Late on Friday, I read a post from Allen Stern in FriendFeed saying that his blog, CenterNetworks had been, once again, injected with spam links. Allen runs his blog on the latest WordPress installation, 2.8.4, which we all figured was really secure.
I had upgraded barely a week ago, so I instantly checked my blog and lo and behold, I had been hacked as well.
There is something inherently wrong with WordPress’ code if it’s this easy to hack it, even with the tightest security measures, which in my case, include the top 5 of the 7 items listed below. I felt completely let down by WordPress and for a moment thought that it’s time for me to move on to something else for my blog.
I am giving WordPress a last chance, and have enforced the following security measures to see how it goes, and I highly recommend you enable these as well if you are running WordPress.
So here’s the list:
- Use a strong admin password and change it to something else that’s not ‘admin’. WordPress will let you know how strong your password is. Do not leave the password form without seeing a green indicator and the word “Strong” in it.
- Do not use FTP. It sucks, especially for the easy upgrading, but leaving the FTP port open on any server is an invitation to easy hacking. Use SSH only to get into your server.
- Do a search on your blog for possible backdoors, which are usually left in theme directories (and sometimes in the WordPress core files). To do this just type grep -rin "eval(base64" path-to-blog/* on the server, or download your blog files to a local Windows/Mac machine and use a text search tool. There’s also a tool called WP Security Scan that might work for this purpose.
- Check your blog often with my spamcheckr tool. Even though I’m eventually going to write an automatic monitoring tool, for now just use it once a week to make sure you’re not hacked.
- When hacked, always start with a clean install. Do not copy files from your previous attacked folder. The only safe thing to do is to copy your images and that’s it. Install WordPress and the necessary plugins from scratch.
- If possible, close your wp-admin directory to specific IPs. This one comes from Matt Cutts’s blog and it doesn’t make sense if you are always accessing your blog from different locations. But if you usually log in from home and work, create an .htaccess file in your wp-admin directory with the following text (this will only allow you to open your admin panel from the specified IPs):
AuthName "Access Control"
# evaluate deny rules first, then let the allow rules below punch holes
order deny,allow
deny from all
# whitelist home IP address
allow from xx.xx.xx.xx
# whitelist work IP address (a partial address like xx.xx.xx matches every host in that range)
allow from xx.xx.xx
- Only make wp-content/uploads writable by Apache. Make everything else (including your themes) only writable by your SSH user. You don’t need to edit your themes everyday, right? So when you do need to edit your themes, just SSH in and change the ownership while you work on them and then protect them again. That way you’re guaranteeing that hackers won’t be able to rewrite your themes from the WordPress Dashboard if they manage to get in.
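The backdoor grep from the third item and the permission rule from the last one can be run together as a small audit script. The script below is an added example, not code from the post, from WordPress or from WP Security Scan; it assumes only POSIX sh, find and grep, the extra signature strings beyond eval(base64 are my additions, and the blog tree it scans is a constructed sample built in a temporary directory.

```shell
#!/bin/sh
# Added example (not code from the post): automate two of the checks above,
# the "eval(base64" grep for backdoors and the rule that only
# wp-content/uploads should be writable by the web server.

# Strings worth a manual look in PHP files. The first is the one the post
# greps for; the other two are common obfuscation wrappers I added as an
# assumption: a hit is a review item, not proof of compromise.
SIGNATURES='eval(base64
gzinflate(base64
str_rot13('

# scan_backdoors DIR: print each .php file under DIR containing one of the
# signatures, one path per line, sorted. Prints nothing when the tree is clean.
scan_backdoors() {
  patterns=$(mktemp)
  printf '%s\n' "$SIGNATURES" > "$patterns"
  # -i: attackers vary case; -F: fixed strings; -l: file names only.
  # find + exec avoids the GNU-only --include and handles any number of files.
  find "$1" -type f -name '*.php' -exec grep -ilF -f "$patterns" {} + 2>/dev/null | sort
  rm -f "$patterns"
  return 0
}

# list_world_writable DIR: print files and directories under DIR that anyone on
# the box can write to, skipping wp-content/uploads, the one place the post says
# Apache needs write access. Anything listed breaks the "themes writable only by
# your SSH user" rule and should be chown'ed/chmod'ed back.
list_world_writable() {
  find "$1" -path "$1/wp-content/uploads" -prune -o -perm -002 -print 2>/dev/null | sort
  return 0
}

# make_sample_tree: build a throwaway blog tree (constructed sample) with one
# clean theme file, one "infected" footer and a theme directory left at 777.
# Echoes the root path so the caller can scan it and then delete it.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/uploads"
  printf '<?php get_header(); ?>\n' > "$root/wp-content/themes/demo/index.php"
  # Placeholder instead of a real payload: only the loader pattern matters here.
  printf '<?php eval(base64_decode("PLACEHOLDER")); ?>\n' > "$root/wp-content/themes/demo/footer.php"
  chmod 777 "$root/wp-content/uploads"      # expected: uploads are web-writable
  chmod 777 "$root/wp-content/themes/demo"  # mistake the audit should catch
  printf '%s\n' "$root"
}

# Demo run against the constructed tree. On a real server point both functions
# at the blog root instead, e.g. scan_backdoors /var/www/blog (hypothetical path).
demo_root=$(make_sample_tree)
echo "== possible backdoors =="
scan_backdoors "$demo_root"
echo "== world-writable outside wp-content/uploads =="
list_world_writable "$demo_root"
rm -rf "$demo_root"
```

Run it from cron once a week (the post's "check often" advice) and mail yourself the output; an empty report is the normal case, and any listed path is something to open in an editor before deciding whether it is a false positive.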
There are many other security guides out there, but I think these seven should be enough to protect blogs from 99% of the attacks out there.
I promise I will edit this post when and if I get hacked again, so that this guide stays on air only if it’s proven effective to deter these pests from our blogs. If it doesn’t, it means WordPress has had its time, and we might need to move to something more secure.