Tag: security

  • How to Check wp-content for Malware with Security by CleanTalk?

    WordPress powers a significant portion of the internet, making it an attractive target for cyberattacks. Ensuring the security of your WordPress website is paramount. One essential aspect of WordPress security is regularly checking your wp-content directory for vulnerabilities. In this article, we’ll guide you through the process of safeguarding your wp-content folder using the powerful Security by CleanTalk plugin.


    Why Checking wp-content for Malware is Crucial?

    Your website’s wp-content directory is a critical part of your WordPress installation. It contains themes, plugins, and uploaded media files, making it an attractive target for hackers. Malicious actors often seek vulnerabilities in this directory to compromise your website’s security.

    Checking wp-content is vital because it allows you to:

    1. Detect Unauthorized Access: Regular checks help you identify any unauthorized changes or suspicious files within your wp-content folder.
    2. Prevent Malware Infections: Detecting malware early can prevent it from spreading throughout your site, damaging your reputation and potentially harming your visitors.
    3. Maintain Website Performance: A compromised wp-content directory can slow down your site and disrupt its functionality. Regular checks help maintain optimal performance.
    4. Protect Sensitive Data: Your wp-content directory may contain sensitive information. Ensuring its security safeguards your data and user information.

    Introducing Security by CleanTalk

    To streamline the process of checking your wp-content directory and enhancing your WordPress security, we recommend installing the “Security by CleanTalk” plugin. This comprehensive security plugin offers a wide range of features to protect your website, including:

    1. Real-time Firewall: Defends your site against malicious traffic and hacking attempts in real-time.
    2. Spam Protection: Blocks spam comments and registrations to keep your site’s content clean.
    3. Malware Scanner: Regularly scans your website for malware, vulnerabilities, and unsafe permissions.
    4. Login Page Security: Protects your login page from brute force attacks.
    5. Two-Factor Authentication (2FA): Adds an extra layer of login security for administrators.
    6. IP and Country Blocking: Allows you to block specific IP addresses or entire countries to prevent malicious access.
    7. Security Audit Trails: Keeps a record of all security-related events on your site for monitoring and analysis.

    How to Install Security by CleanTalk

    Follow these simple steps to install and activate Security by CleanTalk on your WordPress website:

    1. Log in to Your WordPress Admin Dashboard: Navigate to your WordPress dashboard by entering your site’s URL followed by “/wp-admin” (e.g., “https://yourwebsite.com/wp-admin”).
    2. Go to Plugins: In the left sidebar, click on “Plugins.”
    3. Add New Plugin: Click the “Add New” button at the top of the Plugins page.
    4. Search for “Security by CleanTalk”: In the search bar, type “Security by CleanTalk” and press Enter.
    5. Install and Activate: When you see the plugin in the search results, click “Install Now,” and then click “Activate” once it’s installed.
    6. Configure Settings: Visit the “Security by CleanTalk” settings page in your WordPress dashboard to configure the plugin’s settings to your liking. Be sure to set up the malware scanner to check your wp-content directory regularly.
    7. Enjoy Enhanced Security: With Security by CleanTalk in place, your WordPress website is now fortified against threats, and your wp-content directory will be regularly monitored for vulnerabilities.

    Conclusion

    Regularly checking your wp-content directory is an essential part of maintaining a secure WordPress website. To simplify this process and ensure comprehensive protection for your site, we recommend installing the “Security by CleanTalk” plugin. With its wide range of security features, this plugin will help you safeguard your website, keeping it safe from threats and ensuring the integrity of your wp-content directory.

    Don’t leave the security of your WordPress site to chance—take proactive steps today by installing Security by CleanTalk and regularly checking your wp-content folder for peace of mind and a secure online presence.

  • We Have Reset 178 Passwords That Might Have Been Compromised

    While monitoring exposed password databases, we found a leaked database that contained, among other data, 178 compromised credentials of CleanTalk users. These emails/passwords were compromised some time ago and were afterwards used by their owners to create a CleanTalk account. As soon as we found this potential vulnerability, we immediately reset the passwords for all CleanTalk users related to these email addresses.

    Please remember to be careful when clicking on third-party links or using unverified services or WordPress plugins. And be sure to check the list of your compromised passwords in your browser. If you use Google Chrome you can find it here: chrome://password-manager/checkup/compromised.

  • White Label Option for Anti-Spam and Security Plugins

    We are proud to introduce the White Label option for our Anti-Spam and Security plugins. This option gives Unlimited plan users the ability to resell Anti-Spam or Security services to their customers under their own brand name. The Extra Package should be connected as well.

    Here’s what you get

    • Any CleanTalk and affiliate program mentions will be removed.
    • Absolutely all links to CleanTalk.org will be replaced with your custom URL.
    • The contact information of tech support will be replaced with yours.
    • All Connection problems reports will be sent to your support email.

    How to connect the White Label option for regular installation (not for Multisite)

    1. Ensure your Unlimited plan and the Extra Package for your Anti-Spam or Security services have been purchased.
    2. In the upper right corner of your Dashboard screen go to your ProfileSettings Whitelabel Database.
    3. Switch the White label option to On and fill in the following fields and press the Save button.

    Congratulations! You can now invite your customers to their new control panel.

    How to connect the White Label option for Multisite/Multiuser/WPMS

    In case you are using a Multisite/Multiuser/WPMS version of WordPress, check out these instructions.

  • Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

    We were contacted by a WordPress website owner whose website had been hacked. As a result of the hack, the whole website content was deleted: articles, pictures, plugins and themes were gone, and visiting the website displayed a blank page. All that was left in the «wp-content» folder was a single «uploads» folder; there were also new files in the root directory and many custom «.htaccess» files in other folders.

    The following measures were taken before restoring the website. To prevent the hacker from connecting again, all passwords were changed, including the database ones, authorization over HTTP was enabled, and installation of any files and themes was allowed only over FTP.

    What Has Been Done to Find Out the Source of the Hack

    The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.

    The first step was to save the entire file system in a way that keeps the files in their current state instead of creating them anew (this is important for identifying the creation time of the malicious files), together with the following:

    • saving nginx «access.log» on the date of the detected hack
    • saving nginx «error.log» on the date of the detected hack
    • saving nginx «syslog» on the date of the detected hack

    Input data:

    • logs: «access.log» (200 MB) and «error.log» (47 MB)
    • website files

    A local Splunk installation was chosen for the log analysis; the data sources were the files «access.log» and «error.log».

    To determine when the website infection happened, we used the creation time of the suspicious files in the website folder as input.

    The next step was to select the lines from the log files that fell within a certain time period and had the server response 200, while excluding requests from «admin_ajax» and «wp_cron».

    Thus, we found the hacker’s IP address that was able to get a response 200 for its POST request to this address: /wp-content/themes/seotheme/db.php?

    Next, we analyzed every line of activity of this IP address within the same time period. Based on this data, we see that someone created this folder: /wp-content/themes/seotheme

    Furthermore,

    • the cybercriminal from the IP address 43.153.77.57 was able to get a response 200 to their POST request while forcing /wp-content/themes/seotheme/db.php?u, and in the end a number of malicious files were created and then started being called;
    • a set of «.htaccess» files was created and modified specifically for an Apache-like web server to allow executing files;
    • the file «index.php» was modified: obfuscated malicious code was added;
    • the file «plugins.php» was modified: obfuscated malicious code was added;
    • the file «pluggable.php» was modified: obfuscated malicious code was added;
    • there were some eval constructions in the files, and parsing them was impossible;
    • it is also impossible to determine the origin of the folder /wp-content/themes/seotheme and the files in it, because the results of the malware’s activity were self-deleted.
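
The two log passes described above (first narrow by time window and status 200 with routine endpoints excluded, then pull everything one IP did) can be reproduced without Splunk. This is an added example, not the investigators' own queries; it assumes nginx's "combined" log format, takes «admin_ajax» and «wp_cron» to mean /wp-admin/admin-ajax.php and /wp-cron.php, narrows the first pass to POST requests, and runs on constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# nginx "combined" log format (assumed; adjust to the site's log_format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# Routine WordPress endpoints excluded as noise (assumed to be what the
# write-up calls «admin_ajax» and «wp_cron»).
NOISE = ("/wp-admin/admin-ajax.php", "/wp-cron.php")

def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def successful_posts(lines, start, end):
    """Pass 1: client IP -> URIs that answered 200 to a POST inside the window."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] != "200" or rec["method"] != "POST":
            continue
        if not start <= rec["ts"] <= end or rec["uri"].startswith(NOISE):
            continue
        hits[rec["ip"]].add(rec["uri"])
    return dict(hits)

def activity_of(lines, ip, start, end):
    """Pass 2: every request from one IP inside the window, in log order."""
    return [(r["method"], r["uri"], r["status"])
            for r in filter(None, map(parse, lines))
            if r["ip"] == ip and start <= r["ts"] <= end]

# Constructed sample; dates and IPs (documentation ranges) are not from the incident.
WINDOW = (datetime(2023, 3, 12, 3, 0, tzinfo=timezone.utc),
          datetime(2023, 3, 12, 4, 0, tzinfo=timezone.utc))
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2023:03:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2023:03:15:41 +0000] "POST /wp-content/themes/seotheme/db.php?u HTTP/1.1" 200 312 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Mar/2023:03:15:59 +0000] "GET /wp-content/themes/seotheme/ HTTP/1.1" 403 150 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2023:03:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2023:09:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uris in successful_posts(SAMPLE, *WINDOW).items():
        print(ip, sorted(uris), activity_of(SAMPLE, ip, *WINDOW))
```

The window should be set from the creation times of the suspicious files, which is why the file system has to be preserved without rewriting timestamps.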

    How to prevent future hacks:

    1. constant monitoring of the website files for any new unknown files in the system;
    2. aggressive response to any change in the status of the «.htaccess» files if you use an Apache web server;
    3. forcing all filesystem actions to go through a protected FTP account only; to do this, edit your wp-config.php and add the code below:
    define( 'FS_METHOD', 'ftpext' );
    
    define( 'FTP_BASE', '/yoursitepath' );
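
Points 1 and 2 above can be implemented as a hash baseline of wp-content that is compared on every run. This is an added example, not part of the CleanTalk plugin or the original post; the watched names, the extension list and the command-line paths are assumptions to adapt to the site.

```python
import hashlib
import os

WATCHED_NAMES = {".htaccess"}            # any new or changed copy needs review
RISKY_EXT = {".php", ".phtml", ".phar"}  # assumed list of executable extensions

def snapshot(root):
    """Return {relative path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def is_urgent(path):
    name = path.rsplit("/", 1)[-1]
    return name in WATCHED_NAMES or os.path.splitext(name)[1].lower() in RISKY_EXT

def compare(baseline, current):
    """Classify differences between two snapshots; 'urgent' lists the
    added or changed .htaccess and executable files first in line for review."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed,
            "urgent": [p for p in added + changed if is_urgent(p)]}

if __name__ == "__main__":
    import json
    import sys
    # Usage: script.py /path/to/wp-content baseline.json (placeholder paths)
    root, baseline_file = sys.argv[1], sys.argv[2]
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            print(json.dumps(compare(json.load(fh), snapshot(root)), indent=2))
    else:
        with open(baseline_file, "w") as fh:
            json.dump(snapshot(root), fh)
```

Keep the baseline file outside the web root and not writable by the web server user, otherwise the same compromise that plants files can rewrite the baseline.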

  • Geolocation (city) in the Security Log and email reports

    Sometimes knowing the attacker’s country is just not enough, so we have now added city-level geolocation by IP to help you. The new feature will be added automatically for all Website Security plugin users.

    You can notice it:

    1. On the Security Log page.
    2. On the Security FireWall page.
    3. On the Blacklists Database Reports page.
    4. In your email with Successful Logins With an Administrator Role.
    5. In your email Weekly Security report.

  • Custom text messages for Security FireWall Block Page

    We’re glad to introduce the new feature of our Security Extra Package.

    When you use Personal Black Lists (including blocking by country) users see a default message “This is the testing page for Security FireWall” but now you can change it. The message can include your email or phone number. In that case, you can collect data about the reasons for false positives.

    How to create a custom message

    Step 1: Go to your Dashboard => Security. Select your website and click on Settings.

    Step 2: Scroll down to Message for forbidden visitors and check it. After that you can type any text you want, including emails and phone numbers. When finished, just press the Update button.

    That’s it! Your custom message is enabled and updated. After about 10 minutes you can take a look at your Security FireWall block page.

    How to preview your block page

    Step 1: Go to Dashboard => Security => Your website Settings (exactly like it was described above). Then click on Testing Security FireWall.

    Step 2: After that, your Security FireWall testing page will appear. Here you can preview your custom message and edit it if needed.

  • New feature in Website Security FireWall Log

    Your website is regularly visited by different bots. The “bad” ones are blocked by your Security FireWall before they even reach your website, but what happens with the “good” ones like Google, Bing, and MSN? From now on you can use the Security FireWall Log to find out which “good” bots visit your site and how many actions they perform there.

    What exact information can you get:

    • Date
    • Website
    • URL of visited website
    • Bot IP
    • Hostname (in case it can be defined)
    • Browser used by bot
    • Bot country
    • Quantity of requests (hits)
    • FireWall result

    How it works

    Step 1: Go to your Security Dashboard. Choose “Site Security” in the “Services” menu.

    Step 2: Go to your Security FireWall Log:

    In order to find information about some specific bot just type in the name of it (or part of the name).

    From that page, you may decide whether you want to block one of these bots or not.

    How to block bots by User-Agent

    Feel free to block any bot using our special guide.

  • New features added to Malware Web Scanner

    There are some new features in our Malware Web Scanner that we want to tell you about.

    1. Public lists info
      Checks whether your website is mentioned in any of CleanTalk blacklists.

    2. Redirects
      Checks your website for different types of redirects, for example http→https and redirects to another server.

    In case you haven’t used it yet – it’s absolutely free and is available by the link below.

  • Hiding your WordPress username from bad bots

    Do you know how to hide your WordPress usernames from bad bots? We are glad to introduce a new Security plugin improvement: CleanTalk now allows you to hide WordPress usernames from brute-force attempts by bad bots.

    Before this improvement became available, some bots could learn WordPress usernames from their IDs and use them to brute-force these accounts later. For example, a request like «https://blog.cleantalk.org/?author=007» could return the username «https://blog.cleantalk.org/author/james_bond».

    This option is switched off by default, so in order to avoid vulnerabilities like that we highly recommend switching it on.

    Step 1: Go to Plugins => Installed Plugins.

    Step 2: Go to Settings beneath the Security plugin.

    And after that choose General Settings.

    Step 3: Go to the Miscellaneous section, find the checkbox «Prevent collecting of authors logins» and check it.

    Step 4: Press the «Save Changes» button.

    Success! That’s how quickly CleanTalk allows you to hide WordPress usernames from bad bots.

    If you have any questions, add a comment and we will be happy to help you.

  • CleanTalk Security for WordPress: More informative log

    We added new parameters in the Security FireWall Log.

    CleanTalk WordPress Security Log shows a list of all the network requests blocked in the course of loading the page. Each request is displayed in its own row.

    Each of these requests now includes the following field:

    - Page URL to which the request was sent.

    Security FireWall blocks all requests from the most active IP addresses where massive spam and brute force attacks come from.
    Security FireWall may significantly reduce the risk of hacking and reduces the load on your web server. All security logs are stored in the cloud for 45 days.

    Your security log is here https://cleantalk.org/my/logs?cp_mode=security

    Notice: Page URL is available starting with plugin version 1.17
    Download the latest version here:
    https://wordpress.org/plugins/security-malware-firewall/

    Don’t hesitate to let us know if you have any questions or comments.