How to Protect Your WordPress Site
Here, from the voice of experience, is some advice for protecting your WordPress blog from hacking, or recovering quickly in case it happens to you:
- Take upgrades seriously — Check this list, and if your WordPress version is one with known vulnerabilities, or if you are running anything lower than the latest release, upgrade immediately. Not sure which version of WordPress you are using? Log in to your WordPress admin dashboard and scroll to the bottom of the page; the version is listed there. Remember, you can always find the latest version of WordPress here. Back up your database and files before you upgrade so you can roll back if something goes wrong. If you do your own tech work, download it yourself; otherwise contact your webmaster.
- Carefully research any plugins before you install them – Check whether the plugin has any reported vulnerabilities. A vulnerable plugin is as useful to an attacker as a vulnerable WordPress core, because it runs with the same access to your files and database. Go here to see known plugin vulnerabilities, and remove plugins you no longer use; their files stay on the server, reachable by URL, even when the plugin is deactivated.
- Do not allow self-registration for new users – Self-registration gives attackers a foothold. Even a low-privilege account can be used against privilege-escalation bugs in certain versions of WordPress to gain control of parts of your site. Go into your WordPress admin dashboard, click the “Options” tab and then the “General” sub-tab (in WordPress 2.5 and later this is “Settings” and then “General”), and make sure the box stating “Anyone can register” is unchecked. If your site genuinely needs registration, leave “New User Default Role” set to Subscriber.
- Change all your passwords — This is good practice periodically, and it is a must if you have been hacked, since the attacker may now hold your passwords. Change the WordPress admin passwords, the FTP and hosting control panel passwords, and the database password stored in wp-config.php, and use a different strong password for each.
- Check your site to see if it’s already compromised — I discovered that a friend’s blog had been compromised without her being aware of it! You want to check for hidden links. In your browser, click on the “View” menu and choose “Source.” This opens a window where you can read the page’s markup. Look for links to sites you do not recognize. They often sit inside an element styled with the CSS rules “display:none” or “visibility:hidden”, or carrying a “hidden” attribute; all three keep the links out of a visitor’s sight while search engines still read them. There may be a legitimate use for such styling on your site, but it may also be the work of hackers. Even better, use this tool to view your site as the Googlebot sees it, including hidden links, because some injected code shows the spam only to search-engine crawlers and not to a normal browser.
- Check your site’s outbound links – Another tool to check your site is the Outbound Links Report from Vertical Leap. This free report lists the links emanating from your site, including ones hidden by hackers in directories you normally do not look at, and will help you identify whether part of your site has been hijacked without your knowledge.
- Do not download templates from unofficial sites — Some compromises have been traced to free design themes downloaded from disreputable sites. Once your site is infected, the malicious code will keep re-creating the spammy links even after you delete them. Such code is commonly tucked into a theme’s footer.php or functions.php as an encoded blob that the theme decodes and runs on every page load; a template has no honest reason to call base64_decode() or eval(). Unless you know how to scour a theme’s files to spot such added “surprises,” stick to downloading design templates only from the official WordPress theme site.
- Get qualified help immediately — I’d like to think that intelligent business people could recover on their own from a hacking. However, I could not have cleaned up all the hackers’ gunk and recovered without the help of my webmaster and hosting company. These hackers are crafty. It took more technical expertise than I have to fix the sneaky damage. In fact, my webmaster Tim has set up a service called Fix WordPress just to help those whose WordPress installations have been hacked. (In every dark cloud, there’s an entrepreneurial opportunity.)
- Forewarned is forearmed. Educate yourself — Read up about hacking activity. Better yet, think like a hacker. Even if you have a technical staff to handle the details, you can save time, money and worry by being a proactive site owner or user. The more knowledge you have, the better able you will be to (1) spot suspicious activity or (2) avoid behaviors that leave you wide open.
For more educational sources that are especially helpful, see:
Three tips to protect your WordPress installation
Lorelle also has good advice for protecting your WordPress blog
White paper: Trends in Badware 2007
White paper: How to Create a Secure WordPress Install (PDF)
If you’d like to read my experience with a WordPress exploit, read:
Hacked: It Could Never Happen to My Site (Famous Last Words).






February 6th, 2008 at 3:37 am
[...] for you. But since this article is already long, I’ve put them in a separate article: How to Protect Your WordPress Site. Bookmark [...]
February 6th, 2008 at 5:26 am
I am a new WordPress user, but only the online version at WordPress.com. Do you think these issues go back to that version as well?
D
February 6th, 2008 at 10:08 am
This is a really helpful list of tips. I’m sure this will prevent a ton of needless headaches.
February 6th, 2008 at 11:26 am
Excellent information on WordPress vulnerabilities. Everyone using WordPress should read the hacker post as well so as to prevent security breaches.
February 6th, 2008 at 3:54 pm
Great tips to protect our WordPress blogs. One of my clients’ blogs was hacked last week by some Russian hackers. They replaced the index.php file with an image of the Kremlin and a Russian Czar staring at you with big red eyes. They also changed the title to Hacked by (some Russian names that I can’t remember).
I found out that the file permissions had been changed, which allowed them access to change the files. Here are the recommended file permissions from wordpress.org:
http://codex.wordpress.org/Changing_File_Permissions
Ted
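Ted’s point about file permissions can be checked mechanically rather than by eye. The following is an added example (not Ted’s code and not taken from the Codex page he links) that walks a WordPress directory tree and reports anything looser than the usual baseline of 644 for files and 755 for directories, anything world-writable, and a wp-config.php that other users on the server can read. The tree built by demo() is constructed for the demonstration.

```python
"""Report WordPress files and directories whose mode is looser than a baseline.
Added example; the directory tree in demo() is constructed, not a real install."""
import os
import shutil
import stat
import sys
import tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755   # assumed baseline: files 644, directories 755
WORLD_WRITE = 0o002
OTHERS_READ = 0o004


def _check(rel, st, problems):
    """Append (relative path, mode, problem) entries for one directory entry."""
    mode = stat.S_IMODE(st.st_mode)
    baseline = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
    if mode & WORLD_WRITE:
        problems.append((rel, mode, "world-writable"))
    elif mode & ~baseline:
        problems.append((rel, mode, f"looser than {baseline:04o}"))
    # wp-config.php holds the database password; 644 lets every other account
    # on a shared host read it.  Tighten it as far as your host allows.
    if os.path.basename(rel) == "wp-config.php" and mode & OTHERS_READ:
        problems.append((rel, mode, "readable by others"))


def find_loose_permissions(root):
    """Return sorted (relative path, mode, problem) for everything under root.
    Symlinks are skipped rather than followed."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            _check(os.path.relpath(full, root), st, problems)
    return sorted(problems)


def demo():
    """Build a small constructed tree with deliberate mistakes, audit it,
    remove it, and return the findings."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    try:
        dirs = {"wp-content": 0o755, "wp-content/uploads": 0o777,
                "wp-content/themes": 0o755, "wp-content/themes/x": 0o755}
        files = {"index.php": 0o644, "wp-config.php": 0o644,
                 "wp-content/themes/x/footer.php": 0o666}
        for rel, mode in dirs.items():
            path = os.path.join(root, rel)
            os.mkdir(path)
            os.chmod(path, mode)
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        return find_loose_permissions(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Audit a real install: python wp_perms.py /path/to/wordpress
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, mode, problem in (find_loose_permissions(target) if target else demo()):
        print(f"{mode:04o}  {problem:<20}  {rel}")
```

A world-writable uploads directory or theme file is exactly what lets an intruder who has any foothold on the host rewrite index.php; fix each finding with chmod and then look for what was changed while it was open.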
February 7th, 2008 at 12:08 am
What an awesome blog entry. I so appreciate your being so open and honest about your terrible hacking experience. One of my clients’ WordPress blogs was hacked after only being up for 4 weeks. I was mortified. How could this happen to a site that had not even been up and running that long? I was even more upset at my host when they charged me a fee to restore the last backup after the hacking. I now back up all my blogs on a regular basis. I also use a website to back up all the blog content: http://www.blogbackuponline.com
So thanks again for your wonderfully candid blog entry, I have already applied many of the steps you mention.
February 7th, 2008 at 4:16 am
Here is a resource: http://blogsecurity.net/wordpress/wordpress-security-whitepaper/
February 7th, 2008 at 10:48 am
Jeffrey,
Thank you for pointing out the backup link. It’s not really clear on their site, but is their service always free? If so, that’s an awesome deal.
February 7th, 2008 at 5:02 pm
[...] Happen to My Site (Famous Last Words), tells the tale of what exactly happened. The second post, How to Protect Your WordPress Site has some useful tips to work into your [...]
February 7th, 2008 at 7:57 pm
[...] to protect your WordPress installation - Matt Cutts 5 WordPress Security Essentials - Lee Robertson How to Protect Your WordPress Site - Anita Campbell Protecting Your WordPress Blog - Lorelle Technorati Tags: Blogs, hacker, plugins, [...]
February 9th, 2008 at 8:22 pm
[...] How to Protect Your WordPress Site » Small Business Trends | small business experts Here, from the voice of experience, is some advice for protecting your WordPress blog from hacking, or recovering quickly in case it happens to you (tags: advice blogging Blogs wordpress Protect) [...]
February 29th, 2008 at 7:34 pm
[...] How to Protect Your WordPress Site » Small Business Trends | small business experts - Here, from the voice of experience, is some advice for protecting your WordPress blog from hacking, or recovering quickly in case it happens to you: [...]
June 16th, 2008 at 1:17 pm
[...] How to Protect Your WordPress Site [...]
July 18th, 2008 at 8:18 pm
This is excellent. I use WP for several sites, and am always looking for info to make them better in terms of security and SEO.
December 11th, 2008 at 8:16 am
Thank you for this information.
February 13th, 2009 at 6:14 pm
What is a captcha code? Please provide me with captcha code or a plugin. Thanks in advance.