Sanjeev Sabhlok's notes on technology, hardware, gardening

wordpress security – additional efforts today

http://codex.wordpress.org/Hardening_WordPress

Even today someone managed to login and knock me out from the blog. I've gone to phpmyadmin and fixed the issue, but I'm frustrated at the ease by which people can hack the blog.

Added two plugins:

a) AskApache Password Protect

– unfortunately this one worked only partially. Looks like most of it doesn't work. It locked me out. Luckily I had backed up the previous .htaccess files. DO NOT USE THIS.

b) WP Plugin Security Check

DID NOT WORK.

c) Lockdown WordPress Admin

This one is good. The link to this plugin is found at the very bottom. Change wp-admin to something else.

Addendum: on 12 Nov 2011

1) Added password protection to the wp-admin directory based on advice from here

2) Another way:

Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27

I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

I don't think I'm in a position to do this, though.

3) empty index.html file

By default your wordpress plugins directory is viewable by anyone interested in looking at it simply by typing http://www.yourdomainname.com/wp-content/plugins. Try it right now and see what I’m talking about. If you can’t see it, you are ahead of the game and can skip this item in your checklist, but if you can see your plugins, you are vulnerable to an attack on your blog. As with a lot of wordpress users, you may have also created some extra folders on your hosting account that may be viewable as well, and these can be fixed in the same way as your plugins folder.

There are two methods to use:

  • Add a blank “index.html” file into every folder that doesn’t have one.
  • Add this line of code to your “.htaccess” file in the root directory of your blog: Options All -Indexes

The second choice is the best method, because it allows you to block directory access to all folders, as opposed to finding each folder manually and creating a new file for it. You may end up missing important folders using the first method. If you’re not sure how to write to your .htaccess folder, you can find a lot of step by step instructions by googling “.htaccess”.

Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.

I already have an empty index.php 

4) blog version

And here’s a bonus tip: in the header.php file for your theme, you might want to check for a line like

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

I’d just go ahead and delete that line or at least the bloginfo('version'). If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog.

Basically what I've done is to delete bloginfo('version') from the Whitehouse theme header.php file.

5) robots.txt

I've inserted a new line in robots.txt based on advice from here.

6) CHANGE SECRET KEYS

If they stole your password and are logged in to your blog, even if you change your password they will remain logged in. How? Because their cookies are still valid. To disable them, you have to create a new set of secret keys. Visit the WordPress key generator to obtain a new random set of keys, then overwrite the values in your wp-config.php file with the new ones.

Very simple to do so.
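As an added example (my own, not from this post, the Codex page or WordPress itself), a small Python script that does step 6 without the copy-and-paste: it generates eight fresh 64-character values from the OS random source and rewrites the matching define() lines in wp-config.php, and refuses to run if any of the eight constants is missing, since a half-rotation leaves old cookies valid. The wp-config.php fragment inside it is constructed sample input; point rotate_salts() at a copy of your real file.

```python
import re
import secrets
import string

# The eight secret-key constants WordPress reads from wp-config.php.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus quotes and backslash, so values drop into a
# single-quoted PHP string without escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\"\\")
# Matches one define('AUTH_KEY', '...'); line, any quoting or spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(%s)\1\s*,\s*(['"]).*?\3\s*\)\s*;""" % "|".join(WP_KEYS))

def new_secret(length=64):
    # Fresh random value from the OS CSPRNG, same length the WP generator uses.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Return (new wp-config text, {name: new value}); every key is replaced,
    so all existing login cookies stop validating on the next request."""
    fresh = {}
    def _sub(m):
        fresh[m.group(2)] = new_secret()
        return "define('%s', '%s');" % (m.group(2), fresh[m.group(2)])
    new_text = DEFINE_RE.sub(_sub, config_text)
    missing = [k for k in WP_KEYS if k not in fresh]
    if missing:  # refuse a half-rotation: stale keys would keep old cookies alive
        raise ValueError("keys not found in wp-config.php: " + ", ".join(missing))
    return new_text, fresh

# Constructed sample wp-config.php fragment with the stock placeholder values.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated, keys = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
```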

sabhlok
