
WordPress Security: Keeping your Blog Secure

4 October 2008

A friend of mine recently sent me a post about a recent WordPress attack on those who host their own blogs. Fortunately, my blog came up clean on the blog cache scanner link pointed out on one of the linking blog posts. But the post highlighted a need to identify methods that need to be implemented by blog owners to help them stay on top of potential threats.

I must say that it still amazes me how, in an environment such as the Internet that allows for so much productive creativity, there are still individuals who insist on putting huge effort into destroying the work of others. Just imagine what a better place the Internet might be if that same energy were put to a more productive use.

That said, let’s review some easy steps to keeping your blog secure.

WordPress modifications

Modify the META tag for the WordPress version
With each version of WordPress, hackers attempt to find a flaw in that version that will help them exploit the blog and possibly destroy its contents. Many hackers search blogs to determine which version number they are running. If a blog has not been updated to the latest version, they know exactly which attacks to throw at it to break in. A large number of WordPress themes include the WordPress META tag that shows the version of WordPress running on your blog, which makes it easy for an attacker to single your blog out. This tag is in the header.php file and displays your current version of WordPress.

<meta content="WordPress <?php bloginfo('version'); ?>" name="generator" />

or, if you have the latest version

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats -->

It is recommended that this line be completely removed.
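Removing the line from header.php is only useful if nothing else on the page still reveals the version, so it is worth checking the HTML your blog actually serves. The following is an added example, not code from the original post: it scans one HTML document for the generator META tag in either attribute order (both orders appear above) and, going a step beyond the post, also for the ?ver= query strings that WordPress appends to the scripts and stylesheets it enqueues, which carry the same version number. The sample page and its version value are constructed for the example.

```python
# Added example (not from the original post): find where a WordPress page
# reveals its version number, so you can confirm the generator tag is gone.
import re
from html.parser import HTMLParser


class VersionLeakFinder(HTMLParser):
    """Collects version disclosures from one HTML document.

    Two leaks are checked:
      * <meta name="generator" content="WordPress x.y"> in either attribute
        order (both orders appear in the post);
      * ?ver=x.y query strings on <script>/<link> assets, which WordPress
        appends to the files it enqueues and which also carry the version.
    """

    VER_RE = re.compile(r"[?&]ver=([0-9][0-9.]*)")

    def __init__(self):
        super().__init__()
        self.generator = None        # content of the generator meta tag
        self.asset_versions = set()  # distinct ?ver= values seen

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values may be None
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag in ("script", "link"):
            url = a.get("src") or a.get("href") or ""
            m = self.VER_RE.search(url)
            if m:
                self.asset_versions.add(m.group(1))


def find_version_leaks(html):
    """Return {'generator': str or None, 'asset_versions': sorted list}."""
    p = VersionLeakFinder()
    p.feed(html)
    p.close()
    return {"generator": p.generator,
            "asset_versions": sorted(p.asset_versions)}


# Constructed sample page: a theme header that still carries the generator
# tag plus one enqueued stylesheet with a version query string.
SAMPLE_HEAD = """<html><head>
<meta content="WordPress 2.6.2" name="generator" />
<link rel="stylesheet" href="/wp-includes/css/example.css?ver=2.6.2" />
<script src="/wp-includes/js/example.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    # To check a live blog, pass the body of an HTTP GET of the front page
    # instead of SAMPLE_HEAD.
    print(find_version_leaks(SAMPLE_HEAD))
```

Since WordPress 2.5 the generator tag is also printed from the wp_head hook, not only from the theme's header.php, so if the tag survives after editing the theme file, the call remove_action('wp_head', 'wp_generator') in the theme's functions.php removes that copy.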

Recommended plug-ins

Activate the Akismet plugin
Just as spam is a very large problem for email, spam comments are just as big an issue for blogs. This plugin comes packaged with most WordPress installs and should be activated immediately. Akismet checks your comments against the Akismet web service to see whether they look like spam and lets you review the spam it catches under your blog’s “Comments” admin screen.

WordPress Automatic Upgrade
Keeping your WordPress version up to date is critical to staying ahead of hacker attacks. The WordPress team has usually been very quick to fix a vulnerability once it has been identified. WordPress Automatic Upgrade lets a user automatically upgrade their WordPress installation to the latest version provided by WordPress.org, following the 5 steps given in the WordPress Upgrade instructions. This plugin will even back up your database tables prior to the upgrade and offers the option to download them to your local computer.

WP-DB-Backup
In the event that someone does break into your blog, it is comforting to know that you had the foresight to back up all of those valuable posts before they were destroyed. All of your WordPress database tables should be backed up on a regular basis. WP-DB-Backup lets you easily back up your core WordPress database tables manually or on a schedule. You may also back up other tables in the same database that are not related to the core WordPress install.

WP-DBManager
We really like this plugin, as it has many more features than any other database plugin we have seen. But that can also be a downside, because of the power some of those features have over your database. This plugin manages your WordPress database, letting you optimize, repair, back up and restore the database, delete backups, drop or empty tables, and run selected queries. It supports automatic scheduling of database backups and optimization.

WP Security Scan
Sometimes a vulnerability cannot be easily detected, as pointed out in the post referenced at the beginning of this article. So a tool you can turn to that will check the integrity of your blog is always a helpful item to have in your arsenal. This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. It examines the strength of your passwords, file permissions, database security, version hiding and WordPress admin protection.

AskApache Password Protect
Adding additional password protection to critical areas of your blog will certainly discourage hackers. This plugin doesn’t control WordPress or touch your database; instead it uses fast, tried-and-true built-in security features to add multiple layers of protection to your blog. It is specifically designed, and regularly updated, to stop automated and unskilled attackers’ attempts to exploit vulnerabilities on your blog and hack your site.

Login Lockdown
Sometimes, hackers will use a ‘brute force’ method of attacking a site by having an automated program continually try to log in to your administration panel. Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery.
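The rule described above, as an added example that is not the Login LockDown plugin’s own code: failed attempts are grouped by /24 IP range, counted inside a sliding time window, and a range that reaches the threshold is locked for a fixed period. The threshold, window and lockout length are assumed values, and the failed-login records it replays are constructed for the example, using documentation address ranges.

```python
# Added example (not the Login LockDown plugin's code): lock out an IP range
# after too many failed logins inside a time window, replayed over
# constructed failed-login records.
import ipaddress
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # failures allowed inside the window (assumed value)
WINDOW_SECONDS = 300    # length of the sliding window (assumed value)
LOCKOUT_SECONDS = 3600  # how long a range stays locked (assumed value)


def ip_range(ip):
    """Map a client IPv4 address to the /24 range it belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class LoginLockdown:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # range -> timestamps of failures
        self.locked_until = {}              # range -> unix time lock expires

    def is_locked(self, ip, now):
        """True while the range containing ip is under an active lock."""
        rng = ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]      # lock has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Record one failed attempt; return True if it locked the range."""
        rng = ip_range(ip)
        q = self.failures[rng]
        q.append(now)
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.locked_until[rng] = now + self.lockout
            q.clear()
            return True
        return False


# Constructed records in the shape "<unix_time> <client_ip> FAILED":
# five failures from one /24 within seconds, then one more from that range
# after the lock, then one from an unrelated range.
SAMPLE_LOG = """\
1223078400 198.51.100.10 FAILED
1223078401 198.51.100.10 FAILED
1223078402 198.51.100.11 FAILED
1223078403 198.51.100.12 FAILED
1223078404 198.51.100.10 FAILED
1223078405 198.51.100.10 FAILED
1223078406 203.0.113.5 FAILED
"""


def replay(log_text, detector=None):
    """Feed records to the detector; return (ranges locked, attempts refused
    because a lock was already active)."""
    detector = detector or LoginLockdown()
    locked, refused = [], 0
    for line in log_text.splitlines():
        ts, ip, _status = line.split()
        ts = int(ts)
        if detector.is_locked(ip, ts):
            refused += 1            # login disabled for this range
            continue
        if detector.record_failure(ip, ts):
            locked.append(ip_range(ip))
    return locked, refused


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

Grouping by range rather than exact address is what makes the lock cover an attacker rotating through a few neighbouring addresses; the price is that a legitimate user on the same /24 is locked out for the same period, which is why the window and threshold should be generous enough that an ordinary user who mistypes a password twice never trips them.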

WordPress Scanner
This is another security scanner that requires a plugin to be installed, but the results are then processed through an external site to determine any vulnerabilities. It is still a work in progress, and the developer has asked security professionals to help enhance its features. We have not yet tried this method and recommend proceeding with some caution if you are a beginner.

Recommended Server preparations

Control what is Indexed
One method is to block the wp- folders from being indexed by search engines by adding an entry to your robots.txt file. While this will not discourage all bots, it will prevent your critical files from being indexed by popular search engines. Add the following line to your robots.txt file:

Disallow: /wp-*

Do not allow Directories to be Browsed Publicly
To test this, go to the following web address (http://yourblogurl.com/wp-content/themes/), replacing ‘yourblogurl.com’ with the address of your blog. If a list of the theme directories you have installed is displayed, everyone can see it, and you need to make a small change to protect this directory.

Secure your directories by adding a blank index.html file to important directories such as:
/wp-admin
/wp-admin/includes
/wp-content
/wp-content/themes
/wp-content/plugins

Be careful with this one, though. In /wp-admin the default file is index.php, but depending upon your server configuration, your system may look for index.html before index.php. If so, adding an index.html file to the /wp-admin directory could result in a blank page when you access your admin area without a file name ( http://yourblogurl.com/wp-admin ). If that is the case, simply add the index.php file name to the end of the URL ( http://yourblogurl.com/wp-admin/index.php ) when you access your admin control panel.
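The test and the fix described above, as an added example that is not code from the original post. The first function recognises the page a web server returns when it lists a folder (Apache’s autoindex module titles it “Index of /…”, which is the pattern assumed here); the second creates an empty index.html in each of the folders listed above, but skips any folder that already has an index.php or index.html, so the /wp-admin blank-page problem just described cannot occur. If you do want an index.html in /wp-admin anyway, add it by hand after checking which file your server serves first.

```python
# Added example (not from the original post): detect an exposed folder
# listing, and add blank index.html files to the folders the post names.
import os
import re

# The folders the post recommends protecting, relative to the WordPress root.
PROTECTED_DIRS = [
    "wp-admin",
    "wp-admin/includes",
    "wp-content",
    "wp-content/themes",
    "wp-content/plugins",
]

# Apache's autoindex output is assumed here; other servers use similar titles.
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def looks_like_directory_listing(html):
    """True if the HTML looks like a server-generated folder listing."""
    return bool(LISTING_RE.search(html))


def check_url(url):
    """Fetch url and report whether it exposes a folder listing (uses the
    network; run it against your own blog, e.g. .../wp-content/themes/)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        return looks_like_directory_listing(resp.read().decode("utf-8", "replace"))


def add_blank_index_files(wp_root, dirs=PROTECTED_DIRS):
    """Create an empty index.html in each folder that has no index file yet.

    Returns (created, skipped): created lists the files written; skipped lists
    folders left alone because index.php or index.html already exists there
    (the /wp-admin case the post warns about) or the folder does not exist."""
    created, skipped = [], []
    for rel in dirs:
        folder = os.path.join(wp_root, rel)
        if not os.path.isdir(folder):
            skipped.append(rel)
            continue
        has_index = any(os.path.exists(os.path.join(folder, name))
                        for name in ("index.php", "index.html"))
        if has_index:
            skipped.append(rel)
            continue
        target = os.path.join(folder, "index.html")
        open(target, "w").close()   # zero-byte file: nothing to list, nothing to run
        created.append(target)
    return created, skipped


if __name__ == "__main__":
    # Constructed listing page, as Apache would render it for an open folder.
    sample = "<html><head><title>Index of /wp-content/themes</title></head></html>"
    print("exposed listing:", looks_like_directory_listing(sample))
    # To apply the fix, pass the path of your WordPress installation:
    # print(add_blank_index_files("/path/to/wordpress"))
```

A blank index file hides the listing but does not stop anyone who already knows a file’s name from requesting it directly, so this is a measure against casual discovery, not an access control.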

Limit access to the WP-ADMIN folder
This solution restricts access to the folder to specific IP addresses using a .htaccess file. I recommend it only for more advanced users, and it should only be used if you know for a fact that you have a static IP address. Otherwise, you risk locking yourself out of your own WP-ADMIN folder. Most users will probably have a dynamic IP address that changes frequently, so this modification may not be suitable for them.
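An added example, not from the original post, of the restriction described above together with the safeguard it calls for: the script renders the .htaccess directives for /wp-admin from an allowlist of addresses or CIDR ranges, and refuses to produce them unless the address you are currently connecting from is covered, so you cannot lock yourself out. The directive syntax is the Apache 2.2 form (Order, Deny, Allow) that was current when the post was written; the addresses are constructed documentation values.

```python
# Added example (not from the original post): render an allowlist .htaccess
# for /wp-admin, refusing to do so if it would lock out the current client.
import ipaddress


def is_allowed(client_ip, allowlist):
    """True if client_ip falls inside one of the allowlist entries
    (single addresses or CIDR ranges)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in allowlist)


def render_htaccess(allowlist):
    """Apache 2.2 directives: deny everyone, then allow each listed entry."""
    lines = ["# Restrict wp-admin to known addresses",
             "Order deny,allow",
             "Deny from all"]
    for entry in allowlist:
        net = ipaddress.ip_network(entry, strict=False)
        # "Allow from" accepts a bare address or an address/prefix range
        value = (str(net.network_address) if net.num_addresses == 1
                 else net.with_prefixlen)
        lines.append(f"Allow from {value}")
    return "\n".join(lines) + "\n"


def build_wp_admin_htaccess(allowlist, current_ip):
    """Return (ok, text). ok is False, and text explains why, if the rules
    would lock out current_ip, the address you are administering from."""
    if not is_allowed(current_ip, allowlist):
        return False, f"{current_ip} is not covered by the allowlist; not writing rules"
    return True, render_htaccess(allowlist)


# Constructed allowlist: one static home address and one office range.
ALLOWLIST = ["203.0.113.7", "198.51.100.0/24"]

if __name__ == "__main__":
    # Replace the second argument with the public address you connect from.
    ok, text = build_wp_admin_htaccess(ALLOWLIST, "203.0.113.7")
    print(text if ok else "refused: " + text)
```

Write the output to /wp-admin/.htaccess only after the guard passes, and keep a second way in (FTP or a shell) to remove the file in case your address changes. On Apache 2.4 the same restriction is written as Require ip followed by the addresses; the Order/Deny/Allow form above still works there only when mod_access_compat is loaded.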

Recommended Web Sites

WordPress Security Whitepaper
The BlogSecurity website publishes a WordPress Security Whitepaper online and keeps it fairly up to date. Another update is due soon, but the methods described are sound and helpful. The comments are a helpful guide as well.

WordPress Blog
The developers’ blog at WordPress is fairly quick to announce and address potential threats to their platform. Subscribing to it is a good way to make sure you stay up to date on the latest developments.

References

Noupe Blog - Security Tips and Tricks
Has your Website been Hacked
WordPress users - Watch Out!
WordPress Tip - Remove the Version code


10 Comments

  • pressitfor.me said:

    WordPress Security Keeping your blog Secure…

    With the recent, and ongoing, attack on so many blogs, this useful post identifies some good methods for securing your blog….

  • Martin Malden said:

    Dude,

    This is excellent! A great source of practical, easily implementable security processes that will, at least, keep out the hacker bots!

    The hackers are only going to get more sophisticated, I’m afraid. As good as it would be if everyone focused their efforts more productively, that lazy, layabout element will always be there!

    Cheers,

    Martin.

  • The Adsense Idiot » Blog Archive » Hacked and starting from scratch said:

    [...] things which hopefully will keep the hackers out this time, most of which I learnt about by reading this post on WordPress security. I recommend you have a read if you haven’t already taken steps to make your own WordPress [...]

  • Security on Wordpress Blogs | Creating an Awesome Home Business said:

    [...] Wordpress Security - Keeping your Blog Secure [...]

  • Denis said:

    Great post!

    There are too many careless site owners and compromised WordPress blogs out there. Just try to google for “powered by WordPress” “powered viagra wordpress” (word specific to hidden spam injected into wordpress blogs) and you’ll see thousands of infected wordpress webpages.

    I hope articles like this one (and latest WordPress security improvements) will make WordPress blogs less likely targets for hacker attacks.

    P.S. You’ve mentioned that you used CacheChecker service to scan your blog. This service can easily reveal hidden links cached by Google.

    I guess, you might be interested in taking a look at my similar (but more sophisticated) service called Unmask Parasites. The major differences are:

    1. It works in real time (not with Google cache, which may be several days old)
    2. In addition to invisible links, it reveals hidden iframes, scripts and redirects.
    3. The hidden links are highlighted and accompanied with anchor text, so that you can easily distinguish legitimate links from illicit ones.

  • admin said:

    Thanks Denis,
    Very useful too. I gave the scanner a shot and it works very quickly. Thanks for the link.
    E.

  • Big League Players Club said:

    This blog is very informative, I am really pleased to post my comment on this blog. It helped me with an ocean of knowledge so I really believe you will do much better in the future. Good job web master.

  • Rikky said:

    Now this some great info!!! Thanks a lot!

  • Hacker4lease said:

    I hope articles like this one (and latest WordPress security improvements) will make WordPress blogs less likely targets for hacker attacks. We want you to come up with more information like this.

    Hacker4lease-IT Security Service

  • Secure Wordpress Login said:

    You can use wordpress stealth login like this tutorial http://xtremenitro.org/2008/12/29/stealth-login-secure-your-wordpress-login.html (The link is for a site in Indonesian)
