12-Pack of Condoms for WordPress STD's
WordPress STD's (Security Transgression Defilements) are a common occurrence. WordPress-powered websites are far from immune to hackers, although the latest releases address many earlier security issues. WordPress, like other content management systems and forums such as phpBB and vBulletin, is a major target for hackers and spammers. Basic prophylactic measures, or condoms for WordPress STDs, need not be complicated or expensive.
Those involved in hacking WordPress usually want to use the sites as concealed (cloaked) link farms. It's rare that actual damage is done to your site, and often the site owner remains blissfully unaware that there has been any interference. Some of the link injection systems are extremely sophisticated! Testing for enemy action can be as simple as opening your site, choosing View / Source and reading through the content of the HEAD section down to, and including, the BODY tag. The link injections I've seen are usually immediately after the BODY tag. Is there a long string of HTML code containing links to dozens of sites you know nothing about? If there is, you've been violated, and have a WordPress STD (Security Terminated Deficiency)!
This article is not about fixing security violations. It's about simple prophylactic measures that most "non-technician" site owners can take. This is not a slick, professional security strategy, and some will scoff at using "security by obscurity" as a primary tactic. However, even on a tight budget, the following 12 zero-dollar steps can and should be taken to minimise the possibility of attack.
1 - Always Use the Current WP Version
Why anyone would persist with an older version is beyond me. Upgrading has always been easy enough, and recent versions reduce the pain to a button click! The community of authors works extremely hard and surprisingly quickly to address known security problems.
2 - Remove Primary Target Identifier
Remove the "Powered by WordPress" credit in the footer of your website's theme, e.g. /wp-content/themes/the-current-theme/footer.php. This is the fastest way to reduce the chances of the ill-intentioned finding your site in the first place! Try it: do a Google search for "Powered by Wordpress" and you'll get the picture... At the time of writing, there are 106 million competing page opportunities out there for hackers!
By all means give WordPress the credit it deserves, but you could do it on your links page, or make it a graphic / image link instead of text...
3 - Remove Secondary Target Identifier
A lot of WordPress themes come with a giveaway WP version HTML tag in the HEAD section. In View / Source it displays as follows: <meta name="generator" content="WordPress 2.8.4" />
Obviously, this immediately reveals the WordPress version used on the site. Since some versions are vulnerable to known security flaws, you've just told the hackers where best to start their evil work...
Removing this giveaway is straightforward enough. Simply open up /wp-content/themes/the-current-theme/header.php and delete the code that's outputting the Meta Generator tag.
4 - Remove Tertiary Target Identifier
There is another version identifier in the RSS feed output, e.g. generator=wordpress.org/?v=2.8.4. Removing the RSS version identifier can be done by opening /wp-includes/general-template.php and searching for "function the_generator".
The line immediately below that statement commences with: echo apply_filters('the_generator'......
Place a # character in front of the word echo, as per: #echo apply_filters('the_generator' etc
5 - Remove Lesser Target Identifiers
Doing the above pretty much gets you out of the spotlight and into the shadows. You could also remove links to "Log In" from the current theme's footer. There are 3.8 million competing page opportunities for a Google search for "wp-login.php", and it's probably a good thing not to be in that list either.
WordPress also adds two easily accessible files in the directory into which it is installed: license.txt and readme.html. Renaming or removing those is important because they also contain WP version information!
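The checks in steps 2 to 5, plus the "View / Source" inspection described at the top of the article, can be run mechanically over a page's HTML and its RSS feed. The script below is an added example, not code from the article or from WordPress: it looks for the meta generator tag, the feed generator version, the "Powered by" credit and the wp-login.php link, and counts the links sitting immediately after the BODY tag. The sample page and feed are constructed, not captured from a real site, and the five-link threshold and 400-character window are assumptions.

```python
# Added example (not the article's own code): scan a page's HTML source and
# its RSS feed for the WordPress "target identifiers" the steps above list,
# and count the links that sit right after the <body> tag, which is where
# the article says injected link blocks usually appear.
import re

# Constructed sample page, not captured from a real site: it carries a
# generator tag, a "Powered by" footer, a Log In link and a hidden block of
# six links immediately after <body>.
INJECTED = '<div style="display:none">' + "".join(
    f'<a href="http://spam-{i}.example/">cheap pills {i}</a>' for i in range(6)
) + "</div>"

SAMPLE_HTML = (
    "<html><head><title>Blog</title>\n"
    '<meta name="generator" content="WordPress 2.8.4" />\n'
    "</head>\n<body>\n" + INJECTED + "\n"
    "<p>" + "Ordinary post content. " * 20 + "</p>\n"
    '<p>Powered by WordPress</p> <a href="/wp-login.php">Log In</a>\n'
    "</body></html>"
)

# Constructed sample feed carrying the generator element the article mentions.
SAMPLE_RSS = (
    '<?xml version="1.0"?><rss><channel><title>Blog</title>\n'
    "<generator>http://wordpress.org/?v=2.8.4</generator></channel></rss>"
)

META_GENERATOR = re.compile(r'<meta[^>]*\bname=["\']generator["\'][^>]*>', re.I)
CONTENT_ATTR = re.compile(r'\bcontent=["\']([^"\']*)["\']', re.I)
FEED_GENERATOR = re.compile(r"<generator>([^<]*)</generator>", re.I)
LESSER_IDENTIFIERS = ("Powered by WordPress", "wp-login.php")


def find_generator_content(html):
    """Return the content of the <meta name="generator"> tag, or None."""
    tag = META_GENERATOR.search(html)
    if not tag:
        return None
    attr = CONTENT_ATTR.search(tag.group(0))
    return attr.group(1) if attr else ""


def find_feed_version(rss):
    """Return the version number from the feed's <generator> URL, or None."""
    gen = FEED_GENERATOR.search(rss)
    if not gen:
        return None
    ver = re.search(r"[?&]v=([\d.]+)", gen.group(1))
    return ver.group(1) if ver else gen.group(1).strip()


def find_lesser_identifiers(html):
    """Return which of the footer giveaways (credit line, login link) appear."""
    lowered = html.lower()
    return [s for s in LESSER_IDENTIFIERS if s.lower() in lowered]


def links_after_body(html, window=400):
    """Count <a href> tags in the first `window` characters after <body>
    and report whether that stretch hides content with display:none."""
    body = re.search(r"<body\b[^>]*>", html, re.I)
    if not body:
        return 0, False
    chunk = html[body.end():body.end() + window]
    count = len(re.findall(r"<a\s[^>]*href=", chunk, re.I))
    hidden = re.search(r"display\s*:\s*none", chunk, re.I) is not None
    return count, hidden


def audit(html, rss, link_threshold=5):
    """Combine the checks into one report. The threshold is an assumption:
    a legitimate page rarely opens with five links and never hides them."""
    count, hidden = links_after_body(html)
    return {
        "html_generator": find_generator_content(html),
        "feed_version": find_feed_version(rss),
        "lesser_identifiers": find_lesser_identifiers(html),
        "links_after_body": count,
        "injection_suspected": count >= link_threshold or (hidden and count > 0),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML, SAMPLE_RSS).items():
        print(f"{key}: {value}")
```

Feed your own site's page source and feed XML into audit() and rerun it after every upgrade from step 1: the edit to /wp-includes/general-template.php in step 4 lives in a core file, and the upgrade replaces core files, so the feed generator version comes back unless the edit is repeated.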
6 - Don't Use Easy Passwords
Don't make it easy for the hackers! Use super-difficult passwords that are impossible to guess and not easy to crack. That applies to the hosting account control panel, FTP access AND the WordPress administration access. Ideally, high-exposure sites should use a different password for each of those areas.
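One way to put the "different, super-difficult password per area" advice into practice, as an added example that is not part of the article: draw each password from the operating system's cryptographic random source, keep the three areas distinct, and estimate guessing difficulty from length and the character classes used. The 80-bit minimum is an assumption standing in for "super-difficult", and the estimate is an upper bound that only makes sense for random passwords, not for human-chosen ones.

```python
# Added example (not the article's own code): generate a distinct random
# password for each of the three areas the article names and estimate how
# hard each is to guess. The 80-bit minimum is an assumption for "super
# difficult"; the generator draws from the OS CSPRNG via the secrets module.
import math
import secrets
import string

AREAS = ("hosting control panel", "FTP", "WordPress admin")
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def generate_password(length=20):
    """Random password from the full printable alphabet, using secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password):
    """Upper-bound guessing difficulty: length times log2 of the combined
    size of the character classes actually present. For a random password
    this is the real figure; for a human-chosen one it is only a ceiling."""
    pool = sum(len(c) for c in CHARACTER_CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def is_strong(password, min_bits=80):
    """True when the estimate clears the assumed minimum."""
    return entropy_bits(password) >= min_bits


def passwords_per_area(length=20):
    """One password per area; regenerate on the (astronomically unlikely)
    collision so that no two areas share a secret."""
    creds = {}
    for area in AREAS:
        candidate = generate_password(length)
        while candidate in creds.values():
            candidate = generate_password(length)
        creds[area] = candidate
    return creds


if __name__ == "__main__":
    for area, password in passwords_per_area().items():
        print(f"{area}: {password} (~{entropy_bits(password):.0f} bits)")
```

Store the generated passwords in a password manager rather than reusing one across the control panel, FTP and WordPress admin; a leak of any one of them then exposes only that one area.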
Recent versions of WordPress seem to have addressed the issue of directory browsing by keeping people out of areas they should not be looking in. Securing the wp-admin area via SSL is a lot more complicated than it should be. There are no well-written, easy-to-use plugins available for this; those that do exist appear well past their WP version use-by date. It's also far too easy to end up locked out of your site while trying to make them work!
7 - Don't Use Default Admin ID
If you recklessly use "admin" as the default user ID, you've given the hacker half the pieces of the puzzle, and they only have one item left to crack: the password.
8 - Ensure WP File Permissions Are Adequate
File system security is important to prevent easy unauthorised access. There may be times when you have needed to alter permissions to edit a file, or to copy files into a directory. Did you reset the permissions to the correct default afterwards? If not, you've left a door ajar... Pull it shut and lock it again!
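The "did you reset permissions afterwards?" question can be answered by a script rather than by memory. The following is an added example, not code from the article or from WordPress: it walks an install tree and reports every file or directory carrying mode bits beyond an expected default. The defaults it assumes are 755 for directories, 644 for files and 640 for wp-config.php (that file holds the database credentials); the miniature tree it scans is constructed in a temporary directory so the example runs offline.

```python
# Added example (not the article's own code): walk a WordPress install and
# flag every file or directory whose mode bits are looser than the expected
# defaults. The expected modes are assumptions: 755 for directories, 644 for
# files, and 640 for wp-config.php because it holds the database credentials.
import os
import shutil
import stat
import tempfile

EXPECTED_DIR = 0o755
EXPECTED_FILE = 0o644
EXPECTED_WP_CONFIG = 0o640


def audit_permissions(root):
    """Return sorted (relative path, octal mode, kind) tuples for every entry
    that has mode bits set beyond its expected default, e.g. group or world
    write on a file, or 777 on a directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~EXPECTED_DIR:
                findings.append((os.path.relpath(path, root), oct(mode), "dir"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            expected = EXPECTED_WP_CONFIG if name == "wp-config.php" else EXPECTED_FILE
            if mode & ~expected:
                findings.append((os.path.relpath(path, root), oct(mode), "file"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed miniature install under a temp directory: four
    entries left loose after an edit or copy, the rest at correct defaults."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    files = {
        "index.php": 0o644,                       # correct default
        "wp-config.php": 0o644,                   # credentials world-readable
        "wp-content/uploads/photo.jpg": 0o666,    # group and world writable
        "wp-content/uploads/script.php": 0o777,   # fully open
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)   # correct default
    os.chmod(uploads, 0o777)                            # left open after a copy
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, mode, kind in audit_permissions(root):
            print(f"{kind} {rel} is {mode}; expected a tighter mode")
    finally:
        shutil.rmtree(root)
```

Point audit_permissions() at the real install root after any manual edit or upload; an empty result means every entry is back at its default.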
9 - Plugin Integrity
As a general rule, only install plugins from the official WordPress Extend / Plugins repository. There, at least, they are in the spotlight and subject to some scrutiny. Installing plugins from anywhere else leaves you wide open to malware exploitation!
10 - Theme Integrity
Ok, you can go anywhere, get free themes and make them work... but can you trust the source? Can you be sure that no malware is included? Can you be sure that no security breaches are opened by insecure coding? Personally, if I want a theme, I'd rather go to a reputable source and buy one that is coded for the latest version of WP, and where some assurance is implied as to its suitability for the intended purpose.
11 - Automate Your Backups
There are backup plugins that automate the process of backing up your WordPress database and emailing the file to you daily or weekly. Install and use one of them! They can be a lifesaver, for a variety of other reasons too.
12 - Server, Network and PC Vulnerabilities
Be aware of the configuration of your hosting company's web server. Is it running old versions of PHP, MySQL or cPanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up-to-date tools and services running.
Never access your WP installation from non-secure networks such as internet cafes, coffee shop or hotel WiFi systems.
Another commonsense measure is to ensure that the PC you post from uses current and reputable antivirus software that also detects malware, spyware and key-loggers.
12-Pack of Condoms for WordPress STDs - To learn more about this author, visit Ben Kemp's Website.