Wordpress Blog Hacking Prevention

Are you running a Wordpress blog on your website space? If yes, be careful, as it may be open to hackers. However, there are some prevention methods shared by fellow blogger AshChuan. Her blog was recently hacked into on January 24 and luckily no data was lost.

She later wrote another post with tips she found from Matt Cutts (Google employee) on protecting your Wordpress blog. I seriously never noticed how much Wordpress may be lacking in security.

Try entering this into your browser window (or new tab) - replace where necessary:

http://www.your-domain.com/wp-content/plugins/

You’ll find that your Wordpress plugins list is actually open for the whole Internet to see. This seriously was a shocker for me. And it was one of the steps the hacker used to hack Ashley’s blog. Having seen which plugins were installed, the hacker exploited one of the buggy ones: the wordpress forum plugin v1.7.4 by Fredrik Fahlstad.

According to Ash, the plugin allowed a hacker to perform a remote SQL injection exploit. She reported that the hacker gained access to her Wordpress blog admin and changed her password. Luckily, the database wasn’t damaged in the incident.

Matt Cutts said that uploading an ordinary index.html into the folder prevents a person from loading your plugins list. I’ve done it and it works like a charm. However, I’m now worried about other folders that may be accessible, as I’ve tested.

If you’d like to further secure your Wordpress blog, there’s a .htaccess method you can use. The details can be found on either AshChuan’s blog or Matt Cutts’ blog.

Any other Wordpress security measures you would like to share?

Updated: January 3, 2008
Geminigeek shared that adding Options -Indexes to your .htaccess is an easier way than creating an index.html in every Wordpress folder.

You will find the .htaccess in your blog directory - the folder where you installed your blog. Otherwise, you’ll need to create a new .htaccess file.
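To make the two checks above concrete, here is a small Python helper I’ve added (it is not from Matt Cutts’, Ash’s or Geminigeek’s posts): one function tells whether a page you fetched is Apache’s directory listing, and the other adds Options -Indexes to your .htaccess without touching the block Wordpress writes there. The function names and the sample page and .htaccess contents are my own constructed examples.

```python
"""Added example: detect an Apache directory listing and harden .htaccess
with "Options -Indexes". Names and sample data are constructed for this post."""
import re

# Apache's mod_autoindex page always carries a title of the form "Index of /path".
_AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def is_directory_listing(html: str) -> bool:
    """True if the body looks like Apache's directory listing, meaning the folder
    has no index file and listing is still switched on for it."""
    return bool(_AUTOINDEX_TITLE.search(html))


def harden_htaccess(existing: str) -> str:
    """Return .htaccess contents with 'Options -Indexes' present exactly once.
    Existing lines (e.g. Wordpress's # BEGIN/# END block) are kept as they are.
    Note: this only stops the listing; a file at a known path is still served."""
    lines = existing.splitlines()
    for line in lines:
        tokens = line.split()
        # Apache directives and their arguments are case-insensitive.
        if tokens and tokens[0].lower() == "options" \
                and "-indexes" in [t.lower() for t in tokens[1:]]:
            return existing  # already hardened; leave the file untouched
    # Put the directive first so it is in place regardless of later sections.
    return "Options -Indexes\n" + ("\n".join(lines) + "\n" if lines else "")


# Constructed sample responses (not captured from a real site).
LISTING_PAGE = ("<html><head><title>Index of /wp-content/plugins</title></head>"
                "<body><h1>Index of /wp-content/plugins</h1></body></html>")
BLANK_INDEX_PAGE = "<html><head><title>Blog</title></head><body></body></html>"

# Constructed .htaccess resembling what Wordpress writes for permalinks.
WP_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    print(is_directory_listing(LISTING_PAGE))      # True
    print(is_directory_listing(BLANK_INDEX_PAGE))  # False
    print(harden_htaccess(WP_HTACCESS))
```

Running it twice over the same file is safe, since the directive is only added when it is missing.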



Comments

9 Responses to “Wordpress Blog Hacking Prevention”

  1. Response #1 by Planet Malaysia on January 29th, 2008

    Thanks for the tips. Basically I didn’t have any protection before.

  2. Response #2 by GeminiGeek on January 29th, 2008

    Putting Options -Indexes in your .htaccess is way faster than manually creating an index file in each directory. It works for me.

  3. Response #3 by Danny Foo on January 30th, 2008

    plantmy:
    Well, a lesson learnt is a benefit gained. Or it goes something like that.

    gemini:
    Thanks for the suggestion. I’ve done that and it is easier. Will update the article. :)

  4. Response #4 by Chong on January 30th, 2008

    Thanks for the info.

  5. Response #5 by Ash Chuan on February 4th, 2008

    There’s a pretty comprehensive whitepaper on securing WordPress installations by blogsecurity.net.

    Worth downloading. It’s free. I’ve written a summary about the whitepaper on my website.

    http://ashchuan.com/blog/2008/02/03/securing-your-wordpress-installation/

  6. Response #6 by Danny Foo on February 5th, 2008

    Thanks for the sharing, Ash. I’m going to download and have a read through. :)

  7. Response #7 by Unreleased Wordpress 2.5 Sneak Peek on February 17th, 2008

    [...] Besides the above, I’m looking forward to the upgrade in Wordpress 2.5 and other features it may bring along. Of course, without the sacrifice of securing the Wordpress installation to prevent hacking. [...]

  8. Response #8 by tk2 on March 16th, 2008

    Adding index.html in the plugin folder will not prevent hackers from knowing your plugin list.

  9. Response #9 by Danny Foo on March 16th, 2008

    Thanks for sharing, tk2.

    Hope you’d be able to share a more secure way, since you came up with an automated way to guess what plugins the author could be running. :)
