Phisherman? Securing Wordpress. I don't want your account


[UPDATE July 20, 2008] I permanently solved my problems with wordpress by moving to movable type.

If you wound up at this page from a fraudulent email, I apologize. My site was being used to try to harvest account numbers. I believe my hosting company and I have rectified the problem. If you receive one of these emails or have any questions, email me.

I switched to wordpress back in the day because it was in active development compared to geeklog, and it was much more secure than php-fusion. The last two weeks, though, it has proven troublesome, as nefarious folks have breached my wordpress sites. They used the breach to put up phishing files, mostly preying on Bank of America customers. First and got hit. I found out from my hosting company, bluehost, because they suspended my account. It's kind of a medieval process with a lot of support tickets.

Then, worse, I got emails from strangers in the community who were spammed with phishing emails that referenced files on my site. Here's a picture of the email scam and some of the PO'ed notes I received. I don't think people understand that this just happens. It surprises me that they think the phishers are so naive as to use a single level of social separation. Like I'd phish with my own site.

What to do? Lock things down. There are a number of sites on securing wordpress, and the subject is very googlable. Here's what I came up with, plus some old ideas.

  • php.ini, disable allow globals and error reporting
  • disable "anyone can register"
  • use .htaccess files to password protect /wp-admin, /wp-include and any sensitive php files
  • delete extraneous users
  • make passwords MUCH more complicated (saved in firefox anyway)
  • rename xmlrpc.php to something else (old news)
  • disable comments, pings & trackbacks (old news)
  • use SSL, which I can't do right now until I shuffle some domains around
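As an added example (not from the post, and not anything WordPress ships), here is how the .htaccess items in that list translate into Apache 2.2 directives; the password-file path is a placeholder, and the php_flag lines assume PHP runs as an Apache module rather than CGI.

```apache
# --- wp-admin/.htaccess: a second login in front of WordPress's own ---
# Create the file once with:  htpasswd -c /home/example/.htpasswd admin
# (/home/example/.htpasswd is a placeholder; keep it outside the web root)
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd
Require valid-user

# --- site root .htaccess ---
# Refuse requests for xmlrpc.php outright instead of just renaming it
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>

# php.ini settings from the list, set per-site when PHP is a module.
# On hosts that run PHP as CGI these lines cause a 500 error; use the
# host's php.ini there instead.
php_flag register_globals off
php_flag display_errors off

# --- wp-content/uploads/.htaccess ---
# Files written by the web server should be served, never executed; this
# stops a dropped .php file in the upload directory from running at all.
<FilesMatch "\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After adding these, check the site still works: a misplaced `Require valid-user` or `php_flag` on the wrong host type will lock out visitors or return 500s rather than protect anything.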

From: xxxx
Sent: Monday, June 30, 2008 5:33 AM
Hey Jim.. Mind explaining this to me? I take it you're a phisherman? Nice.. Reported to appropriate authorities... Enjoy!

Sent: Monday, June 30, 2008 7:06 AM
Subject: RE: Set Your Online Security Preferences.
Jim, your website is being used to spoof the Bank of America to enable criminals to steal from people. See email below. Mouse over the "sign on" link and you'll see your website address.