
How to Stop Your WordPress Blog Getting Hacked

Unbeknownst to most people who set up a WordPress powered website, they are also putting up a big banner saying, "I am ripe for hacking." While the situation is better than it was two years ago, WordPress is still a major target for hackers and some of the problems like lack of proper escaping (relatively simple to fix) seem to have been forgotten about.

[Screenshot: an example of a hacked WordPress blog]

WordPress hackers are more or less made up of two groups: people who want to use hacked WordPress sites as cloaked link farms, and hobbyist hackers – often from Turkey. If you have a relatively good knowledge of HTTP and PHP, you can probably hack a WordPress site within 30 minutes by using software vulnerability lounges like Milworm to find out about vulnerabilities.

Removing Footprints – Stop Hackers Finding You
1 – Remove the Footer Credit – Most WordPress templates will come with a link back to WordPress in the footer saying, "Powered by WordPress". If you don't want to get hacked, this absolutely has to go. It is used as a marker by hackers who query search engines to compile lists of WordPress sites. This is known as dorking, implying that people who leave such footprints on their sites are dorks. Removing this will probably stop you from getting hacked as your site will probably not be found once it is removed. If you would like to give credit to WordPress for making a free publishing platform in some other way, you could link to them on your about page. To remove the footer credit, open up wp-content/{name of the theme you are using}/footer.php and delete the link to WordPress.

2 – Remove the Meta Generator Tag – Most WordPress templates will also come with an HTML tag in the head like this:

    <meta name="generator" content="WordPress 2.7" />

This has to go too as it gives away what version of WordPress you are using. All a hacker would have to do is look up a hack for your version of WordPress and if you are vulnerable (some vulnerabilities require certain server settings or environments) they will take you down. To remove the meta generator, open up wp-content/{name of the theme you are using}/header.php and delete the meta generator tag.

3 – Remove the Generator Tag in the RSS Feed – WordPress also gives away which version you are using in the RSS feed with a generator tag like this:

    <generator>http://wordpress.org/?v=2.7</generator>

Again, this gives away the version you are using, so it is particularly dangerous. RSS feeds are another way in which hackers compile lists of sites which they might be able to attack. To remove the RSS generator, open up wp-includes/general-template.php and search for the function called the_generator (around line 1858). It will look like this:

    function the_generator( $type ) {
        echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
    }

and place a hash (#) in front of the word echo, so it looks like this:

    function the_generator( $type ) {
        #echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
    }

4 – Remove Other Footprints – There are a number of other ways that someone might be able to tell that your site runs on WordPress, such as installing it at, e.g., http://domain.tld/wordpress/, and having links to specific WordPress file names, such as wp-login.php. The latter can easily be found using a search engine. There are also ways in which someone can detect what platform you are using if the platform uses unique directory names, as WordPress does. Two file names that are visible on all WordPress installs are the wp-content/ directory (where WordPress stores media) and wp-comments-post.php. You can change the name of the wp-content directory in the WordPress admin under settings > miscellaneous. To change wp-comments-post.php, you will need to edit your template to use a different URL and forward the new URL to wp-comments-post.php. It is unlikely anyone uses these methods to find WordPress blogs to hack, but they are considerations you can take if you want to be extra careful. Also make sure you have deleted the licence.txt and readme.html in the root directory.

Locking Your Install Down

5 – Disabling Indexes – Disabling indexes means that when someone navigates to a directory on your server, it will not give them a listing of the folders and files in that directory. So if your wp-content/plugins/ directory is browsable, you are going to be giving away what plugins you are using. This may be used to target sites that use a particular plugin, or if you have enemies someone might use it to find a vulnerability specific to one of your plugins. This is particularly important as a number of WordPress hacks target vulnerabilities in plugins. Due to lack of security, many sites have their plugins directory indexed:

[Screenshot: plugin directories]

If you are using Apache as a web server (the most popular choice) you can disable indexes by adding one line to .htaccess in the root of your WordPress install – that is the main directory with index.php in it. Simply add Options -Indexes anywhere in the .htaccess file. If you ever need to enable indexes in a directory, all you need to do is add Options Indexes to a .htaccess file in that directory. For those who are not using Apache, other options will be available for your server. Alternatively, if you are partial to botches, you can put an index.html file in all directories you don't want people to be able to browse. So, when someone loads a directory, they will just be shown the index.html.

6 – Blocking Server-side Directories – Blocking directories that contain files that are only needed by your server is an essential aspect of any site's security. There are a few reasons for this, including:

- If your server has a problem with PHP (like if someone removes the Apache PHP module), your server may start outputting PHP files literally, giving away your database credentials.
- Some text editors will create backup files like index.phps or index.php~. These can be uploaded to the server and accessed by undesirables. These files can get indexed by search engines for easy targeting.

Due to WordPress' architecture, it is not possible to block all directories that should be blocked. The main directory to block is wp-includes/. You can do this by adding the following line to .htaccess:

    RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]

To block further directories, separate each directory with a pipe like so:

    RewriteRule ^(wp-includes|another-dir)\/.*$ ./ [NC,R=301,L]

7 – Hiding the Admin – Securing the administration is important as it is an easy place where your username and password can be yoinked. First of all, you will want to put the admin on an encrypted connection (SSL). Using a secure connection for your admin is important because without it your login credentials will be bandied around the internet as plain text. They will also be stored in your server's log files as plain text – not good if a malicious individual or a disgruntled server admin gets access to your server. If you do not know how to do this you will need to get someone to do it for you or ask your hosting company. If you have cPanel, I believe this can be set up from there. Renaming the admin directory is also a good idea. By default it is wp-admin/. However, this isn't an easy job for those who do not have a decent understanding of PHP. Alternatively, you can password protect the directory. This can be done from cPanel.

8 – Move the Config Data – As mentioned above, some text editors will make backups of your PHP files which can be opened by anyone, or if you have server problems your PHP files could be output as text. This opens up the problem of someone opening up your wp-config.php file and snaffling your database credentials. A search on Google shows a number of sites with their database credentials ripe for the picking:

[Screenshot: sitting ducks]

The best thing to do is:

- Copy the contents of wp-config.php
- Create a new file in a directory (e.g. wp-includes/conf.php) and paste the contents into it
- Require the new config file from wp-config.php. This will look something like:

    <?php
    require_once( 'wp-includes/conf.php' );
    ?>

- Save the new wp-config.php

It is essential that your new config file is in a directory that you have blocked from outside access using the method in point 6. Otherwise, you will just be telling people where you have moved your config.

9 – Database Encoding – In wp-config.php, you are able to select your database encoding. It is advisable to use UTF-8 as other character sets are vulnerable to SQL injection since WordPress doesn't use multi-byte character escaping.

10 – File Permissions – Use the below file permissions for optimal file system security:

    Directory      Permission
    ./             755
    wp-admin/      755
    wp-content/    755
    wp-includes/   555

WordPress Trojan Horses

11 – Themes and Plugins – Last but not least, you can run into serious trouble by installing plugins and using themes without checking them for malicious code. If you don't know PHP, I'd recommend only installing plugins and themes which are listed in the official WordPress directories as I'd imagine those are vetted for nasties. Although with plugins like pennispress getting into the official directories, it is difficult to know who to trust these days :|
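As an added self-check for points 1 to 4 (example code written for this edit, not part of the original post), the script below scans a page's saved HTML and its RSS feed for the footprints named above: the meta generator tag, any credit link to wordpress.org and the feed's generator element, reporting the version each one leaks. The sample HTML and feed are constructed; point the two functions at your own site's saved output instead.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

class _FootprintScanner(HTMLParser):
    """Collects the meta generator tag (point 2) and links to wordpress.org (point 1)."""
    def __init__(self):
        super().__init__()
        self.generator = None       # content attribute of <meta name="generator">
        self.wordpress_links = []   # href of every <a> pointing at wordpress.org

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attributes with no value become ""
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag == "a" and "wordpress.org" in a.get("href", "").lower():
            self.wordpress_links.append(a["href"])

def audit_html(html):
    """Return footprint findings for one rendered page."""
    scanner = _FootprintScanner()
    scanner.feed(html)
    findings = []
    if scanner.generator is not None:
        m = re.search(r"WordPress\s+([\d.]+)", scanner.generator)
        findings.append(f"meta generator tag leaks version {m.group(1) if m else 'unknown'}")
    findings += [f"credit link to {href} in page body" for href in scanner.wordpress_links]
    return findings

def audit_feed(feed_xml):
    """Return findings for an RSS feed: the <generator> element from point 3."""
    findings = []
    for gen in ET.fromstring(feed_xml).iter("generator"):
        m = re.search(r"v=([\d.]+)", gen.text or "")
        findings.append(f"RSS generator tag leaks version {m.group(1) if m else 'unknown'}")
    return findings

# Constructed sample output, not captured from any real site.
SAMPLE_HTML = """<html><head><meta name="generator" content="WordPress 2.7" /></head>
<body><div id="footer">Powered by <a href="http://wordpress.org/">WordPress</a></div></body></html>"""
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed blog</title>
<generator>http://wordpress.org/?v=2.7</generator></channel></rss>"""

if __name__ == "__main__":
    print("\n".join(audit_html(SAMPLE_HTML) + audit_feed(SAMPLE_FEED)))
```

A link to wordpress.org on your about page (which point 1 says is fine) will also be listed, so read the credit-link findings in context.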
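For points 4, 6, 8 and 10, an added example (not from the original post) that audits a WordPress root on disk: it compares the directory modes with the table in point 10, flags a leftover readme.html or licence.txt, editor backup files (*.php~, *.phps) and a wp-config.php that still contains DB_PASSWORD. The demo() function builds a constructed install in a temporary directory and removes it afterwards; run audit_wordpress_root() against a real root instead.

```python
import os
import shutil
import stat
import tempfile
# Directory modes from the table in point 10, relative to the WordPress root.
EXPECTED_DIR_MODES = {".": 0o755, "wp-admin": 0o755, "wp-content": 0o755, "wp-includes": 0o555}
LEAKY_ROOT_FILES = ("readme.html", "licence.txt")   # point 4 says to delete these
BACKUP_SUFFIXES = (".php~", ".phps")                 # point 6: editor backups served as text

def audit_wordpress_root(root):
    """Return a sorted list of findings for the install rooted at `root`."""
    findings = []
    for rel, want in EXPECTED_DIR_MODES.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            findings.append(f"missing directory {rel}/")
        elif (have := stat.S_IMODE(os.stat(path).st_mode)) != want:
            findings.append(f"{rel}/ has mode {have:o}, expected {want:o}")
    for name in LEAKY_ROOT_FILES:
        if os.path.exists(os.path.join(root, name)):
            findings.append(f"{name} still in root (reveals the version)")
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(BACKUP_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append(f"editor backup {rel} may be served as plain text")
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            if "DB_PASSWORD" in fh.read():
                findings.append("wp-config.php still holds the database credentials (point 8)")
    return sorted(findings)

def demo():  # constructed sample install in a temp dir, audited and then removed
    root = tempfile.mkdtemp()
    try:
        os.chmod(root, 0o755)
        for d in ("wp-admin", "wp-content", "wp-content/plugins", "wp-includes"):
            os.mkdir(os.path.join(root, d))
            os.chmod(os.path.join(root, d), 0o755)
        os.chmod(os.path.join(root, "wp-includes"), 0o777)   # deliberately too loose
        for rel, body in (("readme.html", "<h1>WordPress 2.7</h1>"),
                          ("wp-content/plugins/index.php~", "<?php // editor backup"),
                          ("wp-config.php", "<?php define('DB_PASSWORD', 'constructed');")):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_wordpress_root(root)
    finally:
        shutil.rmtree(root)
```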