underattacker – panicstarterdesigner, programmer, lover.

many of you subscribers should already know my site was hacked a few weeks ago thanks to me being an idiot and setting one of my folders to 777 and having a form within the folder.  having a secure site should be our first priorities when keeping a successful blog and hopefully these security tips will help you implement a better stance in security against malicious activity.

1.  no one should be allowed to search your entire server

this is how wordpress sets up your search code:

<?php echo $_SERVER ['PHP_SELF']; ?>

instead, you should use this:

<?php bloginfo ('home'); ?>

this Blocks WP- folders from being indexed by search engines. the best way is to block them in your robots.txt file. this is what i have in my robots.txt file:

Disallow: /wp-* 

2. directories should not be left open for public viewing

There is a potential problem letting people know what plugins you have and what versions they are. If there is some known exploit that is linked to a plugin, it could be easy enough for someone to use it to their advantage. Make an empty wp-content/plugins/index.html file or just add this line in your .htaccess file in your root:

Options All -Indexes

3. remove the version string in your meta tags

A large number of WordPress themes have the WordPress Meta Tag that show the version of WordPress that is running on your blog which is an easy way to get your blog prone to hackers if you didn’t upgrade to the security-enhanced file permissions.

4. protecting your wordpress wp-admin folder

Attackers can use brute force attacks that simply guesses the admin password until they come up with the correct one and login. There are a couple of solutions out there, we will highlight each below.

• Limit access to wp-admin folder by IP address- This solution is to restrict which IP’s can access the wp-admin folder via .htaccess. This has one drawback is you may have to update your .htaccess folder if your internet provider assigns you a dynamic IP address, you move to another location or you have authors at other locations.
• AskApache Password Protect- The plugin is simple, it adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. All you have to do is choose a username and password and you are done. It writes the .htaccess file, without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.
• Login Lockdown plugin- records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.

5. stay up to date

You need to keep your plugin/widget, theme, and WordPress versions updated. Also, subscribing to the plugin/widget/theme Author’s RSS feeds makes keeping up with them much easier.

6. take regular backups of your site and database

You always have to take regular backups of your file directories as well as the database.  the WordPress Database Backup plugin creates backups of your WordPress tables as well as other tables of your choice.

7. update your wordpress to its latest version

this is the first thing you should do! Install the Instant Upgrade Plugin or the WordPress Automatic Upgrade Plugin. Make sure you back everything up before performing the upgrades.

8. use ssh/shell access instead of ftp

If someone gets a hold of your FTP login information, they can manipulate your files and add spam to your site without you even knowing about it. Using SSH, everything is encrypted including the transfer of files, etc.

9. stop worrying about your wp-config.php file

Keep your database username and password Safe by adding the following to the .htaccess file at the top level of your WordPress install:

<FilesMatch ^wp-config.php$>deny from all</FilesMatch>

This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.

10. protect your blog with a good password

Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checkers that you could check.

Related posts:

1. wordpress image upload solution.
2. usb plug-n-play thief
3. why i think security is important:
4. a lighter, quicker underattacker
5. this is how you blog

This entry was posted on Tuesday, June 24th, 2008 at 11:17 pm and is filed under blogging, code, hacks. You can follow any comments to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.