in an UNLOCKED state after a period of time, we will proactively issue a command from our central server to lock that site down.

Second Reason: When it comes time to proactively perform updates, we literally have to log into each of our customers' sites to ascertain who needs an update and who doesn't. Now that we collect version information on Wordpress, the themes and plugins, and store that inside of a central database, we will soon be able to run a quick command on our database to see who's running what version of Wordpress, a theme or a plugin. We will then have a once a week (maybe more often) check against the Wordpress.org servers to see if there are any sites that have updates that need to be performed. We can then take that information, compare it to what's in our central database and then only log into customers' sites that need updates.

This will be a major time saving feature for Richweb, which will allow us to focus our time more wisely on tasks that aren't Administrative in nature.

Again, please review the two attached images below to see a sample of what we collect.

Third Reason: When a customer comes to us to manage their Wordpress based site, we often set up a user account by the name of "richweb". When a customer contacts us for assistance using the "wecare" email address, we currently have to do a password reset if we're not aware of what the current password is (usually set by one person on the Richweb team). When we do a password reset, it generates an email that gets sent to the entire Richweb Web Development team.

We now have a feature inside of our central database that allows us to store the passwords for our own account. In addition to that, we have the ability (by customer request ONLY) to store additional usernames and passwords, if desired. The password storage feature is NOT tied into your Wordpress system, so if a password gets changed on the site itself, it will not automatically update it on our side.

By storing the password for our "richweb" account, we can reduce the amount of emails our web team gets, and have easy access to view this information inside of our own infrastructure.

Some Final Notes:
It's important to note that no customer has access to the information stored in our central database, so you do not need to worry that someone outside of the Richweb team will see what you're running.

We've taken great pains to safeguard this information as much as possible.

This feature only works on a Richweb server. We may, in the near future, release a "Richweb Wordpress Version Info" plugin that will stand alone from the lockdown portion of the core plugin.
« Last Edit: July 11, 2016, 10:08:30 am by Doug Hazard »

Doug Hazard
Richweb Wordpress Lockdown Plugin version history
« Reply #3 on: July 11, 2016, 09:59:53 am »
Starting with version 2.0, we will only keep the three most recent version notes inside the Richweb Wordpress Lockdown Plugin. The rest of the version history will now be posted inside of this thread.

Version 2.4.1 - Nov 10th, 2016
  • Bug fixes related to version 2.4 changes (Polling and remote locking).
  • Clean up of some un-needed HTML in version info.
  • Relocated older version history (4 entries) to the linked forum post (below).

Version 2.4 - Nov 1st, 2016
  • Added an API function to allow us to 'Poll' the status of users on the website (Online/Offline + Timestamp).
  • Added an API function to allow us to 'Lock' the website remotely.
  • Modified behavior on lock/unlock button functionality (now Javascript based).

Version 2.3.2 - September 21st, 2016
  • Implemented a check to see if CURL is installed. If not, provides directions on how to install it on every web server.
  • Fixed a missing image on the error/alerts tab.

Version 2.3.1 - September 7th, 2016
  • With the introduction of the database table in 2.3, I had to bump up the minimum supported Wordpress version from 3.4.0 to 3.5.0.

Version 2.3 - September 1st, 2016
  • Implemented a logging feature to record who has locked/unlocked the site, recording their username, IP, the day/time and LOCK/UNLOCK status.
  • Minor tab and code adjustments.

Version 2.2 - August 2nd, 2016
  • Removed some unused functions (used in the past, but with recent updates, no longer needed).
  • Some additional PHP/HTML cleanup/tidying.
  • Combined the "About this plugin" and "Version History" tabs into a new tab called "About...".
  • Corrected an issue inside the CSS file with a typo on a class name.
  • Fixed a wording bug when locking/unlocking the site (Jacob Dunn identified this issue).
  • Relocated Wordpress Theme and Plugin error issues into their own tab. Provides better error handling, including paths to themes/plugins with issues.

Version 2.1.1 - July 29th, 2016
  • Improved error message display to show ALL issues at once, plus actual location of theme/plugin causing issues.
  • Corrected a PHP variable inside the error area (a Plugin error handler was using a Theme name handler).
  • Due to improvements, version number update references were mislabeled on line numbers. Now fixed.

Version 2.1 - July 18th, 2016
  • Enhanced error message section after you lock/unlock the site. This was a result of a few sites not properly locking down.
  • Added a "Text Domain" (slugname) entry.
  • Added the site's IP record (DNS Lookup) to both the Richweb Reporting utility, and to the "WP Version Info" tab.
  • Implemented an on-screen error check for Plugins & Themes having the same name under their "Plugin Name" & "Theme Name" (respectively) lines, causing issues while communicating with the Richweb Reporting system (which will return an error when locking a site).
  • Improved Error Handling/notification immediately when accessing the Plugin's main page. Errors that can stop successful reports to Richweb's Central reporting system will now show immediately for needed fixes.

Version 2.0 - July 12th, 2016
  • is_dir() returns an on screen warning if on screen errors are enabled. Now suppressing via @is_dir().
  • Added a Unique Site identifier for our new Customer Info Centralization system.
  • Restructured information we're collecting for our central data system.
  • Separating out the data we're collecting from the HTML output to provide better organization of the code internally. Improved documentation as a result.
  • Re-did the HTML layout for WP Version Info, so you know what data we're collecting for the purpose of being more efficient on updates.
  • Implemented and improved data submission tool into our central repository area.
  • Wording improvements to provide a more clear understanding about the primary nature of this plugin.
  • Fixed an unclosed HTML tag. Added WP_MULTISITE and NAME to the UNLOCK string.
  • Added links to "WP Version Info" & "Version History" to provide more info.
  • Changed button wording on Lock/unlock tab to provide better understanding of what each button does.

Version 1.9.1 - Oct 9th, 2015
  • On the file counter, the time estimate variables were flipped.
  • After working on a site that had over 57,000 files, we adjusted the time calculator/estimator.
  • Changed the position of the RW Lockdown link on the Admin menu to the top.

Version 1.9 - Oct 6th, 2015
  • Some features of 1.8 were inadvertently rolled back to 1.7 as a result of the emergency fixes in 1.86. Version 1.9 restores those features.
  • Added Server Hostname and Path to Wordpress installation under the "Need Help" section.
  • Created JSON list of Core Wordpress info (version, theme info, plugin info, Richweb account status, etc.) for a future Richweb Wordpress management feature. Output is commented out, for the time being.
  • Added file counters for Wordpress Directory.
  • Added a warning indicator if you have over 16,500 files in your Wordpress directory, noting approximately how long it will take to lock/unlock a site.

Version 1.86 - Sept 8th 2015
  • Emergency fix to a few parts of the plugin to allow it to integrate with the changes we made to the server-side Daemon. Emergency fix was inadvertently based off of version 1.7. Corrected and restored all features back in version 1.9.

Version 1.85 - Sept 4th 2015
  • Implemented additional security settings to prevent anyone from locking/unlocking a site they don't own/operate (MD5 Checksum checks).

Version 1.8 - June 1st 2015
  • Changed Admin Menu icon to indicate whether a site is locked or not. Now gives you a visual cue without needing to go into the RW Lockdown page itself.
  • Corrected Theme Counter under "WP Version Info". Was using an incorrect variable name.
  • Corrected one of the authors' names (changed "Dout" to "Doug").
  • Corrected a typo under one of the error messages (the "Broken Pipe" error message).
  • Added an Alert Icon to indicate potential configuration issues.
  • We now automatically update the Automatic Update Notification (AUN) system on each version update (in case the AUN system has an update itself).
  • We now tie in each Lockdown set up with a Richweb Client ID (needed for future Richweb Wordpress Lockdown Plugin features coming). We also strip out any HTML in this field for security reasons.
  • Enhanced security on a (now previous) potential concern between locking and unlocking the site.
  • Added Plugin name and Version info at the top of the Plugin itself.

Version 1.7 - May 6th 2015
  • Added an Admin Menu padlock icon.
  • Due to display issues on some sites, relocated Version History to within the Plugin itself, rather than externally.
  • Improved commenting within the Plugin itself to better identify what each section does.
  • Implementing an Update notification feature (requires one additional plugin - you'll see a notice for this at the top of the RW Lockdown page).
  • Added a readme.txt file to comply with WP Update guidelines and scripts.

Version 1.6 - May 3rd 2015
  • Modified Lock/Unlock form to indicate, visually, whether a site is locked or unlocked.
  • Implemented Wordpress style commenting (per JD's request).
  • Implemented a lock/unlock image as well as the Richweb logo on all tabs.

Version 1.5 - May 1st, 2015
  • Added support for WP Multi-Site setup (Network Admin) functionality.
  • Added detection for whether Richweb's user account is present. If so, show email and account role.
  • Added detection for whether Wordpress installation is a Standalone or Multi-Site set up.
  • Added detection for Multi-Site set up and whether the Richweb User account is a Network/Super Admin or not.
  • Added "WP Version Info" tab.
  • New tab now includes Wordpress Version and current theme/version info.
  • New tab now lists all Wordpress themes and versions.
  • New Tab now lists all Wordpress Plugins, Versions, Activation Status (and if active AND MultiSite, Network Activation Status).

Version 1.4 - April 30th, 2015
  • Changed the layout of the Plugin itself.
  • Adjusted Plugin description to make it more readable.
  • Added "About" info on Plugin itself.
  • Provided ways to obtain support & more info.
  • Added Version History.
  • Modified the info on the forums to explain our Wordpress security a bit more in detail.

Version 1.3 - March, 2015
  • Updates to Description, Version, Author information and Author URI.
  • Added Version Tracking and Changes.

Version 1.2 - March, 2015
  • Changed the script to now allow for the Plugin to work from any directory Wordpress is installed in, rather than assuming that wp-admin is in the main root folder.
  • Cleaned up white space in script.
  • Reorganized HTML output to make it MUCH easier to see whether locked/unlocked (visual improvements).

Version 1.1 - March, 2015
  • Reordered the <label> part to ensure words are clickable for radio buttons to enable/disable.

Version 1.0
  • Initial Development.
« Last Edit: April 18, 2017, 08:32:01 am by Doug Hazard »
