Easy improvements for the non-technical:
- Are you displaying your username for all the hackers to see? Go to your WordPress profile page and change “Display name publicly as” to something other than your username. Try using a nickname if your first or last name is too similar to your username.
- Is your password strong? Use a long one with a mix of upper and lower case letters, numbers and symbols.
- Tighten the access you allow your users: don’t give them Administrator or Editor if all they need is Author. Consider using the Role Manager plugin to tailor access.
- Subscribe yourself to your own blog. The notification emails may alert you if someone hacks in and starts posting.
Slightly more technical
- Upgrade your WordPress version to the latest. Delete old files: use FileZilla’s directory comparison against a local copy of the latest version and delete any leftover files that are not part of the new release. A file the upgrade did not overwrite can still be requested directly, old holes and all.
- Use the secret key. Edit the wp-config.php file and set the secret key (SECRET_KEY in older releases; newer releases define several keys and salts) before you create new passwords. WordPress uses it to salt the hashes in its login cookies, so a stolen copy of the database is not enough to forge a session; changing it later simply logs every user out.
- Change the default admin username. Use phpMyAdmin to change the user_login value ‘admin’ in the users table (wp_users, unless you changed the prefix) to something else, e.g. “123bOSS”. It is quick and easy. The public display name can still be admin, so a login attack aimed at the “admin” account is guessing at a user that does not exist. Make the password strong.
- Use the Login Lockdown plugin. It reduces the likelihood that a brute-force attack on your login form will succeed, because it locks out an IP address that makes too many failed attempts in a short period.
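The lockout the last item describes, as an added example in Python rather than the plugin’s own PHP. It is not the Login Lockdown plugin’s code: the thresholds, the event format and the sample login events are assumptions made for the illustration.

```python
"""Brute-force lockout of the kind described above.

Added example, not the Login Lockdown plugin's code. The thresholds, the
event format and the sample events below are assumptions made for the
illustration.
"""
from collections import defaultdict, deque

MAX_FAILURES = 3        # failed attempts allowed...
WINDOW_SECONDS = 300    # ...within this many seconds...
LOCKOUT_SECONDS = 3600  # ...before the address is refused for this long


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        """True while a lock on this address is still in force."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]   # lock has expired, forget it
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed attempt; returns True if it trips the lock."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def attempt(self, ip, now, password_ok):
        """Decide one login attempt: 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"   # refused before the password is even checked
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        self.record_failure(ip, now)
        return "failed"


# Constructed events: (seconds since start, client address, password matched?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False),
    (5, "203.0.113.7", False),
    (9, "203.0.113.7", False),       # third failure in 9 s: address locked
    (12, "203.0.113.7", True),       # right password, still refused
    (20, "198.51.100.4", False),
    (400, "198.51.100.4", False),    # the failure at 20 s has aged out
    (410, "198.51.100.4", True),
    (3700, "203.0.113.7", True),     # lock expired, login works again
]


def replay(events, guard=None):
    """Run the events through one guard; returns [(ip, decision), ...]."""
    guard = guard or LoginLockdown()
    return [(ip, guard.attempt(ip, t, ok)) for t, ip, ok in events]


if __name__ == "__main__":
    for ip, decision in replay(SAMPLE_EVENTS):
        print(f"{ip:<14} {decision}")
```

Two details matter in practice. A locked address is refused before the password is checked, so the lock itself does not leak whether a guess was right. And the lock is keyed on the client address, which only works if that address is the real one: behind a reverse proxy every visitor shares the proxy’s address, and a lockout keyed on it would block everybody, so the real client address has to be taken from a header the proxy is trusted to set.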
Even more technical and/or do at installation time
- Change the database table prefix from wp_ to something else.
- Use a separate database rather than sharing one with the other applications on your hosting account, so a hole in one of them does not expose your WordPress tables.
- Consider using Apache password protection (an .htaccess and .htpasswd pair) for the wp-admin folder, giving you two layers of password control. Some advise limiting access to the wp-admin folder to the IP address you normally work from; personally, one of the benefits of a CMS is being able to edit it wherever you are, so I’d be hesitant to do that.
A safe, secure theme or plugin?
A WordPress theme or plugin can introduce some nasty code, so be wary of where you get your theme from. Search for the theme’s name on its own so you can see what others are saying about it. The supplier may not be malicious, but may not be aware of the security risks of certain kinds of code. Others take themes, insert malicious code and then pass the themes on.
If you are not sure and really want to use the theme, here are some things to check in its PHP files. Even if you are not a programmer, you may still be able to recognise some weird stuff.
- The theme should not echo or print an unprotected
$_SERVER['PHP_SELF'];
If it does, replace it with:
htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES);
The ENT_QUOTES flag makes htmlentities escape single quotes as well as double quotes, so the value is safe inside either kind of attribute. Without the escaping, anything an attacker appends to the URL is printed straight back into the page.
- It should also not output usernames directly. The code should not print or echo
the_author_login
but rather
the_author();
Check the code and also the user profiles: a profile may be set to display the login name even if the code is okay. Change it!
- Any bits of code containing the following could be bad:
- @eval(@base64_decode………
- <u style=display:none>…..
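The checks in the list above, turned into a small scanner. This is an added example in Python, not code from the original post or from WordPress; it greps theme files for the four warning signs and can apply the htmlentities fix. The sample theme files are constructed inline so it runs offline, and their names and contents are made up.

```python
"""Scan theme or plugin PHP files for the warning signs listed above.

Added example, not code from the original post or from WordPress. The
sample theme files are constructed inline so the scanner runs offline;
the file names are made up.
"""
import re

# $_SERVER['PHP_SELF'] that is not already wrapped in htmlentities().
PHP_SELF = r"(?<!htmlentities\()\$_SERVER\[\s*([\"'])PHP_SELF\1\s*\]"

# (name, pattern, why it matters)
CHECKS = [
    ("unescaped PHP_SELF",
     re.compile(r"\b(?:echo|print)\b[^;]*?" + PHP_SELF),
     "prints the request path unescaped; script appended to the URL lands in the page"),
    ("login name exposed",
     re.compile(r"\b(?:get_)?the_author_login\b"),
     "prints the author's login name; use the_author() instead"),
    ("obfuscated eval",
     re.compile(r"@?eval\s*\(\s*@?base64_decode\s*\(", re.IGNORECASE),
     "runs code hidden in base64; a legitimate theme has no reason to do this"),
    ("hidden markup",
     re.compile(r"<u\s+style\s*=\s*[\"']?\s*display\s*:\s*none", re.IGNORECASE),
     "invisible element, the usual carrier for injected spam links"),
]


def scan_source(source, filename="<string>"):
    """Return [(filename, line_no, check_name, reason), ...] for one file."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern, reason in CHECKS:
            if pattern.search(line):
                findings.append((filename, line_no, name, reason))
    return findings


def scan_theme(files):
    """files maps a file name to its contents; returns all findings."""
    findings = []
    for filename, source in files.items():
        findings.extend(scan_source(source, filename))
    return findings


def harden_php_self(source):
    """Apply the fix suggested above to every unwrapped $_SERVER['PHP_SELF'].

    ENT_QUOTES is passed so single quotes are escaped too: on PHP releases
    before 8.1 the default htmlentities() flags only escape double quotes,
    which leaves a value inside a single-quoted attribute unprotected.
    """
    return re.sub(PHP_SELF, r"htmlentities($_SERVER[\1PHP_SELF\1], ENT_QUOTES)", source)


# Constructed sample files; the spam link and the base64 payload are made up
# (the payload decodes to the harmless PHP statement: echo "ok";).
SAMPLE_THEME = {
    "header.php": (
        '<?php // constructed: three of the warning signs in one template ?>\n'
        '<form action="<?php echo $_SERVER[\'PHP_SELF\']; ?>" method="post">\n'
        '<p>Written by <?php the_author_login(); ?></p>\n'
        '<u style="display:none"><a href="http://example.invalid/">cheap pills</a></u>\n'
    ),
    "footer.php": (
        '<?php\n'
        "@eval(@base64_decode('ZWNobyAib2siOw=='));\n"
        '?>\n'
    ),
    "single.php": (
        '<?php // constructed: the hardened form of the same template ?>\n'
        '<form action="<?php echo htmlentities($_SERVER[\'PHP_SELF\'], ENT_QUOTES); ?>" method="post">\n'
        '<p>Written by <?php the_author(); ?></p>\n'
    ),
}


if __name__ == "__main__":
    for filename, line_no, name, reason in scan_theme(SAMPLE_THEME):
        print(f"{filename}:{line_no}: {name}: {reason}")
```

Run against a real theme by reading each .php file into the dictionary that scan_theme takes. A hit on the eval or hidden-markup checks is a reason to drop the theme, not to patch it; the PHP_SELF rewrite is only worth applying to a theme you otherwise trust, and the result still needs a glance, because the scanner only sees one line at a time and misses a value that is stored in a variable and printed later.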
The alakhnor.com post-thumb plugin is an example of one that either got hacked or had malicious code in it. I was alerted to this when one of the sites that used it triggered a Google malware warning. So before using a plugin, I’d suggest doing a search on it too, to see what people around the net may be saying.
Cure?
Keep backup versions, not just of the content but also of the code of any themes or modifications. Then you can reload WordPress, reload the theme and reload untouched content (make sure the backups are “clean”, i.e. taken from before the break-in).
In some cases it may be easier to clean up, depending on what has happened:
- Upgrade WordPress as soon as possible if you have not done so already; yes, some plugins may “break”. If they are any good, you should be able to upgrade them too. The automatic upgrade tool seems to work well so far, although it is somewhat confusing at times.
- You can switch to a clean theme quickly while you clean up the files of your custom theme.
- Use phpMyAdmin to delete bad posts if that is what has happened.
2 Comments
November 22nd, 2008 at 4:59 am
[...] http://webdesign.anmari.com/improve-your-wordpress-webs-security-prevention/ [...]
March 10th, 2010 at 6:56 pm
How about this one? http://wordpress.org/extend/plugins/admin-renamer-extended/