Posted on March 29, 2009 - by CDS, 6 Comments

Tips to Secure Your WordPress Blog

I’ve just been through the ringer curing a client’s hacked wordpress blog. There are dozens of ways people can maliciously attack your blog, including DB injections, adding scripts to writable files, writing to your .htaccess files, and more. Below are a few things you can do to prevent people or autobots from commandeering your wordpress blog:

Use a Strong Password

You should use a strong, randomized password with uppercase, lowercase, numbers and special characters. It may be inconvenient to memorize, but it’s an important aspect to securing your blog. If you must have the password on file somewhere, it should be a hardcopy (ie on paper), and not stored on your computer somewhere. You should never use any part of your domain name in your password, or the word “blog”, or common names like your pets, kids, or birthdate. All of these things are quite easy to figure out.

Set Security Keys in config.php 

In config.php (or config-sample.php if this is a new install), find the following lines:

define(’AUTH_KEY’, ‘put your unique phrase here’);
define(’SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(’LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(’NONCE_KEY’, ‘put your unique phrase here’);

These should all be replaced with secure information, preferably long strings of random uppercase, lowercase, numbers, and special characters. You can go to https://api.wordpress.org/secret-key/1.1/ to generate random strings.

You can also add SECRET_KEY. Right under the code snippet above, add the following:

define(’SECRET_KEY’, ‘0000000000000000000000000′);

Replace the zeros with a long set of uppercase, lowercase, numbers, and special characters. You can go to http://api.wordpress.org/secret-key/1.0/ to have random strings generated.

For more information about what Security Keys do, see http://codex.wordpress.org/Editing_wp-config.php

Change mySQL table prefixes 

By default, wordpress uses the table prefix wp_. Since it’s the default, it’s pretty easy for malicious persons to figure out. When setting up wp-config.php, you can change the table prefix to pretty much anything you want (letters, number, underscores only). In wp-config.php, around line 57 you’ll find the code:

$table_prefix = ‘wp_’;

Simply change wp to something more complex. Be sure to keep the underscore at the end.

Plugins

askApache Password Protect - This plugin doesn’t control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site. This is the probably the most effective security plugin available, however, I’ve found that it does not work properly on a lot of servers. Hostmonster and GoDaddy, for instance, do not support Basic or Digets Authentication and therefore do not support this plugin. If your server allows all of the functionality required, this is your best bet to protect your blog.

BTEV - Bluetrait Event Viewer (BTEV) monitors events that occur in your wordpress install. BTEV tracks the following events, password_reset, delete_user, wp_login, lostpassword_post, profile_update, add_attachement, wp_logout, user_register, switch_theme.

Login Lockdown - Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.

Replace WP-Version - Security your WordPress-Installation and eliminate or replace your wp-version and database-version on easy way with a small plugin. If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog. This plugin replaces the WP-version with a random string < WP 2.4 and eliminate WP-version > WP 2.4.

WP Security Scan - Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

Stealth Login (or any similar plugin) – Allows you to define a different path to your login pages so that they are hidden from viewers. I discovered the importance of this function the hardway when someone successfully and continually was able to change the admin email address by running sql commands through the login form. They would run some command that changed the email address in mySQL, and once that was done they reset the password, which was then emailed to their address.

The good thing was that the BTEV event viewer plugin logged their ip address, and their failed login attempts. It basically provided me with a timeline of the hackers events, so I could pinpoint exactly when and from what page they were able to change the email address. Since they were apparently running sql commands through the login form, I installed stealth login (and banned their ip range). If they manage to gain access to the site again somehow, they won’t be able to find the login form to run the commands again.

*Note* I’m not sure if the comment forms are vulnerable as well, but I don’t think so because of where they write to the sql database. Again, I’m not 100% sure of that.

*Note* You should note also that Stealth Login (and probably other similar plugins) write commands to your .htaccess file, so you need to also make sure that chmod of the .htaccess file is set to 644. Otherwise, a more clever hacker could write to your .htaccess file and undo the redirects that Stealth Login creates.

.htaccess – restrict access to admin files

It’s a good idea to protect certain directories with .htaccess, particularly wp-admin folder. If you have a .htaccess file in your wp-admin folder already, download it first and append it with the information below. If you do not have a .htaccess file in wp-admin, create a new one in notepad and add the following:

# allows access to images, CSS, javascript to everyone
<Files ~ “.(css|jpe?g|png|gif|js)$”>
Allow from all
</Files>

# restrict access to your ip address only
Order deny,allow
Allow from 00.000.00.000 #replace this with your static ip address
Deny from all

This will restrict access to the admin folder to only the ip addresses specified. If you have  multiple admins, add each of their ip addresses to a new line. Save the file, and upload it to your wp-admin folder. Be sure to chmod your .htaccess files to 644 so they are not writeable by the public.

.htaccess – ban ip address or ip range

There are many ways to find the ip address of those who try or succeed in breaking into your wordpress blog. You can view the server logs, but I like to use the BTEV Event Viewer plugin. It lists all activity by ip address in a user-friendly manner. You can sort the events by “warnings”, “errors”, “notices” “debug”, or “display all”. This makes it really easy to monitor exactly who is doing what on your blog, and when. Regardless of how you determine if a ip address should be blocked, it is an easy task with .htaccess. The following code will block a single address. If you have a .htaccess file in your root directory already, download it first and append it with the information below.

# block a specific ip address
order allow,deny
deny from 00.00.00.00 #replace with ip address. repeat this line if blocking more than one
allow from all

If you find that you’re always blocking ip addresses from the same range (they will have similar beginning digits), you can block and entire range using the CIDR number or the ip range if you know it. Use the code below to block by CIDR number or ip range.

<Files *>
order allow,deny
allow from all
deny from 00.0.0.0/0 # CIDR number or ip range
</Files>

You can find the CIDR number of a given ip address at: www.subnet-calculator.com/cidr.php

Disable Annonymous FTP

Unless you need this function for some reason, you should have annonymous FTP disabled for your website. This is usually done in your hosting account admin panel. The procedure and allowances differ greatly across the many hosting platforms, and if you need assistance doing so you can always contact the support team of your hosting company. Some hosting companies do not allow you to delete the anonymous user, but you can restrict or deny its priveledges. Other companies may not have an annonymous user setup as a default… it all depends on the hosting company.

A really bad scenario would be having annonymous FTP enabled, coupled with a writeable .htaccess…. you could very easily have your entire website deleted.

That’s it for now…. I will be updating this post when additional information is available. Happy blogging!