Don’t Get Hacked: WordPress Security Tips

In case you didn’t hear, ThemeShaper was hacked. You know what? It really sucks. I’ve got two tips and a plugin recommendation that I want to pass on to you so the same stupid thing doesn’t happen to your WordPress install. And these aren’t even my ideas! These are tried-and-tested things that just plain work.

After that comes a list of some further plugins and resources that’ll help harden up your WordPress install and keep hackers at bay. So read on.

Do a Fresh Install of WordPress, Plugins, & Themes

Do a fresh install of WordPress itself, your plugins, and your themes. That means deleting a whole whack of WordPress files, just like you would for an upgrade, and deleting and re-installing ALL your themes and plugins. If you’ve done ANY customization to any one of these files, go through it line by line, or restore a local version that never made it to your web server. And while you’re at it, start keeping local copies of your edited themes and plugins that have never been on your web server.

You’re doing this to help make sure your current setup isn’t already compromised.

Hardening WordPress with htaccess

The Blog Security blog has a great article on how to lock out anyone trying to mess with your WordPress files using .htaccess. It’s dead simple to do: it requires only cut-and-paste skills, FTP access to your server, and a quick trip to What’s My IP. Anyone can do it. Check it out now and harden your blog.

The Update Notifier Plugin

The single biggest exploitable entry point on any WordPress install is going to be outdated versions of WordPress, themes and plugins. If you don’t know how extreme this can get check out this comment from one of my readers.

I remember when something similar happened to me. Fortunately I managed to find someone willing to help who knew quite a bit more about WordPress than me. The breach was traced to a caching plugin that was out of date by about a week.

The Update Notifier Plugin helps solve this problem by checking the official repository on a regular schedule and sending you an email when it’s time to upgrade.

Further Security Resources and Plugins


About Ian Stewart

Ian Stewart is probably thinking about WordPress Themes this very minute. Don't forget to follow him on twitter.

17 Comments

  1. Posted December 5, 2009 at 10:41 am | Permalink

    Please use the antivirus plugin for security reasons: http://wpantivirus.com

    • Posted December 5, 2009 at 11:08 am | Permalink

      Very slick. I love how the template scanner scans the parent theme too not just the template files in the active theme. +1

  2. Posted December 5, 2009 at 11:11 am | Permalink

    I see the second piece of advice offered quite often in the WordPress tip-o-sphere, and I’ve always wondered if it is actually useful to people, because it assumes two (2) things that I would not assume:

    First, that you always access your WP admin from the same place.

    Second, that you have a static IP address at that place.

    For what percentage of WP users are both of these true?

    (In .htaccess you can of course “allow from” partial IP addresses, which will work for a dynamic address, and will still keep out most of the world.)

    In my view, the two things to do if you take the security of your WP site seriously are:

    First, choose a host that is serious and knowledgeable about security.

    Second, be prepared to be inconvenienced. Security comes at a cost.

    Cheers!

  3. Posted December 5, 2009 at 11:23 am | Permalink

    @ian sorry to hear about the attack :( I wish the hackers would concentrate their actions on sites and organizations who deserve some headaches, like the MPAA and RIAA etc ;)

    @Sergej cool plugin, will definitely be checking it out for my blogs.

  4. Posted December 5, 2009 at 11:24 am | Permalink

    @Stuart
    Thank you!

  5. Posted December 7, 2009 at 4:46 pm | Permalink

    Thanks for this Ian.

    @demitris – it’s not too hard to do a combination of IP and user authentication, which was necessary for one of my projects (I have a fixed IP but the client doesn’t). The .htaccess code I use is:

    # Apache 2.2 style directives. "Satisfy Any" means a request is let through
    # if EITHER the IP rules OR the Basic auth below succeeds.
    Satisfy Any
    order deny,allow
    deny from all

    #don't require user/pw from following IP addresses
    allow from 12.34.56.78

    # Everyone else must log in with a user listed in the htpasswd file.
    AuthType Basic
    AuthUserFile /path/to/htpasswd.file
    AuthName "restricted"
    require user wordpressuser

  6. Posted December 7, 2009 at 7:24 pm | Permalink

    You might also try this WordPress firewall plugin:
    http://www.seoegghead.com/software/wordpress-firewall.seo

  7. Posted December 13, 2009 at 4:35 pm | Permalink

    Just what I was looking for. I have been reluctant to do a WordPress install for this very reason.

    I will still contemplate installing until I feel confident I understand the full process of securing my blog; till then I will stick with WordPress.com.

    Thanks for the info.

    Lisa

  8. Posted December 15, 2009 at 7:56 am | Permalink

    Thanks for the article. I’m not good at coding, so I have difficulty following the tutorial; after I applied the code on my blog, my template got messed up. So for now I’m just following the WP updates, backing up my files, and installing the WP antivirus :)

  9. Posted December 16, 2009 at 1:09 pm | Permalink

    We should also talk about MySQL and security. For example, I bet many people set up a WordPress database with a “master” user. I like to create a separate user for each database and only give that user access to their WordPress database. Also, if possible, set up phpMyAdmin to only be accessible locally. If you are fortunate to have a setup where you can SSH remote / RDP into your server, then that’s another method to secure your server.

    Great blog! Best wishes and happy holidays!

    • Posted February 1, 2010 at 1:25 pm | Permalink

      Kris,

      I read somewhere that it’s best not to permit shell access to your user account. I don’t use the terminal, so I won’t miss such permissions. However, I’m not sure it’s a “best practice” per se to not allow a shell user. Wondering what you think about this: should we avoid using shell? (Is that the same as SSH? And how does it differ from SFTP?)

      thanks!
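    As an added example (not code from Kris or from the post) of the per-database MySQL account Kris describes above: one dedicated user, bound to localhost, with privileges only on its own WordPress database. The database name, user name and password are placeholders.

    ```sql
    -- Added example: least-privilege MySQL account for a single WordPress site.
    -- wp_blog, wp_blog_user and the password are placeholders; swap in your own.

    -- The database this one site uses.
    CREATE DATABASE IF NOT EXISTS wp_blog
      CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

    -- Account restricted to connections from the web server itself (localhost),
    -- so the credentials in wp-config.php are useless from any other machine.
    CREATE USER 'wp_blog_user'@'localhost'
      IDENTIFIED BY 'REPLACE_WITH_A_LONG_RANDOM_PASSWORD';

    -- Only the table-level privileges WordPress needs for normal operation and
    -- for plugin/core upgrades, and only on this one database. Deliberately no
    -- GRANT OPTION, no FILE/SUPER/PROCESS, and nothing on mysql.* or on other
    -- sites' databases.
    GRANT SELECT, INSERT, UPDATE, DELETE,
          CREATE, DROP, ALTER, INDEX,
          CREATE TEMPORARY TABLES, LOCK TABLES
      ON wp_blog.* TO 'wp_blog_user'@'localhost';

    FLUSH PRIVILEGES;

    -- Check: expect exactly "USAGE ON *.*" plus one GRANT line scoped to wp_blog.*.
    -- Anything global beyond USAGE, or a line for another database, is too much.
    SHOW GRANTS FOR 'wp_blog_user'@'localhost';
    ```

    Put the same user name and password in wp-config.php; a second site gets its own database and its own user, never a shared one.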

  10. Posted December 22, 2009 at 11:52 am | Permalink

    Backup, Backup, Backup!

    There are several plug-ins that will automatically backup your WordPress files and database. USE THEM!

  11. Posted March 13, 2010 at 10:42 am | Permalink

    Having a current backup is essential. You can do automatic backups that integrate with Amazon S3 using the WordPress Backup plugin.

  12. Posted April 1, 2010 at 3:42 am | Permalink

    After reading around here, I can’t believe that my sites are so insecure. I’ve always relied on my host (HostGator) to do backups. I can see this is not enough. I use WordPress a lot because of its user friendliness, but not being techie I can just never even imagine the way people can get at your sites. I always think ‘well, why would they want to’. But now I understand it’s not about that. People just do this stuff without having any reasons at all. I have been naive. Thanks for the tips.

    • Posted April 1, 2010 at 6:17 am | Permalink

      One WP plugin I highly recommend is WP Security Scan. It will check your website for known security vulnerabilities and recommend corrective actions to help reduce the risks of intruders accessing your website. The plugin says it’s compatible up to WP 2.8.4, but I am using it on several sites with 2.9.2 and it works fine. You can find it here: http://wordpress.org/extend/plugins/wp-security-scan/

      Securely yours,

      Regina Smola

  13. Posted April 12, 2010 at 5:46 am | Permalink

    Security is the most important thing if you’re using any CMS, especially an open source CMS :D

  14. Posted April 12, 2010 at 8:56 am | Permalink

    Wow!!! Nice stuff buddy…..
    Recently there was an attack on WordPress blogs by hackers. The saddest part is that the exploited security hole has not yet been identified.

    Dirty Attack Over Hundreds Of WordPress Blogs
    http://www.techpraveen.com/2010/04/dirty-attack-over-hundreds-of-wordpress.html

4 Trackbacks

  1. By WordPress Hacked? Total Security Lockdown on December 8, 2009 at 4:34 am

    [...] huge secret that I have had this WordPress blog hacked twice this year but some consolation is that I am not alone. Helpful resources: Alex recently launched a DVD course on WordPress security that is available for [...]

  2. By WordPress Hacked? Total Security Lockdown | My Blog on December 8, 2009 at 7:34 am

    [...] It is no huge secret that I have had this WordPress blog hacked twice this year but some consolation is that I am not alone. [...]

  3. By Wordpress.org Security « Jaded Notepad on December 13, 2009 at 4:30 pm

    [...] I just found a blog that goes into detail on this though I haven’t read the whole thing I’m listing it here for anyone interested in this topic Don’t Get Hacked [...]

  4. By Make Your WordPress Site Hack-Proof on December 14, 2009 at 1:59 pm

    [...] within the WordPress community have recently been hacked – for example, read this post at ThemeShaper. If it could happen here, it could potentially happen to you too – especially if you’ve [...]
