Any Good Security Plugin Recommendations?

tyealia

So it finally happened after 10 years: my first hacked site. They did something and created thousands of hidden URLs with /?en=5.55.4775921.2.16.77.cute+desk+chairs+under+%2450 style parameters appended to my URLs. Search Console is seeing a 500 page site getting 50,000 pages, a huge jump in indexing.

As I work to fix this, I am looking for recommendations for good security plugins for my other 14 sites. I have heard of secure, wordfence, and all the others. I am interested in some perhaps lightweight options that won't overburden my server. Also really interested in something that emails me if there are any changes to source files not caused by plugin updates.

Cheers!
 
When I do cleanup work for clients I use Malcure (https://malcure.com/) to initially scan before I start the cleanup process and then again afterwards to help ensure I've cleaned the site. The command line features help quite a bit and the desktop interface lets you control the amount of files to be scanned at once. As far as being notified if there's a change to site/core files, Wordfence is probably the best bet for a plugin type solution because of that whole cloud thing.

You could look into other central admin type solutions out there as well. On the Linux side, take a look at inotify (https://www.linuxjournal.com/content/linux-filesystem-events-inotify). I'm currently developing a set of tools using tech like that to detect those types of changes. The main issue with plugin and PHP type solutions is PHP; even CLI scripts really aren't ideal (but they will work) for things like this.
 
I actually worked for both Wordfence and Sucuri (the 2 biggest WordPress security plugins). Sucuri went to shit after the Godaddy buyout a few years ago. Wordfence with the settings tweaked is the most lightweight and developed option out there.

Personally, I keep everything auto-updated and only use well-maintained plugins. Most hackers are scanning for well known and unpatched vulns so staying updated mitigates 99% of hacks out there. Nobody is going to burn NSA level unknown (zero-day) exploits on somebody's content site.

The pages you mentioned are often generated via the .htaccess file.

Most of these hacks are focused on plugin or theme vulnerabilities in WordPress. Your best bet is doing a diff check of a fresh WP core download vs your site's production files or just overwrite them all with a clean WP download.

Also, if you have a clean copy of your theme wipe out the one in use and upload the clean version.

Theme header.php and footer.php files are often targeted by injecting JS.

This will clear most shit.
 
I'm curious do you guys like @Ryuzaki @secretagentdad and @MrMedia actually run a security plugin like Wordfence?
I do not. Security starts at the server level and with good FTP, MySQL, and Account passwords. I let managed server companies (KnownHost) handle it to stop port scanning, XML-RPC connections, etc. Past that, I use as few plugins as needed and only when they are run by companies that earn their living from supporting them. You can harden your installation by keeping certain files and version footprints unscannable. Vulnerable plugins and themes are people's main issues.

Edit: I also set up my own 2 factor authentication using .htpasswd before you can even load the login page, and if you fail that 3 times your IP gets blacklisted. It still gets hammered a million times a month, but eats up nearly zero bandwidth.
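The setup the post above describes, as an added example rather than the poster's own config: HTTP Basic auth gates wp-login.php before WordPress ever runs, and xmlrpc.php is closed off for installs that do not need it. This is Apache 2.4 `Require` syntax in a site-level .htaccess; the .htpasswd path is an assumption.

```apache
# Added example, not the poster's config.
# Ask for a second credential before wp-login.php is even served, so
# brute-force bots never reach PHP. Path to the password file is assumed;
# keep it outside the web root. Create it with:
#   htpasswd -cB /var/www/private/.htpasswd someuser
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/private/.htpasswd
    Require valid-user
</Files>

# XML-RPC is a common brute-force and amplification target. Deny it
# outright unless something you actually use (Jetpack, the mobile app)
# depends on it.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

The "three failures and the IP is blacklisted" part is not something Apache does by itself; the usual way is fail2ban's stock `apache-auth` jail with `maxretry = 3`, which watches the Apache error log for the 401 failures this block produces and inserts a firewall rule for the offending address.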
 
+1 Wordfence free and premium. Site performance is still 90+.
 
I used to run Wordfence a ton. It worked better than anything else.
Then, I got smarter and stopped using WordPress. That continues to work even better.
99 site speed and never had a security issue since switching to exclusively static site generators.

Databases in general are more trouble than they’re worth.
 
I actually worked for both Wordfence and Sucuri (the 2 biggest WordPress security plugins). Sucuri went to shit after the Godaddy buyout a few years ago. Wordfence with the settings tweaked is the most lightweight and developed option out there.

Personally, I keep everything auto-updated and only use well-maintained plugins. Most hackers are scanning for well known and unpatched vulns so staying updated mitigates 99% of hacks out there. Nobody is going to burn NSA level unknown (zero-day) exploits on somebody's content site.

The pages you mentioned are often generated via the .htaccess file.

Most of these hacks are focused on plugin or theme vulnerabilities in WordPress. Your best bet is doing a diff check of a fresh WP core download vs your site's production files or just overwrite them all with a clean WP download.

Also, if you have a clean copy of your theme wipe out the one in use and upload the clean version.

Theme header.php and footer.php files are often targeted by injecting JS.

This will clear most shit.
Appreciate this insight. Going to give Wordfence a shot. Whatever this hack is, it seems like the team at WPX did some cleaning and now something broke with those hacked URLs and they're just redirecting to my own pages, but somehow Google is ranking them. Now all of a sudden I'm getting 3000 visitors a day of mixed and USA real traffic, Ezoic ad revenue shooting through the roof. I am tempted now to not clean up these strange redirects and ride this Google bug that has them pounding me with traffic. Though I do think if I don't fix it Google will tank the site eventually. So damn strange. Ranking in the top 20 for massive terms unrelated to my site's topic. This site is a sport info and aff site, no articles on any of the keywords below that I'm now in the top 20 for.
 
Though I do think if I don't fix it google will tank the site eventually.

It'll happen soon enough.

It also could be a blackhat spammer testing something on a competitor's domain to see the effects before they introduce it on their own domain. So you could just be a test guinea pig. People don't just tend to make you a bunch of money for no reason.
 
It'll happen soon enough.

It also could be a blackhat spammer testing something on a competitor's domain to see the effects before they introduce it on their own domain. So you could just be a test guinea pig. People don't just tend to make you a bunch of money for no reason.
The hacker's original intent was to rank his affiliate style random text pages and get some income from them.
When WPX cleaned and deleted whatever scripts were there, and subsequently all the hacked non-indexed pages, Rank Math, which I have installed, by its design automatically registered the missing hacked pages, created canonicals for all of them to legitimate non-related pages and indexed all of these links.
Those canonicals, where the original hacked pages were not ranking, are now for whatever reason being ranked/indexed by Google and sending me massive traffic. This piece was not part of the hacker's original intent but is instead a canonical bug.
I have two choices: 1. Try to fix this bug and remove all these thousands of canonicals. 2. Let this low level site have its freak flag fly and make me a couple of thousand in ad revenue before it gets manual actioned or tanks. In my 15-site portfolio it's probably #12 in regards to traffic (before this hack), so it possibly getting banned would not be a noticeable hit to my bottom line.
 
Most of this stuff comes from plugins and themes that are either badly written or just compromised. This is at the PHP interpreter level and has nothing really to do with SQL injection most of the time. A compromised plugin/theme will allow things like the ability to upload code to the server and execute it. I can upload a ".gif" (file extensions aren't magical) file with PHP code in it and execute that. Just like with most hacking attempts, we're not talking about someone sitting in a dark room pummeling site after site and all of a sudden "I'm in" after a flurry of keystrokes, but it never fails to amaze me how many people think that their compromised site is the work of some mysterious hacker, working in darkness to undermine their site. No, they got hit with some automated bot, script kiddie shit, and think they have a real hacker on their hands. If you put a new site online, in less than an hour you'll see these types of attacks in the logs. Just having well known plugins and themes isn't enough. Check this out from Contact Form 7: https://secure.wphackedhelp.com/blog/contact-form-7-plugin-vulnerability-exploit/ Most managed hosting is not going to protect you from all this and can/will suspend your site until you can clean it up. Managed hosting isn't the complete answer. I owe a TON to managed hosting companies for all the work I get from users that want to run away screaming because their sites keep crashing and all the hosting company can say is shit like "add more RAM, we don't do swap files here".

A good cleaning of WordPress starts with removing wp-admin and wp-includes, reinstalling core and making sure the core checksums verify first. Use the command line and just run the "rm -rf wp-admin" commands and the like and use wp-cli as much as possible. I won't even begin to do this with just a cPanel; that's like using a screwdriver as an excavator and is just straight up masochism. I turn down a TON of work where sites are on shared hosting and I can't get to a console with root access.
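Several posts in this thread circle the same control: the original poster wants an alert when source files change, one reply suggests diffing a fresh WordPress download against production, and the post above says to make sure core checksums verify before anything else. For core files alone, wp-cli's `wp core verify-checksums` does that against the WordPress.org manifests. The script below is an added example (not any poster's tool, and not wp-cli) that generalises the idea to the whole install: hash every file once the site is known clean, store the manifest off the box, and on a schedule report anything added, removed or modified. It also scans wp-content/uploads by content rather than extension, since a "photo.gif" holding PHP is exactly the disguise mentioned above. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""WordPress file-integrity baseline and drift report.

Added example, not code from the thread or from wp-cli. Build a manifest
when the tree is known clean, keep it off the server, then compare on a
cron schedule and mail the report when anything is listed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories that legitimately churn are left out of the manifest so the
# report stays actionable; uploads get a targeted content scan instead.
EXCLUDED_DIRS = ("wp-content/uploads", "wp-content/cache")
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large files never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, excluded=EXCLUDED_DIRS) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()  # "." at the root
        # Prune excluded subtrees in place so os.walk never descends into them.
        dirnames[:] = [
            d for d in dirnames
            if (d if rel_dir == "." else f"{rel_dir}/{d}") not in excluded
        ]
        for name in filenames:
            path = Path(dirpath, name)
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def save_baseline(baseline: dict, manifest: Path) -> None:
    manifest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift into added, removed and modified paths (sorted)."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def php_in_uploads(root: Path, uploads: str = "wp-content/uploads") -> list:
    """Uploads should never contain PHP, whatever the extension claims.

    The check is on file *contents*: an extension filter would wave through
    an image-named file whose bytes are actually code.
    """
    base = root / uploads
    if not base.is_dir():
        return []
    return sorted(
        p.relative_to(root).as_posix()
        for p in base.rglob("*")
        if p.is_file() and any(tag in p.read_bytes() for tag in PHP_OPEN_TAGS)
    )


def demo() -> dict:
    """Constructed fixture: a tiny fake WP tree, a baseline, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample contents, not real WordPress files
            "index.php": b"<?php require 'wp-blog-header.php';\n",
            "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
            "wp-content/themes/demo/header.php": b"<?php wp_head(); ?>\n",
            "wp-content/uploads/2018/08/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)

        # Simulated drift (constructed): injected theme header, new .htaccess,
        # a deleted core file, and a PHP payload wearing a .gif name.
        (root / "wp-content/themes/demo/header.php").write_bytes(
            b"<?php wp_head(); ?>\n<script src=\"//example.invalid/x.js\"></script>\n")
        (root / ".htaccess").write_bytes(b"RewriteEngine On\n")
        (root / "wp-includes/version.php").unlink()
        (root / "wp-content/uploads/2018/08/cute.gif").write_bytes(
            b"GIF89a<?php echo 'not an image'; ?>")

        report = compare(baseline, build_baseline(root))
        report["php_in_uploads"] = php_in_uploads(root)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use you would run `build_baseline` against the live tree right after the clean reinstall, `save_baseline` the manifest somewhere the web server cannot write to, and have cron run `compare(load_baseline(...), build_baseline(...))` plus `php_in_uploads` and mail the result whenever any list is non-empty. Hashing the whole tree every few minutes is heavier than an inotify watcher, but it needs no extra packages and catches changes made while the watcher was not running.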
 