
Wordpress hacked

Hi, I can't get anything when adding this to the end /wp-json/wp/v2/users

Just a 403 error ?

You on latest wordpress version? *edit* try another endpoint like

/wp-json/wp/v2/posts
 
I use WordFence which is pretty good for the free version. Also really hammer down the folder permissions. I run a server with mod-ruid2 which runs apache/PHP with the user's ID instead of the webserver ID. Means the wp-content folder can be run with 755 instead of 775 or 777.

Also as has been mentioned rename the /wp-content folder to something like /assets - there are additional steps & wp-config.php settings needed. Links on the interwebs.

And also move the wp-login page, again interwebs for the code for the functions.php file.

I use my own bespoke skeleton theme https://github.com/ontiuk/iPressRD2 which also pretty much strips all the garbage that WP injects into the header - and telegraphs that it's a WP site - including bloody emojis.

Stephen
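A way to check the permissions point from the post above (wp-content at 755 rather than 775 or 777), as an added example that is not part of the original thread. The function names and the docroot argument are assumptions; it reports only, and changes nothing.

```shell
#!/bin/sh
# Added example: flag WordPress paths whose permissions are looser than
# the 755 (directories) / 644 (files) baseline mentioned in the post.
# 755 is only workable when PHP runs as the owning user, as described there.

# Print one line per finding:
#   "DIR  <path>"  directory writable by group or other (775, 777, ...)
#   "FILE <path>"  regular file writable by other (666, 777, ...)
audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm -020 = group-write bit set, -perm -002 = other-write bit set
    find "$root" -type d \( -perm -020 -o -perm -002 \) -print | sed 's/^/DIR  /'
    find "$root" -type f -perm -002 -print | sed 's/^/FILE /'
}

# Exit status for cron or CI: 0 = clean, 1 = findings printed, 2 = bad path.
wp_perms_ok() {
    findings=$(audit_wp_perms "$1") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against a docroot when one is given on the command line,
# e.g. sh audit.sh /path/to/docroot (placeholder path).
if [ "$#" -gt 0 ]; then
    wp_perms_ok "$1"
fi
```

Uploads directories are the usual place a 777 survives after a plugin install or a migration, so they are worth including in a scheduled run.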
 
@tifosi

Do you ever get screwed by wordpress updates with the functions file ?
 
@tifosi

Do you ever get screwed by wordpress updates with the functions file ?

The functions.php file is in the theme, so not applicable to core WP updates. I generally use it to create a standalone theme for personal/client projects - no page-builder garbage.

Stephen
 
@tifosi

Do you ever get screwed by wordpress updates with the functions file ?

It is a good idea to have a standalone functions file so theme updates and such don't have any effect. Just have one as a plug-in
 
It is a good idea to have a standalone functions file so theme updates and such don't have any effect. Just have one as a plug-in

For commercial themes, e.g. bloated multi-option page-builder themeforest offerings, and those in the WordPress repository that have the update theme option in WP admin, then yes, I recommend using the theme as a parent theme always and creating a child theme for development. For bespoke standalone themes, then it's not really required, though I do do it for client projects.
 
Hi @dee

Yes that worked and returned all my pages. I am on the latest version.
 
I run more than 2000 WP Sites, we had this really often. But since we use Wordfence it became better. You should really try it out.
 
I run more than 2000 WP Sites, we had this really often. But since we use Wordfence it became better. You should really try it out.

2000! Holy wordpress. That's a lot of sites. I've already installed it on my sites. Seems fab. Sucuri seems to be the other one that comes up a lot as an option.
 
