December 1, 2009
WordPress STDs (Security Transgression Defilements) are a common occurrence. WordPress-powered websites are far from being immune to hackers, although the latest releases address many earlier security issues. WordPress, like other content management systems and forums such as phpBB and vBulletin, is a major target for hackers and spammers. Basic prophylactic measures, or condoms for WordPress STDs, need not be complicated or expensive.
Those involved in hacking WordPress usually want to use the sites as concealed (cloaked) link farms. It's rare that actual damage is done to your site, and often the site owner remains blissfully unaware that there's been any interference. Some of the link injection systems are extremely sophisticated! Testing for enemy action can be as simple as opening your site, choosing View / Source and reading through the content of the <head> section down to, and including, the <body> tag. The link injections I've seen are usually immediately after <body>. Is there a long string of HTML code containing links to dozens of sites you know nothing about? If there is, you've been violated, and have a WordPress STD (Security Terminated Deficiency)!
This article is not about fixing security violations. It's about simple prophylactic measures that most "non-technician" site owners can take. This is not a slick, professional security strategy, and there are some who will scoff at using "security by obscurity" as a primary tactic. However, even on a tight budget, the following 12 zero-dollar steps can and should be taken to minimise the possibility of attack.
1 – Always Use the Current Version
Why anyone would persist with an older version is beyond me. Upgrading has always been easy enough, and recent versions reduce the pain to a button click! The community of authors work extremely hard and surprisingly quickly to address known security problems.
2 – Remove Primary Target Identifier
Remove the Powered by WordPress credit details in the footer of your website's theme, e.g. /wp-content/themes/the-current-theme/footer.php. This is the fastest way to reduce the chances of the ill-intentioned finding your site in the first place! Try it: do a search on Google for "Powered by WordPress" and you'll get the picture… At the time of writing, there are 106 million competing page opportunities out there for hackers!
By all means give WordPress the credit they deserve – but you could do it on your links page, or make it a graphic / image link instead of text…
3 – Remove Secondary Target Identifier
A lot of WordPress themes come with a giveaway WP version HTML tag in the <head> section. In View / Source it displays as follows: <meta name="generator" content="WordPress 2.8.4" />
Obviously, this immediately reveals the WordPress version used on the site. Since some versions are vulnerable to known security flaws, you’ve just told the hackers where they are best to start their evil work…
Removing this giveaway is straightforward enough. Simply open up /wp-content/themes/the-current-theme/header.php and delete the code that’s outputting the Meta Generator tag.
4 – Remove Tertiary Target Identifier
There is another version identifier tag in the RSS feed output, e.g.: <generator>http://wordpress.org/?v=2.8.4</generator>
Removing the RSS version identifier can be done by opening /wp-includes/general-template.php and searching for "function the_generator".
The line immediately below that statement commences with: echo apply_filters('the_generator', …
Place a # character in front of the word echo, as per: #echo apply_filters('the_generator', … (in PHP, # comments out the rest of the line).
5 – Remove Lesser Target Identifiers
Doing the above pretty much gets you out of the spotlight and into the shadows. You could also remove links to "Log In" from the current theme's footer. There are 3.8 million competing page opportunities for a Google search for "wp-login.php" and it's probably a good thing to not be in that list either.
WordPress also adds two easily accessible files in the directory into which it is installed: licence.txt and readme.html. Renaming or removing those is important because they also contain WP version information!
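The three identifier removals in steps 3 to 5 can also be done from the active theme's functions.php, which survives a core upgrade (the edit to /wp-includes/general-template.php in step 4 is overwritten the next time WordPress updates that file). This is an added example, not code from the article; the myprefix_ function names are my own, and the file check looks for both spellings of the licence file because WordPress ships it as license.txt.

```php
<?php
// Added example: hook-based equivalents of steps 3, 4 and 5, placed in
// /wp-content/themes/the-current-theme/functions.php.

// Step 3: stop wp_head() printing <meta name="generator" content="WordPress x.y.z" />.
remove_action( 'wp_head', 'wp_generator' );

// Step 4: 'the_generator' is the filter applied by the echo line the article
// comments out. Returning an empty string reduces the <generator> element in
// every feed type (rss2, atom, rdf, comments) to a blank line.
function myprefix_strip_feed_generator( $generator, $type ) {
    return '';
}
add_filter( 'the_generator', 'myprefix_strip_feed_generator', 10, 2 );

// Step 5: readme.html and license.txt come back with every upgrade, so show
// administrators a dashboard notice whenever they reappear. The "Log In"
// footer link is printed by the theme itself; remove that call from footer.php.
function myprefix_warn_about_version_files() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $present = array();
    foreach ( array( 'readme.html', 'license.txt', 'licence.txt' ) as $file ) {
        if ( file_exists( ABSPATH . $file ) ) {
            $present[] = $file;
        }
    }
    if ( $present ) {
        printf(
            '<div class="error"><p>Version-revealing files still present in %s: %s</p></div>',
            esc_html( ABSPATH ),
            esc_html( implode( ', ', $present ) )
        );
    }
}
add_action( 'admin_notices', 'myprefix_warn_about_version_files' );
```

After activating the theme, confirm the change by viewing the page source and fetching /feed/ again: neither should contain a version string.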
6 – Don’t Use Easy Passwords
Don't make it easy for the hackers! Use super-difficult passwords that are impossible to guess, and not easy to crack. That applies to the hosting account control panel, FTP access AND the WordPress administration access. Ideally, high-exposure sites should use a different password for each of those areas.
Recent versions of WordPress seem to have addressed the issue of directory browsing, by keeping people out of areas they should not be looking. Securing the wp-admin area via SSL is a lot more complicated than it should be. There are no well-written, easy-to-use plugins available for this; those that do exist appear well past their WP version use-by date. It's also far too easy to end up locked out of your site while trying to make them work!
7 – Don’t Use Default Admin ID
If you recklessly use “admin” as the default user ID, you’ve given the hacker half the pieces of the puzzle and they only have one item left to crack – the password.
8 – Ensure WP File Permissions Are Adequate
File system security is important, to prevent easy unauthorised access. There may be times when you have needed to alter permissions to edit a file, or copy files into a directory. Did you reset permissions to the correct default afterwards? If not, you’ve left a door ajar… Pull it shut and lock it again!
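To check whether permissions were put back after editing, here is an added command-line audit (not from the article) that walks a WordPress tree and reports anything looser than a baseline I assume here to be 0644 for files and 0755 for directories, with wp-config.php at 0640; world-writable entries are flagged first since they are the open door the article warns about.

```php
<?php
// Added example: usage is  php wp-perms-audit.php /path/to/wordpress
// Returns the list of findings; an empty list means nothing is looser than
// the assumed baseline (tighter permissions are deliberately not reported).
function wp_perms_audit( $root ) {
    $root     = rtrim( $root, '/' );
    $findings = array();
    $walker   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $walker as $path => $info ) {
        $mode = fileperms( $path ) & 0777;         // strip file-type bits
        $rel  = substr( $path, strlen( $root ) + 1 );
        if ( $mode & 0002 ) {                       // anyone on the host can write it
            $findings[] = sprintf( '%-45s %04o  WORLD-WRITABLE', $rel, $mode );
            continue;
        }
        if ( $info->isDir() ) {
            $expected = 0755;
        } elseif ( $rel === 'wp-config.php' ) {
            $expected = 0640;                       // holds the database password
        } else {
            $expected = 0644;
        }
        if ( $mode & ~$expected ) {                 // any bit set beyond the baseline
            $findings[] = sprintf( '%-45s %04o  looser than %04o', $rel, $mode, $expected );
        }
    }
    return $findings;
}

$root     = isset( $argv[1] ) ? $argv[1] : '.';
$findings = wp_perms_audit( $root );
if ( ! $findings ) {
    echo "OK: nothing looser than the baseline under $root\n";
    exit( 0 );
}
echo implode( "\n", $findings ), "\n";
exit( 1 );
```

Run it over FTP-uploaded trees in particular, since FTP clients often create files with the umask of the uploading account rather than the host's defaults.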
9 – Plugin Integrity
As a general rule, only install plugins from the official WordPress Extend / Plugins repository. There at least, they are in the spotlight, and subject to some scrutiny. Installing plugins from anywhere else leaves you wide open to malware exploitation!
10 – Theme Integrity
OK, you can go anywhere and get free themes and make them work… but can you trust the source? Can you be sure that no malware is included? Can you be sure that no security breaches are opened by insecure coding? Personally, if I want a theme, I'd rather go to a reputable source and buy one that is coded for the latest version of WP, and where some assurance is implied as to suitability for the intended purpose.
11 – Automate Your Backups
There are backup plugins that automate the process of backing up your WordPress database and emailing the file to you daily or weekly. Install and use one of them! They can be a lifesaver, for a variety of other reasons.
12 – Server, Network and PC Vulnerabilities
Be aware of the configuration of your hosting company's web server. Is it running old versions of PHP, MySQL or cPanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up-to-date tools and services running.
Never access your WP installation from non-secure networks such as internet cafe, coffee shop or hotel WiFi systems.
Another commonsense measure is to ensure the PC you post from uses current and reputable antivirus software that also detects malware, spyware and key-loggers.
Ben Kemp, a search engine optimization consultant since 1997, is a specialist in website redesign, and a veteran of 25-plus years of experience in the IT industry.