Skip navigation

Protecting Your WordPress Blog

I’ve written extensively about the choices you have in responding to negative comments and bloggers. You can respond or ignore, but never retaliate. However, a few months ago, Darren Rowse of Problogger was the victim of a spammer and hacker and it made me want to jump up and hit back, as I’m sure it did others when they found out.

Darren didn’t know his email newsletter had been hacked until he started to get hundreds of angry emails filling his inbox with nasty threats. He plunged in immediately to determine the problem and responded back by posting announcements on his effected blogs and emailing his newsletter mailing list, and then emailing each individual who emailed him explaining what had happened and apologizing for the criminal activity imposed upon him.

He moved fast and appeared to remain calm as he methodically responded to the attack. And he learned some lessons, including how he turned a negative into a positive, gaining more readers and fans in the process.

A couple months ago, a hacker publicly announced his list of WordPress blogs he was going to hack due to a security flaw in WordPress. This came right as the security flaw was patched in WordPress 2.0.7. Those on the hackers list who didn’t upgrade were vulnerable, and many were hacked, their blogs defaced. Each were warned as soon as the news came out by fans and web watchers, but some were still attacked. The blogosphere took care of their own and many helped out to restore the defaced blogs as fast as possible.

Not long after, news hit that a hacker broke into WordPress and contaminated the latest version of WordPress. The site was shut down immediately and the international crew of WordPress developers moved in to clean up the mess and prevent this from happening in the future. The announcement came out 12 hours later alerting everyone to update their WordPress version, no matter what version, and asked WordPress fans around the world to spread the word.

Earlier this year, a lot of people were angered when they found their downloaded WordPress Theme stuffed with ad links and other unwanted content. The issue became very hot and Matt Mullenweg asked the WordPress Community to vote on what they wanted done to protect WordPress bloggers from these possible threats, and the response was overwhelming. With the overwhelming majority in the Community wanting spam links and potentially risky WordPress Themes out of the WordPress Theme Viewer and other WordPress official sites, Matt complied.

There are still sites offering free WordPress Themes that may include security vulnerabilities, ads, and other unwanted elements, so WordPress users are still warned to beware.

You might think bad things only happen to the famous and most popular bloggers and online services, but bad things by evil people can happen at any time.

Are you prepared? Would you know what to do if bad things happened to your blog?

Preparing For Evil with a WordPress Blog

The reality of having any form of site on the Internet is that there are nasty people out there just looking for trouble. The trouble they may find could be your WordPress blog.

While most are familiar with fighting the evil of comment spammers, to help you prepare for possible hacking or problems on your WordPress blog, here are some tips.

Update WordPress Regularly

Yes, upgrading WordPress is a pain, though there are now WordPress Plugins like WordPress Automatic Upgrade WordPress Plugin that promise to make the process easier. The threat of losing some of our most valuable WordPress Plugins or the possibility of breaking our WordPress Theme with serious upgrades makes the decision to upgrade a nervous one.

Protecting your blog from security flaws and vulnerabilities is critical to keeping your blog safe, so don’t use Plugins and Theme issues to justify not upgrading. It only takes one open door for a hacker to enter, and you want to make sure those doors are closed as fast as they are found.

There are two types of upgrades available currently in WordPress. One is for the latest version, with all the improvements and security fixes. The other only includes the security patches and bug fixes for an older version. These versions are called “branches”.

Currently, to upgrade WordPress to the latest version, you would use the WordPress 2.2 branch. To upgrade along the WordPress 2.0 branch, you would use the latest version in that line.

WordPress 2.2 brought some changes to some template files and database tables, which caused some popular WordPress Plugins to break in the upgrade. Many of these WordPress Plugin authors had already upgraded their Plugins to be compatible with the new version, others moved a little slower, making a lot of users unhappy.

When making a major upgrade, check for the latest version of:

  1. The WordPress Plugins that your blog is dependent upon.
  2. Your WordPress Theme.

If you make changes to the WordPress core programming, which is not recommended as many of these can be achieved with a WordPress Plugin, make sure to keep a text file with all the notes and details of all the changes you have made. Store this in a safe place or in the wp-content folder, the one not impacted by upgrades, so you can refer to it after an upgrade.

With this as a guide, you can redo the customizations you made that may have been overwritten in the new version.

Update WordPress Plugins and Themes Regularly

Work is underway in the next version of WordPress to make it easier to get news of updates to WordPress Plugins, and hopefully it will include WordPress Themes. Until then, it’s critical that you check regularly for upgrades for the WordPress Plugins and Themes you use.

Blog Security offers a “WordPress Theme Scanner WordPress Plugin” which looks for common WordPress template flaws and security issues in your WordPress Themes, reporting on what may need changing or updating. It doesn’t get everything, but they are working on improving it all the time. Consider testing your WordPress Theme, whether or not you designed it yourself.

Currently, there is nothing similar for WordPress Plugins to check for security flaws and issues, though there are rumors that someone is working on one.

WordPress Plugins Panel - activated blogs and links to Plugin author sitesCheck with the WordPress Theme and Plugin author for updates on a regular basis. From the Plugins panel, you can click on the link to the Plugin’s official page to see if they have released an update or have news you need to know about running the Plugin on your blog.

WordPress Presentation Panel for WordPress ThemesFrom the Presentation panel, you can do the same thing with your WordPress Theme.

If you developed and designed your own WordPress Theme, it’s important to keep up with potential flaws and security risks you may have inadvertently included of your own accord or from code you copied from another WordPress Theme or article. I recommend you add the Blog Security blog to your feed reader as well as Mark Jaquith, , and the to keep track of such announcements.

Also check the , the online manual for WordPress Users, regarding the new version. There are often pages added which list Plugins and Themes reported compatible with the latest version.

Changing WordPress Themes – Check It First

Have you checked your WordPress Theme for evil? Recently, there were a lot of announcements of security flaws and unwanted advertising links embedded in WordPress Themes. Some didn’t realize that the WordPress Themes they had recently downloaded and installed on their blogs had hidden links, unwanted advertising, and other nasties.

Testing it with the WordPress Theme Scanner WordPress Plugin may help, but Pro Blog Design offers a few more suggestions, which you might want to try, along with these tips which include searching your WordPress Theme template files before you upload them to your web host server:

  • Search the Theme Files for http://: Search the template files and check every link reference within the files. If there is a link going somewhere you don’t want it to go, remove it or try another Theme.
  • Search for “script”: Search your template files for the word “script”. This indicates a Javascript. It could be a safe one, put there to help with the design, thus it would be mentioned within the Theme’s readme file or the link would go to a file within your Theme’s folder you could check to see what the script does. If it links to an off-site location, or looks suspicious, it might be.
  • View the Generated Page Source: Using your browser’s View > View Page Source feature, view the source code for your generated WordPress blog’s web page. You might not understand all of it, but look closely at all the code to see if something it linking to an off-site location or a bit of code that looks odd or like an advertisement. It could be.

Protect Your WordPress Blog Files

Quick Online Tips offers “3 New WordPress Security Tips I Learnt from Matt Cutts”, tips to help you better secure your WordPress blog and files.

In general, they are:

Remove the Version Meta Tag: In your blog’s header.php template tag, remove the meta tag named “generator” which states which version of WordPress you are using. Why help hackers know which version you are using so they can easily choose the scalpel to hack away at your blog.

Prevent Access to Your WordPress Folders: If you check your Plugins directory in a browser with http://www.example.com/wp-content/plugins you may see a listing of all of the Plugin files and directories. So can everyone else. The same may go for some of your other WordPress directories. There are a few ways to deal with this.

  1. Create a blank HTML or PHP file and put it in that directory.
  2. Put a password on the directories to prevent access. This is done through your host server’s backend management program, such as with Cpanel’s guide on protecting directories with passwords.
  3. Restrict access to those directories or files as explained in Hardening WordPress with .htaccess.
  4. Add disallow to your robots.txt file for these directories to stop search engines and other bots from indexing them.

While these seem easy, there are some drawbacks. If you restrict access to the wp-admin directory, it may block registered users from seeing parts of the Administration Panels, especially if they log on with a different IP address than they normally use. As I travel a lot, I frequently log in from various IP addresses, which would mean this method wouldn’t work for me.

Change File Permissions: You can set some of your files and directories to allow various degrees of access, be it to totally prevent all access to changing the file in any way, to only allowing access to change a file by a user/program authority. “Changing File Permissions” from the WordPress Codex explains how to change those file and folder permissions on your server, but if you do change them to make them have temporary wide open access, change them back afterwards.

For more on file permissions, see A Quick And Dirty CHMOD Tutorial from evolt.org.

Prevent Login Access

The new Login LockDown WordPress Plugin claims to:

…help increase security and reduce the chance of someone hacking into your WordPress installation.

…Login LockDown takes a different approach. Every failed login attempt is recorded, along with the timestamp of the attempt and the IP address of the user. If a user tries (and fails) to log in too many times within a certain time period, the system then blocks any login requests coming from that IP range until the lock-out is released. The lock-out period defaults to 1 hour, although that can be changed within the admin panel. The number of retires and the time period that they occur within in order to trigger a lock-out are also configurable from the admin section, and admins do have the ability to release an IP block manually (assuming of course that they haven’t locked themselves out).

There have been many requests to WordPress developers to improve the login and registration features to prevent hackers and registration spam. Hopefully, this will improve the security of logins in general.

Backup, Backup, Backup

If something does happen to your WordPress blog, be it for evil reasons or just “one of those glitches in the system” reasons, how recent is your most recent WordPress backup?

There are three steps to backing up your WordPress blog:

  1. Backup your WordPress blog database.
  2. Backup your WordPress Themes and Plugins directories.
  3. Backup your files and images and all non-WordPress specific files.

For more information on backing up WordPress, see:

Monitor Your Blog For Downtime and Breakdowns

A blog can break for many reasons, though rarely caused by evil doers. It’s usually something the blog owner has done that breaks the blog. The breakdown can happen immediately, or be overlooked, or happen unpredictably.

Before installing and activating a WordPress Plugin or Theme, or making any changes to your WordPress blog, back it up! This way, if something does happen, you have a replacement to put it right – back to the time and place where it was last right.

It also helps to monitor your blog for problems by checking your blog’s feeds or using a site monitoring service.

I cover more on how to monitor, troubleshoot, and fix your blog in When the Blog Breaks: Fixing Your Broken Blog and When The Blog Breaks: Site Monitoring.

Don’t Do Dumb Stuff

The last tip I have for protecting your WordPress blog is to not do dumb stuff.

  • Don’t work without a net. Backup EVERYTHING. Even as you are working on it – just in case.
  • Do not use a simple password like your name or the word “password”. Use a complicated and strong password.
  • Don’t tell people your password, put it in emails, or publish it (you think I’m kidding? It happens.)
  • If you change file permissions, change them back.
  • RTFM. Read tutorials, guides, instructions, and readme.txt files and follow them to the letter. They were written for a reason – with you in mind – so follow them first, before rushing to the Support Forums.
  • If you need help, don’t ask me first. Search first, check the , then hit the Support Forums appropriate for your version of WordPress.
  • If you are not technically included, and the underlying code terrifies you, don’t go digging. Use a WordPress Plugin to make the changes you want, or get someone who knows what they are doing to do it for you, or help teach you how to do it yourself.
  • When in doubt, don’t.

Member of the 9Rules Blogging Network


Site Search Tags: , , , , , , , , , , , , , , , ,
Feed on Lorelle on WordPress Subscribe Feedburner iconVia Feedburner Subscribe by Email

Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

29 Comments

  1. Derek
    Posted September 10, 2007 at 6:52 am | Permalink

    Great list of recommendations here. I had my site hacked once and the CHMOD settings were not set correctly, which caused the issue.

  2. Posted September 10, 2007 at 8:05 am | Permalink

    I think SandBox WordPress Theme is a good theme to use simply because it has CSS-only skins.

    No PHP, no JavaScript, no security issues.

  3. Posted September 10, 2007 at 9:45 am | Permalink

    While I love the Sandbox Theme, many Themes do not include Javascript and can be designed only through the CSS. They aren’t “skins” by the way. A “skin”, by traditional definition, only changes the surface. WordPress Themes include programming language which makes them “beyond skins”. We try to name things properly around here to avoid confusion. :D

    WordPress Plugins, however, often add Javascript. Because not all WordPress Plugin authors are really knowledgeable about security risks and issues involving such things, we need to do more to educate them on how to write more secure code.

  4. Posted September 10, 2007 at 10:22 am | Permalink

    yes, lorelle, themes are not skins. all the entries for the sandbox competition, and all the designs listed under the “customcss” tag are SKINS, not THEMES. engtech is right.

    Otto’s made the point on the wp-hackers list several times that hackers do not check your blog for the _presence_ of a vulnerability before hacking it (it’s an unnecessary HTTP request, since the attack vector is another HTTP request, there’s no incentive to do it twice). removing the “generator” link isn’t necessarily great advice in that regard.

  5. Posted September 10, 2007 at 11:34 am | Permalink

    Removing the generator tag is arguably safer, insofar as Google and other search engines can index based on that information, thus providing “hackers” the ability to quickly compile a list of potential targets through use of these search engines. So in theory, it’s a good idea.

    In practice, I doubt it actually makes much, if any, difference. Still, it’s not along the same lines as what I was talking about in wp-hackers, because the generator line causes you to potentially be included in a list that is theoretically likely to be compiled.

  6. Posted September 10, 2007 at 11:40 am | Permalink

    As was publicly announced not long ago, there were a couple of hackers who searched for a specific “vulnerable” version of WordPress and sought them out to do evil, justifying their reasoning as a way to call attention to the vulnerability. I can’t speak for their righteousness, but I believe that any excuse is a good excuse when you’re out to cause trouble. So why invite it, as Otto says.

    What good does it do anyone to provide the generator info anyway? Does it help search engines change how they move through the site? Does the information benefit WordPress in any way? If it don’t help, clean out the clutter. :D

    As for the “skin” reference, I wasn’t thinking about the contest or collection of “skin” versions of the Sandbox Theme but the general labeling of all WordPress Themes as “skins”. I should have been more clear on that. Thanks.

  7. Posted September 10, 2007 at 1:49 pm | Permalink

    I’m not sure if this is related to security or not, but is there something going on with your feed? For the past week or so Sage has told me that the feed is loading for as long as I let it sit there and think.

  8. Posted September 10, 2007 at 5:34 pm | Permalink

    Thanks for letting me know. The feed is working through Google Feed Reader. So I don’t know why you are having trouble with it.

  9. Posted September 10, 2007 at 7:31 pm | Permalink

    Very good article. Many thanks!

    The wp-plugins are very often not updated. On many sites…

  10. Posted September 11, 2007 at 4:36 am | Permalink

    Whatever it was, it seems to be working again. When I saw your reply last night it was still doing the same thing but when I checked it just now everything seemed to be playing nice again.

    Probably just a hiccup in my own setup.

  11. Posted September 11, 2007 at 1:58 pm | Permalink

    Lorelle, great article and well researched. We are planning to release a whitepaper shortly which will go into alot of these areas in greater detail, so look out for it.

  12. Posted September 12, 2007 at 6:02 am | Permalink

    Hi Lorelle, this is my first visit to your blog. It’s really great, very helpful!

    This article has really opened my eyes. There is so much to do with blogging, beyong the actual act of enjoying writing articles and publishing content. There are so many out there looking to spoil someones fun/creation.

    Thankyou for a great and very useful blog post :)

  13. Francisc Rusznyak
    Posted September 14, 2007 at 5:55 am | Permalink

    Very usefull article!
    But I think You forgot to mention something:
    “1. Create a blank HTML or PHP file and put it in that directory.”

    Wouldn’t it be better do say it has to be a file named “index” plus the extension? ;-)
    e.g. index.html or index.php (some hosts also allow .php3, .php4 etc.)

  14. Posted September 14, 2007 at 9:29 pm | Permalink

    Another tip to improve subfolder security – if you drop a blank index.htm or index.html file into the subdirectory, it prevents people from doing a directory listing and looking at the files there. It won’t stop accessing those files directly, but it will prevent people from getting a whole directory list and seeing everything (and accessing it) easily.

  15. Posted October 20, 2007 at 11:55 pm | Permalink

    Thanks for the great recommendations.
    LP

  16. peacefulone
    Posted December 2, 2007 at 12:02 pm | Permalink

    Hi! I have 5 sites! Today, all 5 of them were either hacked or wordpress crashed. I’m thinking it was the former. Your information is very helpful. Since, I don’t quite know how to execute it; I’ll have my son review it. Many Thanks. I av very grateful. By the By: I recovered all my articles! Yeah!

  17. Posted February 7, 2008 at 11:05 pm | Permalink

    That’s a great post. I once had to deal with this kind of nightmare(now I think it it over I think it was twice in one month)… I shudder at the thought of happening it again.

    If you are working with right people (and good hosting services), they can help you a LOT. All of these tips above can actually help you a lot…

    Varun Pratap

  18. Posted February 16, 2008 at 8:00 am | Permalink

    They have fixed most of the known vulnerabilities but Who knows! Update guys, both blog and content!

  19. Posted June 9, 2008 at 9:43 pm | Permalink

    Re: this advice: “Remove the Version Meta Tag” -> There’s no point in doing this. The WP version seems to be readable from wp-links-opml.php, wp-rss.php, wp-commentsrss2.php, wp-version, wp-rdf.php and wp-rss2.php as I found out today from the WP security scanner here: http://blogsecurity.net/cgi-bin/wp-scanner.cgi

  20. Posted June 10, 2008 at 8:24 am | Permalink

    @ UP:

    Removal of information on which version of WordPress you are using is a very good idea. The less information you give to the potential hacker who searches for that information in order to exploit vulnerabilities, the better. Is that what you are talking about?

  21. Posted June 12, 2008 at 7:15 am | Permalink

    Note that removing the generator is not quite as easy anymore. If you really want to do it, it can be done, but WordPress changed to unify the generator tag in the core instead of letting it be all over the place.

    This code in a plugin or the theme’s functions.php will do the trick:
    add_filter(‘the_generator’,create_function(‘$a’, “return ”;” ));

    That filters the generator function to return nothing at all, eliminating the generator code from *all* locations where it’s output.

  22. Posted January 18, 2009 at 11:25 pm | Permalink

    thanks so much for this . . .

    i’m new to WP and have enjoyed learning about how to lockdown my site and protect myself and my blog as i go along.
    :)

  23. Tim
    Posted January 26, 2009 at 5:10 pm | Permalink

    I thought one way to show your appreciation for being able to use someone else’s plugin was to provide a link to their plugin page. If I’m reading your recommendation about protecting access to the plugin folders correctly, it is a bad idea to let others know whose plugins you are using. Is this correct?

    Thanks.

    • Posted January 26, 2009 at 7:21 pm | Permalink

      @Tim: It is a great idea to tell the world about the Plugins you are using. That has nothing to do with protecting your Plugins folder on your server. Close that door, but let the words within your post content praise your favorite WordPress Plugins.

  24. Tim
    Posted January 27, 2009 at 10:07 am | Permalink

    Thank you Lorelle for the clarification. I enjoy reading your very helpful articles. Take care.

  25. Posted August 28, 2010 at 6:20 am | Permalink

    My blog was hacked today thanks for phpMyAdmin which helped me to get back access to my blog. Now i will have a very strong password to blog. One more thing I has done is As a matter of fact, wordpress stores all your details including your username and password in plain-text in the wp-config.php file in the directory. Now, if you have incorrect file permissions set, this sensitive information may be out in public. To make sure that doesn’t happen at least for this file, you can put this piece of code in your .htaccess file:

    order allow,deny
    deny from all

    This will set the correct file permissions and will prevent anyone from viewing this file.

  26. Posted August 28, 2010 at 6:25 am | Permalink
    
    order allow,deny
    deny from all
    
    
  27. Posted August 28, 2010 at 6:26 am | Permalink

    I am just unable to post the code here i tried twice if you need that mail me i will send it to you.


26 Trackbacks/Pingbacks

  1. [...] har en post under titlen: “Protecting Your WordPress Blog” der vel nok er værd at tjekke ud. Ikke mindst de gode råd: opdateringer og [...]

  2. [...] Protecting Your WordPress Blog [Lorelle on WordPress] [...]

  3. [...] przez GoogleReadera o nowym wpisie na blogu Lorelle – dotyczy tej samej tematyki i znajdziecie jeszcze więcej porad pomagających w zabezpieczeniu i bezpiecznym korzystaniu w bloga opartego na systemie WordPress. [...]

  4. [...] Protecting Your WordPress Blog While most are familiar with fighting the evil of comment spammers, to help you prepare for possible hacking or problems on your WordPress blog, here are some tips. (tags: blogging howto security tips WordPress) [...]

  5. [...] recently discussed ways to protect your WordPress blog from hackers and other nasties of web life, and today I cover how to protect your blog from the [...]

  6. [...] Speaking of blog security, Lorelle has a whole huge post on protecting your WordPress blog. [...]

  7. [...] Protecting Your WordPress Blog [...]

  8. [...] Protecting your WordPress blog [...]

  9. [...] Lorelle also has good advice for protecting your WordPress blog [...]

  10. [...] 5 WordPress Security Essentials – Lee Robertson How to Protect Your WordPress Site – Anita Campbell Protecting Your WordPress Blog – Lorelle Technorati Tags: Blogs, hacker, plugins, security, upgrade, [...]

  11. [...] dicas foram reunidas de vários blogs que li como da Lorelle, Matt Curtts e outros tutoriais que [...]

  12. [...] של וורדפרס: Hardening WordPress הגנה על וורדפרס בלוג מאת לורל: protecting-your-wordpress-blog נוספים:How WordPress Blogs Are Hacked five wordpress security essentials Security Tips and [...]

  13. [...] przez GoogleReadera o nowym wpisie na blogu Lorelle – dotyczy tej samej tematyki i znajdziecie jeszcze więcej porad pomagających w zabezpieczeniu i bezpiecznym korzystaniu w bloga opartego na systemie WordPress. [...]

  14. [...] Protecting Your WordPress Blog [...]

  15. [...] quickonlinetips.com, lorelle.wordpress.com. Image by [...]

  16. [...] http://www.lorelle.wordpress.com / [...]

  17. [...] Protecting Your WordPress Blog [...]

  18. [...] Protecting Your WordPress Blog [lorelle.wordpress.com] Personal << Big firms consider dropping health benefits [...]

  19. [...] Protecting Your WordPress Blog [...]

  20. [...] Security Essentials – Lee Robertson How to Protect Your WordPress Site – Anita Campbell Protecting Your WordPress Blog – [...]

  21. [...] Protecting Your WordPress Blog [...]

  22. […] Protecting Your WordPress Blog: I take a look at the various ways you can boost your blog’s security and improve your chances of avoiding being hacked or invaded. […]

  23. […] Protecting Your WordPress Blog: I take a look at the various ways you can boost your blog’s security and improve your chances of avoiding being hacked or invaded. […]

  24. […] Protecting Your WordPress Blog […]

  25. […] Protecting Your WordPress Blog: I take a look at the various ways you can boost your blog’s security and improve your chances of avoiding being hacked or invaded. […]

  26. […] WordPress users are not the only ones who need to watch themselves and protect themselves from security vulnerabilities and attacks. […]

Post a Comment

Follow

Get every new post delivered to your Inbox.

Join 20,103 other followers

%d bloggers like this: