
Check Your WordPress Security


WordPress is fantastic, and more and more people have adopted it not only for their blog but as their main website. Its built-in features, plugins and free themes make it very customisable, and it can function very well as a full content-managed website.

The downside is that sneaky spammers have a blueprint for the bank: if they find a hole in security, they can exploit it on any website with the same setup.

Website security is hugely dull, but a very necessary evil.

Here are some things you can do to reduce the chance your site will be compromised:

To check whether you’re already a victim:

  • Check what your site looks like with styles turned off and with JavaScript turned off. You may already have hidden spam links in your site.
  • Check your web analytics: has your site had a sudden drop in traffic, or have you received traffic from keyword searches unrelated to your website? This could indicate a problem with your website, but it could also mean that your tracking code has been pinched and used on someone else’s site.
  • Check your backlinks: if you have any suspicious links (unrelated, foreign, etc.), this could be a warning sign… or it may be nothing to worry about.
  • Check that your common files or template files don’t contain any strange code that uses eval() or base64_decode(); cross-reference against the original WordPress files or your original theme files.
  • Look for ‘k1b0rg’ or ‘keymachine.de’ in your PHP scripts.
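As an added example (not code from the original post), this small Python script automates the last two checks: it searches every PHP file under the site for eval()/base64_decode() calls and for the two indicators named above, and cross-references each file against a clean copy of WordPress or the theme so that modified or dropped-in files are reported even when the injected code avoids those patterns. The directory layout and file contents in demo() are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# What the post says to look for: eval()/base64_decode() calls and the two literal indicators it names.
SUSPICIOUS = [
    ("eval_call", re.compile(rb"\beval\s*\(", re.I)),
    ("base64_decode_call", re.compile(rb"\bbase64_decode\s*\(", re.I)),
    ("indicator_k1b0rg", re.compile(rb"k1b0rg", re.I)),
    ("indicator_keymachine", re.compile(rb"keymachine\.de", re.I)),
]

def scan_php_tree(site_root, reference_root=None):
    """Return sorted (relative_path, finding) pairs for every .php file under site_root.
    With reference_root (a pristine WordPress/theme copy), files that differ from it or have no
    counterpart in it are reported too, which catches injected code that avoids the patterns."""
    site, findings = Path(site_root), []
    for path in site.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(site).as_posix()
        data = path.read_bytes()
        findings += [(rel, label) for label, pat in SUSPICIOUS if pat.search(data)]
        if reference_root is None:
            continue
        ref = Path(reference_root, rel)
        if not ref.is_file():
            findings.append((rel, "not_in_reference"))
        elif ref.read_bytes() != data:
            findings.append((rel, "differs_from_reference"))
    return sorted(findings)

def _write(root, rel, body):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(body)

def demo():
    """Scan a constructed site tree against a constructed clean copy of the same files."""
    base = tempfile.mkdtemp()
    site, clean = Path(base, "site"), Path(base, "clean")
    for root in (site, clean):
        _write(root, "index.php", b"<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-content/themes/t/footer.php", b"<?php wp_footer(); ?>\n")
    # Constructed tampering: obfuscated code appended to the theme footer, plus a dropped-in file.
    _write(site, "wp-content/themes/t/footer.php",
           b"<?php wp_footer(); ?>\n<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); // keymachine.de ?>\n")
    _write(site, "wp-content/k1b0rg.php", b"<?php // k1b0rg\n")
    return scan_php_tree(site, clean)
```

On a real site, point scan_php_tree() at your web root and at a freshly downloaded copy of the same WordPress version and theme; the untouched index.php in the demo shows that clean files produce no findings.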

How to fix your WordPress Security problem

I’m no expert in WordPress development, so if anyone has anything to add/amend on this topic, please shout up! But here is one simple process to follow if you find you are a victim of a security exploit and can’t deal with festering around in the code to delete corrupted files:

  1. Take a backup of all your files
  2. Take a backup of your database
  3. Export your posts
  4. Export your list of registered users
  5. Make a note of the plugins you have installed
  6. Make a note of your theme (and any mods you have made)
  7. List all hyperlinks on your blog (use your sitemap)
  8. Search online for the name of each plugin you have installed and see if there are comments about SQL injection, security holes, etc. Take any plugins that look dangerous off your list for re-install.
  9. Download all your safe plugins & a fresh version of your theme (if you’ve used a template)
  10. Change your passwords for FTP & Database administration
  11. Delete the WordPress files from your server
  12. Drop the WordPress tables in your database related to this install (careful here particularly if you have other sites using the same database)
  13. Download the latest full version of WordPress
  14. Upload the files to your server & run through a fresh install
  15. Import your posts back in
  16. Change your options in permalinks to reflect your old site structure (this maintains any link equity you may have built up & reduces the chance of broken links to your site)
  17. Install your safe plugins & activate
  18. Install your theme & make your modifications
  19. Check that your media (images, video, etc.) are displaying correctly – you may need to upload images from your backup copy
  20. Update your settings (blog title, All in one SEO title tags, etc)
  21. Take all security measures listed in the list at the top of this blog post
  22. Check nothing has broken in the process

Further reading:


  • http://www.idaho.uk.net Jamie

    Hi Kat, great article.

    I wish there was something smart I could add, but you have covered it all.

    All I would say is that the latest releases of WordPress (from 2.6) ask you to enter a security key in the wp-config file. This is used to generate a hash key that makes your site more secure.

    See: http://codex.wordpress.org/Editing_wp-config.php#Security_Keys

  • http://www.pushon.co.uk Kat

    Thanks Jamie,

    I was wondering when you would re-surface, hope you had a nice honeymoon.

    Good point on the security key – I think after the massive security problems people had with version 2.5 of WordPress, the emphasis they have on built in security increased… which is good!

    Definitely a good idea to generate these codes too, because it’s not something you need to actually remember.

  • Pingback: renaissance chambara | Ged Carroll - Links of the day

  • http://www.marketingorsearch.com/search-engine-analytics.aspx Search Engine Analytics

    Just found your blog today. Really like it – keep up the good work. Domain info is more important than you think :-) Domain information such as DNS, age of domain and even the expiration date are used to distinguish between illegitimate and legitimate domains. Why are Google doing this? Simply to get all the factors they can to get an internal “trust score”. This “trust score” is used to eliminate “doorway” pages and spam in the search results. I’m not saying that it’s working perfectly – but they are doing a pretty good job.