Protect Your WordPress Blog from Hackers
Posted by: Jeff in Security, tags: wordpress hacking, wordpress securityIt’s no secret that there’s a constant threat from the loser hacker types for anyone that has a presence online. As security increases, the cyber-thugs try to improve their methods to make sure they can remain a nuisance.
On WordPress sites, the most common threat is the hacker editing your theme files and inserting their spam links.
Know If You’ve Been Hacked
Unless you specifically look at the code of your site, you may not even know that you’ve been hit. If you look at the HTML of the header and footer, and see any links that look suspicious, there’s a good chance that a hacker has been there. Many times they’ll insert links related to pharmacy/drug sites, credit card offers, insurance or refinancing/loan offers.
Looking at the Links
I use the FireFox browser, and it’s quickly becoming the browser of choice for many users. If you use FF, you can look at the links that are currently active by clicking ‘Tools’, ‘Page Info’, and finally ‘Links’.
You’ll then see the current outgoing links links listed. You should also take a look at all theme files and WordPress core files. Look for anything that appears suspicious. If you know absolutely nothing about code, you can compare it to another site, possibly a fresh WordPress installation, and see if there appears to be anything out of the ordinary.
Fixing the Problems
‘An ounce of prevention’ definitely applies here. Keeping your WordPress installation, including the theme and all plugins updated is the first step in maintaining the safest site possible. The ‘automatic updates’ feature of version 2.5 of WordPress is a Godsend. One click and your plugins are updated to the latest and greatest.
You can also secure the site further by disabling the navigation of directories on the entire site. This will prevent users from seeing what plugins that you have installed, and keep prying eyes away from other sensitive data. This can be done by adding the following to your .htaccess file (located in the root directory). This is a simple text file that was probably created when WordPress was installed (if not present).
OPTIONS -INDEXES
Also, you can secure the ‘WP-Admin’ folder by allowing access by only certain IP addresses (yours).
Insert the following, again, into your .htaccess file :
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
</LIMIT>
Lastly, some people will delete the ‘theme-editor.php’ file from the ‘WP-Admin’ folder, if they can’t limit access to the ‘WP-Admin’ folder to only certain IP Addresses. It should also mentioned that, as with any secure site, you should periodically change your password…and DON’T USE ANY COMMON WORDS OR PHRASES THAT CAN BE GUESSED!!
Entries (RSS)
Powered by FireStats