Category Archives: Security

How Can I Setup Password Protection With .Htaccess And .Htpasswd

My WordPress site was under brute-force attack. How can I set up a pop-up login prompt with .htaccess and .htpasswd?

Option 1

If your site is hosted on cPanel, follow these steps:

  • Log into your cPanel and click on the Password Protect Directories icon found under Security.
  • Choose Web Root (you may also need to select Show Hidden Files)
  • Click on the name of the directory that you wish to password protect.
  • Check the box for Password protect this directory.
  • Fill in the Name the protected directory field. This is the message shown to visitors when they try to log in and can be anything you like.
  • Click on the Save button below.
  • Click Go Back.
  • Fill in a Username and Password at the bottom of the page, and click Add/modify authorized user.

Option 2

  • Create a file named .htpasswd and place it above your web root directory, so visitors cannot download it.
  • Create an encrypted password using a utility such as the command-line program htpasswd or the Online Htpasswd Generator.
  • Place the generated line into the .htpasswd file.
  • Navigate to the directory containing the file(s) you would like to password protect.
  • Create or modify the .htaccess file there and insert the following example code:
    <FilesMatch "examplefile.extension">
    AuthName "Member Only"
    AuthType Basic
    AuthUserFile /path_of_htpasswd/.htpasswd
    require valid-user
    </FilesMatch>

Brute-Force Attack on My WordPress Site. What Should I Do?

My WordPress site was brute-force attacked and is now extremely slow. What can I do?

Option 1: Install a security plugin such as Wordfence Security or Login LockDown.

Option 2: Password-protect wp-login.php

  • Step 1: Create the password file on your server – see How Can I Setup Password Protection With .Htaccess And .Htpasswd
  • Step 2: Update the .htaccess file:
    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.htpassword
    require valid-user
    </FilesMatch>

    * Replace the AuthUserFile path with your own.
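As an added illustration for Option 2 of the first post and Step 2 above (this is example code, not code from the original post), the following Python script builds a .htpasswd entry, renders the .htaccess block that protects wp-login.php, and checks an incoming Authorization header against the password file the way Apache does on each request. The path /home/username/.htpasswd and the user alice are assumed.

```python
import base64
import hashlib
import hmac


def htpasswd_line(username: str, password: str) -> str:
    """Build one .htpasswd entry in the {SHA} format Apache accepts.

    {SHA} is used here only because it needs nothing beyond the standard
    library; on a real server prefer `htpasswd -B` (bcrypt), which is salted
    and slow, so a leaked file is much harder to crack.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def wp_login_htaccess(htpasswd_path: str) -> str:
    """Render the .htaccess block that puts Basic auth in front of wp-login.php."""
    return (
        'ErrorDocument 401 "Unauthorized Access"\n'
        'ErrorDocument 403 "Forbidden"\n'
        '<FilesMatch "wp-login.php">\n'
        'AuthName "Authorized Only"\n'
        "AuthType Basic\n"
        f"AuthUserFile {htpasswd_path}\n"   # assumed path, keep it outside the web root
        "Require valid-user\n"
        "</FilesMatch>\n"
    )


def check_basic_auth(header_value: str, htpasswd_text: str) -> bool:
    """Validate an `Authorization: Basic ...` header against .htpasswd contents.

    Mirrors Apache's per-request check: decode the header, look the user up,
    re-hash the supplied password and compare in constant time ({SHA} only).
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed header: treat as unauthenticated
    user, _, password = creds.partition(":")
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            expected = htpasswd_line(user, password).split(":", 1)[1]
            return hmac.compare_digest(expected, stored)
    return False  # unknown user or unsupported hash format
```

Write the output of `htpasswd_line` to the .htpasswd file and the output of `wp_login_htaccess` to the .htaccess file in your WordPress root; browsers then prompt for credentials before wp-login.php is ever reached.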

How To Clear WordPress SoakSoak Malware

My WordPress site was attacked by the SoakSoak malware. A new user was created, named support_users_v-xxx with the e-mail support @ wordpress.com, where xxx is a number from 100 to 999. Does anyone know what is happening and how to solve it?

If you find a user name in the format support_users_v-xxx, your site was infected by the SoakSoak malware via the RevSlider security hole. You can also check your site with the following link:

http://yourdomain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

If your website is vulnerable, it will show you the configuration file, which contains sensitive information about your website including the database username and password, the salts and other secrets. In that case you need to act as soon as possible.

The best way to clean your site and remove the SoakSoak malware is to replace the infected WordPress files with fresh, clean original WordPress files. Also reinstall all plugins and restore your theme from backup if you have one. Don't forget to update the login credentials as well: the database login, the WordPress salts, etc.

WordPress hash online generator

If you don't have a backup of your theme, you can use a security plugin like Wordfence Security.

How to avoid SoakSoak malware in a WordPress website
  • Keep WordPress, plugins, themes and the server upgraded.
  • Install a security plugin like Sucuri Security or Wordfence Security – Auditing, Malware Scanner and Hardening.
  • Block direct PHP access to any file inside wp-includes, the uploads directory and wp-content, and make sure these directories are not browsable.
  • Always download plugins and themes only from WordPress.org or trusted sources.
  • Install a plugin that limits invalid logins, like Login LockDown. This will protect your WordPress login against brute-forcing attacks; most WordPress websites are hacked by brute-forcing the login. Also, never use the default admin username: "admin" is common and easy to guess.
  • Use a web application firewall.
References

http://codex.wordpress.org/FAQ_My_site_was_hacked

Useful links

Website malware & blacklist scan (Sucuri)