
[GUIDE] Make your Wordpress blog Hackproof - A complete guide

Discussion in 'Blogging' started by Gogol, Oct 24, 2012.

  1. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,062
    Likes Received:
    2,872
    Gender:
    Male
    Hello all!
    I see lots of threads in this section of BHW where members complain about their Wordpress sites getting hacked. I have been a victim of this myself in the past. So I did some R&D in this regard and have come up with some tactics. I am sharing my tactics on securing a Wordpress blog; I hope it helps some of the members here :)


    Step 1: Choose a good hosting provider.


    We tend to choose the cheapest hosting provider we can get, and this is a very bad move if you want a secure website. Many of the cheap (and free) shared web hosts do not have their folders chmodded properly. You can actually enter another user's FTP using a shell script hosted in your folder. At least 30-40% of websites are hacked because of this vulnerability. Some of the well-known hosts like HostGator and GoDaddy have very strict folder permissions. So, go with them if you can't afford a dedicated server.

    Step 2: Primary Installation configuration

    When you are installing Wordpress on your server, DO NOT CHOOSE the default username (admin) and db prefix (wp). Instead use a hard-to-guess username, choose an alphanumeric sentence (not a word!) with some special characters added to it as the password, and use a different db prefix. Password cracking has become increasingly fast and hackers now use GPUs instead of CPUs to bruteforce. It is at least 1000 times (or even more!) faster. So choose the db prefix, password and username carefully. This will make the n00bs frustrated and give up hope.

    Step 3: Delete everything that you don't use, choose the right theme.

    I am not sure how effective this is, but you should delete all the unused themes (including Twenty Ten and Twenty Eleven) and plugins (including Hello Dolly). This will make your server more manageable and you will be able to detect shell scripts faster.
    Choosing the right theme matters! Make sure your theme doesn't have the TimThumb script, which hackers exploit to upload a remote malicious PHP file. The best way is to make the theme yourself! If you can't do that, then outsource the job to some freelance site. Make sure your theme's user inputs are properly escaped, so that there isn't any SQL injection vulnerability.


    Step 4: Install "Login LockDown"

    This plugin makes brute-forcing much tougher. If the hackers use WPScan-type scanners, it will throw a warning at them that this site is using Login LockDown. Some of them might get frustrated and give up trying!

    Step 5: Mute all the errors

    This is a very important step that you need to take not only for a WP installation, but for any system in a production environment. Many hackers use the FPD (Full Path Disclosure) vulnerability in Wordpress to learn the full path of your site. There can also be other kinds of error notices which can leak sensitive information to the attacker. The best way to mute all errors is by modifying your php.ini file. If you are using GoDaddy as your host, then make a new file called php5.ini (if there isn't one already; create php.ini if your PHP version is 4, not 5) and add the following lines:

    Code:
    display_errors = Off
    expose_php = Off
    

    The code may vary from host to host. You should really ask the support staff how to do this.

    Step 6: Password Protect your wp-admin directory (the twist!)

    By protecting your wp-admin directory, you add an extra layer of protection to your admin section. This works pretty well and I have even seen some major security blogs (they are the experts, aren't they!) doing this. How to do this?
    Firstly, you need an htpasswd file. There are tons of online htpasswd generators available, such as

    Code:
    www.htaccesstools.com/htpasswd-generator/
    

    Enter your username and password and it will create the htpasswd entry for you. Not to mention again, choose some unique and hard-to-guess username and an alphanumeric sentence with added special characters as the password. Save it in a file called .htpasswd and place the file outside your public_html folder (uploading the file outside public_html makes it harder to access the file from the web).
    Now create a new .htaccess file with the following rule and upload the .htaccess file under your wp-admin folder.

    Code:
    AuthUserFile /full/path/to/your/htpasswd/folder/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Password Protected Area"
    AuthType Basic
    # No <Limit GET POST> wrapper: that would leave every other HTTP method
    # unauthenticated, so the requirement must apply to all methods.
    Require valid-user
    


    Step 7: Maintenance and backup:


    Keep an eye on your Apache log files to see if anything funny is going on! Also, do regular backups. Whenever you update your content, take a full db and site backup. This way, you can revert to the last backup if something happens.

    That's basically it! I hope you enjoy reading this and more importantly, it helps someone :)
     
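An added example for Step 7 (my own code, not part of the original post): a small Python checker for Apache combined-format access logs that flags, per source IP, bursts of POSTs to wp-login.php (password guessing) and bursts of 401s against the wp-admin directory protected in Step 6. The log format, the thresholds and the sample log lines are assumptions constructed for this demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def burst_sources(lines, is_hit, threshold=10, window_s=300):
    """IPs with more than `threshold` matching requests in any `window_s`-second window: {ip: peak}."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if is_hit(rec):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # drop timestamps that fell out of the sliding window
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def login_post(r):  # password guessing goes through POSTs to the login form
    return r["method"] == "POST" and r["path"].split("?")[0].endswith("/wp-login.php")

def admin_401(r):  # rejected by the .htpasswd layer on wp-admin from Step 6
    return r["status"] == "401" and r["path"].startswith("/wp-admin/")

# Constructed sample (RFC 5737 documentation addresses), not from any real server:
# one normal visitor, 12 login POSTs from one IP in under two minutes, then a 401.
SAMPLE_LOG = [
    '198.51.100.5 - - [24/Oct/2012:10:00:00 +0000] "GET /2012/10/post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    *('203.0.113.7 - - [24/Oct/2012:10:%02d:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"'
      % (i // 6, (i % 6) * 10) for i in range(12)),
    '203.0.113.7 - - [24/Oct/2012:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
]
```

Run `burst_sources(open("access.log"), login_post)` against a real log to get the offending IPs; lower `threshold` for `admin_401`, since even a handful of rejected requests against a password-protected admin directory is worth a look.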
  2. futurestic06

    futurestic06 Supreme Member

    Joined:
    Apr 16, 2011
    Messages:
    1,204
    Likes Received:
    146
    Thanks for sharing dude. I have never used these types of methods. So I am really interested to use them and see the result.
     
  3. dbuck

    dbuck Newbie

    Joined:
    Dec 14, 2011
    Messages:
    24
    Likes Received:
    15
    Gender:
    Male
    Occupation:
    Guitar player / Musician
    Location:
    fl
    Thanks for the Login LockDown... going to look into it. I also like the Wordfence plugin. Another thing I do is chmod my index and config files to 444, so if they do get in they can't write to these files.
     
  4. Gogol

    Gogol Elite Member

    Thanks to both of you for the fact that you read the post at least! :)
    Try them out, I guess it will work ;-)

    @dbuck dude, there is also a plugin called Better WP Security. Try that out too!! About 444, are you sure it works? I usually do 755 on all the folders and files. This way, a script can't enter its parent folder!
     
  5. santhu

    santhu Power Member

    Joined:
    Jan 2, 2012
    Messages:
    547
    Likes Received:
    447
    Occupation:
    Self-Employed Internet Marketer......
    Location:
    India
    Thanks For the share Dude...........
     
  6. CyberSEO

    CyberSEO Senior Member

    Joined:
    Jul 14, 2011
    Messages:
    939
    Likes Received:
    255
    Occupation:
    programmer
    Sorry but that's just not professional. Too many loopholes stay unfixed. E.g. your site can be rooted easily via an outdated version of the timthumb library, which is still included in the most popular themes, including premium ones. In other words, this "complete guide" won't work if even a newbie hacker wants to compromise your WP blog or even the whole host.
     
  7. dbuck

    dbuck Newbie

    g0g0l... 444 works for me. The owner can still write with 755. My files would get reinfected until I chmod to 444... then I look for the cause... I have heard of Better WP Security, but have never tried it. Thanks
     
  8. Ste Fishkin

    Ste Fishkin "I'm watching you.." - Apricot Jr. VIP Premium Member UnGagged Attendee

    Joined:
    May 14, 2011
    Messages:
    1,831
    Likes Received:
    8,689
    Occupation:
    Rands Sex Slave
    Location:
    England
    IP Whitelist the wp-admin directory to your home IP.

    Biggest thing you can do by far.
     
  9. Gogol

    Gogol Elite Member

    @CyberSEO
    Yes you are right in a sense, but if you follow the guide properly, you'll see that I have said not to use timthumb at all! I personally use a custom WP function to dynamically resize my images (search for vt_resize). There can be more points for sure, but if you follow these points properly, I bet your site won't be hacked (i.e., it will become hack proof). The biggest evil in the WP scripts is the editor that is bundled with this product. If you protect your wp-admin properly, I can guarantee you that nothing will ever happen to you.

    By the way, if you have anything to add to this, please share :)
     
  10. CoyoteAssassin

    CoyoteAssassin Elite Member

    Joined:
    Jan 3, 2010
    Messages:
    1,862
    Likes Received:
    3,906
    Occupation:
    Full Time IMer
    Location:
    USA
    Thanks!

    I just purchased Sucuri for all of my high-money making WP sites after someone successfully hacked it over and over. At first I was able to go in and remove their links each time but they got smarter and so did I.

    Sucuri works great and I am very impressed.

    They have a free plugin that will tell you if something is going on.

    Check it out.
     
  11. Gogol

    Gogol Elite Member

    That becomes a pain when you have a dynamic IP and/or you want to use the administration from your mobile! I thought about it, but later decided against it!
     
  12. Gogol

    Gogol Elite Member

    I will try that out! 755, as I believe, gives the script permission for read, write and execute in the same folder, and only read permission in its parent. I can be wrong here!
     
  13. dbuck

    dbuck Newbie

    Nice post gOgOl .... I hope we hear some more ideas on this. Seems the bigger you are (wordpress), the more the kiddies want to hack you....
     
  14. CyberSEO

    CyberSEO Senior Member

    timthumb is just an example. The latest versions of this library are safe enough, but there are many others - not so famous but much easier to hack.
     
  15. Gogol

    Gogol Elite Member

    Hmm agreed. This is the reason why I don't use third-party plugins at all! I only use the essential plugins like Yoast SEO, ShareThis, Akismet and a few more, but not others, excuse me!
    If I need a solution, I make it myself. That's why I mentioned that you should make your themes yourself (or export it to someone). Don't use extra plugins, just do it all from your functions.php
     
  16. Gogol

    Gogol Elite Member

    Absolutely!
     
  17. WPRipper

    WPRipper Supreme Member

    Joined:
    Mar 24, 2010
    Messages:
    1,377
    Likes Received:
    1,493
    Location:
    Proudly romanian
    This is just basic stuff which I'm sure everyone here knows about, but thx for your time to put this together.
     
  18. dbuck

    dbuck Newbie

    Yup.. Wordpress plugins can have vulnerabilities which an attacker can use. I protect access to my Wordpress plugins directory by uploading a blank 'index.html' file to that directory to block access.
     
  19. dbuck

    dbuck Newbie

    gOgOl hit on the functions.php file... add the following line of code in your theme's functions.php file:

    Code:
    remove_action('wp_head', 'wp_generator');
     
  20. twitter.followers

    twitter.followers Elite Member

    Joined:
    Mar 23, 2011
    Messages:
    1,768
    Likes Received:
    2,208
    I am familiar with most of these tips but some are actually new to me and are worth a look.
    Thanks for the share!
     