Tips, Tricks, Tools & Techniques

for Internet Business, Life, the Universe and Everything

Six Tips To Keep Your WordPress Blog From Being Hacked

17 December, 2007 (13:05) | Security, WordPress | By: Nick Dalton

Copywriter Michel Fortin tells a harrowing tale of how his blog was compromised and subsequently blacklisted by Google. This comes on the heels of the highly publicized attack on Al Gore’s web site.

Unfortunately the details on what exactly happened with Fortin’s and Gore’s blogs are scant. But here are some general guidelines for keeping your WordPress blog safe.

Update to the latest secure version

No software is free from bugs and security holes. Make sure that you are running the latest secure version. For WordPress – as of this writing – that means versions 2.3.1, 2.2.3 or 2.0.11.

Since WordPress gives plug-ins and themes full access to your blog (they are PHP that runs inside WordPress itself, with the same access to your files and database as the core code), you also need to keep your plug-ins and themes up-to-date. With the 2.3 series of WordPress you are notified in the admin screen when a new version of an installed plug-in is released.

Only download and install trusted code

Just like you shouldn’t open email attachments from people you don’t trust, you shouldn’t install software on your blog from untrusted sources. Only download code from the author’s own web site or the official WordPress plug-in directory, never from a mirror or a forum post.

Since WordPress and most themes and plug-ins are released as open source, anyone can take the code, add a back door or spam links, and put the result up for download under the original name for unsuspecting bloggers to install.

Don’t be the guinea pig for the latest plug-ins. Take a cautious approach and wait until you see a plug-in being used by many other trusted bloggers.

Be wary of JavaScript includes

Many web analytics services and ad networks require you to add some JavaScript to your blog pages. Often this takes the form of a script include (<script src="..."></script>) that pulls code from the third party’s server on every page view. That code runs in your page with the same privileges as your own scripts: it can rewrite any part of the page, read your visitors’ cookies for your site or redirect them elsewhere, and the third party can change what it serves at any time without you noticing. In essence you are trusting the security of your web site to that service.

In the case of Google AdSense and Google Analytics, or any of the major and reputable ad networks and web analytics services, I would not be worried. But if some relatively unknown company wanted to place JavaScript on my web site I would run away.

Ad networks pose another problem if you don’t control who is allowed to advertise on your pages. Google applies a guilt by association principle: if your site displays ads for a site that hosts badware, your site may be blacklisted too.

Write-protect your themes directory

There appears to be an exploit going around that modifies installed WordPress themes to add spam links or malicious iframes. One way to make this harder is to make the whole themes tree read-only for everyone but the file owner: directories to 755 and files to 644, so that neither the web server account nor other users on a shared host can write to them. Note that this only helps if the web server runs as a different user than the one that owns your files; on hosts where PHP runs under your own account, the owner bit still allows writes and you would have to make the files read-only for yourself as well. The drawback is that you will now have to ftp modified files to your web server each time you want to make changes to your theme, since the built-in theme editor can no longer write to them.

Unfortunately you cannot apply the same write protection to the plug-ins directory since many plug-ins write data to the directory where it’s installed.
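
As an added example (shell, not code from the original post) that applies this to the whole themes tree and checks the result, the script below sets directories to 755 and files to 644 and then lists anything still writable by group or others. The sample tree under a temporary directory and the paths in it are constructed for the demo; as noted above, this only helps where the web server runs as a different user than the file owner.

```shell
#!/bin/sh
# Added example, not code from the original post. Locks down a WordPress
# themes tree (directories 755, files 644) and audits for anything still
# writable by group or others. The sample tree and paths are assumptions
# for the demo. Only useful if the web server runs as a different account
# than the file owner; if PHP runs as your own user the owner bit still
# allows writes and 755 stops nothing.
set -eu

# Make every directory 755 and every file 644 below the given root.
lock_down_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# List every entry below the root that group (020) or others (002) may write.
# Octal tests are used because symbolic -perm forms differ between finds.
find_writable() {
    find "$1" \( -perm -020 -o -perm -002 \)
}

# Number of such entries; 0 means the tree is locked down.
count_writable() {
    find_writable "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree: one theme directory left 777 and one file 666,
# as a sloppy ftp upload or a careless installer might leave them.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
themes="$workdir/wp-content/themes"
mkdir -p "$themes/default"
printf '<?php get_header(); ?>\n' > "$themes/default/index.php"
chmod 755 "$workdir/wp-content" "$themes"
chmod 777 "$themes/default"
chmod 666 "$themes/default/index.php"

echo "writable before: $(count_writable "$themes")"   # 2
lock_down_tree "$themes"
echo "writable after:  $(count_writable "$themes")"   # 0
```

Run count_writable against wp-content/themes from cron and have it mail you whenever the result is not 0. The same audit run over the plug-ins directory will not come back clean, since some plug-ins need writable directories, but it tells you exactly which ones those are, so you know where to look.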

Use strong passwords

This is an obvious good security practice, but too often forgotten. Make sure all your passwords are strong: your admin account, the ftp account, the MySQL account in wp-config.php, and any other WordPress accounts with edit or publish privileges.

There are numerous articles online about selecting good passwords so I won’t repeat that information here. Just make sure that you follow the advice in these articles and don’t copy the actual passwords they list.

View the HTML source of your site often

You should view the HTML source of your web site often, and look at the page as it is actually served to a visitor (View Source in your browser), not at the theme files in the editor: injected code can come from a plug-in or from the database as easily as from a theme. If you find chunks of obfuscated JavaScript (long strings of %XX or \xXX escapes fed to eval or unescape), iframes sized to zero pixels, or hidden links to sites you don’t know, then your blog may have been compromised. The reason to do this often is so that you can discover any issues before Google does and blacklists you, or before any of your readers get infected by malicious software distributed from your site.
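
To make this check routine rather than occasional, here is an added example (shell, not code from the original post) that greps a saved copy of a page for the symptoms just described and diffs it against a known-good copy taken while the site was clean. The two HTML files are constructed for the demo, the example.com URLs and file names are assumptions, and the patterns are heuristics that will need tuning to your own theme.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks a saved copy of a
# page for obfuscated JavaScript, hidden iframes and hidden links, and reports
# lines added since a known-good copy. Both HTML files below are constructed
# for the demo; in a cron job you would fetch the live page first, e.g.
#   curl -s http://www.example.com/ > current.html
set -eu

# Count lines matching common badware indicators. These are heuristics and
# will need tuning to your theme; a non-zero count means "look closer".
suspicious_lines() {
    grep -c -i -E \
        -e 'eval\(unescape|document\.write\(unescape' \
        -e '<iframe[^>]*(width|height)=.?0[^0-9]' \
        -e '(display: *none|visibility: *hidden)[^>]*>[^<]*<a[ >]' \
        -e '(%[0-9a-f]{2}){20,}|(\\x[0-9a-f]{2}){20,}' \
        "$1" || true      # grep -c exits 1 when the count is 0
}

# Lines present in the current copy but not in the baseline. Injected code
# shows up here even when it matches none of the patterns above.
added_lines() {
    diff "$1" "$2" | grep '^> ' | sed 's/^> //' || true
}

count_added() {
    added_lines "$1" "$2" | wc -l | tr -d ' '
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Known-good copy of the front page, saved right after a clean install.
cat > "$workdir/baseline.html" <<'EOF'
<html><head><title>My Blog</title>
<link rel="stylesheet" href="/wp-content/themes/default/style.css" type="text/css" />
</head><body>
<div id="content"><h2>Hello world!</h2><p>Welcome to WordPress.</p></div>
<p>Powered by <a href="http://wordpress.org/">WordPress</a></p>
</body></html>
EOF

# The same page after an injection: a zero-size iframe, a packed script (the
# escapes decode to the inert string document.write('<a href=')), and a spam
# link inside a hidden div. Constructed for the demo.
cat > "$workdir/current.html" <<'EOF'
<html><head><title>My Blog</title>
<link rel="stylesheet" href="/wp-content/themes/default/style.css" type="text/css" />
</head><body>
<div id="content"><h2>Hello world!</h2><p>Welcome to WordPress.</p></div>
<p>Powered by <a href="http://wordpress.org/">WordPress</a></p>
<iframe src="http://www.example.com/in.html" width=0 height=0 frameborder=0></iframe>
<script type="text/javascript">eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%61%20%68%72%65%66%3D%27%29'))</script>
<div style="display:none"><a href="http://www.example.com/pills.html">cheap pills</a></div>
</body></html>
EOF

echo "suspicious lines in baseline: $(suspicious_lines "$workdir/baseline.html")"   # 0
echo "suspicious lines in current:  $(suspicious_lines "$workdir/current.html")"    # 3
echo "lines added since baseline:"
added_lines "$workdir/baseline.html" "$workdir/current.html"
```

The diff against a baseline is the more reliable of the two checks: the patterns only catch what they were written for, whereas any change to a page that should not be changing is worth a look. Refresh the baseline whenever you deliberately edit the theme or add a widget, otherwise the report fills with noise and you stop reading it.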

Should you abandon WordPress?

I love the WordPress platform because it’s so powerful, flexible and extensible. The downside to all these extensions is that it only takes one weak link to compromise your blog. Even though the core WordPress developers mostly follow good security practices for the code they write, the same cannot be said of all the thousands of WordPress theme and plug-in developers.

Since WordPress is the most popular blog platform, it suffers the same problem as Microsoft does with its products: the most popular software is also the most popular target for exploits. Therefore we are going to have to live with constant security vigilance. If you are not willing to at least follow the six steps in this article, then WordPress is probably not the best blogging platform for you.

Are you practicing safe blogging?
