Has anyone used Sucuri?

Nov 29, 2003
61
0
61
My WordPress site was hacked and used for spoofing/phishing despite following all of the rules for "secure" passwords.

I need to clean up the mess.

One thing I'm considering is Sucuri. Any opinions?

If you have any ideas on clean-up, I'd appreciate them as well.

Thanks.
 
Last edited by a moderator:

John Connor

Lifer
Nov 30, 2012
22,840
617
121
There are a number of plugins you can use. A reverse proxy may not even help at all.

Check out the following plugins:

Bad Behavior

Block Bad Queries (BBQ)

BruteProtect

If you use Cloudflare use the CloudFlare plugin.


Disable comment author links

Disable XML-RPC Pingback

Edit Author Slug

Login Security Solution

WordPress Simple Firewall

wp-bcrypt

WP-SpamShield

If you really want security I highly recommend the script ZBblock. If you go that route let me know so I can provide a custom sig. for WordPress, as WordPress needs a special bypass and your host may need a special bypass for database updates and cron. Do you have mod_security for your host? It's in cPanel. I make no less than 4 backups. You have a backup, right? Use your backup. Also, your host may make nightly backups, but it might be too late for that now.

If you don't allow comments then I would password protect the wp-admin folder. Do not password protect the wp-admin folder if you allow comments, as it will block CSS from loading for commenters.

Also, to make sure users can't use the website URL option add this code to the top of your theme's functions.php file found in wp-content.

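Code:
<?php
// functions.php normally already opens with <?php; do not repeat the tag when pasting.

// Remove the "Website" (URL) field from the default comment form fields.
add_filter('comment_form_default_fields', 'url_filtered');
function url_filtered($fields)
{
    if (isset($fields['url'])) {
        unset($fields['url']);
    }
    return $fields;
}

https://wordpress.org/support/topic/remove-website-url-option-from-comments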
 
Last edited:

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I should also add that even using a reverse proxy like Sucuri, CloudFlare, whatever, there is no guarantee you are still secure. The reason is that robot probes will scan swathes of IP addresses and connect to you directly, bypassing the reverse proxy. To mitigate this you should create the reverse proxy account, then have your host give you a new IP address. Now change your DNS records in the reverse proxy. Also, someone can do an MX lookup and get your real IP address. So you have two options: Delete the MX record on the reverse proxy and use the WP-Mail-SMTP plugin in WordPress and use an E-mail provider like gmail. Or use an SMTP relay server. I can give you the IP address info for gmail. It's like TLS// something. I had a hell of a time getting it to work. Also, if you have a lot of E-mail traffic in WordPress then gmail may not be something to use because they limit the amount of SMTP E-mails.

You should always check your logs and if you get a mouse fart sniff of an intrusion, block that IP right away. That is if it isn't too late. Use htaccess. The code is as follows:

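Code:
# Apache 2.2 access-control syntax; Apache 2.4 only accepts it when mod_access_compat is loaded.
<Limit GET HEAD POST>
order allow,deny
allow from all
# Replace 10.0.0.0/8 with the blocked IP.
deny from 10.0.0.0/8
</Limit>

I would also block the head request:

Code:
# Requires mod_rewrite. Returns 403 for every method other than GET and POST, HEAD included.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC]
RewriteRule .* - [F,L]

Block user agents less than 15 characters in length:

Code:
# Matches user agents of 0 to 15 characters, including an empty one.
RewriteCond %{HTTP_USER_AGENT} ^.{0,15}$
RewriteRule .* - [F]

There are other htaccess rules you could use. I would Google htaccess + wordpress.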

I have a forum and WP site so I have learned a lot.
 
Last edited:
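An added example (not part of the thread) of auditing your own DNS zone for the leak described in the post above: records that still lead a lookup to the origin server instead of the reverse proxy. The zone, the addresses and the function names are constructed for illustration, and the SPF check goes beyond the MX case the post mentions.

```python
import ipaddress

# Constructed zone export as (name, type, value); example.com and all IPs are placeholders.
ORIGIN_IP = "198.51.100.20"                      # the web server's real address
RECORDS = [
    ("example.com", "A", "203.0.113.10"),        # reverse-proxy edge address
    ("www.example.com", "CNAME", "example.com."),
    ("mail.example.com", "A", "198.51.100.20"),
    ("example.com", "MX", "10 mail.example.com."),
    ("ftp.example.com", "CNAME", "mail.example.com."),
    ("example.com", "TXT", "v=spf1 ip4:198.51.100.20 ~all"),
]

def resolve(name, records, seen=()):
    """Follow CNAMEs inside the zone and return the A-record addresses for name."""
    if name in seen:                             # guard against CNAME loops
        return set()
    found = set()
    for rname, rtype, value in records:
        if rname == name and rtype == "A":
            found.add(ipaddress.ip_address(value))
        elif rname == name and rtype == "CNAME":
            found |= resolve(value.rstrip("."), records, seen + (name,))
    return found

def origin_leaks(records, origin_ip):
    """Return (name, type) for every record that lets a lookup reach origin_ip."""
    origin = ipaddress.ip_address(origin_ip)
    leaks = []
    for name, rtype, value in records:
        if rtype == "A":
            exposed = ipaddress.ip_address(value) == origin
        elif rtype == "CNAME":
            exposed = origin in resolve(name, records)
        elif rtype == "MX":                      # value is "<priority> <mail host>"
            exposed = origin in resolve(value.split()[-1].rstrip("."), records)
        elif rtype == "TXT":                     # SPF ip4: mechanisms list sender addresses
            nets = [t[4:] for t in value.split() if t.startswith("ip4:")]
            exposed = any(origin in ipaddress.ip_network(n, strict=False) for n in nets)
        else:
            exposed = False
        if exposed:
            leaks.append((name, rtype))
    return leaks
```

Every record it returns has to be moved behind the proxy, pointed at a separate mail host, or removed before the new origin address stays private.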
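An added example (not part of the thread) of the log check recommended in the post above: it applies the same two tests as the rewrite rules, method other than GET/POST and user agent of 15 characters or fewer, to access-log lines and renders `deny from` entries. The log lines are constructed, and the repeated-login threshold and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip, method, path and user agent are captured.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
LOGIN_POST_LIMIT = 3  # assumed threshold, tune for the site

# Constructed sample log (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2016:10:01:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/49.0"
198.51.100.23 - - [12/Mar/2016:10:01:07 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.47.0"
203.0.113.5 - - [12/Mar/2016:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
203.0.113.5 - - [12/Mar/2016:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
203.0.113.5 - - [12/Mar/2016:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"
203.0.113.77 - - [12/Mar/2016:10:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [12/Mar/2016:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/49.0"
this line is truncated and will be skipped
"""

def triage(log_text):
    """Return {ip: set of reasons} for clients that trip one of the checks."""
    reasons, login_posts = defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated entry
        ip, method, path, agent = m.groups()
        try:
            ipaddress.ip_address(ip)  # never copy unvalidated log text into .htaccess
        except ValueError:
            continue
        if method.upper() not in ("GET", "POST"):
            reasons[ip].add("method")       # same test as the REQUEST_METHOD rule
        if len(agent) <= 15:
            reasons[ip].add("short-agent")  # same test as ^.{0,15}$
        if method.upper() == "POST" and path.split("?")[0] in LOGIN_PATHS:
            login_posts[ip] += 1
            if login_posts[ip] >= LOGIN_POST_LIMIT:
                reasons[ip].add("login-flood")
    return dict(reasons)

def deny_lines(reasons):
    """Render 'deny from' lines in the syntax used in the post above."""
    return ["deny from %s" % ip for ip in sorted(reasons)]
```

Review the reasons for each address before pasting the `deny from` lines, since monitoring tools and some legitimate clients also send HEAD requests or short user agents.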
Nov 29, 2003
61
0
61
Thank you both. I will sign up for Sucuri once I get a new site up.

This mess started when I had to be moved from my initial server to another due to email issues. (I use Arvixe for hosting and Domain.com for registrar.) It seems the hack occurred with the move, but I can't prove it.

The hackers are sending via the "default" email address, which is my cPanel login name @ mysite.com. I don't know how to stop it other than changing my login, but one of the techs said that isn't possible. I've requested a move to another server which will change the IP as well.

As fast as I changed/fixed things, they were just as fast to undo them. After hours of this, I had enough and uninstalled WordPress from the site. The two emails associated w/WP and the site (one for an information form and another w/WP for the site) were also deleted. I hope that I didn't make more problems, but the frustration got to me.

Until I get a new login, however, the "default" email will remain, and I fear more problems.

It is a terrible feeling, creepy in fact.

Arvixe seems to be having some tech support issues, and nobody is returning calls or emails. I was lucky to get through once yesterday am, but silence since.

I have been in touch with PayPal and let them know the circumstances. I also put a generic index page on the site telling visitors what happened.

Other than this, I am not sure what else to do since tech support is non-existent.

Thanks again. I don't think I'll rebuild in WP after this experience. :/
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
Sounds like a real crap host. I would go to Webhostingtalk.com and find a new host. I'm thinking about creating another site at stablehost.com. They have a coupon for WHT members which makes hosting one website like $1.50 or something.

Far as domains, I recently transferred to Namesilo.
 