How to protect WordPress blog from hackers
A recent hack of our blog made me realise that blogs running older versions of WordPress are at serious risk. I say “older version” because the company’s developers fix security issues as soon as they are found; WordPress Trac is where bugs are reported and tracked.
By releasing immediate security fixes they honour their end of the deal, but do we honour ours by upgrading WordPress accordingly? I have to say that most of us don’t. Beyond upgrading WordPress, there are server-related issues that may look simple but can be either your saviour or your doorway to destruction.
Exploits are inevitable; you will come across them every now and then. They are an unavoidable by-product of any major project and part of the bargain: you fix them and move on. Here is what can be done to stay safe:
- Subscribe to the WordPress development blog. That should keep you alert to the latest security patches and versions. Don’t just read it; act on it too, and upgrade accordingly. Upgrading might force you to take down your blog or site for a few hours, but that is still better than your server being brought down for good, right?
- It isn’t only WordPress you have to upgrade; keep an eye on your plugins too. I have experienced a persistent XSS vulnerability (plugin responsible: wp-feedstats 2.4) and an SQL injection vulnerability (plugin responsible: WP-Stats 2.01); fortunately both were taken care of.
- Stop anonymous comments and trackbacks. Why? There is a history of the WordPress Trackback Charset SQL Injection issue, as well as non-WordPress-related spam floods.
- Check your server file and folder permissions. Especially the Config.php file, which is a plain text file in a web-accessible directory. Not only is it web-accessible, it contains the login and password for your blog’s database. You don’t need to be a rocket scientist to figure out what happens if someone naughty gets access to that.
- Directories should have permissions of 755, NEVER 777. All files should have permissions of 644. If you do want to use the built-in editor, theme files should have permissions of 666, NEVER 777. Do not use any plugin that needs to write anything to the server. No matter how drastic it sounds, trust me, it will save your ass.
- Last but not least, if you are building your own theme, or have asked someone to do it for you, please check for the latest PHP security holes and common security flaws before using it as a template.
All of the above dos and don’ts are common sense, but unfortunately we get lazy and tend to ignore most of them. Learn from my mistakes.
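A permission audit that encodes the rules in the list above, added here as an example (it is not code from the original post). It assumes a standard layout with wp-content/themes and a wp-config.php (the file the post calls Config.php), and the sample tree it builds is constructed:

```shell
#!/bin/sh
# Added example (not from the original post). Checks a WordPress tree against
# the rules above: directories 755, files 644, theme files 644 or 666 when the
# built-in editor is used, never 777. The DB config (wp-config.php in a standard
# install) holds the database password, so it is additionally flagged whenever
# "other" can read or write it. Layout assumed; sample tree is constructed.

# Print one "TAG path" line for every violation found under $1.
audit_wp_perms() {
    root="$1"
    themes="$root/wp-content/themes"
    cfg="$root/wp-config.php"
    # Directories must be exactly 755 (a 777 directory shows up here).
    find "$root" -type d ! -perm 755 | sed 's/^/DIR-NOT-755 /'
    # Ordinary files must be exactly 644; themes and the config are checked below.
    find "$root" -type f ! -path "$themes/*" ! -path "$cfg" ! -perm 644 \
        | sed 's/^/FILE-NOT-644 /'
    # Theme files may be 644, or 666 if the built-in editor has to write them.
    [ -d "$themes" ] && find "$themes" -type f ! -perm 644 ! -perm 666 \
        | sed 's/^/THEME-NOT-644-OR-666 /'
    # The config must not be readable (004) or writable (002) by "other".
    [ -f "$cfg" ] && find "$cfg" \( -perm -004 -o -perm -002 \) \
        | sed 's/^/CONFIG-WORLD-ACCESSIBLE /'
    return 0
}

# Number of violations under $1; a deploy hook or cron job can fail on non-zero.
count_violations() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: a 777 uploads dir, a 666 plugin file and a 644
# (world-readable) config are violations; the 666 theme file is allowed.
build_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-content/themes/mytheme" "$root/wp-content/uploads"
    chmod 755 "$root" "$root/wp-content" "$root/wp-content/themes" \
        "$root/wp-content/themes/mytheme"
    chmod 777 "$root/wp-content/uploads"
    : > "$root/index.php";             chmod 644 "$root/index.php"
    : > "$root/wp-content/plugin.php"; chmod 666 "$root/wp-content/plugin.php"
    : > "$root/wp-content/themes/mytheme/style.css"
    chmod 666 "$root/wp-content/themes/mytheme/style.css"
    : > "$root/wp-config.php";         chmod 644 "$root/wp-config.php"
}

# Usage against a live install: count_violations /var/www/html
```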
5 Responses to “How to protect WordPress blog from hackers”

Also if you can:
- Have your webserver and database running in a chroot / jail. Then even if someone gets into your server they face a significant barrier to doing more damage.
- The ownership of files on the webserver and the process the webserver runs on should be different. This also makes it harder for a hacker to do more damage even if they do break in.
Good one Mike, though I won’t exactly call it a jail :) perhaps “secured facility” sounds better.
PHP’s include is just one of the many ways to do that. But first of all we need awareness and a full understanding of file permissions.
Thanks Kamrul – I should have been a little clearer by writing a “FreeBSD Jail” (http://en.wikipedia.org/wiki/FreeBSD_jail) or on other flavours of Unix a chroot (http://en.wikipedia.org/wiki/Chroot).
Chroot and Jail are not the exact same thing.
A chroot setup creates a virtual filesystem. For example, if your website was running in /var/www/segala and you have chrooted the web server to /segala, then the web server program (and any programs run by the webserver) think that /segala is the top-level directory on your filesystem.
A Jail is more powerful and can be used to create virtual machines that are kept separate from each other.
Cheers Mike for the tip, that Jail is new for me. I was familiar with Chroot though, having used it on several occasions. I’ll have to look into that Jail.
Virtual filesystems are becoming increasingly popular and necessary by the minute.
Thanks for this information, I need to secure my newly installed WordPress blog now. Again, thanks for sharing this.
Kenneth