I got a reminder last weekend about just how critical it is to secure your WordPress-based Blog.
Mine was hacked…
My own fault, to be sure… It turns out that the installation scripts can be very easily hacked and SQL-injected. The end result is that the tables for your blog end up being destroyed. Fortunately for me, my hosting provider does regular backups.
So, after recovering my data the next step was making sure I didn’t have that happen again. After a bit of research and looking at a couple of websites I found the following steps can pretty well resolve future problems.
Restrict access to your wp-admin directory.
This one is probably the most important. Simply block all access to your admin pages except from the IP address of the location you will be accessing the admin pages from the most. It’s very hard to spoof an IP address and as long as no one knows the IP address you manage your blog from, it becomes even more difficult.
In the wp-admin directory create a file called .htaccess and have it include the following:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xx.xx.xx.xx
Replace “xx.xx.xx.xx” with the IP address your blog's server sees you connecting from; for most home and office connections that is the public address of your router or firewall rather than your PC's private address. If you're unsure what it is, a site like http://whatismyipaddress.com/ will show it.
This one step will block most of the script kiddies and quasi-hackers out there.
Place an empty ‘index.html’ in the plugins folder.
I have no idea why the WordPress distributors don't do this, but the wp-content/plugins folder in the WordPress distribution is left wide open to be viewed by all: request the directory's URL and the web server lists its contents. So anyone can see which plugins you run and exploit them as appropriate. Rather than make another .htaccess file, just put a blank index.html file in here and call it done.
Remove the ‘version’ string from theme files
Use this tip with a bit of caution – it could cause stats plugins for WordPress to stop working. If you don’t know what those are, then feel free to use this tip.
- Go to the WordPress dashboard, click on Design -> Theme Editor -> Header (header.php)
- Find and remove the bloginfo('version') call (it appears as <?php bloginfo('version'); ?>) and save the file.
If the theme editor shows the file as read-only, edit header.php directly under the wp-content/themes/<themename> directory instead.
You can also read the Codex for more information on making the file writable.
Remember to re-apply these changes when you upgrade.
When you upgrade to a newer version of WordPress most of the ‘quickie’ upgrade guides have you replace your old version of your WordPress files with the new version. These guides often entail removing the current directory contents and replacing them with the files from the newer WordPress release. Just make sure to set these changes you’ve made aside so that you can re-apply them after you upgrade.
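A script that applies the three changes above (the wp-admin IP whitelist, the blank index.html in wp-content/plugins, and the removal of bloginfo('version') from header.php) and can be re-run after every upgrade, as an added example; it is not from the original post and not part of WordPress. It assumes an Apache server and the standard layout (<wp_root>/wp-admin, <wp_root>/wp-content/plugins, <wp_root>/wp-content/themes/<theme>/header.php); the script name harden_wp.sh, the function names and the sample address 203.0.113.7 are made up for this example. The generated .htaccess leaves out the AuthUserFile/AuthName/AuthType lines from the post, which enforce nothing without a Require directive, and goes a little beyond the post in two ways: it emits the Apache 2.4 "Require ip" form next to the 2.2 Order/Deny/Allow form, and it keeps wp-admin/admin-ajax.php reachable, because plugins and themes call that file from the public pages and a blanket block on wp-admin breaks them. Note that the blank index.html only stops the directory listing; individual plugin files remain directly readable.

```shell
#!/bin/sh
# harden_wp.sh (hypothetical helper, not part of WordPress): re-applies the
# three hardening steps from the post so they survive an upgrade, then checks
# them. Assumes <wp_root>/wp-admin, wp-content/plugins, wp-content/themes/<theme>.

# Accept a dotted IPv4 address with an optional /prefix, e.g. 203.0.113.7/32.
valid_ipv4() {
    case $1 in
        ""|*[!0-9./]*|.*|*.|/*|*/|*/*/*) return 1 ;;
        */*) prefix=${1#*/}
             case $prefix in *[!0-9]*|*.*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    set -- $(printf '%s' "${1%%/*}" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Step 1: wp-admin/.htaccess admitting only $2. The Require form is Apache 2.4,
# Order/Deny/Allow is 2.2 (or 2.4 with mod_access_compat). admin-ajax.php stays
# open because front-end plugins and themes post to it from public pages.
write_admin_htaccess() {
    cat > "$1/wp-admin/.htaccess" <<EOF
# Generated by harden_wp.sh - re-run after every WordPress upgrade
<IfModule mod_authz_core.c>
    Require ip $2
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $2
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
EOF
}

# Step 2: blank index.html stops the directory listing of wp-content/plugins
# (the plugin files themselves stay readable). An existing file is left alone.
seal_plugins_dir() {
    [ -d "$1/wp-content/plugins" ] || return 1
    [ -e "$1/wp-content/plugins/index.html" ] || : > "$1/wp-content/plugins/index.html"
}

# Step 3: delete the <?php bloginfo('version'); ?> call from a theme header.
# Writes via a temp file because sed -i differs between GNU and BSD sed.
strip_version_string() {
    [ -f "$1" ] || return 1
    sed "s/<?php *bloginfo( *['\"]version['\"] *); *?>//g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_wp <wp_root> <allowed_ip> [theme]: apply all three steps.
harden_wp() {
    [ -d "$1/wp-admin" ] || { echo "no wp-admin under $1" >&2; return 1; }
    valid_ipv4 "$2" || { echo "not an IPv4 address or CIDR: $2" >&2; return 1; }
    write_admin_htaccess "$1" "$2"
    seal_plugins_dir "$1"
    if [ -n "$3" ]; then
        strip_version_string "$1/wp-content/themes/$3/header.php"
    fi
}

# check_wp <wp_root> [theme]: report each step; non-zero exit if any is missing.
check_wp() {
    status=0
    if grep -Eq '^[[:space:]]*(Require ip|Allow from) [0-9]' "$1/wp-admin/.htaccess" 2>/dev/null; then
        echo "ok   wp-admin/.htaccess restricts access by IP"
    else
        echo "MISS wp-admin/.htaccess has no IP restriction"; status=1
    fi
    if [ -f "$1/wp-content/plugins/index.html" ]; then
        echo "ok   wp-content/plugins/index.html present"
    else
        echo "MISS wp-content/plugins/index.html"; status=1
    fi
    if [ -n "$2" ]; then
        header=$1/wp-content/themes/$2/header.php
        if [ -f "$header" ] && grep -q "bloginfo( *['\"]version['\"] *)" "$header"; then
            echo "MISS $2/header.php still prints the WordPress version"; status=1
        else
            echo "ok   $2/header.php does not print the version"
        fi
    fi
    return $status
}

# Command-line use: sh harden_wp.sh <wp_root> <allowed_ip> [theme]
if [ $# -ge 2 ]; then
    harden_wp "$1" "$2" "$3" && check_wp "$1" "$3"
fi
```

Run it once after restoring or upgrading, e.g. sh harden_wp.sh /path/to/blog 203.0.113.7 mytheme (constructed values); check_wp then prints ok or MISS for each item and exits non-zero if anything is missing, so it can also run on its own as a quick audit after a "quickie" upgrade has overwritten the files.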