6 Simple WordPress Tweaks to Hack-Proof Your Blog


Although WordPress is an extraordinarily popular and useful tool for website managers in general and bloggers in particular, WordPress’s own popularity has also doomed it to be the target of numerous hacking efforts over the years. With the latest version of WordPress having been downloaded well over sixty million times, WordPress-based sites present an opportunity for cyber criminals and distributors of PC threats – an inadequately-protected WordPress site can be used to host a variety of attacks, including redirects to malicious sites and drive-by-downloads. However, we have come up with the following ways of closing the majority of WordPress’s obvious security holes, leaving your website less-than-ripe pickings for any would-be hacker.

1. Always update WordPress to its latest stable version.

While this may seem like such common sense that it scarcely bears repeating, failing to update WordPress whenever stable updates are available is a fast track to getting your blog hacked. Old versions of WordPress have been known to allow various types of extremely invasive attacks, such as the SQL injection exploit of June 6th 2007 that allowed hackers to gain access to entire databases’ worth of account user names and passwords. In this case, an entire month passed before the WordPress team remedied the situation with a security patch – and one can only imagine how further delay in installing that patch could open your site up to hacking efforts. A 2007-era study concluded that all but a mere two percent of WordPress blogs were using outdated versions of WordPress and were therefore vulnerable to a wide range of security attacks.

2. Set WordPress to avoid displaying its version number.

This goes hand-in-hand with keeping WordPress updated: prevent potential hackers from knowing what version of WordPress you’re using, thus making it harder to figure out which exploits will work on your site. A simple addition to the functions.php file will remove the relevant hook that displays the WordPress version:

// Unhook the <meta name="generator"> tag that reveals the WordPress version
remove_action('wp_head', 'wp_generator');

3. Set register_globals to register_globals=off.

This vulnerability is one that many WordPress users may take for granted, since many sources at WordPress.org itself recommend leaving it on by default. However, register_globals=on has a long and sordid history of being used to hack WordPress websites, including a series of January 2007 attacks that forced popular blogs to redirect to malicious sites. Such redirects can send visitors to rogue security software, malicious domains and other types of PC threats; rogue security software of this kind includes Windows Malware Firewall and Windows Antivirus Rampart. We note that the hacker responsible for the January attacks characterized register_globals=on WordPress blogs as ‘easy targets.’

4. Use smart advertisement-management plugins to protect AdSense and other exploitable ads on your site.

While ads can be a great source of revenue, they can also be exploited by various methods – such as hacking attacks that swap out your ‘real’ AdSense ads for irrelevant pharmaceutical ads, or clickbombing attacks that overload AdSense with a flood of clicks to shut your AdSense account down. Selectively using security plugins like ‘Who Sees Ads’ or ‘Better WP Security’ to control your ad displays and ad-related settings can help to prevent such embarrassing incidents. However, you shouldn’t install plugins willy-nilly, either – some plugins, such as AdSense Integrator, have a history of enabling the very types of attacks that they’re supposed to protect against, which will send your potential ad revenue stream straight into criminal hands.

5. Edit your .htaccess file to tighten up its security.

By default, .htaccess’s security is somewhat less air-tight than it could be, and a few selective alterations will help to keep it from being exploited for URL hacks, SQL injections and other attacks. While there are numerous tweaks you can build into .htaccess, some of the most useful ones are noted here:

# Applies to this one file; without the <Files> wrapper the deny covers the
# whole directory. On Apache 2.4 use "Require all denied" instead.
<Files wp-admin.php>
order allow,deny
deny from all
</Files>

These few lines ensure that bots and other unwanted visitors are barred from fetching your wp-admin.php file. The same method can also be applied to other important files like ‘install.php’ or ‘error_log.’

Another useful batch of code can be inserted to protect against injection-based attacks:

RewriteEngine On
RewriteBase /
# Every RewriteCond is matched case-insensitively ([NC]) against the raw,
# undecoded query string, and the conditions are OR-ed together ([OR]).
# This is a blocklist, so expect false positives (for example "tag=" and
# "select" also appear in legitimate WordPress queries); test before deploying.
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# The last condition has no [OR], so it is AND-ed with the chain above: requests
# that carry a wordpress_logged_in_ cookie are exempted. Any client can send a
# cookie by that name, so this is a convenience for editors, not authentication.
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
# The single rule the conditions apply to: answer 403 Forbidden and stop.
RewriteRule ^(.*)$ - [F,L]

As a cautionary footnote, always remember to back up your .htaccess file before editing it, in case your changes fail to function as intended and you need to roll back to a previous version of the file. Other types of .htaccess changes can even blacklist bots and other unwanted visitors, block image- and bandwidth-stealing content scrapers and halt would-be directory browsers.
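Before deploying a blocklist like this, it is worth seeing what it does to ordinary traffic. The following Python harness is an added example, not code from the original post: it re-implements the OR-ed, case-insensitive query-string conditions and the cookie exemption over constructed sample requests, and includes a BROKEN_PATTERN constant showing how an empty alternative in the quote/pipe group (`\|{||`) would match every request.

```python
import re

# Constructed subset of the .htaccess RewriteCond patterns, in the order they
# appear. Apache mod_rewrite uses PCRE; Python's re treats these the same way.
# Each condition carries [NC] (case-insensitive) and they are OR-ed together.
QUERY_PATTERNS = [
    r"\.\.\/",                                   # literal ../ traversal
    r"(\<|%3C).*script.*(\>|%3E)",               # raw or %-encoded script tag
    r"base64_encode.*\(.*\)",
    r'^.*(\[|\]|\(|\)|<|>|"|;|\?|\*|=$).*',      # note the =$ alternative
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",       # %A..%F also hit UTF-8 bytes
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare).*",
]
# A mis-typed version of the quote/pipe rule: "\|{||" leaves an empty
# alternative in the group, which matches every query string, even an empty one.
BROKEN_PATTERN = r"^.*(\"|'|<|>|\|{||).*"

def matches_any(query, patterns=QUERY_PATTERNS):
    """Return the first pattern that matches the raw query string, else None."""
    for pat in patterns:
        if re.search(pat, query, re.IGNORECASE):
            return pat
    return None

def is_blocked(query, cookie=""):
    """Mirror the full rule: 403 when a pattern matches and no login cookie."""
    # The final, negated RewriteCond exempts anyone presenting a cookie whose
    # name starts with wordpress_logged_in_. Any client can send such a name,
    # so treat the exemption as a convenience, not as authentication.
    if "wordpress_logged_in_" in cookie:
        return False
    return matches_any(query) is not None

def audit(samples):
    """Map each constructed query string to (blocked?, matching pattern)."""
    return {q: (is_blocked(q), matches_any(q)) for q in samples}

# Constructed sample query strings, as Apache sees them (not URL-decoded).
SAMPLES = [
    "p=12",                        # ordinary permalink: passes
    "s=wordpress+security",        # ordinary search: passes
    "s=select+a+theme",            # false positive: contains "select"
    "s=",                          # false positive: empty search ends with =
    "s=caf%C3%A9",                 # false positive: UTF-8 search term
    "q=%3Cscript%3E",              # caught by the encoded script-tag rule
    "file=../../index.html",       # caught by the traversal rule
]

if __name__ == "__main__":
    for q, (blocked, pat) in audit(SAMPLES).items():
        print(f"{'403' if blocked else '200'}  {q!r:28} {pat or ''}")
```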

6. Use encryption if it’s available.

In scenarios where you’re concerned about personal information being intercepted during transmission, feel free to use an encryption technique like Secure Sockets Layer (SSL) to protect your data. Before you do this, check which web server you are running and what types of encryption it supports. Once you’ve decided on an appropriate type of encryption, a single line in wp-admin.php will let you set the encryption on by default. For example, the following line of code will enable SSL:

// Require HTTPS for the login page and the whole admin area
define('FORCE_SSL_ADMIN', true);

As a parting note, we also encourage you to pay attention to any e-mail accounts that are associated with your WordPress site. Although hacking a WordPress blog isn’t the hardest thing in the world, a silent hacking attack that doesn’t send e-mail alerts to the relevant account is much more difficult to pull off than a ‘loud’ attack. Paying attention to symptoms of WordPress hacks and responding as quickly as possible should always be considered paramount for WordPress security – both for your sake and the sake of your site’s visitors.


Vincentas is a web hosting industry and web marketing enthusiast. He aims to make the web a better place. Currently he is CTO at Host1Plus.com and lives in London, United Kingdom.
