WordPress Security – Avoiding Being Hacked!

Originally created as a blogging platform, WordPress has become flexible enough to serve as the basis for all sorts of websites, including business sites. There is an abundance of free templates available, as well as premium templates which don’t look like a traditional WordPress website at all. In other words, WordPress gives you the best of both worlds.

It’s very quick and easy to set up, and very easy to edit and manage. There’s really no need to know about coding, because most things can be done via a user friendly admin panel. Another great thing about using WordPress – Google loves it and seems to rank WordPress websites well.

Unfortunately, the popularity of the WordPress platform also makes it a prime target. Attackers are constantly finding ways into other people’s sites and using them for all sorts of illegal money-making activities, typically by injecting malware, bot code and redirect scripts.

There have been 98 release versions of WordPress at the time of writing, so it’s no wonder people have a hard time keeping up with the updates. Many of them patch vulnerabilities that have come to light since the last release, while others come from the steady innovation of the WordPress developers. It’s this innovation that has allowed WordPress to overtake CMSs such as Joomla and Drupal.

3 Basic Security Measures

A strong password is a must! Nobody should be able to guess it: make it at least 12 characters long (longer is better), mix lower and upper case letters, numbers and symbols, and never reuse it on another site. A password manager’s built-in generator is the most convenient way to create one. Online generators such as Comparitech’s Password Generator Tool (for passwords) or Random.org (for both usernames and passwords) also work, bearing in mind that you are trusting the site that generates it.

The next common-sense step is to keep your site up to date: the WordPress version itself, and the plugins and themes you have installed. Not doing this is the easiest way to get your site hacked, because most compromises exploit a known, already-patched flaw in an outdated component. If you log in regularly you’ll see notices in the dashboard telling you there are updates to carry out, and there are also tools which will email you when an update is available.

Thirdly, install themes and plugins from within your dashboard (which pulls them from the official WordPress.org repository) or directly from the developer’s own site. Downloading a theme or plugin from a random place on the web, particularly a “free” copy of a premium product, can lead to you installing something with a backdoor or malware built in, leaving you wide open to attackers.
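As an added example (not code from the original post), here is a small POSIX shell script that checks a password against the criteria just described and generates one locally from /dev/urandom, so nothing leaves your machine. The minimum length of 12 for the check and 16 for the generator are this example’s own defaults.

```shell
#!/bin/sh
# Added example, not from the original post: check a password against the
# criteria above and generate one that meets them. The default lengths (12 for
# the check, 16 for the generator) are this example's choice. Needs only POSIX
# sh plus tr, head and grep.

# has STRING PATTERN: 0 if STRING matches the basic regex PATTERN.
# LC_ALL=C keeps [a-z] meaning ASCII a..z regardless of the system locale.
has() {
    printf '%s' "$1" | LC_ALL=C grep -q -- "$2"
}

# check_password PASSWORD [MIN]: 0 if PASSWORD is at least MIN characters
# (default 12) and contains a lower-case letter, an upper-case letter, a digit
# and a symbol. Prints one line per unmet criterion.
check_password() {
    pw="$1"; min="${2:-12}"; ok=0
    [ "${#pw}" -ge "$min" ]  || { echo "too short (${#pw} < $min)"; ok=1; }
    has "$pw" '[a-z]'        || { echo "no lower-case letter"; ok=1; }
    has "$pw" '[A-Z]'        || { echo "no upper-case letter"; ok=1; }
    has "$pw" '[0-9]'        || { echo "no digit"; ok=1; }
    has "$pw" '[^A-Za-z0-9]' || { echo "no symbol"; ok=1; }
    return $ok
}

# gen_password [LEN]: print a LEN-character (default 16) password drawn from
# /dev/urandom. A random draw can miss a character class, so it retries until
# check_password accepts the result.
gen_password() {
    len="${1:-16}"
    while :; do
        # tr -dc keeps only the allowed characters; head -c cuts at len bytes.
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "$len")
        if check_password "$pw" "$len" >/dev/null; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Command-line use: sh passwords.sh  -> prints a fresh password, then shows
# why a typical weak one is rejected.
if [ "${0##*/}" = "passwords.sh" ]; then
    gen_password
    check_password 'wordpress123' || echo "rejected"
fi
```

The generator draws from the kernel’s random source rather than from a website; the checker is what you would run against a password a user has chosen themselves.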

  • PROBLEM: The wp-config.php file is reachable over HTTP.
    wp-config.php lives in the web root, so anyone can request it by URL, for example “http://www.yoursite.com/wp-config.php”. Normally PHP executes the file and you get a blank page, so its contents are not shown. The danger is the day PHP does not run: a misconfigured or failing PHP handler, or a backup copy (wp-config.php.bak, wp-config.php~) left beside it, will be served as plain text, database credentials included. Denying HTTP access to the file is cheap insurance against that.
  • SOLUTION: Edit the .htaccess file in your web root and insert the following block right at the very top, outside the “# BEGIN WordPress” / “# END WordPress” markers (WordPress rewrites whatever is between them). This is Apache 2.2 syntax; on Apache 2.4 the two inner lines become the single directive “Require all denied”:
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    Apache should then refuse the request with a 403 Forbidden error rather than a blank page. Note that the block matches that exact file name only, so delete any backup copies rather than relying on it. The error page itself is whatever your server is configured to show; on this site I’ve customized it by way of a plugin.
  • PROBLEM: wp-config.php has permissions that are too loose.
    On most hosts the file is created with the default mode for files, 0644 (some use 0755), which lets every other user on the server read it. wp-config.php contains sensitive information (the database name, username and password) in plain text and should be readable by nobody except you and WordPress (or, more precisely, the web server process). The best chmod for your wp-config.php depends on how your server is configured, but there are some general guidelines you can follow. If you’re hosting on a Windows based server, ignore all of the following.
  • SOLUTION: Try setting chmod to 0400 or 0440 and if the site works normally, that’s the one to use. Some servers will only allow 0600 or 0640, which is fine. The “other” (public) digit, the last one, must be zero. The “group” digit should also be zero unless the web server runs as a user in the file’s group (common on shared hosting), in which case set it to 4 so Apache can still read the file. If the site stops working after you tighten the mode, the web server runs as a different account from the file’s owner and still needs read access, so step back to the next setting.
  • PROBLEM: The readme.html file is visible.
    This page reveals the version of WordPress you are running. Anybody can see straight away whether you are behind on updates and whether that version has publicly known exploits, which saves an attacker the guesswork before injecting code, installing a backdoor or stealing data. Hiding the file is easy, but it is a small win: WordPress also prints its version in the generator meta tag of every page and in your RSS feeds, so keeping WordPress updated is the real fix.
  • SOLUTION: Rename the file to something more unique like “readme-876.html”, delete it, move it to another location, or use chmod or an .htaccess rule so that it’s not accessible via HTTP. Every core update puts a fresh readme.html back in place, so a rename or deletion has to be repeated after each update, whereas an .htaccess rule keeps working.
  • PROBLEM: Failed login attempts reveal too much.
    By default, when a login fails WordPress tells you whether it was the username or the password that was wrong. An attacker can use that to confirm which usernames exist on your site and then brute-force the passwords of those accounts. The fix is simple.
  • SOLUTION: Whatever the cause, always answer “Wrong username or password.” so the attacker cannot tell which of the two was wrong. Open your theme’s functions.php file (or put it in a small site-specific plugin, which survives theme updates) and copy/paste the following code:
    function wrong_login() {
        return 'Wrong username or password.';
    }
    add_filter('login_errors', 'wrong_login');

    Bear in mind that usernames also leak through author archive URLs (/?author=1 redirects to /author/username/) and through the REST API users endpoint, so this change slows an attacker down rather than hiding usernames completely; strong passwords and login rate limiting are what actually stop the brute force.
  • PROBLEM: The display_errors PHP directive is turned on.
    Showing debug output to visitors is a bad idea: PHP errors can reveal file paths, database details and plugin internals. Errors should be logged to a file outside the web root, not displayed to visitors or potential attackers.
  • SOLUTION: Open wp-config.php and place the following line just above the require_once at the end of the file: ini_set('display_errors', 0); Also make sure WP_DEBUG is false on a live site, or, if you need debugging, define WP_DEBUG_DISPLAY as false and WP_DEBUG_LOG as true so errors go to wp-content/debug.log instead of the screen (and deny HTTP access to that log as well). Errors raised before that line runs, or during PHP’s own startup, are not covered; the durable fix is display_errors = Off in php.ini.
  • PROBLEM: install.php is accessible via HTTP at its default location.
    There have been a couple of security issues involving the install.php file in the past. Once WordPress is installed the file is useless (it only reports that the site is already installed) and there’s no reason to keep it at the default location, accessible via HTTP. Thankfully, this is a very easy problem to solve.
  • SOLUTION: Rename install.php (you’ll find it in the wp-admin folder) to something more unique like “install-876.php”, delete it, move it to another location, or use chmod or an .htaccess rule so it’s not accessible via HTTP. As with readme.html, a core update restores the original file, so only the .htaccess rule is permanent.
  • PROBLEM: upgrade.php is accessible via HTTP at its default location.
    There have been a couple of security issues involving this file too. Security aside, it’s never a good idea to let strangers trigger database upgrade scripts without your knowledge. This is a useful file, but it should not be accessible at the default location. Again, this is very easy to solve.
  • SOLUTION: Rename upgrade.php (also in the wp-admin folder) to something more unique like “upgrade-876.php”, move it to another location, or use chmod or an .htaccess rule so it’s not accessible via HTTP. Don’t delete it! WordPress sends you to it after some core updates to upgrade the database, so you will need it later on (and will have to restore access to it for that step).
  • PROBLEM: Your uploads folder is browsable. If the web server produces directory listings, anyone can point a browser at wp-content/uploads/ and see and download every file you’ve ever uploaded. It’s both a security and a copyright issue.
  • SOLUTION: Open .htaccess and add this directive to it: Options -Indexes
    This switches off directory listings for the whole site, not just the uploads folder. Files are still served when requested by their exact URL, so it hides the index, not the files themselves.
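
The checks and fixes in this list can be scripted. The following POSIX shell script is an added example, not code from the original post: it audits a WordPress root for the conditions above (wp-config.php readable by other users, readme.html / install.php / upgrade.php present and not denied, no Options -Indexes, no <Files> block for wp-config.php, display_errors not disabled) and then applies the fixes. The sample site it builds under a temporary directory, including its placeholder credentials and .htaccess content, is constructed for the demonstration, and the .htaccess rules it writes use Apache 2.4 syntax.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress root for the
# problems in the list above and apply the fixes.
#   sh wp-audit.sh /path/to/wordpress        # report only
#   sh wp-audit.sh /path/to/wordpress --fix  # report, harden, report again
# make_sample_site builds a constructed, deliberately weak layout for the demo.

# 0 if the "other" permission bits of FILE are anything but ---, i.e. every
# account on the server could read (or write) it.
others_have_access() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# Print the core files that are still at their default, HTTP-reachable location.
stale_core_files() {
    for rel in readme.html wp-admin/install.php wp-admin/upgrade.php; do
        [ -f "$1/$rel" ] && printf '%s\n' "$rel"
    done
    return 0
}

# 0 if the root .htaccess mentions TEXT (fixed string). A heuristic: a comment
# containing the file name would also count.
htaccess_has() {
    [ -f "$1/.htaccess" ] && grep -qF -- "$2" "$1/.htaccess"
}

# 0 if wp-config.php turns error display off via ini_set() or WP_DEBUG_DISPLAY.
config_hides_errors() {
    f="$1/wp-config.php"
    [ -f "$f" ] || return 2
    grep -Eq "ini_set\([[:space:]]*['\"]display_errors['\"][[:space:]]*,[[:space:]]*(0|false|'0'|\"0\")" "$f" ||
        grep -Eq "define\([[:space:]]*['\"]WP_DEBUG_DISPLAY['\"][[:space:]]*,[[:space:]]*false" "$f"
}

# Print one line per finding; return the number of findings (0 = clean).
audit() {
    root="$1"; findings=0
    if others_have_access "$root/wp-config.php"; then
        echo "FINDING: wp-config.php is readable by other users ($(ls -ld "$root/wp-config.php" | cut -c1-10))"
        findings=$((findings + 1))
    fi
    for rel in $(stale_core_files "$root"); do
        htaccess_has "$root" "${rel##*/}" && continue
        echo "FINDING: $rel is present and not denied in .htaccess"
        findings=$((findings + 1))
    done
    htaccess_has "$root" "wp-config.php" ||
        { echo "FINDING: no .htaccess rule denying HTTP access to wp-config.php"; findings=$((findings + 1)); }
    htaccess_has "$root" "Options -Indexes" ||
        { echo "FINDING: directory listings are not disabled"; findings=$((findings + 1)); }
    config_hides_errors "$root" ||
        { echo "FINDING: display_errors is not disabled in wp-config.php"; findings=$((findings + 1)); }
    return $findings
}

# Apply the list's fixes. Core files are denied via .htaccess rather than
# renamed, because a core update restores them under their original names.
harden() {
    root="$1"; f="$root/wp-config.php"
    # 1. Insert ini_set('display_errors', 0); just above the require_once line.
    #    Done before chmod, because mv would otherwise replace the tightened file.
    if ! config_hides_errors "$root"; then
        awk -v line="ini_set('display_errors', 0);" \
            '/require_once/ && !done { print line; done = 1 } { print }' "$f" > "$f.tmp" &&
            mv "$f.tmp" "$f"
    fi
    # 2. Owner rw, group r (for a web server in the owner's group), nothing for
    #    others. Try 0400/0440 first on your own host and keep it if the site works.
    chmod 640 "$f"
    # 3. Deny direct HTTP access to wp-config.php and the leftover core files.
    #    <Files> in the root .htaccess also applies inside wp-admin/. On Apache
    #    2.2 replace "Require all denied" with "order allow,deny" / "deny from all".
    #    upgrade.php is needed after some core updates: lift its rule (or limit
    #    it to your own IP) when WordPress asks you to upgrade the database.
    for name in wp-config.php readme.html install.php upgrade.php; do
        htaccess_has "$root" "$name" && continue
        { printf '<Files "%s">\n  Require all denied\n</Files>\n' "$name"
          cat "$root/.htaccess" 2>/dev/null || true; } > "$root/.htaccess.tmp"
        mv "$root/.htaccess.tmp" "$root/.htaccess"
    done
    # 4. Turn off directory listings for the whole site, uploads included.
    htaccess_has "$root" "Options -Indexes" || printf 'Options -Indexes\n' >> "$root/.htaccess"
}

# Build a constructed, deliberately weak site layout in a temp dir; print its path.
# Only the files this script inspects are created; the credentials are placeholders.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    printf '%s\n' '<?php' "define('DB_NAME', 'wp_demo');" "define('DB_USER', 'wp_demo');" \
        "define('DB_PASSWORD', 'placeholder-not-a-real-secret');" \
        "require_once ABSPATH . 'wp-settings.php';" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"   # world-readable, as many hosts leave it
    : > "$d/readme.html"; : > "$d/wp-admin/install.php"; : > "$d/wp-admin/upgrade.php"
    printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' '# END WordPress' > "$d/.htaccess"
    printf '%s\n' "$d"
}

if [ -n "${1:-}" ]; then
    if ! audit "$1" && [ "${2:-}" = "--fix" ]; then
        harden "$1"; echo "--- after hardening ---"; audit "$1"
    fi
fi
```

On the constructed sample the first audit reports seven findings and the second, after harden, none. The permission check looks only at the mode bits, so run it on the live host: whether 0400 or 0640 is the right setting still depends on which account the web server runs as, exactly as described in the list above.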

There are definitely more vulnerabilities than are listed here, and if you’ve come across any more which you think deserve a mention and which you have a solution to, please feel free to make a comment below.

If you want to learn more about WordPress Security, you might want to consider WP Secure Pro by Rapid Crush Inc (aka Jason Fladlien and Wilson Mathos)
