Check Your WordPress Security
PushON | February 18th 2009
WordPress is fantastic, and it has been adopted by more and more people for use as not only their blog, but also their main website. The features built in, plugins and free themes available make it very customisable, and it can function very well as a full content managed website.
The downside is that sneaky spammers have a blueprint for the bank, and if they find a hole in security they can exploit it on any website with the same setup.
Website security is hugely dull, but a very necessary evil.
Here are some things you can do to reduce the chance your site will be compromised:
- Keep your WordPress install up to date – but leave it until full release is out rather than the beta release.
- Use the Security Scanner plugin to check you’ve not left any opportunities for hackers.
- Use the Secure WordPress plugin
- Change your administrator username to something other than admin, and generate a secure password… not your dog's name.
- Use .htaccess to limit access to wp-admin, wp-content, etc.
- Enhance your .htaccess file for extra security
- Install Login LockDown
- Be careful about which themes and plugins you install – you may be installing a virus, hidden links, etc.
To check whether you’re already a victim:
- Check your Web Analytics – has your site had a sudden drop in traffic, or have you received traffic from keyword searches unrelated to your website? This could indicate a problem with your website, but it could also indicate that your tracking code has been pinched and used on someone else’s site.
- Check your backlinks – if you have any suspicious links (unrelated, foreign, etc), this could be a warning sign… or it may be nothing to worry about.
- Check that your common files or template files don't contain any strange code that uses eval() or base64_decode() – cross-reference against the original WordPress files or your original theme files.
- Look for ‘k1b0rg’ or ‘keymachine.de’ in your php scripts
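As an added example (not code from the original post), here is a small Python script that automates the last two checks: it flags PHP files containing eval(), base64_decode(), 'k1b0rg' or 'keymachine.de', and cross-references a live install against an untouched copy of the same WordPress or theme release by SHA-256 to list files that have been edited or added. The demo() fixture, its file names and the regexes are my own constructions, not anything from the post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators from the post: functions injected code usually hides behind, plus
# the two strings it names. The regexes themselves are mine.
SUSPICIOUS = {
    "eval(": re.compile(r"\beval\s*\("),
    "base64_decode(": re.compile(r"\bbase64_decode\s*\("),
    "k1b0rg": re.compile(r"k1b0rg"),
    "keymachine.de": re.compile(r"keymachine\.de"),
}

def scan_php(root):
    """Map each .php file under root (relative path) to the indicators it contains."""
    root, hits = Path(root), {}
    for php in sorted(root.rglob("*.php")):
        found = [n for n, rx in SUSPICIOUS.items() if rx.search(php.read_text(errors="replace"))]
        if found:
            hits[str(php.relative_to(root))] = found
    return hits

def diff_against_pristine(live, pristine):
    """Cross-reference against an untouched copy of the same release: returns
    (files whose SHA-256 differs, files that exist only in the live tree)."""
    live, pristine = Path(live), Path(pristine)
    sha = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    modified, extra = [], []
    for f in sorted(p for p in live.rglob("*") if p.is_file()):
        rel = str(f.relative_to(live))
        ref = pristine / rel
        if not ref.is_file():
            extra.append(rel)          # dropped file, e.g. a planted backdoor
        elif sha(f) != sha(ref):
            modified.append(rel)       # shipped file that has been edited
    return modified, extra

def demo():
    """Constructed fixture: a pristine theme beside a live copy with an injected footer."""
    tmp = Path(tempfile.mkdtemp())
    clean = "<?php get_header(); ?>\n"
    injected = clean + "<?php eval(base64_decode('aGVsbG8=')); // k1b0rg ?>\n"
    for d in ("pristine", "live"):
        (tmp / d).mkdir()
        (tmp / d / "index.php").write_text(clean)
        (tmp / d / "footer.php").write_text(injected if d == "live" else clean)
    (tmp / "live" / "wp-x.php").write_text("<?php // keymachine.de ?>\n")
    return scan_php(tmp / "live"), diff_against_pristine(tmp / "live", tmp / "pristine")
```

Call demo() to run both checks over the constructed fixture; on a real site point scan_php() at your web root and diff_against_pristine() at the live tree and a freshly downloaded copy of the same release.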
How to fix your WordPress Security problem
I’m no expert in WordPress development, so if anyone has anything to add/amend on this topic, please shout up! But here is one simple process to follow if you find you are a victim of a security exploit, and can't deal with festering around in the code to delete corrupted files:
- Take a backup of all your files
- Take a backup of your database
- Export your posts
- Export your list of registered users
- Make a note of the plugins you have installed
- Make a note of your theme (and any mods you have made)
- List all hyperlinks on your blog (use your sitemap)
- Search the web for the name of each plugin you have installed and see if there are reports of SQL injection, security holes, etc. Take any plugins that look dangerous off your list for re-install.
- Download all your safe plugins & a fresh version of your theme (if you’ve used a template)
- Change your passwords for FTP & Database administration
- Delete the WordPress files from your server
- Drop the WordPress tables in your database related to this install (careful here particularly if you have other sites using the same database)
- Download the latest full version of WordPress
- Upload the files to your server & run through a fresh install
- Import your posts back in
- Change your options in permalinks to reflect your old site structure (this maintains any link equity you may have built up & reduces the chance of broken links to your site)
- Install your safe plugins & activate
- Install your theme & make your modifications
- Check your media (images, video, etc) are displaying correctly – you may need to upload images from your backup copy
- Update your settings (blog title, All in one SEO title tags, etc)
- Apply all the security measures listed at the top of this blog post
- Check nothing has broken in the process