If you are running the WordPress blog software (and it is not upgraded to the latest version) you might have been a target for hackers who are looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic redirection and other bad purposes.
Most of the attacks use SQL injection and cross-site scripting (XSS), and they work because the software does not filter user input properly. Some of the attacks use bots that can automatically create hundreds of spam pages on your blog, plant a backdoor (so the hacker can come back at a later time) or steal users’ passwords.
Hackers take advantage of the open-source nature of the software: they read and analyze the source code of the software they want to attack and test it for potential vulnerabilities. The developers and users then have to detect, track down and close the vulnerabilities in the code that those attackers are using.
The pattern seems to be the same: when a new hole is found it is broadly exploited, then the developers rush out a patch and/or a new release. Most of the damage inflicted by the automated exploits can be reversed with an upgrade, but in some cases you can be left with thousands of spam pages and images to clean up (and they are usually well hidden). If the attacked software is very popular (which attracts hackers too), like WordPress, then thousands of installs can be compromised.
Chances are that a blog owner realizes late that his blog was hacked. That is why it is important to keep up with the latest upgrades and security patches from WordPress.com and to keep an eye on your blog: monitor the statistics and the blog usage, take frequent backups and follow other security blogs for news about security holes; one of them is BlogSecurity.net.
Always upgrade your WordPress installation to the latest version (and install any security patches that are released). Be aware that if you installed WordPress from the Fantastico package you most probably won’t have the latest version (it seems the Fantastico people take their time updating their package with the latest versions of the software it contains, WordPress included). The people at SimpleScripts are faster at updating their software (Fantastico and SimpleScripts are offered by many hosting companies to their subscribers).
How do you secure your WordPress installation?
- Your “plugins” directory is NOT secured by default!
- Choose a strong password!
- Use security-related plugins!
- Rename the administrative account!
- Backup your database!
- Log all your $_POST variables!
- Plugins that need write access!
- Encrypt all communication within “wp-admin” directory! (if possible)
- Tighten up the file permissions!
- Of course, update your WordPress!
Your “plugins” directory is not secured by default, which means there is no “index.html” or “index.php” file in it, so anyone can SEE which plugins you are using just by going to “www.yoursite.com/wp-content/plugins”. It is easy to stop this: create a blank HTML file named “index.html” and put it in that directory (this hides the directory listing; it does not block a request for a plugin file whose path is already known). Job done!
Don’t use an easily guessed admin password (your short first name, your wife’s name, pet names, etc.). Choose a longer password and combine it with numbers and upper/lower-case letters (and other characters like #, $, %, ^…). And change your admin password regularly!
Some of these security-related plugins may help you:
A lot of attackers and automated tools will try to determine software versions before launching exploit code. Removing your WordPress blog version may discourage some attackers and will certainly mitigate virus and worm programs that rely on software versions.
You can get this plugin from here (download it as a PHP file, not TXT, put it in your “plugins” directory, then activate it).
Or you can use the Replace WP version plugin.
- Login LockDown
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
Download it from here.
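The lockout policy described above, as an added example (my own Python, not the Login LockDown plugin’s code): it replays constructed login events through the default thresholds quoted above, treating an “IP range” as the client’s /24 and timestamps as plain seconds.

```python
from ipaddress import ip_network

# Defaults as described for the plugin: 3 failures within 5 minutes lock the
# source IP range for 1 hour (all tunable in its Options panel).
MAX_FAILURES, WINDOW, LOCKOUT = 3, 5 * 60, 60 * 60   # window/lockout in seconds

def ip_block(ip):
    # Assumption: the plugin's "IP range" is treated here as the client's /24.
    return ip_network(f"{ip}/24", strict=False)

class LoginLockdown:
    def __init__(self):
        self.failures = {}   # block -> timestamps of recent failed logins
        self.locked = {}     # block -> time at which its lockout expires

    def is_locked(self, ip, now):
        block = ip_block(ip)
        if block in self.locked and now < self.locked[block]:
            return True
        self.locked.pop(block, None)   # never locked, or lockout has expired
        return False

    def record_failure(self, ip, now):
        """Register a failed login; return True if it triggers a lockout."""
        block = ip_block(ip)
        recent = [t for t in self.failures.get(block, []) if now - t <= WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked[block] = now + LOCKOUT
            self.failures[block] = []  # counter restarts once the lock ends
            return True
        self.failures[block] = recent
        return False

def replay(events):
    """Run (time, ip, success) events through the policy; return refused (time, ip)."""
    ld = LoginLockdown()
    refused = []
    for ts, ip, ok in events:
        if ld.is_locked(ip, ts):
            refused.append((ts, ip))
        elif not ok:
            ld.record_failure(ip, ts)
    return refused

SAMPLE_EVENTS = [  # constructed: (seconds, client ip, password correct?)
    (0, "203.0.113.7", False), (60, "203.0.113.7", False), (120, "203.0.113.7", False),
    (130, "203.0.113.7", True),    # third failure at 120 s locked the /24: refused
    (200, "203.0.113.9", True),    # neighbour in the same /24: refused too
    (300, "198.51.100.4", False),  # other network, one failure: not locked
    (3800, "203.0.113.7", True),   # lock expired after 3600 s: allowed again
]
```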
AskApache Password Protect adds some serious password protection to your WordPress blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content and plugins directories as well. Imagine a HUGE brick wall protecting your frail .php scripts from the endless attacks of automated web robots and password-guessing, exploit-serving virii. Forget spam, these millions of zombie bots are too outrageous to ignore: they are attempting known (but strangely outdated) exploits, looking for known vulnerabilities in blogs and other Internet software. Sooner or later some poor blogger is going to miss an upgrade and become a victim of this type of video-game-like attack.
Get it from here.
- WP Security Scan
Scans your WordPress installation for security vulnerabilities and suggests corrective actions: passwords, file permissions, database security, version hiding, WordPress admin protection/security; it also removes the WP Generator META tag from the core code.
Download it from here.
- Use WordPress firewall!
A weblog platform is vulnerable to hacking attempts, which is where their unique firewall protection for WordPress will give you peace of mind (so they say).
The firewall script supports PHP and MySQL, making it an ideal partner for WordPress. No matter what version of WordPress you are using, the Firewall Script will make your blog secure (protecting your blog from SQL injection, coding errors, cross-site scripting (XSS), cross-site request forgery (CSRF), password theft (IP lock), comment spam and DDoS attacks, with a customized WordPress ruleset that blocks all exploits, according to the vendor).
Download the Firewall software now to make your WordPress installation secure against web-based attacks (this software is not free!).
To rename the administrative account you can use the MySQL command-line client with a command like `update tableprefix_users set user_login='newuser' where user_login='admin';` (replace tableprefix with the table prefix of your installation), or use a MySQL frontend like phpMyAdmin.
You should back up your data regularly (and that includes the database). Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media (such as CD-R) increase your confidence that your data has not been tampered with.
One good utility is WP-DBManager, which can be downloaded from here, or WP-DB-Backup, which can be downloaded from here.
Or you can use the MySQL database manager of choice, phpMyAdmin (read here how to use it as a backup tool).
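An added example of the independent-hash idea above (my own Python, not code from WP-DBManager or WP-DB-Backup): it writes an md5sum-style manifest for a set of backup files and later checks the files against it, reporting modified, missing and unlisted files. The sample backup contents are constructed.

```python
import hashlib
import os

# Constructed stand-ins for two backup files: a database dump and an archive.
SAMPLE_FILES = {
    "wp_db-2008-03-01.sql.gz": b"\x1f\x8b\x08\x00fake gzip body of a mysqldump",
    "wp-content-2008-03-01.tar": b"fake tar body: uploads, plugins, themes",
}

def digest(data, algo="md5"):
    """Hex digest of a backup's bytes. The article suggests MD5; sha256 is the
    better choice today, and the manifest records which one was used."""
    return hashlib.new(algo, data).hexdigest()

def build_manifest(files, algo="md5"):
    """One 'algo digest  name' line per file, in the md5sum/sha256sum style.
    Keep this text somewhere the web server cannot write to."""
    lines = [f"{algo} {digest(data, algo)}  {name}" for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"

def verify_manifest(manifest, files):
    """Compare current backup contents against a saved manifest.
    Returns name -> 'ok' | 'modified' | 'missing' | 'unlisted'."""
    status, listed = {}, set()
    for line in filter(str.strip, manifest.splitlines()):
        algo, expected, name = line.split(None, 2)   # name may contain spaces
        listed.add(name)
        if name not in files:
            status[name] = "missing"
        elif digest(files[name], algo) == expected:
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in files:
        if name not in listed:
            status[name] = "unlisted"   # a file nobody recorded: investigate it
    return status

def read_backup_dir(directory):
    """Load each regular file in a backup directory as {name: bytes}."""
    files = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                files[name] = f.read()
    return files
```

For a real run, `build_manifest(read_backup_dir("/path/to/backups"))` produces the record to store separately, and `verify_manifest` with the stored text and a fresh `read_backup_dir` does the check.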
Standard Apache logs do not offer much help when it comes to security forensics.
So, to log all $_POST variables sent to WordPress, you can use a plugin called Postlogger (download it from here).
If you happen to be using this plugin and actively logging all $_POST variables, and your WordPress install is exploited, you will be able to go back and actually see where and how the exploit occurred. Armed with that information, you can take the data to the WordPress developers. (Keep in mind that such a log also captures login passwords and other sensitive form data, so protect it accordingly.)
If a plugin wants write access to your WordPress files and directories, first read the code to make sure it is legitimate, or check with someone you trust who is more savvy than you. Other places to check are the WordPress Support Forums and IRC channel.
You can secure and encrypt all of your communication and important WordPress cookies with the Admin-SSL plugin, which works with private and shared SSL. This plugin can be downloaded from here.
Some of WordPress’ cool features come from allowing some files to be writable by the web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment.
From a security perspective, it is best to lock down your file permissions as much as possible and to loosen those restrictions only on the occasions when you need to allow write access, or to create special folders with more lax restrictions for things like uploading images.
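An added example of the permissions policy just described (my own Python, not WordPress code): it flags files and directories writable by group or others outside an allowed upload tree, plus a wp-config.php readable by every local user; the sample listing and the wp-content/uploads exception are constructed assumptions.

```python
import os
import stat

# Directories the advice above allows to stay writable (image uploads); everything
# else is expected to be locked down. Constructed default for this example.
WRITABLE_OK = ("wp-content/uploads",)

def audit_entries(entries, writable_ok=WRITABLE_OK):
    """entries: iterable of (path relative to the install, st_mode).
    Returns (path, finding) pairs for entries that violate the policy."""
    findings = []
    for path, mode in entries:
        norm = path.replace(os.sep, "/")
        exempt = any(norm == d or norm.startswith(d + "/") for d in writable_ok)
        if not exempt and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((norm, "writable by group/others outside the upload tree"))
        if norm.endswith("wp-config.php") and mode & stat.S_IROTH:
            findings.append((norm, "database credentials readable by every local user"))
    return findings

def audit_install(root, writable_ok=WRITABLE_OK):
    """Walk a real install and run the same policy over its files and directories."""
    def entries():
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root), os.lstat(full).st_mode
    return audit_entries(entries(), writable_ok)

SAMPLE_ENTRIES = [  # constructed listing of a badly configured install
    ("index.php", 0o100644),
    ("wp-config.php", 0o100644),               # should be 0o100640 or tighter
    ("wp-content/plugins", 0o040777),          # plugin dir anyone on the host can write to
    ("wp-content/plugins/index.html", 0o100644),
    ("wp-content/uploads", 0o040775),          # writable upload dir: the allowed exception
    ("wp-content/uploads/2008/03", 0o040777),  # inside the exception: not flagged here
    ("wp-content/themes/default", 0o040775),   # group-writable outside the exception
]
```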
Like I said above, keeping your WordPress installation up to date is one of the most important measures against hackers. And it’s not complicated to do either (back up everything before upgrading!).
Learn more about hardening a WordPress installation here, on the WordPress website.
To test your WordPress blog for weaknesses, the BlogSecurity website developed an online WordPress scanner.
You can try it out here.
*NOTE: Before using this scanner you need to install a plugin (named “wp-scanner”) that they offer and that can be downloaded from here! Activate the plugin, scan your blog, then deactivate the plugin to prevent others from scanning your blog again.
Now that you have SECURED your blog (hopefully you did implement the measures above, or at least most of them), please read more about how others were attacked and what they did to fix it. Or just read how YOU can be attacked by different means.
- WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next? (even TechCrunch covered this, which means it is serious)
- Did your WordPress get hacked?
- WordPress hacked!
- I was hacked
- WordPress hacked: googlerank.info
- WordPress hacked. Upgrade NOW!
- WordPress hack causes website to be removed from Google
- WordPress hacked, site penalized
- Widespread WordPress Hack, Steals Search Engine Traffic
- WordPress 2.3.3 Security Retro-Fit
- WordPress Hack: Recover and Fix Google and Search Engine or No Cookie Traffic Redirected to Your-Needs.info, AnyResults.Net, Golden-Info.net and Other Illegal Sites
Mircea Goia was born in Romania and immigrated to the US in 2005.
He lives in Phoenix, AZ and works as a web developer. He also works on several entrepreneurial Web projects.
He shows a keen interest in commercial Web development such as social networks, viral marketing and online video.
His artistic hobby is filmmaking with special interest in directing.