Check Your WordPress Security

PushON | February 18th 2009


WordPress is fantastic, and more and more people have adopted it not only for their blog but as their main website. The built-in features, plugins and free themes available make it very customisable, and it can function very well as a fully content-managed website.

The downside is that sneaky spammers have a blueprint for the bank: if they find a hole in the security, they can exploit it on any website with the same setup.

Website security is hugely dull, but a very necessary evil.

Here are some things you can do to reduce the chance your site will be compromised:

To check whether you’re already a victim:

  • Check what your site looks like with styles turned off, and with JavaScript turned off.  You may already have hidden spam links in your site.
  • Check your Web Analytics – has your site had a sudden drop in traffic, or have you received traffic from keyword searches unrelated to your website?  This could indicate a problem with your website, but it could also indicate that your tracking code has been pinched and used on someone else’s site.
  • Check your backlinks – if you have any suspicious links (unrelated, foreign, etc), this could be a warning sign… or it may be nothing to worry about.
  • Check that your common files or template files don’t contain any strange code that uses the eval() command or base64_decode() – cross-reference against the original WordPress files or your original theme file.
  • Look for ‘k1b0rg’ or ‘’ in your PHP scripts
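The cross-reference in the last two points can be scripted. This is an added example, not code from the original post: it scans every .php file under a site tree for eval(), base64_decode() and the ‘k1b0rg’ string, and compares each file’s hash against a freshly downloaded copy of WordPress and the theme (the regex, the function names and the sample tree are assumptions made for the example).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs the checklist names (assumed regex): eval(), base64_decode(), 'k1b0rg'.
SUSPICIOUS = re.compile(r"\beval\s*\(|\bbase64_decode\s*\(|k1b0rg", re.IGNORECASE)

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_file(path):
    """Return (line number, stripped line) for every suspicious line in one PHP file."""
    with path.open(encoding="utf-8", errors="replace") as fh:
        return [(n, line.strip()) for n, line in enumerate(fh, 1) if SUSPICIOUS.search(line)]

def scan_tree(site_root, pristine_root):
    """Cross-reference every .php under site_root against a fresh download in pristine_root.
    Returns {relative path: {"hits": [...], "status": ok|modified|extra}} for files that
    differ from the original or contain a suspicious construct. A hit inside an unmodified
    file is expected (WordPress itself calls base64_decode); hits in "modified" or "extra"
    files are the ones to read line by line."""
    site_root, pristine_root = Path(site_root), Path(pristine_root)
    report = {}
    for path in sorted(site_root.rglob("*.php")):
        rel = path.relative_to(site_root)
        original = pristine_root / rel
        if not original.exists():
            status = "extra"
        elif sha256_of(original) != sha256_of(path):
            status = "modified"
        else:
            status = "ok"
        hits = scan_file(path)
        if hits or status != "ok":
            report[rel.as_posix()] = {"hits": hits, "status": status}
    return report

def demo():
    # Constructed fixture: a pristine tree and a site copy with an injected theme footer.
    base = Path(tempfile.mkdtemp())
    site, pristine = base / "site", base / "pristine"
    clean = "<?php\necho 'hello';\n"
    for root, footer in ((pristine, clean), (site, clean + "eval(base64_decode('aGk='));\n")):
        theme = root / "wp-content" / "themes" / "mine"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text(footer)
        (root / "wp-load.php").write_text(clean)  # untouched core file: not reported
    (site / "wp-content" / "uploads.php").write_text("<?php // k1b0rg\n")  # dropped-in file
    return scan_tree(site, pristine)
```

Run `scan_tree("/path/to/live/site", "/path/to/fresh/wordpress")` against your own copies; `demo()` only exercises the constructed fixture.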

How to fix your WordPress Security problem

I’m no expert in WordPress development, so if anyone has anything to add or amend on this topic, please shout up! But here is one simple process to follow if you find you are a victim of a security exploit and can’t face rooting around in the code to delete corrupted files:

  1. Take a backup of all your files
  2. Take a backup of your database
  3. Export your posts
  4. Export your list of registered users
  5. Make a note of the plugins you have installed
  6. Make a note of your theme (and any mods you have made)
  7. List all hyperlinks on your blog (use your sitemap)
  8. Search the web for the name of each plugin you have installed and see whether there are reports of SQL injection, security holes, etc. Take any plugins that look dangerous off your list for re-install.
  9. Download all your safe plugins & a fresh version of your theme (if you’ve used a template)
  10. Change your passwords for FTP & Database administration
  11. Delete the WordPress files from your server
  12. Drop the WordPress tables in your database related to this install (careful here particularly if you have other sites using the same database)
  13. Download the latest full version of WordPress
  14. Upload the files to your server & run through a fresh install
  15. Import your posts back in
  16. Change your options in permalinks to reflect your old site structure (this maintains any link equity you may have built up & reduces the chance of broken links to your site)
  17. Install your safe plugins & activate
  18. Install your theme & make your modifications
  19. Check your media (images, video, etc) are displaying correctly – you may need to upload images from your backup copy
  20. Update your settings (blog title, All in one SEO title tags, etc)
  21. Take all the security measures listed at the top of this blog post
  22. Check nothing has broken in the process

Further reading: