Last night I found out the hard way why WordPress security is so important. My site got hacked/hijacked and the result was that every single internal link auto-forwarded to a porn site that tried to install toolbars, trojans…the lot.
I know that this has happened to at least one other blog that I visit, and probably lots more. The cause is probably insecure file permissions within the WordPress files on my server. (Possibly something to do with the fact that WordPress have released version 2.5.1 with ultra-important security fixes?)
So after deleting everything from the server and installing WordPress afresh (which of course came with its own problems, like trying to remember all the plugins that I had installed) and importing a backup, I took control of my blog again.
But it got me thinking. I’ve been online for half my life. I’ve had a website of some description for a decade. I should know about and implement security features. I shouldn’t have had to find out the hard way how important it is to keep my files safe from attack.
I’ve compiled a list of all the steps that you should take to protect your WordPress installation from malicious hijacking; after all, I’ve been researching it for the past couple of hours to make sure that it never happens again.
Probably the biggest one on the list, and the one that can cause the most problems if you’re used to editing themes and plugins through the WordPress dashboard.
None of your files should be set to 777 (all users read, write and execute). By using the WP Security Scan plugin you can automatically see which folders do not have the correct permissions and fix them with a click. The plugin also points out any other security issues on your site. It’s an essential plugin for your site, and if you ask me it should be included with WordPress rather than Hello Dolly.
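If you have shell access, you can do the same audit without a plugin. The script below is an added example (it is not from the post or from the WP Security Scan plugin): it lists every world-writable file or directory under a WordPress root and resets directories to 755 and files to 644. The directory it works on, the demo tree it builds and the sample plugin file are all constructed for the example.

```shell
#!/bin/sh
# Audit and fix WordPress file permissions (added example, not from the post).
# Directories become 755, files 644: the web server can read everything but
# only the file owner can write. Assumes a POSIX find/chmod.

# List every regular file or directory under $1 that is world-writable
# (the "other" write bit set, which 777 and 666 both imply).
wp_find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Reset directories to 755 and files to 644 under $1.
wp_fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Number of world-writable entries under $1, for a quick pass/fail.
wp_world_writable_count() {
    wp_find_world_writable "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree (not a real site): one 777 folder, one 777 file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins"
    echo '<?php // constructed sample plugin' > "$tmp/wp-content/plugins/hello.php"
    chmod 777 "$tmp/wp-content/plugins" "$tmp/wp-content/plugins/hello.php"
    echo "Before: $(wp_world_writable_count "$tmp") world-writable entries"
    wp_find_world_writable "$tmp"
    wp_fix_permissions "$tmp"
    echo "After:  $(wp_world_writable_count "$tmp") world-writable entries"
    rm -rf "$tmp"
}

demo
```

Run `wp_find_world_writable /path/to/wordpress` first and look at the list before fixing anything. The one folder that commonly needs to be writable by the web server is the uploads directory; give that folder to the web server's user with `chown` rather than opening it to everyone with 777.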
USER – ADMIN
Your default user in WordPress is more than likely ‘Admin’. The same goes for the thousands of other WordPress blogs out there. So it’s not that difficult to guess, is it? So the obvious answer is to delete the user ‘Admin’. But WordPress won’t let you delete the default user, so what can you do about it?
This is where phpMyAdmin comes in to play. Don’t worry too much if you’ve never used it before, it’s quite simple as long as you follow these steps.
- Log into your phpMyAdmin through your cPanel.
- On the left-hand side of the window you’ll see a list of tables like wp_options and wp_users (the wp_ prefix may be different if you chose a different value when you installed WordPress).
- Click on wp_users.
- A table will load in the right-hand frame, select the checkbox shown next to user_login.
- Select ‘Browse’ from the tabs at the top of the page.
- This then shows the table with all of your registered users’ details. Select the little pencil next to the name Admin to change it to a name of your choice.
- Once you’ve changed the name to something else, press Go at the bottom of the screen.
- That’s it – you’re done. The user ‘Admin’ no longer exists.
The robots.txt file on your server gives instructions to search engine robots (like GoogleBot). Remember, however, that not all search engine robots are good ones that play by the book; some will completely ignore your robots.txt file. You can still add the following code to yours to stop all of your wp- folders being indexed by search engines.
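The post’s own robots.txt snippet did not survive on this page, so what follows is an added example rather than the author’s code. It asks well-behaved crawlers to stay out of the WordPress system folders; each Disallow line is a path prefix, so the trailing slash keeps it from matching unrelated pages. Keep in mind that robots.txt is itself a public file and is only a hint to polite crawlers, not an access control, which is exactly why the permission and directory-listing steps elsewhere in this list still matter.

```text
# robots.txt at the site root (added example, not the post's own).
# Keeps cooperative crawlers out of the WordPress system folders.
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /wp-login.php
```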
Ok, this one’s a given. We all know that passwords should be long and contain numbers, letters and symbols, but that’s hard to remember. Still, the number of people who use the word ‘password’ as their password is incredible, and again it’s not that hard to guess, is it? Remember the MySpace password exploit? It threw up some interesting data on how people pick passwords, including the word ‘password’.
The easiest thing to remember is that you should keep your FTP and WordPress login passwords completely different, and try to choose a password which is really hard to work out but means something to you – like an acronym of your and your partner’s names plus your anniversary date. You could use a random password generator online to create a password, although you’ll probably have to get your browser to remember it for you!
Okay, so the geeks among us get excited when a new version of WordPress is in the pipeline and upgrade straight away, but some people wait a few weeks to ensure that any problems are ironed out among other reasons. It may be a personal choice, but upgrading to the newest version of WordPress straight away also protects your blog as there are always security updates included in the upgrade. Try installing the WordPress Automatic Update Plugin to make upgrading your installation easy as pie.
Similarly, publishing which version of WordPress you are running is a danger in itself. You won’t realize that you’re letting the whole world know which version of WordPress you are running until you check your page source yourself. If there’s a meta tag showing which version of WordPress you’re running, remove it from your header.
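A quick way to confirm the tag is really gone after you edit your header is to check the HTML the site actually serves rather than the theme file. The script below is an added example (not from the post): it pulls the “WordPress x.y.z” string out of a generator meta tag in whatever HTML it is given on stdin. The sample HTML at the end is constructed to look like a default 2.5.1 header.

```shell
#!/bin/sh
# Check whether served HTML still advertises the WordPress version.
# Added example, not from the post. Reads HTML on stdin.

# Print the "WordPress x.y.z" string from a generator meta tag, if any.
# Attribute order inside the tag does not matter.
wp_generator_version() {
    tr -d '\n' \
      | grep -oiE '<meta[^>]*name="generator"[^>]*>' \
      | grep -oE 'WordPress [0-9][0-9.]*' \
      | head -n 1
}

# Exit status 0 if the HTML on stdin leaks the version, 1 otherwise.
wp_leaks_version() {
    [ -n "$(wp_generator_version)" ]
}

# Against a live site (needs curl and network; yourblog.com is a placeholder):
#   curl -s http://www.yourblog.com/ | wp_generator_version

# Constructed sample of what a default header looks like.
sample_html='<html><head><meta name="generator" content="WordPress 2.5.1" /></head></html>'
printf '%s' "$sample_html" | wp_generator_version
```

Check the RSS feed as well as the home page: WordPress also writes a `<generator>` element carrying the version into its feeds, so removing the meta tag from header.php alone does not close every leak.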
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Login Lockdown plugin
That says it all really, doesn’t it?
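To make the plugin’s rule concrete, here is the same decision written as a small script. It is an added example, not the plugin’s code: given one failed login per line as “epoch_seconds ipv4” (an assumed log format), it collapses each address to its /24 block and reports any block with 3 or more failures inside a 5-minute window, the plugin’s defaults. The log lines at the end are constructed, using addresses reserved for documentation.

```shell
#!/bin/sh
# Lockout decision over a failed-login log (added example, not the plugin's).
# Input on stdin: "<epoch_seconds> <ipv4>" per failed attempt, any order.
# Prints each /24 range that should be locked out, one per line, sorted.
wp_lockout_ranges() {
    win=${1:-300}   # window in seconds (plugin default: 5 minutes)
    thr=${2:-3}     # failures tolerated inside the window (plugin default: 3)
    sort -n | awk -v win="$win" -v thr="$thr" '
        {
            split($2, o, ".")
            r = o[1] "." o[2] "." o[3] ".0/24"   # collapse to the /24 block
            n[r]++
            t[r, n[r]] = $1                       # timestamps, now in order
        }
        END {
            # A range trips when any thr consecutive failures fit in win seconds.
            for (r in n)
                for (i = thr; i <= n[r]; i++)
                    if (t[r, i] - t[r, i - thr + 1] <= win) { print r; break }
        }' | sort
}

# Constructed sample: three failures in two minutes from one /24,
# three failures spread over 33 minutes from another.
sample_log='1209600000 203.0.113.5
1209600060 203.0.113.9
1209600120 203.0.113.7
1209601000 198.51.100.2
1209601100 198.51.100.2
1209602000 198.51.100.2'

printf '%s\n' "$sample_log" | wp_lockout_ranges
```

Only the first range is printed: 198.51.100.0/24 has three failures too, but never three within five minutes. Pass a different window and threshold as arguments (`wp_lockout_ranges 600 5`) to see how the choice affects what gets blocked.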
By default, anybody can access your plugins by going to www.yourblog.com/wp-content/plugins/ and viewing every plugin that you currently have installed. By either putting a blank HTML file in your /plugins/ directory or switching off directory listings via your cPanel, users will not be able to view these folders and files, or any security risks that they have.
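If you would rather not go through cPanel, the same switch can be flipped from a file in the site root. This is an added example (not from the post) and assumes Apache with AllowOverride permitting the Options directive; if your host has that disabled, the line belongs in the virtual host configuration instead.

```apache
# .htaccess in the WordPress root (added example, not the post's own).
# Stops Apache from generating an "Index of /wp-content/plugins/" page
# for any folder that has no index file.
Options -Indexes
```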
DON’T USE FTP
Use SSH/Shell Access instead. It’s possibly not the easiest thing to do in the world but it’s one of the best moves you can make. If you can, disable FTP completely.
If you’ve got anything else to add, please feel free to leave a comment.