June 1, 2011
Hack-proof your WordPress installation and web server
Download the Word file that seeks to consolidate my – ongoing! – learnings here.
As a common user of WordPress software hosted on my own domain, I find web security to be my greatest problem.
What are the vulnerabilities of WordPress and web servers?
PHP, the language in which WordPress is written, is the key vulnerability. This leads to vulnerabilities in phpMyAdmin, dokuwiki, phpBulletin, which act as gateways to the UNIX shell and MySQL database. Also, many plugins create vulnerabilities, not being written by expert programmers. Since it is impossible to run a WordPress blog without using plugins (and PHP code), the whole thing is a SECURITY NIGHTMARE!
In general, methods of hacking apparently include: code injection, web servers, HTTP methods, SQL injection, CRLF injection, cookie manipulation, script language errors, cross-site scripting. The vulnerabilities of an ordinary WordPress user are so extensive that the ordinary WordPress blog is certain to get hacked. The wave of attacks occurring in the world is now almost out of control. See this excellent slideshow.
Solutions to protect your WordPress blog
Given that you can't master web security, do the following. These are band-aid solutions, and only provide a second-best alternative (to hiring professional help), but they will keep the blog going for a while.
[For ways to recover from a (frequent) WordPress disaster, click here]
Keep WordPress installation up to date
Apparently these guys are aware of how the WordPress loopholes are being exploited, and they try to resolve security issues with each update.
Install WordPress security software/ plugins
a) WP Security Scan (which pointed out I had a number of security holes, particularly not having .htaccess files)
b) BulletProof Security – this installs .htaccess files. If plugin directories are visible to external people, they can crack the security loophole of the least-protected plugin (i.e. older version plugins). Once they can get in, apparently they can then get shell access.
Watch out for "growing" web-disk
If your web disk (hard disk usage on the server) is growing without explanation, that's a warning bell! Excessive use of monthly bandwidth is also a give-away.
Check where the "growth" is taking place
Use the "Disk Space Usage" option in the control panel to find out where the growth is occurring.
Run the Clam AV anti-virus software from the control panel
Most hackers will have installed phishing pages and other rubbish, including viruses, on your server. This can be readily detected by this anti-virus software. It then neutralises all files that have been detected. Most importantly, it will show you the locations of these directories, and you can search these places and remove the files. The kinds of viruses found on my server include: DoS.Linux.Blitz
Run Webmail (Horde)
This will often show thousands of phishing emails that have bounced. The emails are important since they reveal the locations of the attack files. Destroy the files.
Many examples of inserted code exist, but these were from recent emails:
SQL injection attacks discovered:
Boss, there was an injected target on sabhlokcity.com/2011/03/review-of-geoffrey-millers-spent/?cid=21997&wpmp_tp=1&wpmp_switcher=desktop by 220.127.116.11
Boss, there was an injected target on sabhlokcity.com/wp-content/themes/whitehouse/single.php by 18.104.22.168
Boss, there was an injected target on sabhlokcity.com/2010/05/get-used-to-it-the-climate-always-changes by 22.214.171.124
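The alert e-mails above name a target URL and a source IP but nothing else, so the first triage step is turning a pile of them into a list of what to inspect. The following is an added example, not part of the original post: it parses the three alert lines quoted above (embedded here as a constructed sample), counts alerts per source IP, and separates targets that name a file under wp-content (a file on disk worth comparing against a clean copy) from targets that carry URL parameters (an injection attempt via the request, worth checking in the access logs).

```python
"""Triage 'injected target' alert lines into a list of things to inspect."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Pattern of the alert line: "... injected target on <url-without-scheme> by <ipv4>"
ALERT_RE = re.compile(
    r"injected target on (?P<target>\S+) by (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: the three alert lines quoted in the post, verbatim.
SAMPLE_ALERTS = """\
Boss, there was an injected target on sabhlokcity.com/2011/03/review-of-geoffrey-millers-spent/?cid=21997&wpmp_tp=1&wpmp_switcher=desktop by 220.127.116.11
Boss, there was an injected target on sabhlokcity.com/wp-content/themes/whitehouse/single.php by 18.104.22.168
Boss, there was an injected target on sabhlokcity.com/2010/05/get-used-to-it-the-climate-always-changes by 22.214.171.124
"""


def parse_alerts(text):
    """Return one dict per alert line with host, path, query string and source IP."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (mail headers, signatures, etc.)
        # The target has no scheme; prefix "//" so urlsplit treats the first segment as host.
        parts = urlsplit("//" + m["target"])
        events.append({"host": parts.netloc, "path": parts.path,
                       "query": parts.query, "ip": m["ip"]})
    return events


def summarize(events):
    """Group parsed alerts into a triage view."""
    return {
        # Repeat offenders: candidates for blocking at the firewall or in .htaccess.
        "by_ip": Counter(e["ip"] for e in events),
        # Targets that are files under wp-content: diff them against a clean install.
        "wp_content_files": sorted({e["path"] for e in events
                                    if e["path"].startswith("/wp-content/")}),
        # Targets hit with URL parameters: look these requests up in the access log.
        "parameterised": sorted({e["path"] for e in events if e["query"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{key}: {value}")
```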
Look for particular file types
Assuming you are using a bash shell, check the shell history. It is possible that it will contain the steps the attacker took to set up a backdoor on the system.
I've not done this much, since it seems to me that most times hackers don't actually discover your password: they over-write it in the MySQL database. However, this is advised by a few people on the internet.
Learn from Google's web security website
Read/ subscribe to websites that provide hints on security:
Try using web security software
There is software that claims to detect security gaps in one's website. First, this yields a lot of technical jargon which few can understand. Second, one of these, in "attacking" my website to determine security gaps, hung and never finished, creating gigabytes of stuff on the server. Be very careful while using this software!