Posted on: September 5, 2009
Updated on: August 29, 2009
As WordPress becomes more popular and more widely used, hackers are also becoming more active in attacking WordPress sites. I have recently received a lot of requests to fix hacked WordPress sites. Here are some WordPress security tips to help protect your site from being hacked.
- Keep up to date with the latest WordPress version: Always keep your WordPress site updated to the latest version of WordPress. The WordPress developers do not maintain security patches for older WordPress versions. On August 12, 2009, WordPress released version 2.8.4 as a security release. Older versions of WordPress are more open to hacks.
My Tips: Regularly update your WordPress site. You can use the plugin "WordPress Automatic Upgrade" or the Instant Upgrade plugin. Further, you need to keep your plugins and theme up to date as well.
- Populate wp-config.php properly: Go through each line in wp-config.php, not only the first block for the database configuration.
My Tips: Use the WordPress secret key generation tool to generate random salts for WordPress cookies. These keys are used to ensure better encryption of the information stored in WordPress users' cookies. To make it more secure, change the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wp52sk1_, obfuscates it enough but still lets you recognize the tables as belonging to WordPress.
- Correct file permissions: You should set the correct file permissions; if you give full permissions to files and folders, hackers can compromise the site easily.
My Tips: Set the permissions as follows:
    All folder permissions should be set to 755
    All file permissions should be set to 644
    Files that you want to edit in the WordPress theme editor should be set to 666
Never ever use 777 for WordPress permissions.
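To check an installation against the rule above (directories 755, files 644, nothing world-writable) and to apply it, here is an added example script; it is not from the original post. It walks the tree, reports every entry whose mode deviates, flags the world-writable ones separately because those are the dangerous findings on shared hosting, and can then set the expected modes. The sample tree it builds is constructed in a temporary directory purely for the demonstration.

```python
"""Audit and fix WordPress file permissions (added example, not from the post)."""
import os
import stat
import tempfile

DIR_MODE = 0o755   # folders: owner rwx, group and world rx
FILE_MODE = 0o644  # files: owner rw, group and world r


def _mode(path: str) -> int:
    """Permission bits of path; lstat so symlinks are not followed."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root: str) -> list:
    """Return (path, mode) for every entry below root that deviates from the rule."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and _mode(full) != DIR_MODE:
                findings.append((full, _mode(full)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and _mode(full) != FILE_MODE:
                findings.append((full, _mode(full)))
    return findings


def world_writable(root: str) -> list:
    """The findings that matter most: entries any local user could rewrite."""
    return [path for path, mode in audit_permissions(root) if mode & stat.S_IWOTH]


def fix_permissions(root: str) -> int:
    """Apply 755 to directories and 644 to files below root; return how many changed."""
    changed = 0
    for path, _ in audit_permissions(root):
        os.chmod(path, DIR_MODE if os.path.isdir(path) else FILE_MODE)
        changed += 1
    return changed


def build_sample_tree() -> str:
    """Construct a throwaway tree imitating a sloppy install (demo data only)."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed placeholder, not a real config\n")
    os.chmod(uploads, 0o777)  # the classic mistake the post warns about
    os.chmod(cfg, 0o666)      # also too open
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, mode in audit_permissions(demo_root):
        print(f"{oct(mode)} {path}")
    print("fixed", fix_permissions(demo_root), "entries")
    print("remaining findings:", audit_permissions(demo_root))
```

Run the audit first and read the list before fixing: a file the theme editor needs at 666 (as the post allows) will show up as a finding, and you may prefer to leave it rather than let the script reset it to 644.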
- Don't use the default admin username: WordPress is an open source application, and by now most people know that its administrator username is admin. This makes it easier for hackers to attack the password when they already know the administrator username.
My Tips: Change the default administrator username from admin to something else. Here is how. You may use phpMyAdmin and paste the following SQL command (the update line) to execute it:
    UPDATE wp52sk1_users SET user_login='myadmin' WHERE user_login='admin';
wp52sk1_ is the table prefix that I changed; the default prefix is wp_. Alternatively, you may edit the value manually using the phpMyAdmin web interface.
Now your admin user is myadmin instead of admin.
- Pick a secure password for admin: Changing your admin username is no guarantee that people will not be able to find it. For instance, if you show your username in the meta data of every post, or you enable author pages on a multi-author blog, you reveal your username to the world.
My Tips: With this in mind, you should pick a secure password for your WordPress login. Combine upper and lowercase characters and numbers.
- Hide the WordPress version in the header tag: Even if you have removed the WordPress version meta tag from your theme, you may still find a WordPress version line in the page returned by the blog software, because since version 2.5 WordPress itself generates this tag. This tells a hacker which WordPress version you are running, which helps them attack it.
My Tips: Add the following line to the functions.php file in your theme directory (create a blank PHP file with this name if your theme doesn't already have one):
    <?php remove_action('wp_head', 'wp_generator'); ?>
- Nobody should be allowed to search your entire server: If you allow it, a hacker can more easily find a way in.
My Tips: Do not use the following search code in the search.php in your theme folder:
    <?php echo $_SERVER['PHP_SELF']; ?>
Use the following instead:
    <?php bloginfo('home'); ?>
Also block the WordPress folders from being indexed by search engines; the best way to block them is in your robots.txt file. Add the following line to your list:
- Prevent directory listing: In many cases the default WordPress installation lets hackers use their web browser as a file browser to look through the contents of folders on your server. Normally this is harmless, but some web hosts don't even bother to turn off directory listing by default, and it gives hackers several openings. There might be a loophole in a theme or plugin you use: the author of the plugin or theme may have made mistakes in their code that allow unexpected access, and a hacker can use your directory listing to find out whether you have those vulnerable files and then attack your site. People can also browse the non-WordPress contents of your web server and discover folders and files that you were not ready to announce, or thought were not accessible to the general public. Many directory listings also include a footer line telling visitors your server version; a hacker can cross-reference these version numbers with lists of known vulnerabilities and bring your site down or gain illegal access.
My Tips: Edit the .htaccess file and add the following line at the bottom:
    Options All -Indexes
- Protect WordPress administration files: The WordPress administration files are in the wp-admin directory of your WordPress installation, except for wp-config.php.
My Tips: Use .htaccess to restrict access to this directory so that only a specific IP address is allowed. If you have a static IP address and you always blog from your own computer, this is an option. If you don't know your IP address, you can find it by visiting http://whatismyip.com/. Put a .htaccess file in wp-admin and add the code. See the example:
    Order Deny,Allow
    Allow from 188.8.131.52
    Deny from all
Alternate solution through a user and password combination: Another way to protect the wp-admin directory is with a username and password, which adds another level of security. Apache has complete documentation on authentication, authorization and access control. Example (.htaccess in wp-admin; /path/to/.htpasswd is a placeholder for wherever you keep the password file):
    AuthType Basic
    AuthName "WordPress Dashboard"
    AuthUserFile /path/to/.htpasswd
    Require user adminuser
and then generate the encrypted password using the htpasswd command:
    $ htpasswd -cm /path/to/.htpasswd adminuser
If you have cPanel, this is very easy, as it has a feature called Web Protect that accomplishes the same thing.
Note: if you find it hard to do this by hand, the AskApache Password Protect plugin does the same job.
Further, I recommend the Login Lockdown plugin, which records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery.
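The lockout logic the paragraph describes is easy to reason about in code. Below is an added example that is not the Login Lockdown plugin's own code: it counts failed attempts per /24 range inside a sliding window and locks the whole range once a threshold is reached. The threshold, window and lockout duration are assumptions, and the log lines fed through it are constructed for the demo (IPv4 only, since the /24 grouping is an IPv4 idea).

```python
"""Failed-login lockout by IP range (added example, not the plugin's code)."""
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumption: failures tolerated inside the window
WINDOW_SECONDS = 300    # assumption: 5-minute sliding window
LOCKOUT_SECONDS = 3600  # assumption: lock the range for one hour


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # range -> timestamps of recent failures
        self._locked_until = {}              # range -> unix time the lock expires

    @staticmethod
    def ip_range(ip: str) -> str:
        """Collapse an IPv4 address to its /24 so a small pool of hosts shares one lock."""
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def is_locked(self, ip: str, now: float) -> bool:
        """True while the address's range is inside its lockout period."""
        rng = self.ip_range(ip)
        until = self._locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[rng]  # lock has expired; forget it
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register a failed attempt; return True if this attempt triggered a lock."""
        rng = self.ip_range(ip)
        recent = self._failures[rng]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop attempts that fell out of the window
        if len(recent) >= self.max_failures:
            self._locked_until[rng] = now + self.lockout
            recent.clear()
            return True
        return False

    def locked_ranges(self, now: float) -> list:
        return sorted(r for r, until in self._locked_until.items() if until > now)


# Constructed sample log: "unix_timestamp ip result", not from any real server.
SAMPLE_LOG = """\
1000 203.0.113.10 FAIL
1010 203.0.113.11 FAIL
1020 203.0.113.12 FAIL
1030 203.0.113.10 FAIL
1040 203.0.113.10 FAIL
1050 198.51.100.7 FAIL
"""


def replay(log_text: str, detector: LoginLockdown) -> list:
    """Feed log lines through the detector; return (time, range) for each lock set."""
    events = []
    for line in log_text.splitlines():
        ts, ip, result = line.split()
        if result == "FAIL" and detector.record_failure(ip, float(ts)):
            events.append((float(ts), detector.ip_range(ip)))
    return events


if __name__ == "__main__":
    d = LoginLockdown()
    print("lock events:", replay(SAMPLE_LOG, d))
    print("203.0.113.50 blocked at t=1100?", d.is_locked("203.0.113.50", 1100))
    print("198.51.100.7 blocked at t=1100?", d.is_locked("198.51.100.7", 1100))
```

In the sample, three different hosts in 203.0.113.0/24 together reach five failures by t=1040, so the whole range is locked even though no single address failed five times; the lone failure from 198.51.100.7 leaves that range untouched. The same window-and-threshold approach is what you would feed from the web server's access log if you wanted to alert on brute-force attempts rather than only block them.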
Note: the Htaccess and Htpasswd generator helps to create the necessary files with desired values.
- Take regular backups of your site and database: No matter how well you protect your site, there may still be some loophole for hackers. There is never 100% security when it's online.
My Tips: Take regular backups of your file directories as well as the database, so that if there is any problem you can just upload the backup copy. Use the WordPress Database Backup plugin or WP-DB Manager to back up your database, and use the WordPress Backup plugin to back up your upload directory (images), current theme directory, and plugins directory.
- Stop worrying about your wp-config.php file: During a server problem, I saw on one of my friend's blogs that his wp-config.php file could be viewed in the browser, with his database username and password in it, so it could be hacked at any time.
My Tips: You can secure your wp-config.php by adding the following to the .htaccess file at the top level of your WordPress install:
    <FilesMatch "^wp-config\.php$">
    deny from all
    </FilesMatch>
This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.
- Protect your blog with a solid password: An easy password made only of letters and numbers can be cracked easily with software.
My Tips: Creating a strong password that is also memorable is one of the easiest defenses against being hacked. Make a strong password by combining letters, numbers and symbols. There are a lot of online password strength checkers you can use. Also see Lorelle's article on the Blog Herald, "Protect Your Blog With a Solid Password", which offers tips and tricks for creating a strong password that is also memorable, and for dealing with the myriad passwords we seem to accumulate online.
- The following plugins will be very helpful:
- WordPress Exploit Scanner: It searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
- AntiVirus Plugin: It is a smart and effective solution to protect your blog against exploits and spam injections.
- WP Security Scan Plugin: It scans your WordPress installation for security vulnerabilities and suggests corrective actions.
- Admin SSL Plugin: Recommended only for advanced users. It secures the login page, admin area, posts, pages, whatever you want, using private or shared SSL. Once you have activated the plugin, go to the Admin SSL config page to enable SSL, and read the installation instructions.