WordPress Security How To

Most of the information in this article is general and I recommend heading to blogsecurity.net for up-to-date information on WordPress security.

Blogging is supposed to be fun but it isn’t always like that. If you are hosting your own blog there is a great chance that one day a hacker may decide to target your site.

Upgrade

As good as it is, WordPress still has security issues. Upgrading to the latest version is a must if you want to lower the risk of getting your site hacked.

Upgrading today is really easy, thanks to excellent plugins like Instant upgrade. You have no excuse not to upgrade.

Folder access

Create an empty index.html file (no content in it) and upload it to your wp-content/plugins and wp-content/themes directories.

This prevents anyone from browsing a directory listing of the plugins and themes you have installed.

Secret Key

Edit your wp-config.php and change or create the SECRET_KEY definition. It should look something like this (replace the key value with one of your own liking):

define('SECRET_KEY', '1234567890');

Active Plugins

If you have access to your database, check the wp_options table and look for the 'active_plugins' record. It lists every plugin that is actually active on your blog. A hacker may upload a file to your uploads folder and activate it as a plugin, so make sure no unfamiliar plugins are listed there.
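Added example (not from the original post): a Python script that parses the serialized active_plugins value as fetched from wp_options and flags entries that do not belong. The sample value and the KNOWN_PLUGINS list are constructed for illustration; the second entry is an invented path, not a real plugin.

```python
import re

# Constructed sample of the serialized PHP array that wp_options stores in
# option_value for option_name = 'active_plugins'. The second entry is an
# invented example of a file outside wp-content/plugins activated as a plugin.
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:24:"../uploads/2008/07/x.php";'
    'i:2;s:9:"hello.php";}'
)

# The plugins you know you installed (assumed list for this example).
KNOWN_PLUGINS = {"akismet/akismet.php", "hello.php"}

def parse_php_string_array(serialized):
    """Return the string members of a PHP-serialized array (a:N:{...}).

    Each member is encoded as s:<byte length>:"<bytes>"; reading the declared
    length means quotes or semicolons inside a value cannot derail the parse."""
    data = serialized.encode("utf-8")
    values, pos = [], 0
    while True:
        m = re.compile(rb's:(\d+):"').search(data, pos)
        if not m:
            return values
        length, start = int(m.group(1)), m.end()
        values.append(data[start:start + length].decode("utf-8", "replace"))
        pos = start + length + 2   # skip the closing quote and the ';'

def suspicious_plugins(serialized, known):
    """Pair each questionable active_plugins entry with the reason it was flagged."""
    findings = []
    for entry in parse_php_string_array(serialized):
        parts = entry.replace("\\", "/").split("/")
        if entry.startswith(("/", "\\")) or ".." in parts:
            findings.append((entry, "path escapes wp-content/plugins"))
        elif "uploads" in parts:
            findings.append((entry, "points into the uploads folder"))
        elif entry not in known:
            findings.append((entry, "not in your known plugin list"))
    return findings

if __name__ == "__main__":
    for plugin, reason in suspicious_plugins(SAMPLE_ACTIVE_PLUGINS, KNOWN_PLUGINS):
        print(f"WARNING: {plugin}: {reason}")
```

Run it against the real value from `SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'` and against your own list of installed plugins.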

.htaccess

Check the .htaccess file in your blog's root directory for suspicious activity. Normally it should contain only the standard WordPress rewrite rules that reference index.php.
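Added example (not part of the original post): a Python audit of a constructed .htaccess that flags rewrite targets other than index.php, directives outside the standard # BEGIN/END WordPress block, and long runs of blank lines used to push injected code out of view. The domain attacker.invalid is a placeholder.

```python
import re

# Constructed .htaccess: the standard WordPress rewrite block, then a run of
# blank lines and an injected redirect to a placeholder domain (attacker.invalid).
SAMPLE_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
""" + "\n" * 40 + """RewriteCond %{HTTP_REFERER} (google|yahoo)\\. [NC]
RewriteRule .* http://attacker.invalid/go.php [R,L]
"""

REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def audit_htaccess(text, max_blank_run=5):
    """Return (line number, reason) pairs for anything that deserves a look."""
    findings, inside, blank_run = [], False, 0
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            blank_run += 1
            continue
        if blank_run > max_blank_run:
            findings.append((n, f"{blank_run} blank lines before this line"))
        blank_run = 0
        if stripped == "# BEGIN WordPress":
            inside = True
            continue
        if stripped == "# END WordPress":
            inside = False
            continue
        m = REWRITE_RULE.match(line)
        if m and not m.group(1).endswith("index.php"):
            findings.append((n, f"rewrite target is not index.php: {m.group(1)}"))
        elif not inside:
            findings.append((n, f"directive outside the WordPress block: {stripped}"))
    return findings

if __name__ == "__main__":
    for n, reason in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {n}: {reason}")
```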

File change notifications

You can set up file change notifications for your blog, so that you receive an email whenever one of your WordPress files on the server changes.
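Added example (not the original post's code): a minimal version of such a notifier in Python, which hashes every file under the blog root into a manifest and reports what was added, removed or modified since the stored baseline. Sending the email is left out, and the directory tree in the demo is constructed.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def diff_manifests(baseline, current):
    """Return the changes a notification email would report."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

if __name__ == "__main__":
    # Constructed demo: a throwaway tree standing in for a WordPress root.
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(root, "wp-config.php"), "w") as f:
            f.write("<?php // config\n")
        baseline = build_manifest(root)          # store this somewhere safe
        with open(os.path.join(root, "wp-config.php"), "a") as f:
            f.write("// appended later\n")       # simulated tampering
        with open(os.path.join(uploads, "x.php"), "w") as f:
            f.write("<?php\n")                   # simulated dropped file
        print(diff_manifests(baseline, build_manifest(root)))
```

Run the manifest build from cron and compare against a baseline kept outside the web root, so a compromise of the site cannot also rewrite the baseline.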

Exploit scanner

Install the WordPress Exploit Scanner plugin. It scans through all files in your WordPress installation and searches for malicious-looking code. Check whether any of the warnings contain links to sites you are not familiar with.

User registration

If you are the only registered user of your WordPress blog, turning off the “Anyone can register” option in the General settings of the Admin panel is a sensible precaution, as open registration was the source of the biggest troubles in the past.

Backups

Should trouble still strike, make sure you have at least weekly backups of your blog. The WordPress Database Backup plugin will automate this work for you, so there is no reason not to use it.


  1. How to Make Wordpress More Secure - News Tech 05.18.09 / 8pm

    [...] [Via] Tags: updates, content themes, Exploit, hackers, htaccess, Php, plugin, problems, scanner, secret key, Security, wordpress security, theme, Wordpress You can follow all the responses to this article through the RSS 2.0 feed. You can leave a response, or a trackback from your site. [...]

  2. Calvin Foo 03.28.09 / 3am

    Folder access

    I think it would be simpler and safer by disabling the folder indexing in the server side setting.

    Most hosting comes with some sort of web interface login to your domain to control your website security features.

  3. Wordpress Security Tip-Get Rid of Hello.php! | Dev Tips | Become a Better Developer, One Tip at a Time. 03.21.09 / 3am

    [...] we will cover a quick Wordpress security tip. The other day while I was browsing some wordpress security notes, the article mentioned adding an index.html file to your plugin folder to prevent anyone from [...]

  4. Noumaan 02.14.09 / 2am

    At the moment Exploit scanner plugin works with wordpress 2.6 and no newer versions. But still it pointed out that some malicious script is somewhere on my site and I dug out the bad scripts. Thank you for this wonderful article. However it needs to be updated.

  5. Jim 01.17.09 / 2am

    Thank you for the suggestion about the blank index file in the plugin and themes folders. I've done my best to harden the site against attackers, but that one slipped right by me.

    I have cPanel on my server (a VPS) and I have full root access. I'm curious if you know whether setting things up in "folder permissions" of cPanel to deny access to folders without index pages (users get the "forbidden" message) would, in some way, hose WordPress? I was tempted to do it like I do for one of my other static sites, but I wasn't sure if doing so would somehow mess up Wordpress or the .htaccess file it needs.

  6. How To Make Money Online 12.29.08 / 3am

    Great information Vladimir! I had a few problems with my blog, and I realized that I had forgotten to back it up since I installed it on my domain, but I am not having any more problems, and I went and backed up my blog. Thanks for the info and thank you for reminding me to back up my blog!

  7. Hauke 10.21.08 / 6am

    When checking your .htaccess file make sure that you scroll all the way to the bottom - sometimes they put many blank lines in before their spammy re-direct code.

  8. twominutesondefrost 10.12.08 / 5pm

    Great post regarding the shortcomings over WP security.

    Instead of making a blank index.php, I decided to force them to backtrack. The JavaScript code is "history *dot* go(-1)".

    This should stop people from accessing folders you don't want seen. But the best way would be to somehow change folder permissions. I'm still working on that.

  9. On security in Wordpress | Polishing Wordpress with lordpio 08.12.08 / 12pm

    [...] read the article no related articles Posted by lordpio on Tuesday, August 12, 2008, at 12:15 pm. Filed under Articles. Tagged security, interesting links, essential. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. [...]

  10. WordPress Security 07.23.08 / 2pm

    [...] made a dedicated page dealing with this issue. Go to WordPress Security Notes [...]

  11. Check your website for virus attack ! 07.19.08 / 9pm

    [...] Update: if you use WordPress read how to check WordPress sites. [...]

  12. WordPress Security Notes » 70 Tricks 07.19.08 / 6am

    [...] via Vladimir Prelovac Online! [...]

  13. Susan 07.19.08 / 3am

    I love the idea of the Exploit scanner. Thanks for the info! :)

  14. Les 07.18.08 / 4pm

    Nice tutorial Vladimir. Thanks. I noted that the link you provided is for a .htaccess file for a 2.1 site. He has quite a bit of extra stuff in there. Would you recommend using the same code for WP 2.6?

About

Hi! My name is Vladimir Prelovac. I am a computer engineer by profession and an adventurer by state of mind.

Check out my current projects.

I wrote a book on WordPress Plugin Development.

I specialize in WordPress Solutions, SEO and Website Performance services.
