That’s right! Even Caroline Wabara’s blog got hacked. I woke up on monday morning of the 24th of October, 2011. Typed in my blog’s url, hit the enter key, only to find a big bold green monster sign saying: “Hacked By Poison”.
Was I shocked? I almost had a heart attack! This is the very first time just an ugly incident would happen to me. My whole day was ruined. I had to contact my web host immediately. Thanks to syskay.com for their excellent service, they restored my blog to its original state and sent me an instructional manual on How to secure my wordpress blog against the ever intelligent hacking demons.
It has come to our attention that many WordPress users have very porous WordPress Installations that are very susceptible to exploitation by hackers. Here are some steps to secure your WordPress installation:
1) Hide your plugins folder:
Anybody can gain access to your blog folders containing themes, uploads and plugins. This is a good opportunity for hackers to gain access to your blog and your entire server. Your wordpress blog plugins are located in http://domainname.com/wp-content/plugins. To hide the plugin folder is very easy. There are two ways to do it.
a. Using the .htaccess file. This method is used to disable browsing the directory of your site sensitive files. To do this, go through the FTP client, locate the .htaccess file. Then right-click to open it with Notepad. After that, add this code:
In some cases, you may not be able to locate the .htaccess file. This depends on the type of FTP client you use. For FileZilla, go to SERVER and click FORCE SHOWING HIDDEN FILES.
b. cpanel – Directory browsing can also be turned off through the cpanel. This is very easy if you cannot handle .htaccess files. Cpanel displays your entire website files anf folders through the “Index Manager”. Using the cpanel option, the server automatically creates the necessary .htaccess for you. Some people find the tree format display of cpanels easier.
2) Define user privilege for your multiple-author blog
If content of your blog is contributed by multiple authors, there is need to assign access rights limits or privileges to each author. To make the administration easier, you should install the User Access Manager. The plugin enables you to manage the access to the blog posts, pages and files. To use the plugin, you only create a user group, put registered users to this and set up the access rights for the group. The post/page will then only be accessible and writable for the specified group
3) Always upgrade WordPress and plugins versions to the latest ones
Make sure the version of WordPress is the latest. Latest versions always fix the bugs and other security issues of the previous versions. This also applies to plugins. It might be difficult to upgrade at once if you have multiple niche blogs. How can you upgrade 100 niche blogs at once. This is a disadvantage of maintaining multiple blogs. In my own case, I do not just install plugins. I make sure that the ones I install are ones I really need for making the site make money. Not just fancy plugins. I don’t install plugins because everyone else is installing. This makes it easier for me to plan and upgrade all of the wordpress versions and plugins in no time.
4) Do security scan regularly
On a regular basis, do a security scan of your blogs. A security scan reveals if you have correct CHMOD permissions for all website files. A good plugin to do this is the wp-security-scan plugin. The plugin also proposes the correct ways to fix those security loopholes found in any file or folder.
5) Use Secret Keys in the wp-config file
Hackers are getting wise everyday. They are always creating new ways of hacking websites after new version of wordpress is developed to combat the security vulnerabilities of the previous one. Hence, you need to use a security key in order to completely put your site under tight security.
A secret key is very good because it makes a blog difficult for hackers to hack. Not only that, secret keys make access to a blog harder to crack by adding random elements to the password. A secret key is a password with elements that make it harder to generate enough options to break through your security barriers.
Security Keys are single-line definitions in your WordPress configuration file, the wp-config.php. If you don’t know what the wp-config.php file is, it is the file that stores the names, address and password of the database that the blog needs to function. The file also stores user details and blog posts. It is in fact the engine that keeps a wordpress blog moving.
6) Encrypt your login
WordPress has some security weaknesses. One of them is that whenever you login to your blog, your password is not encrypted. The security flaw is more serious if you are on a public network where a hacker can easily download your login information with login harvesting scripts. Encrypting a wordpress blog is to be done with the use of SSL or other secure protocols. The problem is that most people don’t have the technical skills to do this. Hence, if you are one of them, you should use the Chap Secure Plugin. The only problem I have noticed with this plugin is that it can give errors even when you have set the parameters correctly.
7) Prevent brute force attack
A brute force attack is when a hacker uses all possible keys against an encrypted data until the correct key is found. There are many ways of doing this. A script can be written to send automated requests to the system, seeking permission to gain entry to your server with different keys. If a key does not gain entry, another one is automatically developed. This system is also used for hacking twitter accounts. To stop brute force attacks, you should install the AskApache Password Protect plugin. This plugin is designed to stop automated attempts to exploit your blog vulnerabilities. Another one is the Login LockDown plugin. The plugin limits the number of login attempts from a given IP range within a certain time period. Once a certain number of failed login attempts are reached, the plugin automatically disables the login function for all requests from the IP range.
8) Use strong password
Don’t just use any word for a password. Don’t use dictionary words, birthday, names of spouse, children, etc. Use a combination of digits, upper and lower case letters and special characters that will not even be easily remembered by people, including you. Write the password down and keep it in your home. Do not store passwords on your computer. Use a minimum of 8 characters for your password.
9) Protect the wp-admin folder
The wp-admin folder is where the main information directing how your blog functions is kept. Most hackers enter through this folder before gaining access to other files in the server. Use the WP Scan plugin to always scan all your blog files to determine which one is vulnerable. The plugin will reveal if some file do not have the correct CHMOD permissions. You can also use the AskApache Password Protect. This plugin enables you to use password to protect the directory and give access right only to authorized people.
10) Remove WordPress version information
Each wordpress version has its security weaknesses. Hackers use the wordpress version of a blog to easily create and launch hacking strategies and bring the blog down in minutes. Therefore, you should prevent the version of your blog from being displayed. If you are using general wordpress themes for your blogs, make sure they do not display your version of wordpress.
To remove the WordPress version info, log in to your WordPress dashboard. Go to Appearance->Editor. Then click on the header.php tab and the file codes will be displayed. Click Ctrl+F on your keyboard and paste this code:
Delete the entire line and click Update File.
11) Do not use “admin” login name
WordPress 3.0+ allows you to choose your own username. The previous versions of wordpress had “admin” as the username. The use of a login name different from “admin” makes it difficult for hackers to use automated means to guess your login information.
12) Backup the wordpress database
Even after taking all necessary security steps, you still need to always backup your wordpress database. This is because anything can happen at any time and what you thought was secure might not be secure. The WordPress EZ Backup plugin allows you to create backup archives of your entire site (not just the wp installations). It also allows you to backup any mysql database. Another plugin is the wp-db-backup plugin. This does a complete backup of your core wordpress database and other tables in the same database. You can also schedule the backup process so that the plugin automatically does a backup at your specified time interval.
Most of the backup plugins are not written to be compatible up to the current version 3.0.1 version of wordpress but they can still work with it.
13) Don’t download plugins from just anywhere
Plugins are what make the wordpress blogging platform very robust. With plugins, you give flexibility to your blog to fit in to internet marketing situation. This is why it is very easy to make money with wordpress blogs than any other blogging platform or static html websites.
However, there are security risks in using plugins. Plugins can contain malicious codes that store and relay back your site information to the plugin author. This is why you should not just download and install any plugin you find around. Do not install plugins unless they are really necessary for the smooth-running or survival of your blog in any niche market you are targeting.