Yesterday, in my article about keeping your blog alive when your writing skydives, I mentioned cleaning your blog of link leakages. I also mentioned that I had found hidden links to pharmacy and viagra websites, inserted invisibly just before the “</body>” tag.
How those links got into my blog, I don’t know for sure. But Andrew Rickmann suggested that I google for “wordpress security scanner” to find what might have caused it and how to prevent it from happening in the future.
As a result, here are the pre-emptive steps I took to harden my WordPress installation. You might want to check whether there is anything you also need to do before a similar or worse infiltration happens to your blog.
- I changed my password – Password cracking is one of the methods used to hijack blogs. If they get through, the worst case is that they replace your password with theirs so you no longer have control of your blog. Then the only option left is reinstalling your blog, and hopefully you have a backup of your blog’s database. Here’s a good suggestion from WordPress on what your password shouldn’t be. As a result, my password is now three times stronger (not longer) and more varied.
do not use your own name for your password, do not use a dictionary word (from any language) for your password, do not use a 4 character string of numbers as your password. Your goal with your password is to make the search space as large as possible, so using numbers and varying capitalization all make it more difficult, statistically, to brute force a password.
- In case someone uses brute force to break in, I already had the login lock down WordPress plugin installed, which locks down the login function for a period of time when there are a certain number of failed login attempts within a range of time. The plugin also records the IP address and timestamp of every failed WordPress login attempt.
- I upgraded my plugins – As with the WordPress installation itself, plugins need to be updated over time to reduce security risks. Some of them need write access to WordPress files and directories, which can be exploited as a security hole. When a plugin upgrade is available, install it immediately, and delete the plugins you don’t use.
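The lockdown rule described above, replayed over the kind of records the plugin keeps, as an added example that is not the plugin's own code; the thresholds (5 failures within 5 minutes, 1 hour lockout) and the failed-login records are assumptions constructed for the demo:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the real plugin's defaults may differ.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(hours=1)

# Constructed sample of what the plugin records: (ip, timestamp of a failed login).
FAILED_LOGINS = [
    ("203.0.113.7", "2008-03-10 09:00:01"),
    ("203.0.113.7", "2008-03-10 09:00:03"),
    ("198.51.100.2", "2008-03-10 09:00:10"),
    ("203.0.113.7", "2008-03-10 09:00:12"),
    ("203.0.113.7", "2008-03-10 09:00:15"),
    ("203.0.113.7", "2008-03-10 09:00:20"),  # fifth failure inside 5 min -> lockout
    ("203.0.113.7", "2008-03-10 09:30:00"),  # arrives while locked out: ignored
    ("198.51.100.2", "2008-03-10 09:45:00"),  # its earlier failure has aged out
    ("203.0.113.7", "2008-03-10 10:30:00"),  # lockout expired: counting starts afresh
]


def lockouts(records, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay failed-login records and return {ip: [time each lockout began]}.

    Every IP keeps a sliding window of its recent failure times. When the
    window holds max_failures entries the IP is locked until now + lockout;
    attempts during that period are rejected without being counted.
    """
    recent = defaultdict(deque)
    locked_until = {}
    triggered = defaultdict(list)
    for ip, stamp in records:
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if now < locked_until.get(ip, now):
            continue  # still locked out
        window_q = recent[ip]
        window_q.append(now)
        while now - window_q[0] > window:
            window_q.popleft()  # forget failures older than the window
        if len(window_q) >= max_failures:
            locked_until[ip] = now + lockout
            triggered[ip].append(now)
            window_q.clear()
    return dict(triggered)


if __name__ == "__main__":
    for ip, times in lockouts(FAILED_LOGINS).items():
        print(ip, "locked out at", ", ".join(t.isoformat() for t in times))
```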
- I restrict access to my wp-admin directory – I did this by adding a .htaccess file inside my wp-admin directory and made the directory accessible only from a certain IP address. Here’s the code I used:
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
# Replace xxx.xxx.xxx.xxx with your static IP. Apache only accepts comments on their own line, never after a directive.
- As well as the wp-admin directory, access to my wp-config.php has also been blocked. Since wp-config.php lives in the WordPress root directory, the rule goes in the .htaccess file there and is scoped to that one file:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
- Every time WordPress releases a new version, they list the security holes found in the previous version. Crackers can take advantage of that information to break into outdated WordPress blogs. There are two ways to prevent this: upgrade your WordPress blog ASAP, or hide your current WordPress version (or do both). The WordPress version is usually displayed in blog footers, so you may want to replace it with just “Powered by WordPress”. The version can also be seen by viewing a page’s source code; it comes from what’s coded in header.php, usually marked with the remark “<!-- leave this for stats -->”. To disguise your WordPress version, simply install and activate the Replace WP-Version plugin. It replaces your WordPress version with a random number in case someone tries to view your page’s source.
- Try typing http://www.homebiz.bukiki.com/wp-content/plugins/ . Without a blank index.html file inside my plugins directory, anybody could easily see which plugins I use. The same thing can happen to your blog! Check whether each directory displays its contents when someone types its URL, and if it does, add a blank index.html file inside the directory. DO NOT add an index.php file. Why? See the comment below. It doesn’t have to be blank, though; you can write anything you want, like “Beware of dogs!” Don’t forget to put one inside your themes directory too.
- If you think you need more solid protection against unauthorized access, you can install the wp-scanner plugin to get a list of the security risks on your blog.
The breach probably happened because I treated security as less important than content, design and SEO. While they might be the King, Queen and Queen Mother, I mustn’t forget that there’s also the Gurkha.
There you are. Let me know if there are any problems after performing these steps (I hope there aren’t).
Hopefully you won’t have to go through what I did (twice!). Or if you did, maybe you have something to share.
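The directory check from the step above, as an added example that is not part of the original post: it walks a content tree, reports every directory with no index file, and drops a blank-ish index.html (never index.php) into each. The wp-content layout and the plugin that already has an index.php are constructed for the demo.

```python
import os
import tempfile

# Either file stops Apache from listing a directory; the post recommends adding
# only index.html, never index.php, so that is all this guard ever creates.
INDEX_FILES = ("index.html", "index.php")


def unguarded_dirs(root):
    """Return the directories under root (root itself included, as '.') that
    have no index file and would show a listing if directory indexes are on."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # walk in a deterministic order
        if not any(name in filenames for name in INDEX_FILES):
            exposed.append(os.path.relpath(dirpath, root))
    return exposed


def add_index_guards(root, text="Beware of dogs!\n"):
    """Drop an index.html into every unguarded directory; return what was created."""
    created = []
    for rel in unguarded_dirs(root):
        with open(os.path.join(root, rel, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(text)
        created.append(rel)
    return created


def demo():
    """Build a constructed wp-content layout in a temp dir and return
    (exposed before, exposed after) so the effect can be checked."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    for sub in ("plugins/akismet", "plugins/login-lockdown",
                "themes/default", "uploads/2008/03"):
        os.makedirs(os.path.join(root, sub))
    # Constructed: pretend this one plugin already ships its own index.php.
    open(os.path.join(root, "plugins", "akismet", "index.php"), "w").close()
    before = unguarded_dirs(root)
    add_index_guards(root)
    return before, unguarded_dirs(root)


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before)
    print("exposed after:", after)
```

Run it against a real install as `unguarded_dirs("/path/to/wp-content")` first and only call `add_index_guards` once the list looks right.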
Other sources for securing your WordPress blog:
- Hardening WordPress
- Is your WordPress blog hacked? Why not upgrade to the latest version?
- How To Secure Your WordPress Blog
- WordPress exploit: we been hit by hidden spam link injection