Wordfence: Site Compromised

So, while I’ve been busy hardening my blog site blog.udance.com.au, hackers appear to have been quietly busy on the WordPress site attached to the main domain udance.com.au. The tell-tale signs suggest that the site has been compromised.

As there’s no content yet on this site, the easiest thing to do is blow it away and build the site again, this time taking due care to secure the site properly. It pays to be vigilant right from the start. Once hackers get their hooks into a site, it can be almost impossible to eradicate issues with a high degree of confidence.

Useful tip: If you aren’t in a position to secure a site immediately, consider deleting its CNAME record from your DNS hosting provider. Through your reverse proxy, your site will still be available on the LAN, but will not be available externally. In the example below, the test CNAME record was removed from Cloudflare. Attempting to access the site threw up the messages shown.

Alternatively, for a more controlled approach, consider adapting your reverse proxy. Here’s a Caddyfile code block I use to redirect internet traffic to my status page, while still allowing LAN access to a site. Refer to the post Incident Management for more information on Statuspage.

(splitaccess) {
  {args.0}.udance.com.au {
    encode gzip
    import dnschallenge

    @internet not remote_ip 10.1.1.0/24 10.1.2.0/24
    redir @internet https://udance.statuspage.io{uri} temporary

    reverse_proxy http://{args.1}
  }
}

In use, it might look like this:

import splitaccess test 10.1.1.201 # test.udance.com.au
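To make the split-access decision above concrete, here is an added Python model of what the snippet does for a single request (example code, not part of the original post or of Caddy). It uses the two LAN ranges and the status page URL from the Caddyfile; the function names, the sample client addresses and the upstream are assumptions for illustration.

```python
import ipaddress
from typing import Optional

# LAN ranges and status page taken from the (splitaccess) snippet on this page
LAN_RANGES = [ipaddress.ip_network(c) for c in ("10.1.1.0/24", "10.1.2.0/24")]
STATUS_PAGE = "https://udance.statuspage.io"


def is_lan(remote_ip: str) -> bool:
    """Mirror Caddy's `remote_ip` matcher: true if the peer address is in any LAN range."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in LAN_RANGES)


def route(remote_ip: str, uri: str, upstream: str,
          forwarded_for: Optional[str] = None) -> dict:
    """Decide what the snippet does for one request (hypothetical helper).

    The decision is based only on the TCP peer address (remote_ip). A client-supplied
    X-Forwarded-For header is deliberately ignored, which matches Caddy's default
    remote_ip behaviour: honouring it would let any internet client claim a LAN
    address and bypass the redirect.
    """
    if is_lan(remote_ip):
        # `reverse_proxy http://{args.1}` keeps the original URI
        return {"action": "reverse_proxy", "target": f"http://{upstream}{uri}"}
    # `redir @internet ... temporary` is a 302 to the status page, preserving {uri}
    return {"action": "redir", "status": 302, "location": f"{STATUS_PAGE}{uri}"}


if __name__ == "__main__":
    # Constructed sample requests: one from the LAN, one from the internet
    print(route("10.1.1.50", "/wp-admin/", "10.1.1.201"))
    print(route("203.0.113.7", "/wp-login.php", "10.1.1.201", forwarded_for="10.1.1.5"))
```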
