As old readers know, my blog has been hacked several times. You can read about my first hack and what to do when your blog has a virus, but now it's time to prevent hackers from injecting malware into your WordPress blog.
Follow these 10 simple steps. They aren't ordered in any way; it's just a list I am writing to help you make your blog more secure.
1) Don't display your WP version: hackers know the security holes and exploits of every WP release, and attack scripts use the advertised version to pick the right exploit. Unfortunately, in your header.php file you probably have this line:
Remove this tag, or simply remove the PHP function that prints the WP version (hiding it only slows scanners down; the release is still recoverable from readme.html and from the ?ver= parameter on core scripts, so it is no substitute for step 8). Your new generator tag should look something like
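The same result without editing the theme, as an added example (this is not code from the original post). In current themes the generator tag is not written by hand in header.php; wp_head() prints it through the wp_generator callback, so the cleaner fix is to unhook that callback and also cover the two other places WordPress advertises its version: the feed generator element and the ?ver= query string on core assets. Assumed: the snippet is placed in the active theme's functions.php or as a file under wp-content/mu-plugins/; the function name example_strip_core_version is mine.

```php
<?php
/**
 * Added example: hide the WordPress version without touching header.php.
 * Assumed location: the active theme's functions.php, or a file in
 * wp-content/mu-plugins/ (must-use plugins load on every request).
 */

// 1. <meta name="generator" ...> in the HTML head: unhook the callback
//    that wp_head() uses to print it.
remove_action( 'wp_head', 'wp_generator' );

// 2. <generator> elements in RSS/Atom feeds (and anything else that calls
//    the_generator()): return an empty string instead of the version.
add_filter( 'the_generator', '__return_empty_string' );

// 3. ?ver=<wp version> appended to core scripts and styles, e.g.
//    /wp-includes/js/jquery/jquery.js?ver=6.4.2. Only a ?ver= that equals
//    the WordPress version is stripped, so plugin and theme assets keep
//    their own cache-busting parameter.
function example_strip_core_version( $src ) {
    $query = (string) parse_url( $src, PHP_URL_QUERY );
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );
```

After adding this, fetch the front page and a feed URL with curl and grep for "generator" and "ver=" to confirm nothing is left. Remember that readme.html in the web root still names the release unless you delete it, and that a scanner can still fingerprint the version from file checksums, so treat this as noise reduction rather than protection.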
2) Protect your /wp-content/plugins/ directory by putting a blank index.html file in it. In the latest WP versions there is an empty index.php file that does the same job. This way nobody can list the plugins you installed and check for exploitable ones. Note that this only stops directory listings: a scanner can still request well-known plugin paths directly (for example a plugin's readme.txt) to see whether it exists, so it is no reason to keep a vulnerable plugin installed.
3) Use a secure password; it shouldn't be your girlfriend's name or your daughter's name. A good password has at least 8 characters (longer is better) and mixes uppercase, lowercase and digits.
4) Change your login name to something other than "admin". Most WP installations still use the default admin login to get into the administrator area. If your blog is under a brute force attack, you make the hackers' life a bit harder if they have to guess both the password and the login name. Don't count on the new name staying secret, though: WordPress usually reveals it through author archive URLs (a request for /?author=1 redirects to the first user's author page), so treat this step as raising the cost of an attack, not as hiding the account.
5) Install the Login LockDown plugin. Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
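To show what the plugin is actually doing, here is a minimal WordPress plugin that implements the behaviour described above: 3 failed logins from one IP range inside 5 minutes lock that range out for 1 hour. This is an added example and not Login LockDown's own code. Assumptions: the file is saved as wp-content/plugins/example-login-lockout.php and activated; the "range" is the /24 of the client's IPv4 address; WordPress sees the real client address in REMOTE_ADDR (no reverse proxy or CDN in front of it); all function and constant names prefixed example_ are mine.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 *
 * Added example, not the Login LockDown plugin's code. Locks an IPv4 /24
 * out of login for 1 hour after 3 failed attempts within 5 minutes, using
 * WordPress transients for state. Assumes REMOTE_ADDR is the real client.
 */

define( 'EXAMPLE_LOCKOUT_MAX_FAILURES', 3 );
define( 'EXAMPLE_LOCKOUT_WINDOW', 5 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LOCKOUT_DURATION', HOUR_IN_SECONDS );

/** Client address as PHP sees it. Behind a proxy this is the proxy's address. */
function example_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Collapse an IPv4 address to its /24 so the whole block is locked, not one host. */
function example_lockout_range( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets = explode( '.', $ip );
        return $octets[0] . '.' . $octets[1] . '.' . $octets[2] . '.0/24';
    }
    return $ip; // IPv6 or unparseable: treat the single address as the range
}

/** Transient key for the current client's range; $kind is 'fail' or 'locked'. */
function example_lockout_key( $kind ) {
    return 'example_lockout_' . $kind . '_' . md5( example_lockout_range( example_lockout_client_ip() ) );
}

function example_lockout_is_locked() {
    return (bool) get_transient( example_lockout_key( 'locked' ) );
}

/** Fires on every failed login: count failures in the window, lock at the threshold. */
function example_lockout_record_failure( $username ) {
    if ( example_lockout_is_locked() ) {
        return; // already locked: further attempts must not extend the lock
    }
    $now      = time();
    $key      = example_lockout_key( 'fail' );
    $attempts = get_transient( $key );
    $attempts = is_array( $attempts ) ? $attempts : array();

    // Sliding window: drop failures older than the window, then add this one.
    $attempts = array_filter( $attempts, function ( $t ) use ( $now ) {
        return ( $now - $t ) < EXAMPLE_LOCKOUT_WINDOW;
    } );
    $attempts[] = $now;

    if ( count( $attempts ) >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        set_transient( example_lockout_key( 'locked' ), $now, EXAMPLE_LOCKOUT_DURATION );
        delete_transient( $key );
        error_log( sprintf(
            'example-login-lockout: locked %s for %d seconds after %d failed logins (last username "%s")',
            example_lockout_range( example_lockout_client_ip() ),
            EXAMPLE_LOCKOUT_DURATION, count( $attempts ), $username
        ) );
        return;
    }
    set_transient( $key, array_values( $attempts ), EXAMPLE_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

/** Runs after core has checked the password: a locked range gets an error whatever it sends. */
function example_lockout_authenticate( $user, $username, $password ) {
    if ( example_lockout_is_locked() ) {
        return new WP_Error(
            'example_locked_out',
            'Too many failed login attempts from your network. Try again in an hour.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_authenticate', 30, 3 );
```

Because the check hangs off the authenticate filter, it also covers password guessing through xmlrpc.php, which uses the same code path as wp-login.php. The point to watch is the client address: if the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy and the third failed login from anywhere locks everyone out, so in that setup you must take the address from the forwarded header that your proxy (and only your proxy) sets. Releasing a range by hand is just deleting its 'locked' transient.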
6) Choose a good hosting company or keep your web server updated. You can secure your WP blog in a million ways, but if your server has security issues, you’re doomed anyway.
7) Secure your /wp-admin/ directory. Create a file called .htaccess in that directory and put this in it:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# allowed IP's
allow from xxx.xxx.xxx.xxx
allow from yyy.yyy.yyy.yyy
...
...
allow from zzz.zzz.zzz.zzz
Replace xxx, yyy and zzz with the IPs you currently log in from. Two things to check before relying on this: the Auth* lines do nothing on their own (no Require directive means no password prompt), so the protection here is purely the IP allow list, and that list only works if your addresses are static; and wp-admin/admin-ajax.php is called by themes and plugins from public pages, so blocking the whole directory can break features for anonymous visitors unless you exempt that file. The order/deny/allow directives are the Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native form is a Require directive.
8) Keep your WP version updated (but not too eagerly). Old WP versions may have security bugs that will never be fixed, but installing a brand-new release can expose you to unknown bugs during its first days. If it's not a critical security update, my advice is to wait at least a couple of days before installing the new version.
9) Get rid of bad bots by adding these lines to your main .htaccess file (the one in your WP root):
SetEnvIfNoCase User-Agent "^Libwww-perl" bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
If you look in your server logs you will probably see attempts by automated scripts (bots) to hack your site. This happens to all sites, and the Libwww-perl agent is recognized as one of the worst of them. Check this Google search for more information. Keep in mind that the User-Agent string is whatever the client chooses to send, so this only filters lazy scanners that don't bother to change it; anything targeted will simply claim to be a browser. As in step 7, Order/Allow/Deny is Apache 2.2 syntax.
10) When you are about to install a plugin, Google for it to make sure nobody is reporting security issues, and check when it was last updated: a plugin nobody has touched in years will not get a fix when a bug is found.
… and death to pirates…