Black Hat Forum
#1
10-02-2008, 06:30 AM
Junior Member
Wordpress Security

Hello guyz,

I have read that hackers target WordPress blogs easily.
I heard that they target the .htaccess file first.
Where can I find the .htaccess file?
Can anyone tell me how I can protect a WordPress blog?

Best Regards.

Last edited by twinkle88; 10-02-2008 at 06:34 AM.
#2
10-02-2008, 08:34 AM
gifmore
Jr. VIP
Re: Wordpress Security

Came across this product:

Code:
hxxp://wppadlock.c0m/
Have no clue as to whether it really works or how good it is, but it might be worth a look.

If other members have had any experience with this, please do share your feedback here.

Thank you.

Cheerio
#3
10-02-2008, 12:39 PM
Junior Member
Re: Wordpress Security

Thanks for the reply.
But there is nothing over there. The domain was redirected to hxxp://agoga.c0m/ which is parked.
#4
10-02-2008, 08:55 PM
OnFire25
Registered Member
Re: Wordpress Security

Having had some of my blogs attacked and identified as malware sites because of the hacking, these are some of the steps that I now use to "harden" my blogs.



* Your “plugins” directory is NOT secured by default!

And that means there’s no “index.html” or “index.php” file in that directory, so anyone can SEE what plugins you are using just by going to “www.yoursite.com/wp-content/plugins”. It is easy to stop this by creating a blank HTML file named “index.html” and putting it in that directory. Job done!


* Choose a strong password!

Don’t use an easily guessed admin password (your several-character first name, your wife’s name, pet names, etc)…choose a longer password and try to combine it with numbers and upper/lower case letters (even other characters like #,$,%,^…). And change your admin password regularly!


* Use security-related plugins!

Some of these security related plugins may help you:

- BS-WP-NoVersion
A lot of attackers and automated tools will try and determine software versions before launching exploit code. Removing your WordPress blog version may discourage some attackers and certainly will mitigate virus and worm programs that rely on software versions.

Or you can use Replace WP version plugin.
Code:
http://wordpress.org/extend/plugins/replace-wp-version/
- Login LockDown
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Download it from here.
Code:
http://www.bad-neighborhood.com/login-lockdown.html

* Backup your database!

You should back up your data regularly (that includes the database). Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media (such as CD-R) increases your confidence that your data has not been tampered with.
One good utility is WP-DBManager; it can be downloaded from here:
Code:
http://wordpress.org/extend/plugins/wp-dbmanager/


* Of course, update your Wordpress!

Like I said above, keeping your WordPress installation up to date is one of the most important measures against hackers. And it’s not complicated to do either (back up everything before you upgrade!).

Good Luck
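The Login LockDown behaviour OnFire25 describes above (3 failed attempts within 5 minutes from one IP range, then a 1-hour lockout of that range) written out as working detection logic. This is an added example, not the plugin's own code; it assumes a constructed log line format of the form "<epoch> FAILED user=<name> ip=<addr>" and treats a /24 as the "IP range".

```python
import ipaddress
import re
from collections import defaultdict

# Login LockDown defaults quoted in the thread: 3 failed attempts within
# 5 minutes from one IP range lock that range out for 1 hour.
MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 3, 300, 3600

# Constructed log format (an assumption): "<epoch> FAILED user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\d+) FAILED user=\S+ ip=(\S+)$")

def ip_block(addr):
    """Map an address to its /24, the 'IP range' the plugin locks."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(list)  # block -> recent failure times
        self.locked_until = {}             # block -> epoch when lock expires

    def is_locked(self, addr, now):
        until = self.locked_until.get(ip_block(addr))
        return until is not None and now < until

    def record_failure(self, addr, now):
        """Record one failed login; return True if it triggers a lockout."""
        block = ip_block(addr)
        recent = [t for t in self.failures[block] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[block] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[block] = now + LOCKOUT_SECONDS
            return True
        return False

def replay(lines):
    """Feed time-ordered log lines through the lockout; return (tracker, locked /24s)."""
    ld = LoginLockdown()
    for m in filter(None, map(LINE_RE.match, lines)):
        ld.record_failure(m.group(2), int(m.group(1)))
    return ld, sorted(ld.locked_until)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "1000 FAILED user=admin ip=203.0.113.5",
    "1060 FAILED user=admin ip=203.0.113.9",   # same /24 one minute later
    "1200 FAILED user=root ip=203.0.113.77",   # third within 5 min -> locked
    "1000 FAILED user=admin ip=198.51.100.1",
    "1400 FAILED user=admin ip=198.51.100.1",  # only two in any 5-min window
]
```

Because the counter is keyed on the /24 rather than the single address, an attacker rotating through neighbouring addresses still trips the lock, which is the point of the plugin's "IP range" wording.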
#5
10-02-2008, 11:06 PM
gifmore
Jr. VIP
Re: Wordpress Security

Quote:
Originally Posted by twinkle88
Thanks for the reply.
But there is nothing over there. The domain was redirected to hxxp://agoga.c0m/ which is parked.
Sorry, but I forgot to mention that you need to change the
xx to tt and the zero to o:

hxxp://wppadlock.c0m/

Anyways, OnFire25 also seemed to have posted some great tips and tools

Cheerio
#6
10-03-2008, 12:25 PM
Junior Member
Re: Wordpress Security

Infinite thanks to you.
I did everything.

Good plugin protection idea. I think I can use this technique to protect all folders like images and all.

The version hider plugin is good. I think the new WordPress software is coded to protect our WordPress version from others.

Quote:
Originally Posted by OnFire25
Having had some of my blogs attacked and identified as malware sites because of the hacking, these are some of the steps that I now use to "harden" my blogs. [...]

Quote:
Sorry, but I forgot to mention that you need to change the
xx to tt and the zero to o:

hxxp://wppadlock.c0m/

Anyways, OnFire25 also seemed to have posted some great tips and tools

Cheerio

Thanks for the tip.
It is working fine. I think this plugin software does htaccess modification and asks the admin to input his ip address. Good plugin.
Instead of buying this plugin, if we do a Google search for ".htaccess protection", we can find the tip. But it must be edited manually, whereas this plugin automates the process.

Last edited by twinkle88; 10-03-2008 at 12:28 PM.
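The manual .htaccess edit twinkle88 describes (restricting the admin area to the administrator's own IP address), together with the directory-listing fix that does the same job as OnFire25's blank index.html. This is an added example, not the plugin's output or anything from the thread; it assumes Apache 2.2-era mod_authz_host syntax, and 203.0.113.10 is a placeholder for your own address.

```apache
# --- wp-admin/.htaccess (added example; 203.0.113.10 is a placeholder) ---
# Deny everyone, then allow only the administrator's address.
# Needs "AllowOverride Limit" (or All) for the directory in the server config.
Order deny,allow
Deny from all
Allow from 203.0.113.10

# The weak version this replaces is no .htaccess at all (or "Allow from all"),
# which leaves the dashboard and every script under wp-admin reachable from
# any address, so a stolen or guessed password can be used from anywhere.

# --- wp-content/.htaccess ---
# Same effect as the blank index.html, but for every subdirectory at once
# (plugins, themes, uploads): stop Apache from listing directory contents.
# Needs "AllowOverride Options" (or All).
Options -Indexes
```

Two caveats: admin-ajax.php lives under wp-admin, so themes or plugins that call it from the public site will fail for visitors outside the allowed address, and a home connection with a changing IP needs the Allow line updated each time it changes.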