Avoiding The Hackers – Securing WordPress!
Much to my annoyance, I was subjected to a site hacker attack on two of my newer Commission Ritual websites today. I'm not 100% sure how long they had been hacked for, since I haven't checked either of the sites since the beginning of last week. It looks to me like they carried out some kind of SQL injection attack. The fix was simple enough, just a case of navigating into my site via FTP and replacing the affected files, but it still created around an extra hour's work because I then had to go through and change my usernames and passwords all over again. How annoying!!
The reason the hacker was able to hack these two particular sites is simple: I hadn't secured them to my usual standard. I had been in a rush when I put them up and hadn't been as thorough as I usually am. Well, that will teach me for the future, won't it!
Making Your Installation Secure
There are several things I always do (apart from this once) which make the installation far more secure, and they are things you should be doing too to avoid the extra hassle of having to undo the work of a hacker. The following aren't hard at all, and most can be done as part of your installation and setup.
1) Remove the version number from your footer
Never leave the WordPress version number in place within your footer. If you do, you are telling the hacker exactly which version you are using, so they can search for version-specific exploits.
2) Change the default WordPress username
The default administrator username for WordPress is usually set to 'admin'. Never, ever leave it set as admin. If your administrator username is set to admin, simply do the following to change it:
- Navigate to 'Users' and click 'Add New'
- Create a new username and password, making sure to assign it administrator rights
- Logout as the current administrator and log back in with your new username and password
- Delete the old 'admin' user from the WordPress 'Users' list
3) Make sure you use a 'Strong' password
When you are entering your password in the Fantastico setup it won't tell you how strong or weak your password is, so it's always good to check the overall strength of the password before you use it. In the past I have used Password Meter to check how strong a password is likely to be.
4) Use a different prefix for WordPress DB tables
The default table prefix for WordPress database tables is wp_, and you should always make sure you change it. As far as I am aware Fantastico doesn't allow you to choose the table prefix, but you can specify it if you install manually. You can also change the table prefix after the Fantastico installation using a WordPress plugin called 'WP Security Scan', available here:
N.B. - If you are going to start messing around with your table prefixes on a LIVE site, I strongly recommend you back up your database AND are comfortable with exactly what you are doing!
5) Choose a different 'public' name
Don't use the same publicly visible name as your admin username; always make sure the two are different from one another.
6) Use the login lockdown plugin
This is a fantastic little plugin: it enables WordPress to automatically disable login from an IP address after a set number of failed logins, and you can then lock them out for as long as you want to. I have most of mine set to 1 failed attempt. Grab the login lockdown plugin here.
7) Be aware of your WordPress version
It's always a good idea to keep your website up to date with the most recent version of WordPress. However, I always make sure I leave a little bit of time before upgrading to the latest release; this just allows time for bug fixes and incompatibilities to be resolved first.
8) Backup, backup, backup!
Need I say more!
Updates From Comments:
9) Remove the WordPress version meta tag - Thanks to Mark (Niche Store Builder) for this suggestion
Remove the WordPress version meta tag from your theme's header file, which usually looks like this:
<meta name="generator" content="WordPress 2.9.1" />
Just remember that this meta tag is used for WordPress.com stats, but personally I would rather have a more 'hacker-proof' website.
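As an added example (not from the post, and not the plugin's own code), here is how items 6 and 9 can be done in a theme's functions.php or a small mu-plugin using WordPress's standard hooks: it stops the generator meta tag and the ?ver= query strings leaking the version, and locks an IP out after a set number of failed logins. The function names, the limits, and the assumption that no reverse proxy sits in front of the server (so REMOTE_ADDR is the real client) are mine.

```php
<?php
// Constructed example for functions.php / an mu-plugin; function names are hypothetical.

// Item 9: stop WordPress printing <meta name="generator" content="WordPress x.y.z" />
// and blank the version in the RSS/Atom generator lines too.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Item 1/9: drop the ?ver=x.y.z query string from enqueued styles and scripts.
// Assumption: the theme does not rely on ?ver= for cache busting.
function example_strip_version_query( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'style_loader_src',  'example_strip_version_query' );
add_filter( 'script_loader_src', 'example_strip_version_query' );

// Item 6: lock an IP out after too many failed logins, tracked in a transient.
define( 'EXAMPLE_MAX_FAILS', 3 );                      // the post uses 1; 3 chosen here
define( 'EXAMPLE_LOCK_SECONDS', 15 * MINUTE_IN_SECONDS );

function example_client_key() {
    // Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return 'example_login_fail_' . md5( $ip );
}

// Runs on every failed login; each failure also refreshes the lockout window.
function example_record_failed_login( $username ) {
    $key   = example_client_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, EXAMPLE_LOCK_SECONDS );
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Runs after the core username/password check (priority 20), so a correct
// password from a locked-out address is still refused until the transient expires.
function example_block_locked_ip( $user, $username, $password ) {
    if ( (int) get_transient( example_client_key() ) >= EXAMPLE_MAX_FAILS ) {
        return new WP_Error( 'locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_ip', 30, 3 );
```

The lockout state lives in the options table (or the object cache if one is configured), so it survives across requests but is cleared automatically when the transient expires.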
I hope this helps you make your WordPress installations more secure. If you have any other tips and tricks which you use to prevent those annoying hackers getting in, then please feel free to post them below.