12-Pack of Condoms for WordPress STD's

Written by: Ben Kemp

Article Overview: WordPress STDs (Security Transgression Defilements) are a common occurrence. WordPress-powered CMS websites are far from immune to hackers, although the latest releases address many earlier security issues. WordPress, like other content management systems and forums such as phpBB and vBulletin, is a major target for hackers and spammers. Basic prophylactic measures, or condoms for WordPress STDs, need not be complicated or expensive.

WordPress STDs (Security Transgression Defilements) are a common occurrence. WordPress-powered websites are far from immune to hackers, although the latest releases address many earlier security issues. WordPress, like other content management systems and forums such as phpBB and vBulletin, is a major target for hackers and spammers. Basic prophylactic measures, or condoms for WordPress STDs, need not be complicated or expensive.

Those involved in hacking WordPress usually want to use the sites as concealed (cloaked) link farms. It's rare that actual damage is done to your site, and often the site owner remains blissfully unaware that there has been any interference. Some of the link injection systems are extremely sophisticated! Testing for enemy action can be as simple as opening your site, choosing View / Source and reading through the content of the HEAD section down to, and including, the BODY tag. The link injections I've seen are usually immediately after the BODY tag. Is there a long string of HTML code containing links to dozens of sites you know nothing about? If there is, you've been violated, and have a WordPress STD (Security Terminated Deficiency)!

This article is not about fixing security violations. It's about simple prophylactic measures most "non-technician" site owners can take. This is not a slick and professional security strategy, and there are some who will scoff at using "security by obscurity" as a primary tactic. However, even on a tight budget, the following 12 zero-dollar steps can and should be taken to minimise the possibility of attack.

1 - Always Use the Current WP Version

Why anyone would persist with an older version is beyond me. Upgrading has always been easy enough, and recent versions reduce the pain to a button click! The community of authors works extremely hard and surprisingly quickly to address known security problems.

2 - Remove Primary Target Identifier

Remove the "Powered by WordPress" credit in the footer of your website's theme, e.g. /wp-content/themes/the-current-theme/footer.php. This is the fastest way to reduce the chances of the ill-intentioned finding your site in the first place! Try it - do a search on Google for "Powered by Wordpress" and you'll get the picture... At the time of writing, there are 106 million competing page opportunities out there for hackers!

By all means give WordPress the credit they deserve - but you could do it on your links page, or make it a graphic / image link instead of text...

3 - Remove Secondary Target Identifier

A lot of WordPress themes come with a giveaway WP version HTML tag in the HEAD section. In View / Source it displays as follows:

<meta name="generator" content="WordPress 2.8.4" />

Obviously, this immediately reveals the WordPress version used on the site. Since some versions are vulnerable to known security flaws, you've just told the hackers where they are best to start their evil work...

Removing this giveaway is straightforward enough. Simply open up /wp-content/themes/the-current-theme/header.php and delete the code that's outputting the Meta Generator tag.

4 - Remove Tertiary Target Identifier

There is another version identifier in the RSS feed output, e.g.: generator=wordpress.org/?v=2.8.4. Removing the RSS version identifier can be done by opening /wp-includes/general-template.php and searching for "function the_generator".

The line immediately below that statement commences with: echo apply_filters('the_generator'......

Place a # character in front of the word echo, as per: #echo apply_filters('the_generator' etc.

Note that general-template.php is a WordPress core file, so this edit is overwritten every time you upgrade (step 1) and has to be reapplied afterwards. The apply_filters('the_generator', ...) call on that same line also means a theme can blank the output through that filter instead of touching core.

5 - Remove Lesser Target Identifiers

Doing the above pretty much gets you out of the spotlight and into the shadows. You could also remove links to "Log In" from the current theme's footer. There are 3.8 million competing page opportunities for a Google search for "wp-login.php", and it's probably a good thing not to be in that list either.

WordPress also adds two easily accessible files in the directory into which it is installed: license.txt and readme.html. Renaming or removing those is important because they also contain WP version information!
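The View / Source check from the introduction and the identifiers from steps 2 to 5 can be checked mechanically against a saved copy of your own page source and feed. The script below is an added example written for this article, not code from the article or from WordPress: it parses one HTML page and one RSS feed held in memory and reports the generator meta tag, a "Powered by WordPress" credit, links to wp-login.php, and any links to foreign domains that appear right after the BODY tag before the page has shown any ordinary text (the injected link farm pattern). The sample page, sample feed and the hostname blog.example.com are all constructed for the demo; point audit_page() at your own saved source and your own hostname.

```python
# Added example (not from the article): a local audit of a page's HTML source and
# RSS feed for the identifiers the article tells you to remove, and for a run of
# foreign links immediately after <body>. Sample page, feed and hosts are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.etree import ElementTree


class _PageScanner(HTMLParser):
    """Collects identifier leaks and suspicious early links from one HTML page."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.generator = None           # content of <meta name="generator">
        self.powered_by_credit = False  # visible "Powered by WordPress" text
        self.login_links = []           # hrefs pointing at wp-login.php
        self.suspicious_links = []      # foreign links seen before any body text
        self._in_body = False
        self._in_a = False
        self._skip = 0                  # nesting depth inside <script>/<style>
        self._body_text_seen = False

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").lower() == "generator":
            self.generator = attr.get("content")
        elif tag == "body":
            self._in_body = True
        elif tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._in_a = True
            href = attr.get("href", "")
            host = (urlparse(href).hostname or "").lower()
            if "wp-login.php" in href:
                self.login_links.append(href)
            # A foreign link before the page has shown any real text matches the
            # pattern the article describes: injected links right after <body>.
            if self._in_body and not self._body_text_seen and host and host != self.own_host:
                self.suspicious_links.append(href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        text = data.strip()
        if not text or self._skip:
            return
        if "powered by wordpress" in text.lower():
            self.powered_by_credit = True
        # Anchor text of the injected links themselves must not count as page text.
        if self._in_body and not self._in_a:
            self._body_text_seen = True


def audit_page(html, own_host):
    """Return the identifier leaks and suspicious links found in one page's source."""
    scanner = _PageScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return {
        "generator": scanner.generator,
        "powered_by_credit": scanner.powered_by_credit,
        "login_links": scanner.login_links,
        "suspicious_links": scanner.suspicious_links,
    }


def audit_feed(feed_xml):
    """Return the <generator> value of an RSS 2.0 feed, or None if it is absent."""
    channel = ElementTree.fromstring(feed_xml).find("channel")
    node = channel.find("generator") if channel is not None else None
    return node.text.strip() if node is not None and node.text else None


# Matches both forms on the page: "WordPress 2.8.4" and "wordpress.org/?v=2.8.4".
_VERSION = re.compile(r"(?:WordPress\s+|\?v=)(\d+(?:\.\d+)+)")


def wp_version(generator):
    """Extract the WordPress version from either generator form, or None."""
    m = _VERSION.search(generator or "")
    return m.group(1) if m else None


# Constructed sample page: a hidden link block right after <body>, the generator
# meta tag, a login link and the footer credit.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<title>Example blog</title>
<meta name="generator" content="WordPress 2.8.4" />
<script>var x = 1;</script>
</head>
<body>
<div style="display:none"><a href="http://pills.example/">buy pills</a>
<a href="http://casino.example/">online casino</a></div>
<div id="header"><h1><a href="http://blog.example.com/">Example blog</a></h1></div>
<p>Welcome to my blog.</p>
<div id="footer">Powered by WordPress | <a href="http://blog.example.com/wp-login.php">Log in</a></div>
</body></html>
"""

# Constructed sample feed, carrying the version in the form the article quotes.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Example blog</title>
<link>http://blog.example.com</link>
<generator>http://wordpress.org/?v=2.8.4</generator>
<item><title>Hello world</title></item>
</channel></rss>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "blog.example.com")
    report["page_version"] = wp_version(report["generator"])
    report["feed_version"] = wp_version(audit_feed(SAMPLE_FEED))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "foreign link before any body text" rule is a heuristic that mirrors what the article says to look for by eye; a legitimate theme that starts the body with an external banner link will trip it too, so treat a hit as something to read, not as proof of compromise. Every hit in the identifier fields, by contrast, is exactly the leak the corresponding step tells you to remove.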

6 - Don't Use Easy Passwords

Don't make it easy for the hackers! Use super-difficult passwords that are impossible to guess and not easy to crack. That applies to the hosting account control panel, FTP access AND the WordPress administration access. Ideally, high-exposure sites should use a different password for each of those areas.

Recent versions of WordPress seem to have addressed the issue of directory browsing, by keeping people out of areas they should not be looking at. Securing the wp-admin area via SSL is a lot more complicated than it should be. There are no well-written, easy-to-use plugins available for this; those that do exist appear well past their WP version use-by date. It's also far too easy to end up locked out of your site while trying to make them work!

7 - Don't Use Default Admin ID

If you recklessly use "admin" as the default user ID, you've given the hacker half the pieces of the puzzle, and they only have one item left to crack: the password.

8 - Ensure WP File Permissions Are Adequate

File system security is important to prevent easy unauthorised access. There may be times when you have needed to alter permissions to edit a file, or to copy files into a directory. Did you reset the permissions to the correct default afterwards? If not, you've left a door ajar... Pull it shut and lock it again!
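The "door ajar" in this step is any file or directory that is still writable by group or world after a one-off permission change. As an added example (not code from the article or from WordPress), the script below walks an install tree and lists every such entry, alongside the conventional baseline of 0755 for directories and 0644 for files that a default WordPress install uses (wp-config.php is commonly tightened further, which is why only loosened entries are reported, not every deviation). demo() builds a throwaway constructed tree with two deliberately loose entries so the audit can be seen working; run audit_permissions() against your real document root instead.

```python
# Added example (not from the article): list every file or directory under a
# WordPress install that is writable by group or world. The demo tree is
# constructed in a temporary directory and removed afterwards.
import os
import shutil
import stat
import tempfile

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH
DEFAULT_DIR_MODE = 0o755    # conventional WordPress default for directories
DEFAULT_FILE_MODE = 0o644   # conventional WordPress default for files


def audit_permissions(root):
    """Return sorted [(relative path, actual mode, expected mode)] for loose entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged by its own entry
            mode = stat.S_IMODE(st.st_mode)
            expected = DEFAULT_DIR_MODE if stat.S_ISDIR(st.st_mode) else DEFAULT_FILE_MODE
            if mode & OTHERS_WRITE:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, mode, expected))
    return sorted(findings)


def demo():
    """Build a constructed mini install with two loose entries and audit it."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    try:
        files = {
            "index.php": 0o666,                      # writable by everyone: bad
            "wp-config.php": 0o640,                  # tightened on purpose: fine
            "wp-content/themes/x/style.css": 0o644,  # default: fine
        }
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        os.chmod(uploads, 0o777)                     # left world-writable: bad
        for d in ("wp-content", "wp-content/themes", "wp-content/themes/x"):
            os.chmod(os.path.join(root, d), DEFAULT_DIR_MODE)
        return audit_permissions(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, mode, expected in demo():
        print(f"{rel}: mode {mode:04o}, expected {expected:04o}")
```

Only group/world write bits are flagged because those are what let another account on a shared host, or a compromised neighbouring process, alter your files; a stricter-than-default mode is not a problem. Some hosts run PHP as the file owner and expect uploads directories to be writable by the web server account, so check what your host documents before tightening wp-content/uploads.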

9 - Plugin Integrity

As a general rule, only install plugins from the official WordPress Extend / Plugins repository. There at least, they are in the spotlight, and subject to some scrutiny. Installing plugins from anywhere else leaves you wide open to malware exploitation!

10 - Theme Integrity

OK, you can go anywhere and get free themes and make them work... but can you trust the source? Can you be sure that no malware is included? Can you be sure that no security breaches are opened by insecure coding? Personally, if I want a theme, I'd rather go to a reputable source and buy one that is coded for the latest version of WP, and where some assurance is implied as to suitability for the intended purpose.

11 - Automate Your Backups

There are backup plugins that automate the process of backing up your WordPress database and emailing the file to you daily or weekly. Install and use one of them! They can be a lifesaver, for a variety of other reasons.

12 - Server, Network and PC Vulnerabilities

Be aware of the configuration of your hosting company's web server. Is it running old versions of PHP, MySQL or cPanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up-to-date tools and services.

Never access your WP installation from non-secure networks such as internet cafes, coffee shop or hotel WiFi systems.

Another commonsense measure is to ensure the PC you post from uses current and reputable antivirus software that also detects malware, spyware and key-loggers.

Article Tags: cms, content management systems, hackers, security issues