Wordpress Security Tips and Hacks
- Posted in How To's, WORDPRESS
- 116 Comments »
We all agree that keeping a WordPress weblog secure should be one of our first priorities in running a successful blog. In this post we'd like you to share your knowledge and help us build a WordPress security guide that keeps the bad guys out.
Below are 10 security tips you can easily implement on your WordPress blog. Please share one or more life-savers you use regularly to protect yourself from WordPress security issues.
1) Don't use PHP_SELF as the action of your search form
- WPdesigner advises us NOT to use this as the form action in search.php (or searchform.php):
<?php echo $_SERVER['PHP_SELF']; ?>
PHP_SELF is built from the request path, including any trailing PATH_INFO, so a link such as /index.php/"><script>…</script> puts attacker-controlled markup straight into your page (reflected cross-site scripting). Use this instead; it always points the form at your blog's own front page and never contains request data (bloginfo('url') is the current name for the same value):
<?php bloginfo('home'); ?>
- Keep the wp- folders out of search engines by adding the following line to your robots.txt:
Disallow: /wp-*
Note that robots.txt is only a request that well-behaved crawlers honour. It hides nothing from an attacker (it actually tells them which paths you consider sensitive), so treat it as tidiness, not as a security control.
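The PHP_SELF problem from the first tip, shown as an added example that is not code from the original post or from WPdesigner. It builds the search form both ways and checks whether attacker markup ends up in the page; it runs from the command line with no WordPress installed, and the request path and home URL are constructed test values (in a real theme the hardened action is what bloginfo('home') prints, or esc_url(home_url('/')) on current versions).

```php
<?php
// Added example (not from the original post): why a search form whose action
// is $_SERVER['PHP_SELF'] is a reflected-XSS hole, and the hardened form.
// Run with: php search_form_demo.php

// The form as the vulnerable search.php builds it: the request path goes
// straight into an HTML attribute.
function vulnerable_search_form(string $php_self): string
{
    return '<form method="get" action="' . $php_self . '">'
         . '<input type="text" name="s" /></form>';
}

// Hardened form: the action is the blog's own home URL (what bloginfo('home')
// prints), which never contains request data, and it is escaped as an
// attribute value anyway.
function hardened_search_form(string $home_url): string
{
    $safe = htmlspecialchars(rtrim($home_url, '/') . '/', ENT_QUOTES, 'UTF-8');
    return '<form method="get" action="' . $safe . '">'
         . '<input type="text" name="s" /></form>';
}

// Does the rendered page contain a script tag that was not in the template?
function reflects_markup(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed attack: the victim is sent to
//   http://blog.example/index.php/"><script>alert(1)</script><a href="
// Apache hands the trailing path to PHP as PATH_INFO, PHP appends it to
// $_SERVER['PHP_SELF'], and the theme echoes it back verbatim.
$php_self = '/index.php/"><script>alert(1)</script><a href="';
$home_url = 'http://blog.example';   // constructed value for bloginfo('home')

echo "Vulnerable search.php:\n", vulnerable_search_form($php_self), "\n";
echo "reflects attacker markup: ",
     var_export(reflects_markup(vulnerable_search_form($php_self)), true), "\n\n";

echo "Hardened search.php:\n", hardened_search_form($home_url), "\n";
echo "reflects attacker markup: ",
     var_export(reflects_markup(hardened_search_form($home_url)), true), "\n";
```

The vulnerable version closes the action attribute early and injects a script tag; the hardened version has no path for request data to reach the attribute at all, and the htmlspecialchars() call is there so that a home URL containing a quote could not do it either.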
2) Directories should not be left open for public browsing
Letting anyone list wp-content/plugins/ tells them exactly which plugins you run and, from the files inside, which versions. If one of them has a known exploit, that is all an attacker needs. Either put an empty index.html in wp-content/plugins/ (and in wp-content/themes/ and wp-content/uploads/, which leak the same kind of information) or add this line to the .htaccess file in your web root:
Options -Indexes
Do not write Options All -Indexes: the All switches on every other option (ExecCGI, Includes, FollowSymLinks) as a side effect. Also, the Options directive only takes effect in .htaccess when the server's AllowOverride setting permits it; otherwise Apache answers every request with a 500 Internal Server Error.
3) Drop the version string in your Meta Tags
Many WordPress themes print a generator meta tag that advertises the exact WordPress version your blog runs. If you haven't upgraded to the latest release, that tells an attacker which known holes to try, as Matt Cutts pointed out. Another solution is a plugin that replaces the version string with a made-up one.
The tag lives in your theme's header.php:
- <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Delete that line. Be aware that since WordPress 2.5 the same tag is also printed by the wp_generator action hooked to wp_head (and into your feeds), so on current versions the line in header.php is not the only source: a plugin has to call remove_action('wp_head', 'wp_generator') as well, and the version is still readable in readme.html and in the ?ver= query strings on bundled scripts. Hiding the version buys a little obscurity; updating (tip 7) is the real fix.
4) Protecting your WordPress wp-admin folder
Attackers use bots for brute-force attacks that simply guess the admin password until they hit the right one and log in. Keep in mind that the login form itself is wp-login.php in the blog's root, not inside wp-admin/, so whatever you put in front of wp-admin/ has to cover wp-login.php too, or the guessing continues unhindered. There are a couple of solutions out there; we highlight each below.
- Limit access to the wp-admin folder by IP address - Restrict which IPs may reach wp-admin via .htaccess. The drawback: you have to edit the .htaccess file whenever your internet provider assigns you a new dynamic IP address, you move to another location, or you have authors at other locations. Plugins that call wp-admin/admin-ajax.php from the public site stop working when wp-admin/ is closed to everyone, so leave that one file reachable if you use such a plugin.
- AskApache Password Protect - The plugin is simple: it adds a second layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. All you have to do is choose a username and password and you are done. It writes the .htaccess file without messing it up, hashes your password into a .htpasswd file, and sets the correct security-enhanced file permissions on both.
- Login Lockdown plugin - Records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of failures are detected within a short period from the same IP range, the login function is disabled for all requests from that range for a while. This blunts brute-force password discovery, though an attacker spread across many ranges (a botnet) still gets its allowance per range.
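The lockout rule the Login Lockdown bullet describes, written out as an added example so it can be run and tuned. This is not the plugin's own code: the thresholds (5 failures in 300 seconds, one hour lockout), the /24 grouping and the log lines are constructed test values, and PHP 7.4 or later is assumed. Run it with php login_lockdown_demo.php.

```php
<?php
// Added example (not from the original post or the Login Lockdown plugin).
// Every failed login is recorded with its source IP and time. If more than
// $max_failures failures arrive from the same /24 range within $window
// seconds, that range is locked out for $lockout seconds.

// Collapse an IPv4 address to its /24 network, e.g. 203.0.113.42 -> 203.0.113.0/24
function ip_range(string $ip): string
{
    $n = ip2long($ip);
    if ($n === false) {
        return $ip;                 // not IPv4: treat the address as its own range
    }
    return long2ip($n & 0xFFFFFF00) . '/24';
}

final class LoginLockdown
{
    private array $failures = [];   // range => timestamps of recent failures
    private array $locked   = [];   // range => time at which the lockout ends
    private int $max_failures;
    private int $window;
    private int $lockout;

    public function __construct(int $max_failures = 5, int $window = 300, int $lockout = 3600)
    {
        $this->max_failures = $max_failures;
        $this->window       = $window;
        $this->lockout      = $lockout;
    }

    // May this IP attempt a login at time $now?
    public function allowed(string $ip, int $now): bool
    {
        $r = ip_range($ip);
        return !isset($this->locked[$r]) || $this->locked[$r] <= $now;
    }

    // Record a failed attempt; returns true if it triggered a lockout.
    public function record_failure(string $ip, int $now): bool
    {
        $r = ip_range($ip);
        // forget failures that fell out of the sliding window
        $this->failures[$r] = array_values(array_filter(
            $this->failures[$r] ?? [],
            fn(int $t) => $t > $now - $this->window
        ));
        $this->failures[$r][] = $now;
        if (count($this->failures[$r]) > $this->max_failures) {
            $this->locked[$r]   = $now + $this->lockout;
            $this->failures[$r] = [];
            return true;
        }
        return false;
    }
}

// Constructed log of failed logins, "timestamp ip": six failures from one
// /24 within 30 seconds, with one unrelated failure in between.
$log = <<<LOG
1203250000 203.0.113.10
1203250005 203.0.113.11
1203250010 198.51.100.7
1203250012 203.0.113.12
1203250018 203.0.113.10
1203250025 203.0.113.13
1203250030 203.0.113.99
LOG;

$ld = new LoginLockdown();
foreach (explode("\n", $log) as $line) {
    [$ts, $ip] = explode(' ', trim($line));
    $ts = (int) $ts;
    if (!$ld->allowed($ip, $ts)) {
        echo "$ts $ip: rejected, ", ip_range($ip), " is locked\n";
        continue;
    }
    if ($ld->record_failure($ip, $ts)) {
        echo "$ts $ip: lockout triggered for ", ip_range($ip), "\n";
    } else {
        echo "$ts $ip: failure recorded\n";
    }
}
// Ten minutes later, a fresh address from the locked range is still refused:
echo '1203250600 203.0.113.50 allowed? ',
     var_export($ld->allowed('203.0.113.50', 1203250600), true), "\n";
```

Inside WordPress the record_failure() call would hang off the wp_login_failed action and the allowed() check off the authenticate filter, with the two arrays kept in the options table instead of memory. Grouping by /24 is the trade-off the plugin makes: it catches an attacker rotating through a small block of addresses, but a whole office or ISP pool behind one range gets locked out together.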
5) Stay up to date
Keep your plugins/widgets, your theme and WordPress itself updated. Subscribing to the plugin/widget/theme authors' RSS feeds makes keeping up with them much easier.
6) Take regular backups of your site and database
Always take regular backups of your file directories as well as the database. The WordPress Database Backup plugin creates backups of your core WordPress tables as well as any other tables of your choice in the same database. Keep the copies somewhere other than the web server itself; a compromise that wipes the site otherwise wipes the backups with it.
7) Update your WordPress to the latest version
Probably the first thing you should do! Install the Instant Upgrade plugin or the WordPress Automatic Upgrade plugin (WordPress 2.7 and later can update themselves from the dashboard). Make sure you back everything up before performing the upgrades.
8) Use SSH/shell access instead of FTP
This is one of the best tips I found. FTP sends your username, password and files in clear text, so anyone on the network path can read them; if someone gets hold of your FTP login information, they can manipulate your files and add spam to your site without you even knowing about it. With SSH (SFTP or SCP for file transfers) everything is encrypted, including the transfer of files.
9) Protect your wp-config.php file
Keep your database username and password safe by adding the following to the .htaccess file at the top level of your WordPress install, with each directive on its own line (if the three are run together on one line, Apache rejects the file and every request returns a 500 Internal Server Error):
<FilesMatch "^wp-config\.php$">
deny from all
</FilesMatch>
On Apache 2.4 write Require all denied in place of deny from all. This makes it harder for your database username and password to fall into the wrong hands in the event of a server problem, for example a broken PHP handler that makes Apache serve the file as plain text. Since WordPress 2.6 you can also move wp-config.php one directory above the web root; WordPress looks for it there automatically, and a file outside the document root cannot be served at all.
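The .htaccess fragments from tips 2, 4 and 9 combined into one file for the WordPress root, as an added example that is not part of the original post or of the AskApache plugin. It assumes Apache 2.2 (the Order/Deny syntax of the post's era) with AllowOverride permitting Options, Limit and AuthConfig; the IP ranges and the .htpasswd path are placeholders to replace, and the Apache 2.4 equivalents are given in comments.

```apache
# Added example, not from the original post: one .htaccess for the WordPress
# root combining tips 2, 4 and 9. Every directive sits on its own line; the
# one-line form "<FilesMatch ...>deny from all</FilesMatch>" is a syntax
# error and is why readers see a 500 Internal Server Error.

# Tip 2: no directory listings. Do not write "Options All -Indexes":
# All also turns on ExecCGI, Includes and FollowSymLinks.
Options -Indexes

# Tip 9: never serve wp-config.php, even if a broken PHP handler would
# otherwise hand out its source. Apache 2.4: replace the two lines inside
# the container with "Require all denied".
<FilesMatch "^wp-config\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Tip 4: the login form is wp-login.php in the root, not inside wp-admin/,
# so it needs the same protection or the brute-force target stays open.
# Placeholder addresses; Apache 2.4: "Require ip 203.0.113.0/24 198.51.100.7".
<Files "wp-login.php">
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
    Allow from 198.51.100.7
    # Second layer: a separate username and password. The .htpasswd file
    # must live outside the web root (placeholder path).
    AuthType Basic
    AuthName "Administration"
    AuthUserFile /var/www/private/.htpasswd
    Require valid-user
    # With both rules present, a request must pass the IP check AND log in.
    Satisfy All
</Files>

# For wp-admin/ itself, put the same Order/Deny/Allow and Auth* lines (without
# the <Files> wrapper) in wp-admin/.htaccess. If a plugin calls admin-ajax.php
# from the public site, exempt that one file there:
#   <Files "admin-ajax.php">
#       Order allow,deny
#       Allow from all
#       Satisfy Any
#   </Files>
```

Create the password file with htpasswd -c /var/www/private/.htpasswd yourname, then test from an address that is not on the list: wp-login.php should answer 403 and wp-config.php should answer 403 from anywhere. If the whole site starts returning 500 instead, the server's AllowOverride does not permit one of the directives and the line has to move into the main server configuration.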
10) Protect your blog with a solid password
Choosing a strong password that is also memorable is one of the easiest defences against being hacked. There are many online password-strength checkers you can try; test a password of the same shape rather than the one you will actually use, since the checker is a site you don't control.
Also check Lorelle's article on the Blog Herald called Protect Your Blog With a Solid Password, which offers tips and tricks for creating a strong password that is also memorable, and for dealing with all the passwords we accumulate online.

More tips, only in German:
1. http://wordpress-buch.bueltge.de/wordpress-sicherer-machen/30/
2. http://wordpress-buch.bueltge.de/wordpress-templates-sicherer-machen/31/
and a plugin (http://wordpress.org/extend/plugins/replace-wp-version/#post-2859) to replace the WP version. The version of WP is also in the feed!
very useful tips
Hey nice tip…till now, like a stupid, i gave security a back-seat
First lines are cut and pasted from a SP post…
credits?
Milo
I guess you mean WPdesigner’s website, and yes a link was given to them. I guess you didn’t notice it.
Noupe, that’s because Milo saw your unedited post. You only changed it once you had a comment in regards to stealing content from another user. SP also stands for Small Potato, the owner/author of WPDesigner.
Robert, I completely agree with you. I just find it ironic that it’s a resource to help you “craft clean usable websites.” Which is probably why I almost never view this site with css enabled and the ads disabled. Too much garbage littering what the site is truly about: it’s content.
You have almost the same amount of space delegated to ads as there are for content. Horrible placement, that’s for sure.
Jordan
The link to wpdesigner’s website was placed the first time this post was published and the link was originally there.
Noupe.com is not stealing other people stuff, if you have ever checked our previous posts you will find it clearly that we always add links and credits to original sources.
Our site’s focus is to inform our readers about the latest tips and techniques in web-design and we never say that these tips are ours unless they realy are.
P.S. I like your website's design http://www.atourworst.org, it reminds me of http://www.redcrownstudio.com: almost the same colors, same right placement of the logo, same footer, same navigation bar. Overall the same look and feel.
Noupe is definitely a cool and innovative site and credits are given to where it belongs :)
It's really easy to know whether Noupe gave credit or not.
Just go to http://www.wpdesigner.com/2008/01/30/wordpress-tips-part-1/ and you will find that a trackback link was added on the same day Noupe published this post, which is Feb 17; this means it was one day before these lazy commentators created this buzz out of nothing ;)
Nice Tips Noupe, keep going :)
#9 gives me an instant server error message on a Plesk-managed server!
Good tips otherwise though
Nice tips, but do you have any other tips related to abnormal use of HTTP_REFERER?
This is a very important step for blogs, and one that I missed. I was infected with a trojan virus and I didn't see it (I work on a Mac), but when PC users visited my posts there were some serious problems, with a virus trying to infect their machines. So I have learned my lesson, fixed the problem, said sorry to my great visitors, and now security is a must.
These tips have been vital to my blog.
Thank you
Chad
I would also add that a WP plugin developer should add something along the lines of:
[code]
// Block direct requests to the plugin file (e.g. /wp-content/plugins/foo/foo.php):
// if the requested script is this file, WordPress has not been loaded, so refuse.
if (preg_match('#' . preg_quote(basename(__FILE__), '#') . '#', $_SERVER['PHP_SELF'])) {
    header('HTTP/1.1 403 Forbidden');
    exit();
}
[/code]
to the top of their plugins to help with the security.
Great article, but shouldn't item #9 be:
deny from all
?
The instruction as listed on the post generates an Internal Server Error every time.
*Sorry, forgot to wrap in code tags
Great article, but shouldn't item #9 be:
[code]
<FilesMatch "^wp-config\.php$">
deny from all
</FilesMatch>
[/code]
The instruction as listed on the post generates an Internal Server Error every time.
really nice list here. as for the ssh tip – bravo. it’s one of those really nice things that is super convenient as well as secure. soon, you find yourself using ssh for nearly every server admin task you can think of.
the best tips i read, thanks for sharing
Thank you for the tips. I’ve been looking for something like this post for a while. You really made it simple and basic.
Thanks again,
Monica
Great tips. I recently let my blogs go without an update for 6 months. I came back to them to find numerous parts hacked. Adsense ads had different affiliate IDs, pharmacy and spam through posts and comments. Even folders full of spam files on the server. Basically every possible hack had been done to them.
Wordpress is a high profile app and blackhats are always looking for the exploits then scanning the web for people who have unpatched blogs. Not safe.
Hi.
Thanks for the wonderful tips. One of my sites got hacked, so I was really worried and searching for how I could make blogs more secure and hence stumbled upon your site.
Thanks!
Mnis
It should be added that a “disallow” in robots.txt does not provide any security at all. A malicious bot can simply choose to ignore it and your server will be helpless.
Even people with the best of intentions can sting you by accident. There are programs which can act like bots, but adhere only to the rules for browsers. wget and curl are two examples.
If somebody wants to download all your articles for off-line reading and uses such a downloader clumsily set to follow each and every internal link it finds at your site, you may just be in trouble.
Both wget and curl will only stop if they encounter either a 404 (not found) or a 403 (forbidden). In that they behave like browsers who also don’t look at robots.txt.
So – if any of your internal links lead into sensitive territory, make sure the target is password protected.
nice tips noupe …
Very nice tips there buddy, you covered almost all the aspects on wordpress security.
Thanks for this topic, I love it.
Hi, Thanks for the great write-up:
Regarding 9, if I put that code in .htaccess, it does not allow me to log in as well.
Is that the correct command? Could you confirm?
Also, to disable the directory browsing, you mentioned “Options All -Indexes” command. Would this disable the search engine crawling as well?
Thanks again, JK
thanks for this TOPIC i really love it ^^
Nice write up, but you have to use SSH, just in case.
Most people leave their blog directory scannable by search engines and publicly browsable. This is a big security hole for any blog.
informative post, lovely.
.htaccess is the simplest way for me
Thanks for the collection, I'll Digg this.
As far as passwords are concerned, I highly recommend a password manager like KeePass Password Safe.
It generates passwords and maintains them in a secure database. I don’t even try to make passwords memorable or reasonably short (most my passwords are now 25+ characters of completely random garbage).
The auto-type function means just hitting a key-combination and having it find the proper password and using it.
You, of course, now have to protect your password safe from loss. Not because it isn’t secure, but because you are depending on it. That’s fine by me.
There are several of these types of programs. I chose KeePass because it also has a Linux version (KeePassX).