WordPress Security And A Plugin To Help You


There’s a lot of attention lately for WordPress security issues. Blogs get hacked quite often and on forums I see a lot of desperate cries for help. I know how it feels. This blog got hacked once and it’s a real pain in the butt.

Before I go into some WordPress security issues, let me emphasize I’m NOT an expert on this issue. Far from it. If you really want an expert to help you out with security issues, get in touch with my friend Tom Brownsword. He’s a certified security expert!

Again, I’m certainly not, but I certainly took some measures for my WordPress security. Let me share them with you.

One of the first things you absolutely MUST do is change your password to something nobody can guess: a random set of at least 10 characters, some of them capitals, including at least one special character like !, ? or @.

The downside is that these passwords are hard to remember and you shouldn’t store them electronically. So, what I do is think of the name of a distant relative consisting of at least 10 characters. Then I change one of the letters into a digit and another one into a special character. The funny thing is that, after I’m done, I can still recognize the name, but it now makes a great password.

The second security measure you should take is to place an index file in every directory that doesn’t have one. I usually redirect them to the home page of my blog, but you can also redirect to a sales page or whatever.
Since WordPress uses PHP, I always use index.php, and the content is really simple:

<?php
// Send anyone who requests this directory to the blog's home page, then stop.
header('Location: http://www.affordable-internet-marketing.com/');
exit;
?>

You can also use JavaScript to redirect:

<script type="text/javascript">
// Client-side redirect: replace the current page with the blog's home page.
window.location.replace("http://www.affordable-internet-marketing.com/");
</script>

Or, if you’re familiar with the concept, you can use a .htaccess file to accomplish the same. Some control panels provide this option.

(Image: WordPress security scan results)

Your next WordPress security measure would be to make sure the permissions settings of your files and directories are all right.

This is a bit of a technical matter, but basically you can set the rights to read (r), write (w) and execute (x) a file for yourself as the owner, for the group the file belongs to, and for all other users.

Permission to read a file has a value of 4, write has a value of 2 and execute has a value of 1. The values add up, so 7 means permission to read, write and execute, and 6 means read and write only.
Since permissions have to be specified for all three groups, a permission setting always consists of 3 digits. 644 means that you, the owner, can read and write, while everyone else can only read. This is a safe permission setting. 777 would mean that everyone can read, write and execute the file. That’s a highly dangerous setting, because it lets others manipulate your files.

Sometimes, for instance when you install a script, you’ll be asked to set permissions to 777 so that the install program can create and write files. Remember to always, always set permissions back to 644 when you’re done installing. Also delete the install script afterwards.

You can set permissions using the CHMOD command. It’s available in the better FTP programs that allow you to upload files to your server. Almost all Control Panels also include a way to set permissions. Use these resources to check all your file permissions. The third digit should almost always be a 4!

Another WordPress security measure is to limit access to your admin area. You can do that with a .htaccess file in the admin directory: it should deny everyone and then allow only your own IP address.
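The permission and admin-restriction measures above, as an added shell example that is not part of the original post. It assumes a POSIX find/chmod, three-digit modes as used in the post, and the Apache 2.2 style Order/Deny/Allow syntax; directories get 755 rather than 644 because a directory needs execute permission to be entered.

```shell
#!/bin/sh
# Added example (not from the original post). Decodes the 4/2/1 digits
# explained above, finds files the post calls dangerous (world-writable),
# resets the safe defaults, and writes the admin-area .htaccess.

# Turn one octal digit (4=read, 2=write, 1=execute) into r/w/x words.
describe_digit() {
  d=$1; out=""
  [ $((d & 4)) -ne 0 ] && out="${out}read,"
  [ $((d & 2)) -ne 0 ] && out="${out}write,"
  [ $((d & 1)) -ne 0 ] && out="${out}execute,"
  if [ -n "$out" ]; then printf '%s' "${out%,}"; else printf 'none'; fi
}

# describe_mode 644 -> "owner:read,write group:read others:read"
# (expects a three-digit mode such as 644 or 777, as in the post)
describe_mode() {
  m=$1
  printf 'owner:%s group:%s others:%s' \
    "$(describe_digit "${m%??}")" \
    "$(describe_digit "$(printf '%s' "$m" | cut -c2)")" \
    "$(describe_digit "${m#??}")"
}

# List every file or directory whose "others" digit grants write (the 777 case).
find_world_writable() {
  find "$1" -perm -o=w
}

# Reset to the safe defaults: 644 for files, 755 for directories.
harden_permissions() {
  find "$1" -type f -exec chmod 644 {} +
  find "$1" -type d -exec chmod 755 {} +
}

# Restrict an admin directory (e.g. wp-admin) to one IP address:
# deny everyone first, then allow only the given address.
# Assumes the server honours .htaccess (AllowOverride Limit) for that directory.
write_admin_htaccess() {
  dir=$1; ip=$2
  printf 'Order deny,allow\nDeny from all\nAllow from %s\n' "$ip" > "$dir/.htaccess"
}
```

Run `find_world_writable /path/to/blog` first to see what the scan would flag, then `harden_permissions` on the same path; the 203.0.113.x range used in the test is a documentation address, so replace it with your own IP.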

There’s a WordPress Security plugin that can help you detect vulnerabilities in your WordPress blog. I just installed it and found 1 minor error in my permission settings as you can see in the image above.
So it’s been useful for me already. Consider installing it.

Don’t forget to always upgrade to the latest WordPress version. I think automatic upgrading is included in WordPress version 2.7, so you may need this plugin only once more.

Finally, check out this great article by Aaron Wall: New WordPress Hacking Strategy.

Any other useful WordPress security suggestions?
Put them in the comment section below.


“WordPress Security And A Plugin To Help You” has 24 responses

  1. Web Talk says:

    There has been a lot of fuss around WordPress. Somebody says that it is very insecure and the proof is that a lot of wp blogs get hacked, while others say that the high number of hacked blogs just means that there are a lot of wp blogs. The truth is always in the middle. You just have to be careful and always backup your blog!

  2. Firstwebsearch says:

    I would add that you should make sure your WordPress blog is updated to the latest version. I use a plugin called Automatic Update. This plugin not only updates your blog to the latest version without the need to ftp files but it also backs up your database and allows you to download the backed up files.

  3. cindy says:

    There is a new WordPress plugin out called Phone Factor being billed as a security solution for WordPress, and it has been emailed to me at least four or five times in the past few days.
    ————————-
    Cindy

    http://www.legalx.net

  4. Augel says:

    I can definitely relate to this. I had a wordpress blog which got hacked and it was a total goner. I learned my lesson the hard way.

    I now routinely backup my blog using a plugin, although I haven’t gotten to updating to the latest wordpress version. I’ll try what Firstwebsearch had suggested and use the Automatic Update plugin.

    http://www.agentsofvalue.com

  5. Web Talk says:

    @Firstwebsearch: keep in mind that your automatic plugin is gonna be discontinued. I used it too. Anyway with the next release wp 2.7 is gonna have its own automatic update plugin.

  6. Hello Case,

    Appreciate the link!

    Great post; LOTS of good advice in it. And it’s always great when a business and marketing pro (like you) uses your position of influence to call attention to security.

    Insofar as setting permissions go: You can usually do this with your FTP software. Just select the file(s) you want to set the permissions on and right-click; there should be a “Permissions” setting (or something similar) that will allow you to set the permissions.

    NEVER set them to “777”. If you do, you might as well post your user name and password on your blog!

    Regarding the Phone Factor plugin; if you want to use it, make sure that it mitigates an actual risk. Don’t just install it because it’s “security”.

    Lots of unanswered questions:

    * Who does the calling?
    * Who pays for the call?
    * How fast do they call back (if it’s slow and you need to work on your blog NOW, you’re wasting time)?
    * What else are they going to do with your phone number?
    * What happens if you want to work on your blog while traveling?

    I think the .htaccess hack would accomplish the same thing, yet leave you in complete control.

    HTH,
    Tom Brownsword, CISSP®, Security+, ITIL V3 Foundations

  7. I was just curious as to whether you have ever been hacked. How do the hackers do it? Do they have random password generators or is there a backdoor somehow? I just wish I had a better handle on some of the security issues.

  8. Thanks for the informative update. I’ve been contemplating moving to WordPress from Blogspot. Guess this makes a strong case for constantly backing up blogs no matter where they are hosted!

  9. Case Stevens says:

    @Steve
    Brute Force!
    Hackers use software to run all kind of character combination until it finally finds the password. So you better make sure to use a strong password combination.
    BTW, they do the same with email addresses.

  10. Case Stevens says:

    Hi Tom,
    Thanks for chiming in and answering some questions. Always great to have the Master explain the topic himself. :-)

  11. Thank you for this great post. Would you please do just a little more explaining? When talking about permissions, you said that write has a value of 2. When you say write, are you talking about the ability to leave comments? I was told to set all my permissions to all sixes, but I wondered if that was really safe. You advised us to set the third number as a 4. Does that allow your visitors to comment on your blog?

    Thank you for your patience and assistance.

    Kelli Workman

  12. Case Stevens says:

    @Kelli
    Maybe I wasn’t as clear as I should be, so I’ll try again.

    WordPress allows you to set commenting or not plus some options (e.g. logging in).
    For everyone who accesses your blog, you’ll want them to pass the options you’ve set in the Admin area. And you want to block ANY access to your files directly.

    But…

    …if the last digit of your file permissions on your server is a 7, then anyone can access that FILE directly, without going through your blog, thus bypassing all your Admin settings.

    In other words, using FTP anyone can access the files and data that you used in your Admin area and overwrite or delete them, rather than using http to access your blog.

    That makes you very vulnerable, or, as Tom says, “you might as well post your user name and password on your blog!”.

    So, permission settings is NOT about who can comment in your blog.
    Hope this is a better explanation.
    Case

  13. Busby SEO Test says:

    Well said! My blog was hacked 2 days ago by Turks for reasons I know not. I never knew them nor got in touch with them, yet all of a sudden, when I was trying to access my blog, the screen had changed into a dark background with the words This blog belongs to cyber hack… really a pain in the ***

  14. Thank you for clearing that up for me. Your original explanation was clear, but I had it stuck in my head that the permissions influenced the comments. Now I understand. This has been a very helpful article.

    Thanks.

    Kelli Workman

    Thanks for the tips. I downloaded the WordPress security plugin and ran it, and it seems that everything is ok. I take a backup every week of all my blog files and store them on a USB hard drive, just to be safe.

    -Thanks,
    Tom Lindstrom

  16. Jody Palmer Model says:

    Hi,

    Thanks for the post, it’s very helpful. I am a wordpress user and my previous blog was hacked, but before it was hacked wordpress banned my blog. I contacted them about banning my blog and they said that I was trying to create multiple blogs; then I explained and told them that I only have 1 blog. They made my blog live again and after 1 week I could not access my account but the blog was still there, so I decided to create a new one and change all my passwords.
    http://jodypalmermodel.wordpress.com

  17. Donna With Genewize says:

    WOW, this is an incredible find (this post). All great stuff here. I’m going to have to spend some time on this blog, because I have 3 WordPress blogs now and I am not doing ANY of these security measures!

    it’s late, and I need to get to sleep, but I am wondering about the upgrading… I need to upgrade to 2.6.3, I have version 2.6. Is that worth it? Or wait for 7?

    Also, Does the Automatic Upgrade plugin take a backup first?

    Thanks everyone! I’ll be back…
    http://ZerolimitsGeneReview.com

  18. Ann Jade says:

    I was hacked once, and never recovered from it, even though I did have all of the posts. But preventive measures are always the best. I’ll get this installed right away.

    Ann Jade
    http://www.21rivers.com

  19. Jana says:

    Thanks for the tips. They are very handy and I am off to download and install the plugin. I had someone hack into my hosting the other day so I am not going to take any more chances.

    Jana

  20. Game Economy says:

    Good call on these security issues. Re: passwords – I use keepass to generate strong and random keywords. A simple two click process brings up Keepass, I select the site I want to log into, and copy/paste. Hasn’t failed me yet.

    Keep up the great work!

    -Enzo

  21. Angel Moreno says:

    I don’t want to be hacked so I’m taking all the measures you have suggested. Thank you so much. If it may help I use the plug in WP-DBManager to regularly back up my blog.

    I just subscribed to your newsletter.

  22. Skateboarding says:

    One of my blogs got hacked and it managed to install malware on my site. Now whenever someone opens my blog, their system gets infected by malware. Google listed my blog as harmful and my rankings tanked.
    I then had to clean all the blog, and password protect the wp-admin directory to keep things rolling.

  23. Kim says:

    It does seem that 1 out of 5 posts you run into lately are on WordPress security issues. Thanks for the tips or reminders of areas that should be re-examined. I also wish Go Daddy would update their easy install/upgrade for WordPress more often – they seem to always be a couple of dot releases behind.

  24. Titan says:

    I got hacked before, that’s why I am more careful now. I regularly do back ups for my site content and I installed an intrusion detection system, but I will also try some of the tips you have mentioned here. Jedz