secure wordpress Archives

Secure WordPress From Hackers – Part 2

In part one of this series, ‘Secure WordPress From Hackers’, we took a quick look at two techniques to completely stop individuals who have a desire to mess up your WordPress blog installation.

It is simple, but simple is always good. First, have good passwords. Second, back it up, baby. As I mentioned, this two-punch technique works very well.

But what about protecting your wordpress installation before a hacker can get in? I know that there are a lot of smart individuals out there and the first step to hacking someone is investigation.

During investigation, it all comes down to finding where the weak spots are. I recently investigated another person’s wordpress install that was completely defaced. The defacer found a yet undiscovered door in one of the owner’s plugins.

This all comes down to being able to browse a person’s wordpress installation. To be honest, I’m guilty of snooping into other people’s wordpress sites, not to hurt the owner, but to find out what theme or what plugins that person is using.

Some of my best discoveries have been when I see something I really like and I peek behind the curtain to see the strings being pulled. Now, there is nothing wrong with this, but as I mentioned in the beginning, this is also an excellent starting point for hackers.

So, what do I mean by all of this?

[Screenshot: WordPress directory structure]

WordPress has a pretty standard directory structure that hasn’t changed too much between updates. This is a good thing, if you wish to take advantage of things like automatic upgrades.

But the directory I’m going to zero in on today is the directory ‘wp-content’. As you can see, it contains two directories in particular, ‘plugins’ and ‘themes’, that can be a strong vulnerability point.

Why? Simple. The contents of these two directories are code that is completely out of the hands of the original wordpress developers.

This is actually a big thing. The original developers of wordpress really don’t have any say on how add-ons to wordpress should actually work.

There is a recommended framework in place, but that doesn’t mean that it’s followed. In many ways, this is where we can get into trouble. Let me offer you an example.

I was cruising a site just recently and was interested in how the author had created their unique menu structure. So I performed a simple change of address in my web browser, from:

http://www.the-site-in-question.com/

To:

http://www.the-site-in-question.com/wp-content/plugins/

(Now, please don’t try to go to this site, it doesn’t exist.)

Let’s see what we find:

[Screenshot: directory listing of /wp-content/plugins/ on the example site]

Very interesting. Here is a complete list of what plugins this site uses. Now, if I was trying to hack this person’s site, I would now start to investigate all the plugin directories listed to see if any had any security holes.

Second, I could look into the themes directory in much the same way as the plugins directory.

Do you see what I’m getting at? This can take a sinister tone pretty quickly in the wrong hands.

Well, fortunately, it’s very easy to plug this security hole: stop the directory from being listed! There are a couple of ways to accomplish this.

  1. Put a blank index.html file in every directory you wish to protect. The idea is that if someone goes to that directory, the web server, in most cases, will just load the blank web page instead of the directory contents.
  2. Ask your web hosting agent to disable directory listings for your website. Easier said than done.
  3. Modify the pre-existing .htaccess file to disallow directory listings. This is what I recommend, because it’s the simplest.

You will need to access the .htaccess file that is sitting in your /public_html folder on your hosting agent’s servers. (I’m making the assumption that you are running with a hosting agent that runs CPanel.)

It may or may not be there. But the idea will be to add the following lines of code at the bottom of this file:

# Block direct requests for the .htaccess file itself
# (Apache 2.2 syntax; Apache 2.4 still honours it through mod_access_compat)
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Hide every file from directory listings
IndexIgnore *
# Serve index.php, and only index.php, as the default document
DirectoryIndex index.php

Now, this addition to the .htaccess file will do the following things for you:

  • Stop anyone from accessing your .htaccess file
  • Tell the web server to not do directory listings
  • Only ever display the file index.php as the default web page
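Two small helpers for the options above, added here as an example (this is not code from the original post): the first does option 1 for a whole directory tree, the second audits an .htaccess file for the three protections the snippet above provides. One caveat worth knowing: `IndexIgnore *` leaves the listing page enabled but empty, whereas `Options -Indexes` switches listings off outright (the server answers 403), so the audit accepts either. The paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell with
# find(1) and grep(1); the paths passed in are assumptions (a local copy of the
# site or the document root on the host).

# Option 1, for a whole tree: drop an index.php stub into every directory under
# $1 that has neither index.php nor index.html. WordPress ships the same
# "Silence is golden" stub in wp-content/plugins and wp-content/themes.
# index.php is used rather than a blank index.html because the server may
# prefer index.html over index.php (the DirectoryIndex point made above).
add_index_stubs() {
    find "$1" -type d -exec sh -c '
        for d in "$@"; do
            if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
                printf "%s\n" "<?php // Silence is golden." > "$d/index.php"
            fi
        done' _ {} +
}

# Option 3: audit an .htaccess file ($1). Prints one line per check and
# returns 0 only when all three protections are present.
check_htaccess() {
    f=$1
    missing=0
    if grep -qi '^[[:space:]]*<Files[[:space:]]*\.htaccess>' "$f"; then
        echo "ok: .htaccess is protected from direct access"
    else
        echo "MISSING: <Files .htaccess> block"; missing=1
    fi
    if grep -qiE '^[[:space:]]*(Options[[:space:]].*-Indexes|IndexIgnore[[:space:]]+\*)' "$f"; then
        echo "ok: directory listings suppressed"
    else
        echo "MISSING: IndexIgnore * (or Options -Indexes)"; missing=1
    fi
    # Requires index.php to be the FIRST candidate, so a defaced index.html
    # dropped next to it would still lose.
    if grep -qiE '^[[:space:]]*DirectoryIndex[[:space:]]+index\.php' "$f"; then
        echo "ok: index.php is the default document"
    else
        echo "MISSING: DirectoryIndex index.php"; missing=1
    fi
    return $missing
}

# Usage (paths are assumptions):
#   add_index_stubs /home/user/public_html/wp-content
#   check_htaccess  /home/user/public_html/.htaccess
```

Run `check_htaccess` against the file after you paste the snippet in; a `DirectoryIndex` line that lists index.html first is reported as missing on purpose, since that ordering is exactly what the defacement described below relied on.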

The last point, setting the default web page, is important too. I had a bunch of websites defaced by a group of hackers that simply broke in through a brute force ftp attack and then put up their webpage, ‘index.html’ in all of my directories.

Out of the box, most web servers will display an index.html page before index.php! Guess what your wordpress uses? index.php.

So, it’s a small thing, but simple to protect against.

In conclusion, we looked at how to protect your website from hackers by stopping them from being able to see what we’ve loaded and are running. As mentioned, stopping hackers from seeing what you are running makes it much harder for them to find a way to compromise your setup.

This was part 2 of Secure WordPress From Hackers. I hope you enjoyed it!

Backup Your WordPress Installation

There are some really great plugins for backing up your wordpress installation, but I’m not interested in that for this article. What I’m interested in presenting is a way to backup your complete set of websites in one swoop.

The best thing is, if you follow these directions, you will never have to worry about a hosting agent going strange on you and holding your websites captive. Don’t laugh, I’ve had it happen. One hosting agent, who will remain nameless, went offline for almost two weeks. My sites went with it.

Fortunately, I had backups of my sites and was able to send them to another hosting agent, and within hours my sites were back up. This is the type of backup you want to have!

Another good thing about having backups is if your sites are defaced, you can easily recover them from your last good backup. No muss, no fuss!

Let’s get started. First off, you will need to select a hosting agent that supports the CPanel software interface system. Here are two recommendations if you are stuck; I’ve used both and they are both excellent: Hostgator and Scala Hosting.

I will be writing the remainder of this article, assuming that you are running with an agent that supports CPanel.

Once you’ve logged into your CPanel interface, there is a section named ‘Files’. Under here you will see an icon called, ‘Backups’.

CPanel Backup

Just a quick side note. You need to ensure you have enough disk space to store your backup locally on your web hosting agent. Normally, you will need as much space as you’ve already used, so if you have a disk quota, you need to make sure you stay under 50% with normal use.

Once you select ‘Backups’, you’ll be presented with the following screen. It looks a bit daunting, but no worries. We’ll be selecting the easiest option, ‘Download or Generate a Full Web Site Backup’.

CPanel Full Backup

The nice thing about this type of backup is that it backs up everything: all your specialty settings, email, email accounts, subdomains, everything that is part of your CPanel interface. With this backup in hand, you can transfer it to a new provider, or your current one, for a fast restoration.

Once you select this option, you’ll be provided with more options.

CPanel Backup Options

Here you’ll select ‘Home Directory’ for Backup Destination and insert your email address. The system should notify you once your backup is completed.

Finally, click on the button ‘Generate Backup’.

You should be presented with a message, stating much to the effect of what I just said.

[Screenshot: backup-in-progress confirmation message]

Ok, now you just have to wait it out. The backup could take several minutes to several hours to complete. Once completed, you should receive an email.

Once the backup is completed, it’s a simple matter of connecting to your web hosting agent with your favorite ftp program and downloading the backup to your personal desktop. Once you have a successful download, make sure you delete the backup that is sitting on your hosting agent.
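Before deleting the copy on the hosting agent, it is worth confirming that the download is actually intact; a dropped FTP transfer leaves a truncated file that looks fine until the day you need it. The check below is an added example, not code from the original post. It relies on the fact that a cPanel full backup is a gzip-compressed tar archive; the file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell with
# gzip(1) and tar(1) installed.

# Return 0 if $1 is a non-empty, intact gzip'd tar archive, 1 otherwise.
verify_backup() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or empty"; return 1
    fi
    # gzip -t walks the whole compressed stream, so a truncated download
    # (the usual result of a dropped FTP transfer) fails here.
    if ! gzip -t "$f" 2>/dev/null; then
        echo "FAIL: $f is not an intact gzip file"; return 1
    fi
    # Listing the archive proves the tar layer is readable and not empty.
    entries=$(tar -tzf "$f" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$entries" -eq 0 ]; then
        echo "FAIL: $f contains no files"; return 1
    fi
    echo "ok: $f lists $entries entries"
}

# Usage (file name is an assumption; cPanel names them backup-M-D-YYYY_user.tar.gz):
#   verify_backup ~/Downloads/backup-3-3-2014_user.tar.gz && echo "safe to delete the remote copy"
```

Only delete the server-side copy once `verify_backup` reports ok; if it fails, download again rather than trusting the partial file.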

And that’s how you perform a backup that covers not only wordpress but your entire set of websites, and that is 100% transferable from your CPanel web hosting agent. Remember, this only works with hosting agents that support CPanel. Here again are my two recommendations: Hostgator and Scala Hosting. Cheers!

Secure WordPress From Hackers

Securing wordpress seems to be more rumor and guesswork than fact on the Internet. I’ve purchased a couple of security guides over the past year and have been quite surprised how useless they really were.

More useless because they were not ‘reasonable’. One of the guides basically recommended tossing out the baby with the bath water. Their suggestions worked, but in the process, it broke more than it protected.

Well, let me save you $40 and tell you some very simple steps to protect yourself from hackers who enjoy defacing your hard work.

Your Hosting Agent

The first place to secure your wordpress installation is not with wordpress but with your hosting agent. I always recommend choosing a host that supports the use of the Cpanel software suite. Not for security, but for ease of use and portability.

With that said, I’m going to assume for the rest of this guide that you are using a hosting agent that uses Cpanel. If you are stuck and need a recommendation, here are two very good hosting agents: Hostgator and Scala Hosting.

I’ve used both and I personally do prefer Scala Hosting. They are a little smaller than Hostgator and do provide slightly better technical support, but that’s my personal opinion. Both are good. Enough diversion, back to securing wordpress!

The first and foremost thing you must learn to do to secure your wordpress installation is to learn to back it up. This is the most important task you can perform. No hacker on the planet can break the backup you store on your personal computer hard drive. And it’s a snap for your hosting agent to restore your complete site from a cpanel backup.

If you want more information about backups, here is a link: backup wordpress.

Securing FTP

Probably the biggest security risk will be your laziness. Sorry for sounding rash, but when you need to upload files to your hosting agent, you must have a username and password. And cpanel doesn’t help as it wants you to create a new ftp username and password per add-on domain.

When you select a username and password, use the cpanel’s ability to help you by choosing a random and complex password for your ftp username.

[Screenshot: the ‘Create an Add-on Domain’ subpanel]

Above you’ll see I’m in the subpanel titled ‘Create an Add-on Domain’. You can click on the picture to see it full size.

You can use the ‘Generate Password’ feature that will bring up the second box to the lower right quadrant. In it, I changed the default password length from 12 to 20. Then you simply click on the ‘Regenerate’ button and the ‘Use password’ button.

Now, I warn you: make sure you make a record of this password! It is completely random and very complex.
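If you would rather not lean on the cPanel generator, the same thing can be done locally. The script below is an added example, not code from the original post: it draws a password of the chosen length from /dev/urandom and puts a number on the 12-to-20 change made above by computing the password’s bits of entropy. The 70-symbol character set is my choice for the example, not cPanel’s.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell with
# /dev/urandom, tr, head and awk.

# 70 possible symbols per position: 26 + 26 letters, 10 digits, 8 punctuation.
CHARSET='A-Za-z0-9!@#$%^&*'
CHARSET_SIZE=70

# Print a password of $1 characters (default 20) drawn uniformly from CHARSET.
# LC_ALL=C keeps tr working byte-wise so the ranges mean plain ASCII letters.
gen_password() {
    LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "${1:-20}"
    echo
}

# Bits of entropy for a password of $1 characters over a set of $2 symbols:
# log2(size^length), truncated to whole bits. Every extra bit doubles the
# number of guesses a password-guessing attack has to make on average.
password_bits() {
    awk -v len="$1" -v size="$2" 'BEGIN { printf "%d\n", len * log(size) / log(2) }'
}

# Usage:
#   gen_password 20
#   password_bits 12 "$CHARSET_SIZE"   # prints 73
#   password_bits 20 "$CHARSET_SIZE"   # prints 122, i.e. 2^49 times more work
```

The jump from 73 to 122 bits is the practical point: a 12-character password from this set is already far beyond what the kind of online guessing described below can reach, and 20 characters leaves no doubt, at no cost once the password is recorded.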

Now why go through all this grief? Simple: I, like many other people, have been defaced by the simplest trick in the book. The supposed hacker who hacked some of my sites tried one password after another until they discovered my password.

Now, my passwords back then were not simple, but not this complex either. After talking with the hosting agent (after having to rebuild 33 sites; yes, I like to learn the hard way), they informed me that they had seen a ton of ftp traffic for about 6 weeks before the defacing.
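Six weeks of guessing is a long time for nobody to notice. The script below is an added example, not code from the original post, showing what the hosting agent could have flagged: it reads an FTP server log and reports every client address with more than a threshold of failed logins. The sample lines are constructed for this example in vsftpd’s log style (the `FAIL LOGIN: Client "..."` format); for another FTP server, adjust the `match()` pattern that extracts the address.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell and awk.
# SAMPLE_LOG is constructed for this example in vsftpd log style; the addresses
# are documentation ranges, not real hosts.

SAMPLE_LOG='Mon Mar  3 10:00:01 2014 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:00:03 2014 [pid 2103] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:00:05 2014 [pid 2105] [administrator] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:00:07 2014 [pid 2107] [webmaster] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:00:09 2014 [pid 2109] [webmaster] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:00:11 2014 [pid 2111] [ftp] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:00:13 2014 [pid 2113] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:00:15 2014 [pid 2115] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  3 10:02:40 2014 [pid 2140] [siteowner] FAIL LOGIN: Client "198.51.100.2"
Mon Mar  3 10:02:52 2014 [pid 2141] [siteowner] OK LOGIN: Client "198.51.100.2"
Mon Mar  3 10:03:10 2014 [pid 2142] [siteowner] OK UPLOAD: Client "198.51.100.2", "/public_html/index.php", 412 bytes'

# Read log lines on stdin; print "failures address" for every client with more
# than $1 failed logins (default 10). A genuine user mistypes a password a
# few times; dozens of failures, usually across a parade of usernames, are a
# guessing campaign and the address belongs in the host firewall block list.
ftp_brute_candidates() {
    awk -v limit="${1:-10}" '
        /FAIL LOGIN: Client "/ {
            if (match($0, /Client "[^"]+"/)) {
                # skip the 8-byte prefix (Client plus space plus quote) and
                # drop the closing quote
                ip = substr($0, RSTART + 8, RLENGTH - 9)
                fails[ip]++
            }
        }
        END { for (ip in fails) if (fails[ip] > limit) print fails[ip], ip }'
}

# Usage with the constructed sample (a real run would read the vsftpd log):
#   printf "%s\n" "$SAMPLE_LOG" | ftp_brute_candidates 5
```

On the sample, the single failure from 198.51.100.2 followed by a successful login is the site owner fat-fingering a password once; 203.0.113.7 cycling through admin, root and webmaster is the pattern to alert on and block, well before it has six weeks to run.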

Performing this very simple step of creating extremely complex passwords can easily protect you, and coupled with backups, it’s a sure-fire two-punch to the bad boys who would like to ruin your day!

I’ll be taking a deeper look at securing wordpress in my next article, part 2 of this series. There I’ll be looking at some web techniques to keep prying eyes out of your directories, so wannabe hackers cannot find what you are running in wordpress and further exploit security holes!

Stay tuned.

WordPress Redirect Hack

It’s recently become evident to me that the hackers are starting to look at plugin code to try and compromise your wordpress installation. One possible hack is with the wordpress redirect plugin.

I’ve been corresponding with a fellow wp’er, and some of his wordpress installations have started to ‘redirect’ to pages outside of his site, instead of to pages and posts within his site.

It immediately sounded like a redirect problem, so, on speculation, I suggested that he take a look at his redirect plugin. Sure enough, it seems that part of the hacking that occurred on his site centers around manipulation of the redirect plugin.

I don’t yet know the full scope of this, but I do know that there may be an easy fix for this issue. If you go into your admin panel, look for ‘Redirection’ under ‘Tools’.

[Screenshot: ‘Redirection’ under the Tools menu]

Select this, and you will be presented with this page. Here, under ‘Redirections for group’, select ‘Options’:

[Screenshot: the Redirection options page]

Once you select Options, go down the page and near the bottom you’ll see the following:

[Screenshot: the ‘Delete’ button for all redirects]

Click on ‘Delete’. Be forewarned: keep a record of any static redirects you’ve entered into the redirect module, because this will remove all of those too! You’ll have to re-enter any manual redirects that you’ve created after deleting all links.

Now, you will be asked to confirm the deletion, and afterwards the redirect plugin will be cleaned and disabled. You will need to re-enable the plugin afterwards.

I’m pretty sure that this will rectify the wordpress redirect hack but I still need to confirm this information.

If you encounter this problem and have more info, please comment below!