Securing your WordPress blog against Hacking

From Acenet Knowledgebase

Security is a growing concern, with hackers and script kiddies waiting to do bad things to your site. There are ways to make your blog more secure than it otherwise might be. This article discusses some measures an ordinary blogger can take to protect his/her blog.

Why a Blog Is Vulnerable to Hacking and Other Exploits

All websites on the Internet are vulnerable to hacking and other exploits. There are no exceptions. The reason is simple: unlike your own personal computer, which may only connect to the Internet sporadically (such as when you turn on your computer to surf), websites are hosted on servers that are permanently connected to the Internet, exposed to anyone who wants to connect to them.

Sites that run blog scripts, content management system (CMS) software or any other type of script have an additional area of vulnerability to contend with. The software (blog or CMS script) is actually online, along with your content. If there are any security holes in the software, they can be exploited by a person who connects to your website.

Symptoms of a Hacked WordPress Blog

If your blog has never been hacked before, you may wonder what the consequences are. In the past, hacked blogs have exhibited one or more of the following symptoms:

[1] The blog may be defaced.

[2] The hackers install hidden links on the blog that point to sites they own. Since Google ranks sites according to the number of links pointing to them (among other things), the intention is to make their site appear more important to Google.

[3] The hackers may inject some sort of script coding (usually JavaScript or an iframe) which will install some sort of malware on the computers of unsuspecting visitors.

[4] As a result of the above things happening, Google may remove the blog from their search engine results. Traffic to the blog will therefore plummet.

Hence, it's not just a matter of defacement if your site is compromised. There are serious side effects that will cost the blogger considerable effort just to clean up and recover.

Measures to Improve the Security of Your WordPress Blog

Keep Your WordPress and Plugins Updated to the Latest Version

There is an automatic update feature within WordPress starting with 2.7. However, there is an even easier plugin that allows you to download all of your backups in the process of updating. It can even be set up to upgrade, back everything up, and require no additional interaction other than clicking on it from the WordPress Admin page.

http://wordpress.org/extend/plugins/wordpress-automatic-upgrade/

Password Protect Your wp-admin Directory

Although the above measure is the only real solution to protecting your site, because it plugs the security hole itself, there are other, less effective methods that you can use in addition to keeping WordPress up-to-date.

One of them is to password protect your wp-admin directory on your site. This is different from setting a password for your WordPress user account. When you password protect your wp-admin directory, any attempt to directly load a page from that directory will cause a "401 Unauthorized" error unless a specific user name and password combination is supplied.

Like all other measures in this tutorial, password protecting the directory does not guarantee anything. However, it may help if hackers discover that one of the scripts in the wp-admin directory contains a security hole, and the WordPress developers have not yet issued a fixed version. Let's say for example that the admin.php script has a hole so that hackers can break into your system by accessing (say) "http://www.example.com/wp-admin/admin.php?exploit-security-hole". If you password protect your wp-admin directory, that exploit will not succeed unless the hacker also knows your username/password for that directory.

The procedure for password protecting a directory can be found in How to Password Protect a Directory on your website. If, after doing that, you find that you can no longer log into your blog, you will also need to set up a 401 error page for your site. To do that, see my tutorial How to Access Non-Drupal Folders on Your Drupal Website. Although that tutorial talks about Drupal, the procedure for setting up a 401 handler is the same if your blog is on an Apache web server (which is true for most sites). You can ignore the section "Enabling Support for other Directory Index Files" in that article -- it's not relevant for our purposes here.

There are a few things you should note about protecting your wp-admin directory.

When you log into your WordPress blog, you will be asked to enter two username/password pairs: one by the web server that is guarding your wp-admin directory, and one by WordPress for your blog user account.

For better security, you should set a username/password combination that is different from that which you use for your WordPress blog account. That way, if one pair is compromised in some way, at least you won't lose everything.

This password protection is not 100% foolproof.

The username and password are transmitted by your browser to the web server without encryption. Anyone sniffing your traffic will be able to find out your password. That goes for your WordPress blog account as well.

Also, there is no guarantee that the buggy script resides in the wp-admin directory. It may well reside in your main blog directory or one of your theme files or plugins. For example, at one time, the "xmlrpc.php" file, which is found in your main blog directory, was found to have a security flaw. Password protecting those other directories is out of the question, since it will cause other types of problems including the very important one that no one except you can read your blog.
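
The two Apache configuration pieces this section describes, the password prompt for wp-admin and the 401 error page, shown as an added example that is not part of the original article. It assumes Apache 2.4 with .htaccess overrides enabled and a site served over HTTPS; the file paths, the user name "gatekeeper" and /401.html are placeholders.

```apache
# ---- File 1: wp-admin/.htaccess (Apache 2.4 syntax) ----
# Create the password file outside the web root first, for example:
#   htpasswd -c /home/EXAMPLE_USER/.htpasswds/wp-admin.passwd gatekeeper
# EXAMPLE_USER and gatekeeper are placeholders. Use a user name and password
# different from your WordPress account, as the notes above recommend.

AuthType Basic
AuthName "wp-admin"
AuthUserFile /home/EXAMPLE_USER/.htpasswds/wp-admin.passwd
Require valid-user

# Basic authentication sends the credentials base64-encoded, not encrypted,
# so refuse plain-HTTP requests to this directory. Assumes mod_ssl is loaded
# and TLS terminates on this server; remove the line if TLS terminates on a
# proxy in front of Apache.
SSLRequireSSL

# Some themes and plugins call this one script from public pages. Exempt it
# only if front-end features break without it: the script is then reachable
# without the directory password.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- File 2: .htaccess in the site root ----
# If you can no longer log in after enabling the password, give Apache a
# 401 error page that actually exists. It must be a local path, not a full
# URL. /401.html is a placeholder page you create yourself.
ErrorDocument 401 /401.html
```

After uploading both files, loading any page under wp-admin without the directory credentials should return "401 Unauthorized" before WordPress's own login form appears.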

Run a WordPress Security Scan

There is a plugin which will scan your installation, and tell you what needs to be done to secure your site:

http://wordpress.org/extend/plugins/wp-security-scan/