In part one of this series, ‘Secure WordPress From Hackers’, we took a quick look at two techniques to completely stop individuals who have a desire to mess up your WordPress blog installation.
It is simple, but simple is always good. First, have good passwords. Second, back it up baby. As I mentioned this two punch technique works very well.
But what about protecting your wordpress installation before a hacker can get in? I know that there are a lot of smart individuals out there and the first step to hacking someone is investigation.
During investigation, it all comes down to finding where the weak spots are. I recently investigated another person’s wordpress install that was completely defaced. The defacer found a yet undiscovered door in one of the owner’s plugins.
This all comes down to having the ability to be able to browse a person’s wordpress installation. To be honest, I’m guilty of snooping into other peoples’ wordpress sites, not to hurt the owner, but to find out what theme or what plugins that person is using.
Some of my best discovers have been when I see something I really like and I peek behind the curtain to see the strings being pulled. Now, there is nothing wrong with this, but as I mentioned in the beginning, this is also an excellent starting point for hackers.
So, what do I mean by all of this?
WordPress has a pretty standard directory structure that hasn’t changed too much between updates. This is a good thing, if you wish to take advantage of things like automatic upgrades.
But the directory I’m going to zero in on today, is the directory ‘wp-content’. As you can see, it contains two directories, in particular, ‘plugins’ and ‘themes’ that can be strong venerability point.
Why, simple. The contents of these two directories contain code that is completely out of the hands of the original wordpress developers.
This is actually a big thing. The original developers of wordpress really don’t have any say on how add-ons to wordpress should actually work.
There is a recommended framework in place, but that doesn’t mean that it’s followed. In many ways, this is where we can get into trouble. Let me offer you an example.
I was cruising a site, just recently and was interested how the author had created their unique menu structure. So, I performed a simple change of address in my web browser to change the address from :
(Now, please don’t try to go to this site, it doesn’t exist.)
Let’s see what we find:
Very interesting. Here is a complete list of what plugins this site uses. Now, if I was trying to hack this person’s site, I would now start to investigate all the plugin directories listed to see if any had any security holes.
Second I could look into the themes directory, much like the plugins directory.
Do you see what I’m getting at? This can take a sinister tone pretty quickly in the wrong hands.
Well, fortunately, it’s very easy to plug this security hole. Stop from allowing the directory from being listed! There are a couple of ways to accomplish this.
- Put a blank index.html file in every directory you wish to protect. The idea is if someone goes to that directory, the web server, in most cases would just automatically load the blank web page instead of the directory contents.
- Ask you web hosting agent to disable directory listings for your website. Easier said then done.
- Modify the pre-existing .htaccess file to disallow directory listings. This is what I recommend, because it’s the simplest.
You will need to access the .htaccess file that is sitting in you /public_html folder on your hosting agent’s servers. (I’m making the assumption that you are running a hosting agent that runs CPanel.)
It may or maynot be there. But the idea will be to add the following lines of code on the bottom of this file:
deny from all
Now, this addition to the .htaccess file will do the following things for you:
- Stop anyone from accessing your .htaccess file
- Tell the web server to not do directory listings
- Always only display the file, index.php as a default web page
The last point, setting the default web page, is important too. I had a bunch of websites defaced by a group of hackers that simply broke in through a brute force ftp attack and then put up their webpage, ‘index.html’ in all of my directories.
Out of the box, most web servers will display a index.html page before index.php! Guess what your wordpress uses? index.php.
So, it’s a small thing, but simple to protect against.
In conclusion, we looked at how to protect your website from hackers by stopping them from actually being able to look at what we’ve loaded and are running. As mentioned, stopping hackers from seeing what you are running, makes it much harder for them to find a way to compromise to your setup.
This was part 2 of Secure WordPress From Hackers. I hope you enjoyed it!