Could Your Wordpress Blog Be Hacked?

November 3rd, 2008 | by Paula Brett |

More and more of my I.M. colleagues and indeed new people that I meet on line are `getting into blogging’. And why not? Blogs are relatively easy to produce and use, no matter which platform you choose, and they can be a brilliant tool for internet marketers.

However, no matter how easy they are to install and use, and no matter how helpful they can be to your business, the one thing that I’ve noticed more frequently is that many people are neglecting the security of their blogs.

Now I’m actually talking in particular about Wordpress blogs here. Yes, I have used Blogger blogs in the past, and I know that many people swear by them, but I found Blogger a bit too restricitive for my liking (though I understand that things have changed a lot at Blogger since I first used them).

Because Wordpress is an open source blogging tool, meaning that it’s free and available to everyone, it’s a prime target for hackers and ne`er-do-wells. Of course, the Wordpress development team are tireless in constantly working on the script for our benefit, but none of this is any use if we don’t actually get up off our backsides and do a bit of work on our blogs behind the scenes.

It’s par for the course to worry about your blog theme, your next blog post, your readership, attracting subscribers to your RSS feed etc. etc., but do you actually think very much about your blog’s security?

I suppose that I might perhaps see more Wordpress blog security problems than most, being in the hosting business.

Did you know that probably the biggest cause of server compromisation is actually people who install Wordpress blogs and other open source scripts and don’t keep them up-to-date with the latest versions and patches?

Hackers find it easy to search around, find a way in through an old script, hack your blog, access your email accounts, start sending viagra and cure for baldness spam emails `from you’ and generally get up to all kinds of nasty things.

I can’t tell you how many panicky emails I’ve had to answer from people who’ve logged into their blog one day and have been smacked in the face by a skull and cross bones proudly proclaiming that their carefully crafted, lovingly nurtured blog has been hacked by Hound Dog Horris the Hardcore Hacker!! Great!

So I’ve put together a few suggestions that you might like to implement to help keep your Wordpress blog `safe’

Keep Up-to-Date

First of all, the most obvious fix is to ensure that you keep your blog up-to-date with the latest version released by Wordpress.

Most Wordpress blogs display a little warning in the Dashboard that tells you when a new version is released and a link for you to click to download it. If yours doesn’t, then it’s worth checking the Wordpress website fairly regularly for updates. They also invite you to sign up for email notification of updates.

If you feel a bit daunted installing updates via FTP, or you installed your blog initially using Fantastico in your cPanel, so are not sure how to install the updates, Wordpress offer quite a good set of instructions for this.

Alternatively, due to high demand, we are now offering a script up-grade service at D9 Hosting (you don’t have to be one of our hosting clients to use this service, either - everyone is welcome!)

Plugins

It’s a good idea to hide the list of plugins you are using.  Any known vulnerabilities and bugs that may occur in some plugins can be used as tools to harm your website.

Check out your blog, now… http://yourdomain.com/wp-content/plugins

The chances are, you will see the full directory of all of your blog plugins, and in some cases, the date they were installed.

To hide your plugins, simply create an index.html file and upload it to the wp-admin/plugins folder. This index file can be blank or you can be really creative and add some promotions to it.

Another way that Hound Dog Hacker uses to determine whether your blog is furtile ground for hacking is to check which Wordpress version you’re using.

So, if you’re one of those that has put upgrading on the back burner, then you could be announcing that you’re ripe for a hack harvest with a huge magaphone!

How so?  Well, go to your blog… go on.. open a new tab in your browser and type in your blog’s url.  Then right click on your blog with your mouse and select View Source, View Page Source, or similar, from the drop down menu.

Check out the coding….. about 10-12 lines down, you will see something like this

<meta name=”generator” content=”WordPress 2.6.3″ />

Obviously the 2.6.3 version is the latest version as I’m writing this post today, and your one, hopefully, tells you the latest version on the day you check your code. However, there’s a possibility that you’ve not updated your version and an old version is showing. Naughty, naughty!  Talk about dipping your cut finger in shark infested water and inviting all the sharks for a slap up meal!!!  Slight exaggeration, there, but I’m sure you get what I mean?

Why advertise that you’ve been a bit too busy to update your blog to the latest version, or that that upgrade keeps getting shoved down your list of things to do?

I’ve been using an excellent plugin by David Kierznowski, which removes the display of your Wordpress version to help deter attacks.

Check out this page you are reading now, do the right mouse click and then view source code, you should simply see

<meta name=”generator” content=”WordPress ” />

So no-one knows I’m really a lazy mare who hasn’t updated her blog for about 3 years!!  Only joking, Hound Dog…

The plugin is merely one small .php file that you upload to your plugins folder, and then activate it in the usual way in the plugins section of your Dashboard. You can download it here

Block Access

A folder that Hound Dog Hacker likes to have a good old nosey around on your blog is your wp-admin folder - this is the storage place for all your blog’s most sensitive data. So here’s a quick tip to secure this directory…

Open notepad or wordpad on your computer, and add the following code:-

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
allow from TYPE YOUR IP ADDRESS HERE

If you don’t know your IP address, you can find it here http://whatismyipaddress.com/

Next, save your txt file as .htaccess and then upload it to your wp-admin folder.

NOTE: This method might be a pain in the neck for you if you don’t have a static IP address, however, if you are with an internet service provider that has a range, you can add the range.

I have to say that my IP address isn’t static BUT, I’ve only had to add extra IP addresses twice in the past 6 months or so, to allow me to login.

I did wonder why, when I went to my blog login page whilst on my laptop that I was denied access……. doh, then I realised that my .htaccess file was denying me access from this computer. I now keep the .htaccess file on my desk top and just add an IP address, if and when it changes, to the file and upload it in seconds. So your file might look something like this

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
allow from TYPE YOUR IP ADDRESS HERE
allow from TYPE YOUR IP ADDRESS HERE
allow from TYPE YOUR IP ADDRESS HERE

I hope this has helped give you some ideas, or at least galvanized you into taking a closer look at your blog security.

Does anyone use any other methods to protect their blog, I’d love to hear about them and I’m sure others would too… so don’t be shy, let us know.

If you would like to be notified the next time I make a post, sign up for Email Alerts or subscribe to the RSS feed. Many thanks for reading