Apr 8th, 2009 by Richard
Andrew at dnw.com had his Wordpress hacked recently. I noticed it at around 5am EST and tried to contact Andrew to let him know, without success. Ultimately, my buddy Elliot was able to get the news to him.
Wondering how I noticed dnw.com was hacked? I got the same warning in Firefox that a lot of other people did. So I fired up my Ethereal packet sniffer to see what was going on. I did a capture, and bingo, there was a .cn domain trying to run a script to do some nasty stuff.
We use Wordpress ourselves and install it for clients, so we’ve seen and done a lot with Wordpress over the years.
Here are my best tips on security for Wordpress. If you’re serious about not getting hacked, please consider every tip on this list as required, not optional.
Update your Wordpress
Update Wordpress and plugins regularly. I use SVN to automate the process, but you can do it manually if you want to. If you run hundreds or thousands of Wordpress blogs, use Wordpress MU so that you have one code base to update instead of hundreds of separate installs.
The rest of these tips are there to limit the damage on the day you do miss an update: if the web server cannot write to your files and the control panel is locked down, an injection bug that tries to drop a backdoor into your theme has nowhere to go. They do not replace updating, though. A bug that only needs the database (a SQL injection, or a script stored in a comment) works just as well against read-only files, so treat the permission and login tips as a safety net, not as a reason to skip releases.
Login Security Tips
Use https (i.e. SSL) to log into the Wordpress control panel, otherwise your password and your login cookie cross the wire in the clear. You’re already doing this, right? You don’t need to buy an SSL cert to do this, just use a self-signed SSL certificate! The browser will warn about it once; accept that, because what you want here is encryption of your own admin session, not a third party vouching for the site.
Use strong passwords and change them regularly. For example, H&&73r$r0cK$ is strong, p4ssw0rd is not. And don’t even think about using your wife’s name, your dog’s name, or your favourite drink as a password.
Do not use the admin username as the Administrator of Wordpress. Instead, create a new username that is hard to guess, assign that user the Administrator Role and change your admin user to the Author or Contributor Role. Then continue to use admin to post to your Wordpress and only use your new username when you need to perform Administrator functions. If someone then gets your admin password, they will be wasting their time: logging in as admin no longer gives them Administrator access. Sneaky, eh? Two caveats. The new name is only as secret as you keep it, since Wordpress exposes an author’s login name in author archive URLs (/?author=N redirects to /author/username/), so never publish under the Administrator account. And an Author account can still publish, so the admin password still has to be a strong one.
If you are not allowing user registration on your site (for comments or contributions) then you should also protect your wp-admin directory with an .htaccess file. This puts a second login (HTTP authentication, with its own password file) in front of the control panel, so nobody can even reach the Wordpress login form, let alone use the Administrator credentials they may have stolen. One thing to watch: some themes and plugins call wp-admin/admin-ajax.php from the public pages, so leave that one file reachable or your front end breaks.
Server Security Tips
Hide your directory contents from prying eyes by disallowing directory browsing. To do this, add -Indexes to the Options line in your Apache config file (or .htaccess file). If you don’t, anyone can request /wp-content/themes/ or /wp-content/plugins/ and get a full listing, see exactly which themes and plugins (and which versions) you have installed, look up the known bugs in them and try those against your blog. Yep, people really do that.
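The two .htaccess files from the last few tips, written out as an added example (this is not code from the original post): a root one that turns off directory listings and also refuses to serve wp-config.php as a plain file, and a wp-admin one that puts HTTP basic authentication in front of the control panel while leaving admin-ajax.php reachable. The Wordpress path, the .htpasswd location and the user name are assumptions. Both Apache 2.2 and 2.4 syntax are included because the access-control directives changed between them.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and user names are
# assumptions; adjust them to your host.
set -e

# Root .htaccess: no directory listings, and never serve wp-config.php as a
# static file (if PHP handling is ever misconfigured it would otherwise hand
# out the DB password). Wordpress keeps its permalink rewrite rules in this
# same file, so append rather than overwrite, and skip if already present.
write_root_htaccess() {
    wpdir=$1
    if grep -qs 'Options -Indexes' "$wpdir/.htaccess"; then
        return 0
    fi
    cat >> "$wpdir/.htaccess" <<'EOF'

Options -Indexes

<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# wp-admin/.htaccess: basic auth for everything under wp-admin except
# admin-ajax.php, which themes and plugins call from the public site.
# The password file must live outside the document root.
write_admin_htaccess() {
    wpdir=$1; htpasswd_file=$2
    cat > "$wpdir/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Wordpress control panel"
AuthUserFile $htpasswd_file
Require valid-user

<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
EOF
}

# Add or replace a user in the password file. Uses openssl's Apache MD5
# scheme ($apr1$) so the htpasswd tool from apache2-utils is not required.
add_htpasswd_user() {
    htpasswd_file=$1; user=$2; password=$3
    hash=$(openssl passwd -apr1 "$password")
    touch "$htpasswd_file"
    grep -v "^$user:" "$htpasswd_file" > "$htpasswd_file.tmp" || true
    printf '%s:%s\n' "$user" "$hash" >> "$htpasswd_file.tmp"
    mv "$htpasswd_file.tmp" "$htpasswd_file"
    chmod 640 "$htpasswd_file"
}

# Usage (paths are examples):
#   write_root_htaccess /var/www/blog
#   write_admin_htaccess /var/www/blog /etc/apache2/wp-admin.htpasswd
#   add_htpasswd_user /etc/apache2/wp-admin.htpasswd editor 'a long passphrase'
```

Basic auth is just another password, so it gets a strong one too; if your admins always come from a fixed office address, restricting wp-admin by IP instead (Allow from / Require ip) removes the password-guessing angle altogether.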
Change file ownership to your server/cPanel username instead of the web server user (nobody, www-data, apache, etc.). A default install often ends up with the files owned by the web server user, which means any hole in Wordpress or in a plugin lets PHP rewrite your own code. When the web server does not own the files and cannot write to them (next tip), an exploit may still run, but it cannot plant a backdoor in your theme or index.php.
Change your directory permissions to 755 and file permissions to 644 using chmod or your sftp/scp client. (You will often see 775 recommended for directories; that gives group write, which defeats the point if the web server runs in that group, so only use it where something genuinely has to write.) By doing this, you make your Wordpress files readable by the web but not writable, so again, if a hole is found in the Wordpress code the attacker cannot change what is on disk. Go one step further with wp-config.php: it holds your database password, so make it 640 (or 600 if the web server runs as you) so other users on a shared host cannot read it.
[NOTE: The downside of changing your file ownership and permissions is that modification of your theme files or .htaccess will need to be done through sftp/scp and will no longer work from the Wordpress control panel, and the same goes for installing plugins and updates from inside Wordpress. The one directory that has to stay writable by the web server is wp-content/uploads, or media uploads stop working; since that is then the one place an attacker can drop a file, make sure nothing in it is ever executed as PHP. But security is more important than convenience, right?]
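The ownership and permission scheme from the three previous tips as one script, added here as an example (not from the original post). OWNER is your shell/cPanel user and WEBGROUP is the group the web server runs as (www-data on Debian/Ubuntu, apache on Red Hat); both are assumptions, pass whatever your host uses. It also includes a checker that counts what the web server could still write, which is the thing to verify after you are done.

```shell
#!/bin/sh
# Added example, not from the original post. OWNER and WEBGROUP are
# assumptions: your own login and the web server's group on your host.
set -e

harden_wp_perms() {
    wpdir=$1; owner=$2; webgroup=$3

    # Everything owned by you; the web server gets in through the group.
    chown -R "$owner:$webgroup" "$wpdir"
    # Directories 755: the web server can traverse, only you can create files.
    find "$wpdir" -type d -exec chmod 755 {} +
    # Files 644: readable by the web server, writable only by you.
    find "$wpdir" -type f -exec chmod 644 {} +
    # wp-config.php holds the DB password: keep other users on a shared host
    # out of it. 640 still lets the web server read it via the group.
    chmod 640 "$wpdir/wp-config.php"

    # Media uploads must stay writable by PHP, so that one tree is
    # group-writable (dirs 775, files 664) ...
    if [ -d "$wpdir/wp-content/uploads" ]; then
        find "$wpdir/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$wpdir/wp-content/uploads" -type f -exec chmod 664 {} +
        # ... and therefore must never execute anything dropped into it.
        # This .htaccess is owned by you and not group-writable, so the web
        # server cannot remove it. Both Apache 2.2 and 2.4 syntax included.
        cat > "$wpdir/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[3-7])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
        chmod 644 "$wpdir/wp-content/uploads/.htaccess"
    fi
}

# Count files and directories outside uploads that are still group-writable
# (mode bit 020), i.e. that the web server could modify. A hardened tree
# returns 0; run it again after any plugin or theme install.
count_web_writable() {
    wpdir=$1
    find "$wpdir" -path "$wpdir/wp-content/uploads" -prune -o -perm -020 -print \
        | wc -l | tr -d ' '
}

# Usage (paths and names are examples):
#   harden_wp_perms /var/www/blog andrew www-data
#   count_web_writable /var/www/blog
```

If your host does not let you chgrp to the web server's group, fall back to 644 on wp-config.php and accept that it is world-readable, or ask the host to put the web server in your group.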
When uploading and changing your files use a secure tool such as sftp, scp or ssh. Standard ftp is not secure because it is not encrypted: your password and every file you upload cross the network in the clear. Someone in your office could be packet sniffing your traffic, your ISP could be doing it, and even your hosting company could be doing it. So use tools with encryption like sftp and scp for file transfer, and ssh for shell access, and turn plain ftp off on the server if you can.
If you have the technical expertise yourself or have a server admin, then you should install mod_security for Apache. This tool performs two very important functions that everyone can benefit from.
- Blocking of requests that match its rules. If someone sends your Apache a known injection, traversal or file-inclusion pattern, mod_security rejects the request before Wordpress ever sees it. (With extra rules it can also slow down a flood, but it is a web application firewall, not a DoS shield.)
- Detailed logging. Every blocked or suspicious request is written to an audit log with the full request, so if someone exploited your Wordpress and modified your index.php file, the request that did it is on record. mod_security does not watch your files or send mail by itself; pair its audit log with a log watcher (and a file-integrity checker if you want to catch changes on disk) to get an alert in real time. If you missed the alert and need to work out how the hacker got into your site, the audit log shows exactly what was sent so that you can fix the hole and stop it from happening again. Nifty!
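To make the two points concrete, here is an added example (not from the original post): a minimal ModSecurity 2.x configuration for a Wordpress host with one rule that rejects path traversal in request arguments, plus an awk triage of the audit log that pulls out the blocked requests, which is what you would read the morning after. The log file path, the rule id 100001 and the two-entry sample audit log are constructed for illustration; a real log has many more sections and lines.

```shell
#!/bin/sh
# Added example, not from the original post. Paths, the rule id and the
# sample audit log are constructed for illustration.
set -e

# Apache-side ModSecurity 2.x config: engine on, audit log only for
# requests that were denied or errored (RelevantOnly), and one rule that
# blocks "../" in any request argument after URL decoding.
modsec_conf() {
    cat <<'EOF'
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLogParts ABHZ
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecDefaultAction "phase:2,log,auditlog,deny,status:403"

    # 100001 is an id chosen for this example; rule ids must be unique.
    SecRule ARGS "@contains ../" \
        "id:100001,phase:2,t:none,t:urlDecode,deny,status:403,log,msg:'Path traversal in request argument'"
</IfModule>
EOF
}

# A constructed serial-format audit log with two entries: one request denied
# by rule 100001 and one that only raised a warning. Section A of each entry
# is "[timestamp] unique_id client_ip client_port server_ip server_port";
# section H holds the rule messages.
sample_audit_log() {
    cat <<'EOF'
--6f3a9c1b-A--
[08/Apr/2009:05:02:11 --0400] SdyU3X8AAAEAAGvCBxoAAAAA 203.0.113.7 51234 192.0.2.10 80
--6f3a9c1b-B--
GET /wp-content/plugins/example-plugin/view.php?file=../../wp-config.php HTTP/1.1
Host: blog.example.com
--6f3a9c1b-H--
Message: Access denied with code 403 (phase 2). String match "../" at ARGS:file. [file "/etc/modsecurity/wordpress.conf"] [line "12"] [id "100001"] [msg "Path traversal in request argument"]
--6f3a9c1b-Z--

--7b4c0d2e-A--
[08/Apr/2009:05:09:40 --0400] SdyW9X8AAAEAAGvCBxsAAAAB 198.51.100.23 40211 192.0.2.10 80
--7b4c0d2e-B--
POST /wp-comments-post.php HTTP/1.1
Host: blog.example.com
--7b4c0d2e-H--
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [id "100010"] [msg "Comment flood"]
--7b4c0d2e-Z--
EOF
}

# Print one line per denied request: client IP, rule id, rule msg.
# Remembers the client IP from each A section and reports it when the
# H section of the same entry carries an "Access denied" message.
modsec_denied() {
    awk '
        /^--[0-9A-Za-z]+-A--$/ { in_a = 1; next }
        in_a == 1              { ip = $4; in_a = 0; next }
        /^Message: Access denied/ {
            id = ""; msg = ""
            if (match($0, /\[id "[^"]*"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            print ip, id, msg
        }
    ' "$1"
}

# Usage (paths are examples):
#   modsec_conf > /etc/apache2/conf.d/modsecurity-wordpress.conf
#   modsec_denied /var/log/apache2/modsec_audit.log | sort | uniq -c | sort -rn
```

Run the triage through sort and uniq -c as in the usage line and the noisiest client IP and rule float to the top; that is usually the fastest way to spot a scan in progress, and the B section of the matching entry shows you the exact URL to look up.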
Questions? Need more details? Fire away in the Comments below!
There are some more security tips from wordpress.org here