Using LetsEncrypt, hacker added UBH plugin to hack Wordpress sites


#1

Using LetsEncrypt, hacker added UBH plugin to hack Wordpress sites.

This should not be possible, we have many security plugins on our WP sites, and the lock is GREEN. Should not have been possible. Very disappointing.


#2

TLS defends against people eavesdropping on you and people pretending to be you. It does nothing to improve the security of your site against hackers; that’s the job of regular patching, vetting your plugins before using them, and security auditing tools.


#3

We have automated upgrades on core, themes and plugins. We have many
security plugins in the sites. We only use wordpress.org themes and highly
rated, popular plugins.

Very disappointing results from “encryption”. My server admin says it only
encrypts the login page.

Thanks,

Mary Luketich
President
BizWebShop.com http://www.BizWebShop.com
(512) 829-4169
LinkedIn https://www.linkedin.com/in/bizwebshop | Facebook
https://www.facebook.com/BizWebShop/ | BBB A+
http://www.bbb.org/central-texas/business-reviews/web-design/bizwebshop-com-in-dripping-springs-tx-90052333


#4

This is not related to Let’s Encrypt (or any other CA you might use). If anyone’s told you that using SSL/TLS is a way to protect your server from being compromised, they’ve apparently been misinformed. SSL encrypts traffic while it travels between your server and your visitors so that no one else can read passwords or other things they send. That’s all.


#5

Popular and highly-rated Wordpress plugins are the most commonly exploited ones, so you’re vetting the wrong way. Very few 3rd party plugins are secure in any meaningful way, as even a cursory glance at https://wpvulndb.com/ would show. Wordpress itself is also routinely exploited with zero-days, so even perfect patching won’t save your site without significantly more defense-in-depth.

Regardless, that’s unrelated to Let’s Encrypt. TLS protects the people accessing your web site from outsiders. It isn’t in any way intended to protect you from your users or your users from you.


#6

Very informative. Thank you for the depth of your answer.



#7

An analogy might be if someone got a tetanus shot and a few months later ended up catching the flu. Sadly, each form of prophylaxis only protects against one thing or a handful of things, and there are a lot of pathogens out there. The tetanus shot can still be quite useful and medically appropriate, but sadly protects only against one particular risk (or three, if administered in combination as DPT).

Or, if you prefer, you could imagine sailors taking vitamin B₁₂ pills along on their sea voyage, but still coming down with scurvy. Each vitamin prevents one nutritional deficiency but not others, but each one could still be worth taking in appropriate circumstances.

I’m very sorry that your site was compromised; that’s very frustrating. I wish we did have a technology on offer to protect against all of these Internet threats.


#8

Letsencrypt only protects server + browser conversations. For example, login credentials are encrypted + difficult to crack.

Letsencrypt has no other effect on the runtime environment.

Many exploit vectors exist in most runtime environments.

  1. Running an ftp server, rather than using sftp.

  2. Running old LAMP software - Linux Kernel + SSL + Apache + MariaDB/MySQL + PHP.

  3. Running old CMS software - WordPress (or other CMS) core + theme + plugins.

  4. Running ssh where users can login without keyfiles + are allowed to set their own passwords, as most users use common + weak passwords across many accounts.

To secure your system, hire a Server Savant to access your system + close all potential exploit vectors (backdoors).
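Item 4 in the list above (ssh logins without keys, users choosing their own passwords) is the one a defender can verify from the server's own configuration. The helper below is an added example for this thread, not code from any reply or from Let's Encrypt: it reads an sshd_config-style file, takes the last occurrence of each keyword the way sshd does, and flags `PasswordAuthentication`, `PermitRootLogin` and `PermitEmptyPasswords` values that leave password guessing open. It assumes the `Keyword value` form of the file (not `Keyword=value`) and that sshd's compiled-in default for `PasswordAuthentication` is `yes`, which is why an unset keyword is reported. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the thread above (not from any reply): audit an
# sshd_config for settings that permit password-based logins.

effective_value() {
    # $1 = config file, $2 = keyword (matched case-insensitively).
    # Prints the value of the LAST non-comment occurrence, or "unset".
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        { k = tolower($1); if (k == key) val = $2 }       # last one wins, as in sshd
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

audit_sshd_config() {
    # $1 = config file. Prints one "WEAK:" line per risky setting; always
    # returns 0 so it can be used under set -e and in pipelines.
    file="$1"
    pa=$(effective_value "$file" PasswordAuthentication)
    prl=$(effective_value "$file" PermitRootLogin)
    pep=$(effective_value "$file" PermitEmptyPasswords)
    case "$pa" in
        yes|unset) echo "WEAK: PasswordAuthentication is $pa (sshd default is yes; set it to no and use keys)" ;;
    esac
    case "$prl" in
        yes) echo "WEAK: PermitRootLogin is yes (set it to no or prohibit-password)" ;;
    esac
    case "$pep" in
        yes) echo "WEAK: PermitEmptyPasswords is yes" ;;
    esac
    return 0
}

weak_count() {
    # Number of WEAK findings for file $1 (grep -c prints 0 on no match).
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

# Constructed sample configs (not from any real host) to exercise the audit.
weak_cfg=$(mktemp)
hardened_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hardened_cfg"' EXIT

cat > "$weak_cfg" <<'EOF'
# sshd_config - constructed sample: password logins left at the default
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF

cat > "$hardened_cfg" <<'EOF'
# sshd_config - constructed sample: keys only
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
EOF

echo "== weak sample =="
audit_sshd_config "$weak_cfg"        # prints two WEAK lines
echo "== hardened sample =="
audit_sshd_config "$hardened_cfg"    # prints nothing
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; `sshd -T` gives the fully resolved configuration if `Match` blocks or includes are in play, which this simple parser does not follow.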


#9

Great response. Thank you.



#10

Mary

Your initial queries in fact betray possible reasons for why you were hacked. You said

We have automated upgrades on core, themes and plugins. We have many security plugins in the sites. We only use wordpress.org themes and highly rated, popular plugins.

and therein is the likely cause of your issues. First you should not be running “many” security plugins in a WP site. They don’t all play well with each other. Keep one active - say wordfence, and have another that you can use from time to time to test the site (such as Anti_Malware) or depending on the webhost one should have access to utilities such as ClamAV to scan the site contents.

Secondly, obtaining themes and plugins solely from the codex is anything but a guarantee of security. There are almost no security checks for entrants to the codex, and as they are all free, they are also mostly poorly maintained. Most products in the codex are from relatively junior coders, and many use vulnerable php scripts to drive their core abilities, or the developer has not set capabilities correctly (one of the most common hacks and I would suspect a strong possibility for the conduit of your hack).

Having auto updates is generally a good thing, but just because auto updates are in place has no bearing on vulnerabilities that are pre-existing in the core, themes or plugins, which are not cured. Among other matters, the WP core has been found in the last 2 years to have many xss and cross scripting vulnerabilities, some of which had been in existence for a long time.

But another aspect which trips up many wordpress users: they go to their theme & plugin pages, and in reviewing their installed lists they see all are up-to-date and so they believe they are secure. But there is a problem -> although one may have the latest theme or plugin version installed, that does not mean it is actually up to date for the current version of WordPress. Even some major plugins update infrequently, and even if they do it is no guarantee that they plugged all their incorporated 3rd party scripts in the update.

You should go to each product homepage, and confirm it is up to date for WP 4.6.1. If a theme or plugin uses scripts such as mediaelements, you should also be confirming they updated it as well since mediaelements recently also patched an xss vulnerability. After initial release it tends to be that most of the focus on updates is on introducing new features, rather than updating their 3rd party scripts, and hence one is still vulnerable.

These are a few observations that come to mind from someone who is both a theme developer and a webhost specializing in wordpress hosting. I hope they are helpful.
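The "confirm it is up to date for WP 4.6.1" step above can be started locally before visiting each plugin's homepage: wordpress.org plugins ship a `readme.txt` whose `Tested up to:` header records the newest WordPress release the author tested against. The script below is an added example, not code from the reply or from WordPress; it walks a plugins directory, reads that header, and lists every plugin whose tested version is older than the running WordPress major.minor (WordPress treats `Tested up to: 4.6` as covering 4.6.1) or that has no header at all. The plugin directory layout and the three sample readmes are constructed for the demonstration; it does not check bundled third-party scripts such as mediaelements, which still need the manual review the reply describes.

```shell
#!/bin/sh
# Added example for the thread above (not from any reply): find plugins
# whose "Tested up to:" header lags the running WordPress version.

major_minor() {
    # 4.6.1 -> 4.6 ; 4.6 -> 4.6 ; 4 -> 4.0
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s\n", $1, ($2 == "" ? 0 : $2) }'
}

tested_up_to() {
    # Prints the "Tested up to:" value from readme.txt $1, or "none".
    awk -F': *' '
        tolower($1) ~ /^tested up to$/ { v = $2; sub(/[[:space:]]+$/, "", v) }
        END { print (v == "" ? "none" : v) }
    ' "$1"
}

version_older() {
    # True (exit 0) when $1 is older than $2, comparing major.minor only.
    a=$(major_minor "$1"); b=$(major_minor "$2")
    awk -v a="$a" -v b="$b" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1]+0 < y[1]+0 || (x[1]+0 == y[1]+0 && x[2]+0 < y[2]+0)) exit 0
        exit 1
    }'
}

stale_plugins() {
    # $1 = plugins directory, $2 = running WordPress version.
    # Prints one line per plugin that needs a manual check; always returns 0.
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if [ ! -f "$dir/readme.txt" ]; then
            echo "$name: no readme.txt"
            continue
        fi
        t=$(tested_up_to "$dir/readme.txt")
        if [ "$t" = none ]; then
            echo "$name: no 'Tested up to' header"
        elif version_older "$t" "$2"; then
            echo "$name: tested up to $t, running $2"
        fi
    done
    return 0
}

stale_count() {
    # Number of plugins reported by stale_plugins for directory $1, version $2.
    stale_plugins "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample plugin tree (hypothetical names, not real plugins).
plugins=$(mktemp -d)
trap 'rm -rf "$plugins"' EXIT
mkdir -p "$plugins/fresh-plugin" "$plugins/stale-plugin" "$plugins/no-header-plugin"
printf '=== Fresh Plugin ===\nRequires at least: 4.0\nTested up to: 4.6\n' \
    > "$plugins/fresh-plugin/readme.txt"
printf '=== Stale Plugin ===\nTested up to: 4.4.2\n' \
    > "$plugins/stale-plugin/readme.txt"
printf '=== No Header Plugin ===\nSome description.\n' \
    > "$plugins/no-header-plugin/readme.txt"

# Version from the reply above; on a live site read it from wp-includes/version.php.
stale_plugins "$plugins" 4.6.1
```

On a real install point it at `wp-content/plugins` and the version WordPress reports; every line it prints is a plugin to verify on its homepage, not proof of a vulnerability, since a lagging header only means nobody re-tested it.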


#11

Mary is correct.

Better to handle security at the server machine level than WordPress.

In fact, the more security plugins a WordPress site runs, the easier it is to DOS + take down + keep down, because all security plugins I’ve reviewed have bloated + resource draining code.

When sites clogged with slow code are attacked, repeated attacks cause the security plugins to drain all server machine resources, taking down the entire machine (all sites).

This is what causes hosting companies to suspend accounts due to heavy resource usage.


#12

You’re welcome.

Glad I could assist you.


#13
