Yesterday — by accident(!) — I defaced a Big Idea Mastermind website; SORRY!
Defacing a WordPress based Website
Showing once more … that being with the right team, but not having basic knowledge about setting up a website (and not having backups), is a mistake many website owners make!
Imagine what else I could have done … (and didn’t do)
“What did you do exactly to deface their site? And Why?!”
Well … I was just researching something when I gained access to the installation … and reinstalled the whole thing, overwriting all site data and giving me admin access. By accident … because I was only interested in knowing about a few of their site features.
How to prevent your WordPress Based Website from Being Defaced
And it’s so not necessary! It’s very easy to install a few additional (free) plugins to prevent your site from being defaced. I recommend these two plugins (both can be installed from your WordPress Plugin backend):
Plugin: WordPress Bad Behavior
Bad Behavior is designed to integrate into your PHP-based Web site, running as early as possible to throw out spam bots before they have the opportunity to vandalize your site with their junk, or even to scrape your pages for e-mail addresses and forms to fill out.
Not only does Bad Behavior block actual vandalism to your site, it also blocks many e-mail address harvesters, resulting in less e-mail spam, and many automated Web site cracking tools, helping to improve your Web site’s security.
Bad Behavior runs before your software on each request to your Web site, so if a spam bot does visit, it will receive nothing, and your software never runs. This reduces the amount of server CPU time, database activity and bandwidth spent on processing robots which are just harvesting your site and delivering junk.
Bad Behavior rejects spam bots outright, sending an appropriate 4xx error code. This lets you filter them out of your server’s logs when you do log analysis, making them cleaner and more accurate and giving you better insight into the human beings visiting your site, rather than the spammers.
Bad Behavior is fully compatible with reverse proxies, HTTP accelerators, load balancers and content distribution networks. It is fully Section 508/WAI compliant. And it stores personally identifying information for a maximum of seven days (it is usually not stored at all), making it compatible with virtually any corporate or government privacy requirements.
Bad Behavior is designed as a platform-independent package which uses a connector to integrate with a given software package (MediaWiki, WordPress, etc.). This lets Bad Behavior run on a very wide variety of Web applications, including personalized custom scripts you may have written. With some Web servers, Bad Behavior can even be used to protect static HTML pages.
Plugin: Better WP Security
Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
With one-click activation for most features, as well as advanced features for experienced users, Better WP Security can help protect any site.
Obscure
Most WordPress attacks are a result of plugin vulnerabilities, weak passwords, and obsolete software. Better WP Security will hide the places those vulnerabilities live, keeping an attacker from learning too much about your site and keeping them away from sensitive areas like login, admin, etc.
- Remove the meta “Generator” tag
- Change the URLs for WordPress dashboard including login, admin, and more
- Completely turn off the ability to log in for a given time period (away mode)
- Remove theme, plugin, and core update notifications from users who do not have permission to update them
- Remove Windows Live Writer header information
- Remove RSD header information
- Rename “admin” account
- Change the ID on the user with ID 1
- Change the WordPress database table prefix
- Change wp-content path
- Remove login error messages
- Display a random version number to non administrative users anywhere version is used
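To check which of the header items in this list a site still exposes, the following added example (not part of the plugin or the original post) parses a page's HTML and reports the generator meta tag, the RSD link and the Windows Live Writer manifest link. Both sample pages, the `example.test` host and the `0.0.0` version are constructed for illustration.

```python
from html.parser import HTMLParser

class HeadAudit(HTMLParser):
    """Collects the WordPress fingerprinting tags named in the list above."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            # <meta name="generator"> discloses the CMS and its version
            self.findings.append(("generator", a.get("content", "")))
        elif tag == "link":
            rel = a.get("rel", "").lower()
            if rel == "edituri":
                # RSD (Really Simple Discovery) link pointing at xmlrpc.php
                self.findings.append(("rsd", a.get("href", "")))
            elif rel == "wlwmanifest":
                # Windows Live Writer manifest link
                self.findings.append(("wlwmanifest", a.get("href", "")))

def audit_head(html):
    """Return a list of (kind, value) pairs for every disclosure tag found."""
    parser = HeadAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the three tags as a default install emits them.
DEFAULT_HEAD = """<html><head>
<meta name="generator" content="WordPress 0.0.0" />
<link rel="EditURI" type="application/rsd+xml" title="RSD"
      href="https://example.test/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml"
      href="https://example.test/wp-includes/wlwmanifest.xml" />
</head><body></body></html>"""

# Constructed sample: the same page after the tags have been removed.
HARDENED_HEAD = "<html><head><title>Site</title></head><body></body></html>"

if __name__ == "__main__":
    for kind, value in audit_head(DEFAULT_HEAD):
        print(f"still exposed: {kind} -> {value}")
    print("hardened page findings:", audit_head(HARDENED_HEAD))
```
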
Protect
Just hiding parts of your site is helpful but won’t stop everything. After we hide sensitive areas of the site, we’ll protect it by blocking users that shouldn’t be there and increasing the security of passwords and other vital information.
- Scan your site to instantly tell where vulnerabilities are and fix them in seconds
- Ban troublesome bots and other hosts
- Ban troublesome user agents
- Prevent brute force attacks by banning hosts and users with too many invalid login attempts
- Strengthen server security
- Enforce strong passwords for all accounts of a configurable minimum role
- Force SSL for admin pages (on supporting servers)
- Force SSL for any page or post (on supporting servers)
- Turn off file editing from within WordPress admin area
- Detect and block numerous attacks to your filesystem and database
Detect
Should all the protection fail, Better WP Security will still monitor your site and report attempts to scan it (automatically blocking suspicious users) as well as any changes to the filesystem that might indicate a compromise.
- Detect bots and other attempts to search for vulnerabilities
- Monitor filesystem for unauthorized changes
Recover
Finally, should the worst happen, Better WP Security will make regular backups of your WordPress database (should you choose to do so), allowing you to get back online quickly in the event someone should compromise your site.
- Create and email database backups on a customizable schedule
Other Benefits
- Make it easier for users to log into a site by giving them login and admin URLs that make more sense to someone not accustomed to WordPress
- Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.