
A Word About Wordpress Security…

Security is not really my “thing” but as someone who has been hacked more than once, I’ve learned the hard way. Whenever someone asks about WordPress in particular, I find myself saying the same thing so it just seemed easier to write this article so I can post a link.

If you blog or want to blog, chances are someone recommended WordPress and no wonder… with all the themes and plugins available, it’s a great choice for beginning and veteran bloggers alike. But there is a problem with WordPress that could shut you down before you can blink an eye…

It has to do with security. The popularity of WordPress and its open-source code combine to offer enticing opportunities for mischief makers who like nothing better than to break into web sites and wreak havoc.

Part of the problem is with PHP – the underlying programming language for the WordPress script. Bear in mind, I am far from a programming expert; as a matter of fact, I’m not a programmer at all. All I know is what I’ve learned from working with scripts for the past several years. What I’ve learned is this:

PHP scripts are among the most popular around. And I’ve had more PHP scripts hacked than any other type. That tells me PHP has some inherent problems. Here’s one I know about…

Many PHP scripts are capable of creating or modifying files and folders. To do this, they require permission from the webmaster (often this is you). These permissions are what control who has access to what files on your site. PHP generally requires global (777) permissions to do what it needs to do. The problem is, global permissions give anybody permission to create, modify, or even delete that file… even hackers.

While some web hosts have taken measures to prevent this – one of which is installing another script called “suEXEC” –

With both of the above problems, there is some controversy. I’ve seen some folks post that the problem runs deeper than this and is due to shared servers (cheap web hosting relies on sharing your server with lots of other sites) and inefficient server management. In other words, your host may not be dealing well with these issues on their end.

Okay, that may be true but I’ve been hacked several times on different hosts and I can tell you it’s ALWAYS the files with a 777 permission that are hacked.

So what to do about all this?

First, be careful about what scripts you install. Whenever possible, I opt for CGI scripts (another language – you’ll notice every domain and subdomain has a cgi folder) – these have presented less of a problem over the years.

I still install plenty of PHP scripts – especially WordPress blogs. These days, I monitor those installs much more closely. One of the easiest ways is to log on to your account with an FTP (File Transfer Protocol) program and look at the “modified” dates of folders and suspect files. Investigate any that look out of place.

How to spot a hacked file:

What I do is simply open the suspect file in a text editor. Most of the time I’ll transfer a copy from my site to a folder I create on my computer (I’ll call it “hacked files-August-2010” or something) and then open it with WordPad or some other simple text editor.

After you’ve seen a few PHP files, you’ll soon be able to tell right away, but if in doubt, open the original file and compare the two. If it’s hacked they will look different. Usually the inserted code is right at the top.
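The comparison described above can be done for a whole install at once rather than one file at a time. This is an added example, not code from the original post: it checks a live copy against a pristine copy of the same WordPress version and reports files that differ, files that are missing, and files that exist only in the live copy (an added file is as suspicious as inserted code). The directory layout and file contents are constructed here for the demonstration.

```shell
#!/bin/sh
# Compare a live WordPress directory against a pristine copy of the same
# version. Content comparison (cmp) is exact, unlike "modified" dates,
# which an intruder can reset.
set -eu

audit_against_pristine() {            # usage: audit_against_pristine PRISTINE LIVE
  pristine=$1; live=$2
  # files that exist in the pristine copy: missing or changed in the live copy?
  ( cd "$pristine" && find . -type f ) | sed 's|^\./||' | while read -r f; do
    if [ ! -f "$live/$f" ]; then
      echo "MISSING  $f"
    elif ! cmp -s "$pristine/$f" "$live/$f"; then
      echo "MODIFIED $f"
    fi
  done
  # files present only in the live copy (e.g. a dropped-in backdoor)
  ( cd "$live" && find . -type f ) | sed 's|^\./||' | while read -r f; do
    [ -f "$pristine/$f" ] || echo "ADDED    $f"
  done
}

# constructed sample: a pristine copy and a live copy with one altered
# file (code inserted at the top, as the article describes) and one extra file
build_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/pristine/wp-includes" "$root/live/wp-includes"
  printf '<?php\n// original\n' > "$root/pristine/index.php"
  printf '<?php\n// original\n' > "$root/pristine/wp-includes/functions.php"
  cp "$root/pristine/index.php" "$root/live/index.php"
  printf '<?php /* inserted */\n<?php\n// original\n' > "$root/live/wp-includes/functions.php"
  printf '<?php\n' > "$root/live/wp-includes/extra.php"
  echo "$root"
}

root=$(build_sample)
audit_against_pristine "$root/pristine" "$root/live" | sort
```

Point it at a fresh download of your WordPress version and your live files to get the same three-way report; anything listed as MODIFIED or ADDED is what you then open in a text editor.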

Can hackers be stopped?

In the real world? No. Not really. Like someone said to me once – locks just keep honest people out. But, just as you can do things to make your house or car less attractive to burglars, you can make changes to your website to encourage hackers to move on to easier pickings.

As I said before, watch those file permissions. Make sure every folder has a file named “index.htm”, “index.html”, or “index.php” – these are the most common. If your folder has no such file, create one. It need not have anything on it. All you want is to have something for browsers to see – even if it is blank space – if someone stumbles upon your folder. For example:

Let’s say you have an “images” folder on your website. Pretty common. On some hosts if you navigate to http://mysite.com/images/ and it has no index file in place, your browser will list every file in that folder. It may be possible to see more of your file structure too. If the folder contains sensitive files, anyone can look at or download them. My host tells me this is no longer necessary but I do it anyway.
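Both checks above (world-writable “777” permissions and folders with no index file) can be run over a whole web root in one go. This is an added example, not code from the original post; the web root layout it builds is constructed for the demonstration, and the index file names it looks for are the three the article names.

```shell
#!/bin/sh
# Audit a web root for the two things the article watches for: files or
# folders any user on the server can write to, and folders that have no
# index.htm / index.html / index.php and so may show a listing to browsers.
set -eu

# "777"-style problem: anything with the world-writable bit set
find_world_writable() {                 # usage: find_world_writable WEBROOT
  find "$1" -perm -002 \( -type f -o -type d \) | sed "s|^$1/||" | sort
}

# folders with none of the three common index files
find_dirs_without_index() {             # usage: find_dirs_without_index WEBROOT
  find "$1" -type d | while read -r d; do
    if [ ! -e "$d/index.htm" ] && [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
      echo "$d" | sed "s|^$1/||"
    fi
  done | sort
}

# constructed sample web root with one bad file and one bad folder
build_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/wp-content/uploads"
  printf '<?php\n' > "$root/index.php"
  printf '<?php\n' > "$root/wp-content/index.php"
  : > "$root/images/logo.png"
  chmod 755 "$root" "$root/images" "$root/wp-content"
  chmod 644 "$root/index.php" "$root/wp-content/index.php"
  chmod 777 "$root/wp-content/uploads"       # the classic wide-open upload folder
  chmod 666 "$root/images/logo.png"          # a world-writable file
  echo "$root"
}

root=$(build_sample)
echo "world-writable:"; find_world_writable "$root"
echo "no index file:";  find_dirs_without_index "$root"
```

Run against a real site it lists “images” (no index file) and “wp-content/uploads” (both problems) style findings; tighten the permission with chmod and drop a blank index file into each folder it names.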

Now about WordPress Security…

I’m not going to go into this because it’s already been done by people much more knowledgeable than I. But I will provide links so you can get this information yourself.

You can find an excellent white paper on WordPress Security here. You’ll also find loads of other security information on this site. It’s well worth a look and a bookmark.

Here is another good post on WordPress Security.

There are others but between these two, you should be a lot better off than if you just installed your blog and hoped for the best.

By the way, I don’t always utilize every technique these publications recommend. But there are several I always do – like install the role manager and use it. And change my prefixes. (Don’t worry, you’ll soon know what I mean :-)

This article is far from a definitive work on security. But it will get you started in the right direction and the information can help protect you from a lot of heart and headaches.

God bless,

Andy
