
How to Secure Wordpress Sites

32.4 million WordPress-powered pages makes for a nice target

7:51 pm on Jul 28, 2008 (gmt 0)

goodroi, WebmasterWorld Administrator from US
joined: June 21, 2004
votes: 91

Lately hackers are less interested in being mischievous and more interested in making fast cash by burning your site in the search engines. Hackers are smart and have a lot of time to look for exploits. When they find an exploit they can use it to hack WordPress sites and make a lot of money in a few days. To avoid being hacked you should reduce the bullseye on your back that hackers are looking for.

Let me be clear - every situation is different. Your situation may not apply here. I am not claiming that every WordPress site is being hacked as I speak. I do think that if you make your living from a WordPress site, it would probably be smart to minimize hacking risks.

Upgrade WordPress Version
This is a double-edged sword. If you don't upgrade you are exposed to known exploits. If you do upgrade you are exposed to unknown exploits. The lesser evil is the unknown exploits, since a lot fewer people are targeting them. It sucks, and the situation is not going to get better anytime soon.

Need to Know Basis
It was nice to have that WordPress link in the footer to let everyone know who powers your blog. Now it is a bullseye for hackers looking for new targets. Your users don't need to know you use WordPress; remove this beacon for hackers. While you are at it, remove the WordPress version info from the code. This is even more dangerous since it tells the hackers exactly which exploits will open your site wide open.

Search and Rename
Taking the "need to know" concept even further, you should go search and rename anything (folders, databases, urls, etc) that starts with "wp-". You may not be able to rename everything on existing blogs. Try your best. The more unique and less cookie cutter your blog is, the harder it will be for hackers to find it and exploit it.

Prevent Access to WordPress Folders
Once hackers find your blog they will try to get into your folders. Stop them! Using .htaccess, only allow your IP address access to wp-admin (which is the most critical folder). As a matter of fact, be proactive and block any WordPress folders that don't need to be accessible. Also try to minimize access whenever possible: only allow access to .html, .css, etc. This will help decrease the chance of hackers abusing your blog.

Danger Plugins Ahead
By blocking those folders you closed the front door, but plugins allow for a huge backdoor. Plugins can be compromised and turned into an 8-lane highway of attack. Minimize the plugins you use and remove what you do not need.

Admins are Trouble
Many people have created a master user account for their blog with the username "admin". Don't be like everyone. Kill the admin account and rename it something unique. While you are at it make sure your password is not "password".

Template Time
Go through your template and start making everything unique. Give your site flavor. Instead of saying "blog comments" rename it to "readers' thoughts". Instead of "blog archive" rename it "knowledge database". Again this is about avoiding the cookie cutter approach and minimizing the target on your back. PS: your template may include some files that can be exploited.

Avoid Untrusted Internet Connections
We love blogging 24/7. That free open wifi is very tempting. It is also an unnecessary risk. You can be exposing your username and password. Even if you are at a tradeshow, the hardwired internet kiosks are not secure. Only use internet connections that you fully control. Think I'm paranoid? I know someone that tapped an internet kiosk at an internet conference just to win a bet. What better place to get access to a large volume of powerful websites than an internet conference? Your information can be tapped by recording the data sent, and let us not forget keystroke tracking.

In general, if you don't need it, get rid of it. If you need it, minimize it. If you can't minimize it, rename it. Most hack attacks are not custom attacks. It is more efficient and profitable for a hacker to automate attacks using a common exploit. Raise your site above the cookie cutter level and avoid those automated attacks. Good luck!
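As an added example (editor's code, not part of the post above), the following Python script audits a saved copy of a front page for the beacons goodroi lists: the generator meta tag, any wp-* path, the ?ver= version string WordPress appends to its own scripts and stylesheets, the xmlrpc.php endpoint link WordPress emits in the page head, and the footer credit. The two sample pages are constructed; the hostnames, paths and version number in them are illustrative.

```python
"""Audit a WordPress front page for the 'beacons' the first post says to remove.

Added example, not code from the original thread. It runs offline over two
constructed sample pages (before/after hardening); in practice feed it the
saved HTML of your own front page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# URL fragments that mark a site as WordPress even when the footer credit is gone.
WP_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "wp-login.php", "xmlrpc.php")


class _Collector(HTMLParser):
    """Gather the generator meta tag, every src/href/action URL, and visible text."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        for key in ("src", "href", "action"):
            if a.get(key):
                self.urls.append(a[key])

    def handle_data(self, data):
        self.text.append(data)


def wp_fingerprints(html):
    """Return (kind, evidence) pairs, one per WordPress tell found in the page."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    if p.generator and "wordpress" in p.generator.lower():
        findings.append(("generator-meta", p.generator))
    for url in p.urls:
        if any(marker in url for marker in WP_PATH_MARKERS):
            findings.append(("wp-path", url))
            # WordPress appends ?ver=<version> to its own scripts and stylesheets.
            ver = parse_qs(urlparse(url).query).get("ver")
            if ver:
                findings.append(("version-in-query", ver[0]))
    if re.search(r"powered\s+by\s+wordpress", " ".join(p.text), re.I):
        findings.append(("footer-credit", "Powered by WordPress"))
    return findings


# Constructed sample pages (not captured from any real site).
SAMPLE_BEFORE = """<html><head>
<meta name="generator" content="WordPress 2.6" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/default/style.css?ver=2.6" />
<link rel="EditURI" type="application/rsd+xml" href="http://example.com/xmlrpc.php?rsd" />
</head><body>
<div id="footer">Powered by <a href="http://wordpress.org/">WordPress</a></div>
</body></html>"""

SAMPLE_AFTER = """<html><head>
<link rel="stylesheet" href="http://example.com/assets/site.css" />
</head><body>
<div id="footer">Readers' thoughts welcome.</div>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, wp_fingerprints(page))
```

Run it against your page before and after hardening; an empty result means none of these tells remain in the HTML. It only looks at what the page itself leaks, so it says nothing about readme.html, the login page, or other paths an attacker can request directly.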

10:59 pm on Aug 4, 2008 (gmt 0)

New User, 5+ Year Member
joined: Oct 18, 2007
posts: 13
votes: 0

I use a technique that uses Google Alerts to watch for WP link injection. It caught my last hacked WordPress site the same day it was hacked.

Just go to Google alerts and set up a few Google alerts like this:
site:example.com porn
site:example.com casino
site:example.com pharmacy

Google Alerts will then send you an email as soon as Googlebot spiders the link spam. The spammers usually cloak the links so that only Google can see that the site has been modified.

A serious problem with WordPress is that it puts the WP version number in the header and makes it difficult to remove now. I tried to install a plugin to remove the version number, but it was giving me errors. It's irresponsible of the WP developers to make the version number so hard to remove on a platform that is hacked so often.

WP needs a security team.

[edited by: jatar_k at 2:21 pm (utc) on Aug. 5, 2008]
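The cloaking described in the post above, where only Googlebot is shown the injected links, can also be checked for directly rather than waiting on a Google Alert. The following is an added example (editor's code, not the poster's): it fetches the page twice, once with a browser User-Agent and once with Googlebot's, and reports links present only in the Googlebot copy plus any link whose URL or anchor text contains the alert terms from the post. The comparison runs offline on two constructed pages; the evil.example URLs and the browser User-Agent string are illustrative.

```python
"""Spot cloaked link injection by comparing the page a browser is served with
the page Googlebot is served.

Added example, not code from the original thread. The comparison itself runs
offline over two constructed pages; fetch_as() is included for live use and
is the only part that touches the network.
"""
import re
import urllib.request

# The alert terms from the post above, plus one more common in pharma spam.
SPAM_TERMS = ("porn", "casino", "pharmacy", "viagra")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.0; rv:1.9) Gecko/2008 Firefox/3.0"  # any browser string

_ANCHOR = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def extract_links(html):
    """Return {href: anchor text} for every <a> in the page (inner tags stripped)."""
    return {href: re.sub(r"<[^>]+>", "", text).strip() for href, text in _ANCHOR.findall(html)}


def injected_links(browser_html, bot_html, terms=SPAM_TERMS):
    """Report links only Googlebot sees ('cloaked') and links, in either
    version, whose URL or anchor text contains a spam term ('spam_terms')."""
    browser = extract_links(browser_html)
    bot = extract_links(bot_html)
    cloaked = {h: t for h, t in bot.items() if h not in browser}
    everything = {**browser, **bot}
    spammy = {h: t for h, t in everything.items()
              if any(term in (h + " " + t).lower() for term in terms)}
    return {"cloaked": cloaked, "spam_terms": spammy}


def fetch_as(url, user_agent):
    """Fetch url presenting the given User-Agent (live use only)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample pages (not captured from any real site).
BROWSER_PAGE = """<html><body>
<a href="http://example.com/about">About us</a>
<a href="http://example.com/readers-thoughts">Readers' thoughts</a>
</body></html>"""

BOT_PAGE = BROWSER_PAGE.replace("</body>", """<div style="display:none">
<a href="http://evil.example/buy-pills">cheap <b>pharmacy</b></a>
<a href="http://evil.example/casino">play here</a>
</div></body>""")

if __name__ == "__main__":
    print(injected_links(BROWSER_PAGE, BOT_PAGE))
    # Live check: injected_links(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))
```

One caveat: link-spam cloakers often key on Googlebot's IP ranges or reverse DNS rather than the User-Agent string, so a clean diff from a User-Agent swap does not prove the site is clean. The Google Alerts watch in the post still catches that case, since it sees exactly what Googlebot was served.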

11:08 pm on Aug 4, 2008 (gmt 0)

incredibill, WebmasterWorld Administrator from US
joined: Jan 25, 2005
votes: 94

I think the decent hosts partition off their servers that way and prevent the worst exploits.

Partitioning the accounts to have only permissions per user isn't the same as a virtual machine, not on Linux anyway. Therein lies the problem: the accounts aren't truly in a VM-style sandbox, and if there are any internal vulnerabilities, someone gaining access via WordPress for instance could attempt to escalate privileges to root, and that's when the fun starts.

I can't expect them to save me from myself. If they got into that business, they would lose customers.

Yes, but you can expect them to save the other customers from you!

For instance, when I used to run a hosting company and we found someone running an insecure form mail program that a spammer was hijacking, we killed it and told them where to get a secure form mail program. The problem is that leaving it running unstopped could get the entire server blacklisted; then companies can't email AOL, Earthlink, etc., and that's a pain to get off those lists.
