WordPress Security

With more and more people and companies deciding to use WordPress to power their websites, WordPress has become a larger and larger target for hackers. Correspondingly, WordPress security is becoming an increasingly important issue. While the folks at Automattic do a great job keeping ahead of the hackers with security updates and making security a top consideration, there are always vulnerabilities and potential security holes in any software.

Since I just finished securing an entire network of compromised WordPress sites, I thought now would be a good time to write about WordPress security. This article is not meant to be an all-encompassing “WordPress Security How-To” but rather to give you some tips to help keep you from falling into the same WordPress security hell that I find myself helping my clients crawl out of repeatedly. It is much easier to prevent hackers from getting in than to get them out and clean up after them.

First Steps
First – if the administrator account is named admin and you can log into your site with the username admin – then get in touch, because this is security 101 and you will need my help sooner or later. At the very least, change the admin username to something other than admin. If you don’t, you are giving hackers half of the knowledge they need to break into your site. Along the same lines, if your database table prefix is the default (wp_) then you are asking for trouble from the script kiddies out there with their SQL injection scripts.

One of the easiest ways hackers can gain access to your WordPress installation is if the install.php file is accessible over HTTP at its default location. Once you have installed WordPress this file is of no use to you, and it has been exploited by hackers in the past. The file lives in wp-admin; the easiest way to secure it is to chmod it so that it cannot be accessed via the web, but you can also delete it, rename it, etc. Similarly, if upgrade.php is accessible via HTTP you have the same issue – but don’t delete this file, as you will need it later. Chmodding is the way to go with this one.

0-day exploits
0-day exploits are arguably the biggest security threat for all types of software, and WordPress is not exempt. One of the easiest ways to guard against these exploits is to remove the full WP version from your site. Hackers can search Google to find all of the sites out there running an exploitable version and target them. Here is a little function you can use on your site to hide your WordPress version from would-be hackers.

<?php
// Return an empty generator string so WordPress does not print its version
// in the <meta name="generator"> tag or in the RSS/Atom feed generator element.
function remove_version() {
    return '';
}
add_filter('the_generator', 'remove_version');
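The filter above only covers the generator string. WordPress also appends the core version to script and stylesheet URLs as a ?ver= query string when an asset is enqueued without its own version, so the number still shows up in the page source. The following added example (my own illustration, not code from the original post) handles both leaks as a must-use plugin; the file location under wp-content/mu-plugins/ and the function name are assumptions.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example)
 *
 * Assumed location: wp-content/mu-plugins/hide-wp-version.php so it
 * loads on every request without needing to be activated.
 */

// 1. Empty the generator string used by wp_head(), RSS and Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 2. Belt and braces: unhook the <meta name="generator"> output entirely.
remove_action( 'wp_head', 'wp_generator' );

// 3. Assets enqueued without an explicit version get "?ver=<core version>"
//    appended. Strip the query arg only when it equals the core version,
//    so cache-busting for theme and plugin assets keeps working.
function example_strip_core_version_query_arg( $src ) {
    global $wp_version;

    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version_query_arg', 9999 );
add_filter( 'style_loader_src',  'example_strip_core_version_query_arg', 9999 );
```

The readme.html file in the web root also states the installed version, so treat it the same way the article treats install.php: restrict it or remove it.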

This should get you started with securing your WordPress site. Look for another WordPress security article in the next week or so, when I will talk about securing the wp-config.php file, looking at your PHP settings, and avoiding showing hackers unnecessary information.

Until then, you can always contact me to help you secure your WordPress Installation.

8 Comments

  1. Shakuraso March 15, 2013

    Very timely article ninja, these are tips that anyone that is serious about WordPress security can use.

  2. I have WordPress, but I do not even know where to begin with this information!

  3. Sandy – This information is for the more advanced WordPress user that is self hosting WordPress. If you are not familiar with acronyms like FTP and SQL, you should leave it to the ninja or some other nerd…

  4. WordPress security is indeed an area where webmasters should focus on. You do not want to lose your blog to hackers, due to poor security.

    Personally I feel you should have a strong password and you should change the password once every 15 days.

  5. BIZARRIO – Hey Now, good point about changing your password every 15 days – regularly changing your password anywhere is good policy :)

  6. Sercoluf May 1, 2013

    cialis gerenico
    generic cialis
    trackback einen kommentar hinterlassen cialis

  7. WordPress runs so many sites these days, one good WordPress security exploit could take down half the web!

  8. Dana Tunison May 15, 2013

    Finally somebody is writing about this critically important topic. This is the first article I have read on this subject, but I have heard of many WordPress sites being hacked – kudos to you for providing this service to visitors to your blog.
