Jul
18

WordPress Security Notes

Blogging is supposed to be fun but it isn’t always like that. If you are hosting your own blog there is a great chance that one day a hacker may decide to target your site.

Upgrade

As good as it is, WordPress still has security issues. Upgrading to the latest version is a must if you want to lower the risk of getting your site hacked.

Upgrading today is really easy, thanks to excellent plugins like Instant upgrade. You have no excuse not to upgrade.

Folder access

Create empty index.html file (no content in it). Upload this file to your wp-content/plugins and wp-content/themes.

This will prevent anyone from looking over at what plugins and themes you have.

Secret Key

Edit your wp-config.php and change or create the SECRET_KEY definition. It should look something like this (alter the key value to your likening):

define(’SECRET_KEY’, ‘1234567890′);

Active Plugins

If you have access to your database, check the table wp_options and look for the record ‘active_plugins’. It will list all really active plugins on your blog. Hacker may upload a file to your upload folder and activate it as a plugin so you want to make sure there are no alien plugins listed there.

.htaccess

Check your .htaccess file located in blog’s root directory. Normally it should contain only references to index.php file for suspicious activity.

File change notifications

You can install file change notifications for your blog, sending you an email whenever one of your WordPress files on the server changes.

Exploit scanner

Install WordPress Exploit Scanner plugin. It scans through all files in your WordPress installation and searches for malicious looking code. You want to check if any of the warnings contain links to  sites you are not familiar with.

User registration

If you are the only registered user of you WordPress blog, turning off “Anyone can register” option in your General settings of the Admin panel is a nice precaution as this was the source of biggest troubles in the past.

Backups

Should the trouble still happen, be sure you have at least weekly backups of your blog. WordPress Database Backup plugin will automate this work for you, so no reason not to use it.

Subscribe to RSS or by Email

8 Responses to “WordPress Security Notes”

  1. Hauke
    October 21st, 2008 at 6:03

    When checking your .htaccess file make sure that you scroll all the way to the bottom - sometimes they put many blank lines in before their spammy re-direct code.

  2. twominutesondefrost
    October 12th, 2008 at 17:24

    Great post regarding the shortcomings over WP security.

    Instead of making a blank index.php, I decided to force them to backtrack. The javascript code is “history *dot* go(-1)”.

    This should stop people from accessing folders you don’t want seen. But the best way would be to somehow change folder permissions. I’m still working on that.

  3. Susan
    July 19th, 2008 at 3:23

    I love the idea of the Exploit scanner. Thanks for the info! :)

  4. Les
    July 18th, 2008 at 16:34

    Nice tutorial Vladimir. Thanks. I noted that the link you provided is for a .htaccess file for a 2.1 site. He has quite a bit of extra stuff in there. Would you recommend using the same code for WP 2.6?

Trackbacks/Pingbacks

  1. O bezpieczeństwie w Wordpress | Szlifowanie Wordpressa z lordpio
  2. WordPress Security
  3. Check your website for virus attack !
  4. WordPress Security Notes » 70 Tricks

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>