DANGER! WARNING! DISASTER IS COMING!
YOUR WORDPRESS BLOG IS VULNERABLE!
The simple fact is that despite the scare tactics, it’s extremely unlikely that your WordPress blog is going to be the victim of an attack. Even if it is, if you use some common sense, it won’t be a complete disaster. The world won’t end. The sky won’t fall.
There are a few things you can do to protect your blog and its contents. They don’t take very long, and can make your blog much less vulnerable to outside attack. For the most part, I’m not going to repeat the how-tos of these simple protections. That’s what Google is for.
Before you do anything, make a backup of your database and files! You can install and use the WP-DB-Backup plugin, but I prefer doing it myself through my hosting provider’s cPanel interface. Actually, I have a server cron job set up to automatically back up my WordPress databases, but that’s fodder for another article…
In no particular order:
Know who wrote your plugin. Do some research before you just slap up any old plugin. Plugins have full access to your WordPress installation: plugin code runs inside WordPress with the same database credentials and file permissions as the core itself, so a badly-written or malicious plugin can destroy your blog.
Make sure you’re using the most current version of WordPress. A simple peek at your dashboard will tell you whether you’re current or not. The latest stable release can be downloaded from wordpress.org. The same goes for your plugins and theme: public exploits target bugs that already have a fix, so an out-of-date install is the easy target.
Remove the version meta tag from the header section of your theme. Yes, I know it says “Please leave for tracking purposes” or somesuch, but would you rather help with tracking or have your blog hacked? Two caveats. First, the tag is only one of several places the version shows up: readme.html in the web root, the generator element in your feeds, and the ?ver= query string WordPress appends to its own scripts and stylesheets all say the same thing. Second, hiding the version only slows an attacker down; automated scanners try the exploit whether or not they know the version. Staying current (above) is the real fix.
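Themes now emit the tag through wp_head() rather than as a literal line in header.php, so the usual way to drop it is to unhook it. The following is an added example, not the original post’s code and not from any WordPress release or plugin; it assumes a must-use plugin file at wp-content/mu-plugins/hide-version.php (the file name and the hv_ function prefix are placeholders) and also covers the feeds and the ?ver= query string mentioned above.

```php
<?php
/*
 * Plugin Name: Hide WordPress version strings
 * Description: Added example, not the original post's code. Drops the
 *   generator tag from the page head and the feeds and strips the ?ver=
 *   argument from enqueued scripts and styles. File name and the hv_
 *   prefix are placeholders.
 */

// <meta name="generator" content="WordPress x.y.z"> is printed by
// wp_generator(), hooked to wp_head by default; unhook it.
remove_action( 'wp_head', 'wp_generator' );

// The <generator> element in the RSS/Atom/comment feeds passes through the
// the_generator filter, so returning an empty string silences all of them.
add_filter( 'the_generator', '__return_empty_string' );

// Core scripts and styles are enqueued as /wp-includes/...?ver=x.y.z unless
// a plugin or theme supplied its own version. Remove the argument on output.
function hv_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_version_query' );
add_filter( 'style_loader_src', 'hv_strip_version_query' );
```

Two things this does not cover: readme.html in the web root still states the version, so delete it after every upgrade or deny it in the web server configuration; and the ?ver= argument is what WordPress uses for cache busting, so after an upgrade browsers may keep stale JavaScript and CSS. If that matters, have the filter substitute a value of your own (a deployment hash, say) instead of removing the argument.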
Change your accounts. Everybody knows that WordPress’s famous “5-minute installation” produces an initial account with the username ‘admin’ and a generated password. Do yourself a very large favor: before you do anything else on your new blog, get rid of that admin user. Set up an account hierarchy much like Linux espouses, i.e. a ‘super-user’ administrator, and a normal account with minimal permissions. Here’s how:
- login as ‘admin’
- create a new ‘Administrator’ account. Be a hacker’s PITA: pick a username in the same style as a good password. One caveat: WordPress only accepts letters, digits, spaces and the underscore, period, hyphen and @ characters in a login name, and logins are matched case-insensitively under the usual database collations, so the strength comes from length and randomness, not from symbols or mixed case. Also give the account a display name that differs from the login, and be aware that the author-archive URL slug defaults to the login, so a “secret” username is only as secret as that slug. Make the password long and random as well; brute-forcing a username/password pair like that over HTTP is not practical.
- create your ‘Author’ account. Use this account for making your regular posts. Use the same technique to create the username/password as you did on the Admin account. Only use your Administrator account when you need to.
- log out, log in as the new administrator, and delete ‘admin’. WordPress asks what to do with its posts; attribute them to your Author account rather than deleting them.
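The same procedure as a one-off script, for anyone who would rather not click through the Users screen. This is an added example, not the original post’s code and not part of WordPress; it assumes it is run once from the WordPress root with WP-CLI (wp eval-file replace-admin.php), and the file name, the two e-mail addresses and the public names are placeholders. It also sets the display name and author slug independently of the login, which the admin UI does not let you do for the slug.

```php
<?php
/*
 * Added example, not code from the original post or from WordPress.
 * Replaces the default 'admin' account with a new administrator and a
 * low-privilege author, hands admin's posts to the author, then deletes
 * 'admin'. Assumed usage, once, from the WordPress root:
 *     wp eval-file replace-admin.php
 * File name, e-mail addresses and public names are placeholders.
 */

// validate_username() rejects anything outside letters, digits, space and
// the characters _ . - @, so this is the whole alphabet a "password-style"
// login can draw on. Upper case is left out on purpose: logins are compared
// case-insensitively under the usual MySQL collations, so it adds nothing.
function random_login( $length = 16 ) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789_.-@';
    $login    = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $login .= $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
    }
    return $login;
}

// Create an account whose byline and /author/<slug>/ URL do not reveal the
// login. Returns the new user ID, or stops the script with the error.
function create_account( $login, $password, $role, $email, $public_name ) {
    $user_id = wp_insert_user( array(
        'user_login'    => $login,
        'user_pass'     => $password,
        'user_email'    => $email,
        'role'          => $role,
        'display_name'  => $public_name,
        'nickname'      => $public_name,
        // Author-archive slug; it would default to the login otherwise.
        'user_nicename' => sanitize_title( $public_name ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        die( "Could not create $login: " . $user_id->get_error_message() . "\n" );
    }
    return $user_id;
}

$old_admin = get_user_by( 'login', 'admin' );
if ( ! $old_admin ) {
    die( "No 'admin' user exists; nothing to do.\n" );
}

$accounts = array(
    // login, role, e-mail (placeholder), public name (placeholder)
    array( random_login(), 'administrator', 'owner@example.com',  'Site Owner' ),
    array( random_login(), 'author',        'writer@example.com', 'Editorial' ),
);
$ids = array();
foreach ( $accounts as $account ) {
    list( $login, $role, $email, $name ) = $account;
    $password     = wp_generate_password( 24, true, true );
    $ids[ $role ] = create_account( $login, $password, $role, $email, $name );
    // Printed exactly once; put them in a password manager.
    echo "$role: login '$login' password '$password'\n";
}

// wp_delete_user() lives in wp-admin; include it in case it is not loaded.
require_once ABSPATH . 'wp-admin/includes/user.php';
// Reassign admin's posts to the author account instead of deleting them.
wp_delete_user( $old_admin->ID, $ids['author'] );
echo "Deleted 'admin' (ID {$old_admin->ID}); its posts now belong to user {$ids['author']}.\n";
```

Check the result the way an attacker would: request /?author=1 and the other small author IDs and confirm the redirect slug is the public name, not the login, and confirm that logging in as ‘admin’ now fails with an unknown-user error.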
Prevent directory listings. Different server setups take different solutions, so use the one appropriate for your hosting setup. But do it. Do it now. A listing of wp-content/plugins/ hands an attacker the name of every plugin you run (and each plugin’s readme.txt gives the version), which is exactly what’s needed to pick an exploit. Note that this only removes the index page: a request for a known path still succeeds, so it raises the cost of reconnaissance rather than preventing it.
Be secretive. Don’t blare out to the world that “these are the fantastic plugins I’m using”. I mean, it’s obvious enough anyway (many plugins’ names appear in the script and stylesheet URLs in your page source), but why make it easier?
Exclude the nice robots from your files. Use a comprehensive robots.txt file that excludes the core WordPress files and folders. There is no reason for allowing those files to be indexed: your posts, pages and settings live in the database, and the filesystem holds only code (core, themes, plugins) plus your uploads. The only exception may be your uploaded images, if you want Google to know about them. Two caveats: robots.txt is advisory, so bad bots will ignore it, and it is also public, so an attacker reads it for paths; stick to the standard directories and never list something you are actually trying to hide. We do what we can.
Don’t use the vulnerable legacy search code. Older themes echoed the raw search term (the $s global, or $_GET['s']) straight into the search box and the results heading, which makes the search page a reflected cross-site scripting hole: a crafted link injects script into your page under your domain. Make sure your theme uses the escaped accessors (the_search_query() or get_search_query()) instead. Google for more information.
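For Apache hosts the fix is a single directive. The fragment below is an added example, not from the original post; it assumes the .htaccess file in the WordPress root and that the host allows the Options directive to be overridden there (AllowOverride Options or AllowOverride All); if it does not, the same line belongs in the virtual host configuration. On nginx the equivalent is autoindex off, which is already the default.

```apache
# Added example, not from the original post. .htaccess in the WordPress root.

# Weak: indexes on. A request for /wp-content/plugins/ returns a file list
# naming every installed plugin.
# Options +Indexes

# Hardened: no listings anywhere under this tree. A request for a directory
# without an index file now returns 403 instead of a list.
Options -Indexes
```

Verify it from outside with a request for /wp-content/plugins/ and /wp-content/uploads/ and check that the status is 403 (or 404), not 200 with an "Index of" page.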
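A robots.txt along the lines described above, as an added example rather than the original post’s file; it assumes the default directory layout and keeps uploads crawlable so that images can be indexed. Note that WordPress serves a generated robots.txt only when no real file exists, so a file you place in the web root replaces it.

```text
# Added example, not from the original post. Standard paths only: this
# file is public and is read by attackers as well as crawlers.
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /wp-login.php
Allow: /wp-content/uploads/
```

One trade-off to weigh: blocking /wp-includes/ and the theme directory also hides core and theme CSS and JavaScript from search engines, and modern crawlers render pages, so this can affect how your pages are indexed. The Disallow lines are advisory only; they are not access control and do nothing against a scanner that ignores them.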
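The legacy pattern beside its fixed form, as an added example (not the original post’s code and not from any particular theme). The two snippets stand in for a theme’s searchform.php and search.php; home_url() and the markup around the echoes are assumptions, and the first snippet is deliberately left vulnerable to show the bug.

```php
<?php
// Added example, not code from the original post or from any theme.

// --- VULNERABLE (legacy pattern, intentionally kept as-is) ---
// $s is the raw ?s= query parameter that WordPress registers as a global.
// A search for  "><script>alert(document.cookie)</script>  closes the
// value attribute and runs script inside your page, so a link carrying
// that term is a reflected XSS against every visitor who clicks it.
?>
<form method="get" action="<?php echo home_url( '/' ); ?>">
  <input type="text" name="s" value="<?php echo $s; ?>" />
</form>
<h2>Search results for '<?php echo $s; ?>'</h2>

<?php
// --- HARDENED ---
// get_search_query() returns the term escaped for an attribute context;
// for element content take the unescaped value and apply esc_html(), the
// escape that matches that context. esc_url() guards the action URL.
?>
<form method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
  <input type="text" name="s" value="<?php echo get_search_query(); ?>" />
</form>
<h2>Search results for '<?php echo esc_html( get_search_query( false ) ); ?>'</h2>
```

To check a theme, search its files for echo $s, echo $_GET['s'] and echo $_REQUEST['s']; any hit that is not wrapped in an escaping function is the legacy code this item is about.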
Listen: if you use some common sense and employ some best-practices security, odds are extremely thin that you’ll be the victim of an attack. If you are, delete your install, reinstall from your backups (you DO have those, don’t you?) and carry on. Two cautions, though. Restore only from a backup taken before the compromise: a backup that already contains the attacker’s backdoor just restores the attacker. And reinstall core, plugins and theme from fresh downloads rather than from the backup, restoring only your own content (the database and uploads). Then change every password, replace the secret keys in wp-config.php so that any existing login cookies stop working, and fix whatever let them in, or you will be doing this again.