[Greg Acuna]

Hi All,

Our CBox site has been hacked twice in the past week. The webhost says it is more than likely due to problems with WordPress plugins. Have been uninstalling all plugins which aren’t totally necessary.

We originally created the site with the idea of using CBox/BuddyPress to have a social network, but due to the complexity of it in terms of watching after the site we decided to turn/hide all the social networking functionality, but we’re still using the CBox theme.

I’m deactivating all the plugins which come with CBox, but I’m wondering if there is a way to uninstall CBox, but still use the theme.

Also…if you have any suggestions on how to really keep the site safe I’d love to hear it. This has been a painful experience.

Thanks, Greg (www.planetearthlings.org)

[Ray]

Hi Greg,

Sorry to hear your site got hacked.

To uninstall CBOX, just deactivate the plugin, then you can deactivate and remove all the other plugins that came with CBOX.

You can keep using the theme, but you’ll need to manually check for updates yourself on GitHub:
https://github.com/cuny-academic-commons/cbox-theme

[Tom Davis]

Hi Greg,

A Cbox site I support was also hacked recently with what looks like similar results as your site.

Doing a Google search with the “site:” operator shows similar spammy results. ( site:planetearthlings.org ) Look several pages into the search results to see the spam.

I would not be too hasty to blame plugins – I feel like companies just start with that as a reason. We were totally up to date and we are just using the plugins we need. I could just as easily blame the hosting company – for me it is all a mystery.

I feel like I found all the bad code in the site, but only time will tell. Our plan right now is to hope we are good. But if we are hacked again, we will probably call on WordFence to clean the site and begin using that service – it is not all that expensive compared with the problems. I am not promoting WordFence, there are others – it is just what we decided. Not being a security or coding expert, sometimes you need to buy a little help!

Good luck!

Tom

[Ray]

Greg,

I forgot to mention your first point about staying safe.

I would disable access to WP’s xmlrpc.php. Unless you’re using specific functionality from the Jetpack plugin or if you blog with the WP mobile app, you do not need to enable this functionality, which can be used to post spam and attack administrator passwords.

Similarly, you’d want to limit login attempts to prevent password attempts on user accounts as well as disabling WP’s REST API functionality that was introduced recently into WordPress core.

WP Cerber is a plugin that you can use that has all this functionality.

For malware scans, any of the top plugins — WordFence, Sucuri and GOTMLS — are quite good.

[Greg Acuna]

Hey Tom & Ray,

Thanks so much for your detailed replies. I’m going to go through them step-by-step tomorrow and see what additional things I can implement. I have cleaned the site with WordFence and it did find several files which appeared to be hacked. I’m not sure if it was a problem with plugins or something with the host. Like Tom it is all a big unknown.

I’m definitely not blaming CBox…I really love the full suite of plugins and will definitely return to it as soon as we have someone working with us who can support running a social network.

Just hoping some simplification and a little care will stop this from happening again. Horrible to have to waste time cleaning something up when already burning the midnight oil to get our first game release.

Best wishes to the whole CBox community!

[Paul Schacht]

I’ve been the victim of multiple attacks recently, and while I don’t know that CBOX plugins are the point of entry, I can’t find any other vulnerability, and WordFence keeps shouting at me to update some of these plugins. I’m toying with updating manually by editing wp-config.php as Christian describes here but reluctant to create new headaches for myself by losing the CBOX team’s curation of these plugins.

A couple of puzzles about the curation, though: First, where does a plugin such as BP MPO Activity Filter fit in? It’s not listed on the CBOX dashboard as one of the plugins curated by CBOX. WordFence says it looks like it’s abandoned, since it hasn’t been updated since 2012 and hasn’t been tested with WordPress beyond WP 3.4.2.

Hence the second puzzle. If CBOX’s plugin curation is designed to ensure proper functionality, and CBOX 1.0.15 (which I’m running) has been tested for compatibility against WP 4.7.5, shouldn’t BP MPO Activity Filter have been tested against 4.7.5, and shouldn’t its plugin page indicate as much? (WordPress too seems to think it “may no longer be maintained or supported.”)

I take Tom Davis’ point above about the rush to judgment about plugins, but in my present situation, with nowhere else to look (including xmlrpc.php [deactivated]), a plugin that announces itself as not tested beyond 3.4.2 seems like something I should consider deleting.

Thanks for any suggestions you may have.

[Ray]

Hi Paul,

One way to strengthen your WordPress install is to disable PHP execution from the /wp-content/uploads/ folder.

You can view this article to find out how to do so:
https://blogvault.net/disable-php-execution-for-better-security/

Most malware gets uploaded there and executed. The problem is finding out how these files are uploaded there in the first place.

As for your second point, the BP MPO Activity Filter plugin is named as “Activity Privacy” on the CBOX Plugins page. That is most likely not the plugin causing the problems as the code is relatively simplistic.

The plugin that would cause the problem is something that has uploading functionality without any security restrictions.

You can find a full list of CBOX plugins, as well as their renamed deriviatives, in the source code:
https://github.com/cuny-academic-commons/commons-in-a-box/blob/master/admin/plugins-loader.php#L107

Let us know if you have any other questions.

[Paul Schacht]

Thanks, Ray! I’ve disabled php execution in wp-content/uploads. Fingers crossed.

[Author]

Posts