Lead developer for WordPress core and WordPress security expert Mark Jaquith’s presentation on Theme & Plugin Security from WordCamp Phoenix 2011 is a must-watch video for all Theme Developers. Check it out.
In case you didn’t hear ThemeShaper was hacked. You know what? It really sucks. I’ve got two tips and a plugin recommendation that I want to pass on to you so the same stupid thing doesn’t happen to your WordPress install. And these aren’t even my ideas! These are time tested and tried things that just plain work.
After that comes a list of some further plugins and resources that’ll help harden up your WordPress install and keep hackers at bay. So read on.
Do a Fresh Install of WordPress, Plugins, & Themes
Do a fresh install of all WordPress, your plugins, and themes. That means deleting a whole whack of WordPress files just like you were doing an upgrade. And deleting and re-installing ALL your themes and plugins. If you’ve done ANY customization to any one of these files go through them line by line or re-store a local version that never made it to your web server. And while you’re at it start keeping local copies of your edited themes and plugins that have never made it to your web server.
You’re doing this to help make sure your current setup isn’t already compromised.
Hardening WordPress with htaccess
The Blog Security blog has a great article on how to lock out anyone trying to mess with your WordPress files using htaccess. It’s dead simple to do and requires only cut-paste skills and FTP access to your server, and a quick trip to What’s My IP. Anyone can do it. Check it out now and harden your blog.
The Update Notifier Plugin
The single biggest exploitable entry point on any WordPress install is going to be outdated versions of WordPress, themes and plugins. If you don’t know how extreme this can get check out this comment from one of my readers.
I remember when something similar happened to me. Fortunately I managed to find someone willing to help who knew quite a bit more about WordPress than me. The breach was traced to a caching plugin that was out of date by about a week.
The Update Notifier Plugin helps solve this problem by checking the official repository on a regular schedule and sending you an email when it’s time to upgrade.