
Is Your WordPress Blog Secure from Hackers?

I will keep it short and sweet, because this is a rather "hurried" write-up, so to speak! :D I hope you find it as useful as the previous issues of Nuttiezine!

Almost all newbies these days are big into blogging and WordPress. Personally I find nothing fanciful about it, but that's just me. Anyway, one big issue with WordPress is, and has always been, SECURITY! In fact, WordPress's ever-increasing popularity is a reason for concern for sure. Concern? Why?

Free software naturally tends to saturate the market faster than its shareware counterparts. When a piece of software over-saturates the market, it falls into the hands of honest and dishonest people alike, and becomes susceptible to hacking! That is what happened to the Article Dashboard script in the not too distant past!

To top it all, if the free software happens to be an "open source" platform like WordPress, any Jack can read and manipulate it the way he wants!

That is why software, whether it runs on your computer or on a remote web server, needs to be updated constantly with the latest security fixes! Unfortunately, open source developers cannot invest as much time and money into software development as the large shareware companies!

The one who suffers at the end of it all is of course you, the end user! Just imagine: you have spent days or even months pampering your newly installed WordPress blog, and suddenly one day you find it hacked! Not good, is it? By following the simple precautions outlined below, you can keep your WordPress blog safe from hackers! ;)

1. Pre-installation precautions:

Before you install WordPress, you need to open the wp-config.php file and edit its settings. At the very least, you are required to enter the following information in it:

MySQL database name

MySQL database user

MySQL database password

MySQL host

Now you need to create a database on your web server. I won't waste time explaining it, since it is explained in detail in WordPress's installation instructions. One crucial thing to note here is that you should choose a strong password for your SQL database user. Your password should, at the bare minimum, contain both upper case and lower case characters and at least ONE number! An example: EBi0KaKc

The tool I use to generate strong passwords is Roboform; it is a good tool in more than one way, as it even stores the passwords safely for you! ;)

If you don’t want to make your life any harder than it already is, I strongly suggest that you download it now. It costs about $30 I think but it is worth every penny!

Back to topic. After you have created a database and assigned a user to it, you will want to go back to the wp-config.php file and fill in the respective details. Once you are done, scroll down to the section called "WordPress Database Table prefix"; it should be just a little lower down. I strongly recommend that you change the default table prefix to something unique! This has two advantages:

a) You can have more than one WordPress installation within a single database!

b) You are protected from zero-day SQL injection attacks! Zero-day attacks are those that occur before a security fix for the vulnerability has been released!

Regardless of what you use as your table prefix, be sure to keep the underscore at the end of it intact, or your blog won't function! For example, if you want to use a table prefix like "abcdwp", it should be in this format: 'abcdwp_' (without quotes)!
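Since the trailing underscore is easy to drop when editing wp-config.php by hand, here is a small shell check, added as an example and not code from the original article or from WordPress itself. It reads the $table_prefix assignment out of a wp-config.php, then fails if the prefix is still the default 'wp_', if it lacks the trailing underscore, or if it contains anything other than letters, digits and underscores (the characters WordPress accepts in a prefix). The function and file names are illustrative; the only assumption is that you pass it the path of a wp-config.php.

```shell
# Added example, not code from the original article: check that the
# $table_prefix line in a wp-config.php follows the advice above. It must
# not be the default 'wp_', must keep its trailing underscore, and may only
# use letters, digits and underscores. Pass the path of the config file.
check_table_prefix() {
    cfg="$1"
    q="'"
    # Take the first $table_prefix assignment; wp-config.php has exactly one.
    line=$(grep -E '^[[:space:]]*\$table_prefix[[:space:]]*=' "$cfg" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no \$table_prefix assignment found in $cfg"
        return 1
    fi
    # Strip everything up to '=' and the surrounding quotes (single or double).
    prefix=$(printf '%s\n' "$line" \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e "s/^[\"$q]//" -e "s/[\"$q].*//")
    case "$prefix" in
        wp_)
            echo "FAIL: default table prefix 'wp_' is still in use"
            return 1 ;;
        *_)
            ;;  # trailing underscore present, as required
        *)
            echo "FAIL: prefix '$prefix' must end with an underscore"
            return 1 ;;
    esac
    case "$prefix" in
        *[!A-Za-z0-9_]*)
            echo "FAIL: prefix '$prefix' may only contain letters, digits and underscores"
            return 1 ;;
    esac
    echo "OK: table prefix '$prefix'"
}

# Run directly as: sh check_prefix.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    check_table_prefix "$1"
fi
```

Run it against the config before you start the installer; a non-zero exit status means one of the three rules was broken, and the message says which.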

If you want to change the table prefix of an existing WordPress blog database, it is a bit harder, though. In fact I myself don't know how to do it. There is a tool called WordPress security scanner which has an option to rename the database table prefix, but even after following all the required steps, I failed to make it work! If however you do manage to get it working, I would appreciate some directions! ;)

Personally I use PSPad to edit such files. PSPad is a full-fledged HTML editor and very easy to use as well! Among its many other virtues, it lets you locate and replace words and phrases in a file easily using the "Find" and "Replace" utilities. Did I mention it is 100% free?

2. Post-installation precautions:

After you have installed WordPress, delete the "install.php" file from the wp-admin directory! You won't need it again unless you need to reinstall your blog from scratch! There is speculation that hackers can re-install WordPress and gain entry into your blog by running that install.php file! Others, however, disagree and say that even if the hacker runs the install.php file he cannot re-install WordPress unless he goes into the phpMyAdmin of the MySQL server and drops the blog's existing database tables.

Personally speaking, I am not sure who is right, so I prefer to download the file to my local hard drive as a safety precaution and then delete it from the web server. Besides, there is really no point in keeping a redundant file on your server, is there? ;)

You need to exercise caution when setting permissions on files and folders of your web server. Make sure that

a) No directory on your server has permissions over 0755 or drwxr-xr-x

b) No file on your server has permissions over 0644 or -rw-r--r--.

The exceptions to this rule are the .htaccess file that resides in your blog's root directory, and the sitemap files (in case you use the Google sitemap plugin). If you want to take advantage of "pretty permalinks", you should set the permissions of the .htaccess file to 0666 until you have updated your permalink structure from within your blog administration area! After that, you can safely CHMOD it back to 0644 permission!

If you don’t find a .htaccess file in your blog's root directory, just create an empty file, save it as .htaccess and upload it over there. Then CHMOD that file to 0666.

The sitemaps, however, need to be kept at 0666 permanently, otherwise the plugin won't be able to update the sitemap of your blog. Using the plugin is, of course, optional! ;)

Speaking of plugins, there are a few WordPress plugins that require a certain directory to be writable by the script. Usually you need to set the permissions of that directory to 0777 to make it writable by the world. By doing this, however, you are making your server vulnerable to hackers. An outsider can easily upload a malicious file to that directory and gain control of your website; this happens more on shared hosting environments than on dedicated servers!

An example of such a plugin is the WP DB manager. It is a great plugin, but it needs the backup directory to be CHMODed to 777, which is the reason I stopped using it! According to the plugin author, you are pretty safe if you upload the accompanying .htaccess file into your backup directory, but still, I don't feel confident enough! One thing I know is that if my server gets hacked tomorrow the sufferer would be ME and NOT the plugin author!
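Checking every file and folder by eye in an FTP client is error-prone, so here is a shell audit added as an example; it is not code from the original article or from any plugin it mentions. It walks a WordPress directory tree and prints every directory looser than 0755 and every file looser than 0644, which catches exactly the kind of 0777 backup or upload directory described above. The root .htaccess and sitemap files are allowed 0666 as the text permits, but they are still reported if anyone has made them executable. It assumes GNU find and stat (a Linux host) and that the path you pass is the blog root; the function and file names are illustrative.

```shell
# Added example, not code from the original article: audit a WordPress
# directory tree against the limits given above (directories at most 0755,
# files at most 0644). The article allows two exceptions at 0666, the root
# .htaccess and the sitemap files, so those may carry write bits but are
# still flagged if they are executable. Assumes GNU find and stat.
# Prints "<mode> <path>" per offender; returns non-zero if any were found.
audit_permissions() {
    root=${1%/}
    [ -n "$root" ] || root=/
    # Directories: any group or world write bit means looser than 0755.
    dirs=$(find "$root" -type d -perm /022)
    # Files: any execute bit, or group/world write bit, means looser than
    # 0644. The two permitted exceptions are excluded here.
    files=$(find "$root" -type f -perm /133 \
        ! \( -path "$root/.htaccess" -o -name 'sitemap*.xml' -o -name 'sitemap*.xml.gz' \))
    # The exceptions may be 0666 but must never be executable.
    exec_exceptions=$(find "$root" -type f -perm /111 \
        \( -path "$root/.htaccess" -o -name 'sitemap*.xml' -o -name 'sitemap*.xml.gz' \))
    count=0
    # A here-document keeps the loop in the current shell so $count survives,
    # and read -r copes with paths containing spaces.
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s %s\n' "$(stat -c %a "$p")" "$p"
        count=$((count + 1))
    done <<EOF
$dirs
$files
$exec_exceptions
EOF
    [ "$count" -eq 0 ]
}

# Run directly as: sh audit_perms.sh /path/to/blog
if [ "$#" -gt 0 ]; then
    audit_permissions "$1"
fi
```

Run it over the blog root after every plugin install, and again after any upgrade, since installers are a common reason a directory quietly ends up at 0777.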

After WordPress is installed, it automatically generates a password for you to access the administration area! The password is strong enough to keep your blog safe for centuries, but way too cryptic to memorize. I usually change the password to something that is strong enough to keep hackers away yet easy enough to remember. Of course, I don't need to remember passwords because I have Roboform to take care of it!

3. Other precautions:

Now that you have started blogging actively, you still need to follow a few guidelines to keep your blog safe and secure. The first thing you should do is download and install the WP Security Scan plugin! It will show you the security holes in your blog, if any, so that you can fix them before they become a cause for worry! ;)

The plugin works okay, except for the database table prefix renamer tool, which, as I already pointed out, has failed to work for me!

Another thing you should do is keep your plugins, themes and the core WordPress files up-to-date with the latest stable versions. For plugins, you have the red indicator which shows you how many plugins need to be updated. You shouldn't, of course, install a "beta upgrade" of any software unless you know what you are doing! ;)

I keep my weekends for such tasks. Every Saturday or Sunday, I log in to all of my blogs (fortunately I have only three right now) and check to make sure everything is up-to-date. You should back up your blog database BEFORE doing any upgrades as a precaution against potential complications (in fact, you should back up your blog database regularly, regardless of whether or not you update/upgrade anything)! ;)

If, however, you have 100 or more blogs, it is not possible to keep all of them updated. So how would you protect an old blog from hackers? Fortunately, the WPPadLock pro plugin is there to help you out! It is a private label version of the erstwhile "WP secure pro" plugin that I use on all of my blogs! To my knowledge the original has been taken off the market!

I had to pay a decent price for the original plugin, but since you are smart enough to be a Nuttiezine subscriber, you can download the new PLR version for free (you don't have any PLR rights to it, mind you, and neither have I)! Click the links below to download:

WPPadlock-with-Video-1
WPPadlock-Video-2
WPPadlock-Video-3
WP-Padlock-Pro-Video-Instructions

For your information, the total size of the 4 downloads is about 204 MB! ;)

After you have unzipped the files, you will notice a folder called "WP-Padlock". This is the most important folder in the whole package. Even if you don't want to use the other plugins recommended by the author, you should install that script at the very least! In fact I am running only that script on my test blog and haven't bothered to check the other recommendations yet!

In the event that anyone gets hold of my admin username and password, he might be able to log in to my blog's admin area just fine, but won't be able to move any further! :D

Installing the plugin is pretty easy as well! Here are the installation instructions in brief (detailed instructions are already available in the installation guide provided with the package):

Step 1: Rename WP-Padlock.php (the installation PDF wrongly mentions "wsp.php" instead, as in the original plugin, probably because the author forgot that he had renamed that file before selling it)

Step 2: Upload the renamed WP-Padlock.php to your blog root directory

Step 3: Upload scopbin folder to your blog's root directory

Step 4: Upload the .htaccess file to your wp-admin folder (the .htaccess file can be found in the wp-admin folder of this package)

Step 5: CHMOD both the .htaccess (uploaded in the wp-admin folder) and the wpslog.txt files (found in the scopbin folder) to 666!

Step 6: Run the WP-Padlock.php file (or whatever you have renamed it to) from your browser! The first time you run it, you will be asked for the username and password you use to log in to the blog's admin area. If the script accepts your login credentials, you should see a success page like this:

[Screenshot: the WP-Padlock success page, with the IP address hidden]

Sorry folks I had to hide my IP address out of "privacy concerns"! ;)

My admin username and password worked fine on two of my blogs, but on the third blog I had to create a dummy user account in the blog and provide the credentials of that user to the script, since (for some odd reason) it was not accepting the login credentials of the blog administrator. Just thought I should mention it in case the same thing happens to you! ;)

Remember that your new URL to log in to the blog admin area will be the URL of the WP-Padlock.php file (or whatever you have renamed it to) instead of /wp-admin! :D

That's it! Now every time you wish to log in to your blog, just run the WP-Padlock.php file (or whatever you have renamed it to), authenticate your IP address, and log in safely.

It may seem a bit irritating at first, but gradually you should get accustomed to it. If you use Roboform as I recommended earlier, you won't need to remember your blog's login URL anyway! Just browse to your blog's domain, click on one of the matching passcards in the Roboform toolbar and you will be logged in to your blog automatically in no time! You won't, however, understand a word of what I just said if you are not familiar with the tool! :)

To be frank, any security measure you take to protect your server, PC or house is bound to be irritating. Honestly, do you enjoy plodding your way through complicated antivirus programs? Nope, right? But you HAVE to do it for the sake of your PC's security! Similarly, when you put a barrier in front of your house in order to protect it from the bad guys, the barrier is sure to cause a little trouble for you as well, but at the end of the day you will be able to sleep peacefully knowing that your house is safe!

If you don't like to run the file every time your IP address changes, watch the video accompanying the package (look for a file called WP Padlock Pro-IP Test.mp4). It shows you a better way to use the script. From what I understand, the video shows you how to use a proxy server's IP address to log in to your blog! I have not tried it, so I am not sure whether it would work, but feel free to try it on your own! My question is: is it safe to rely on a third-party server for your blog's security, and even if it is, what would happen if that server's IP address changed one day?

Okay, now the most important part: if you thought there is a catch to this free offer, you ARE right! I am offering you a great tool for free and all I ask in return is that you do not bug me with support requests! :D It is not that I am too immature to support the script, but I cannot provide reliable support because of my time constraints. If, however, you have problems, let me know and I will direct you to the original seller, who is incidentally a very nice guy! ;)

Something else to note: if I am not wrong, the author recommends several plugins, one of which is the All in One SEO Pack plugin (for SEO purposes). In my humble opinion, it is just another over-hyped but mediocre product. I have used both and can say that in terms of features and flexibility, Platinum SEO Pack beats the All in One SEO plugin hands down! If you want a permanent solution to your SEO worries, the Platinum SEO plugin is the one for you! The default options are OK, but I do suggest you customize it (especially the "noindex" and "nofollow" options) to suit your interests! :D

Good luck!

Yet another reason I am giving away the plugin for free is that I hope that after reading this article, you would be happy to feed my "under-nourished" blog with a nice comment! ;)