Avoiding The Hackers – Securing WordPress!

Written By Ben Johnson on 9 February 2010 93 People Commented

Much to my annoyance, two of my newer Commission Ritual websites were hacked today. I'm not 100% sure how long they had been compromised, since I hadn't checked either site since the beginning of last week. It looks to me like they carried out some kind of SQL injection attack. The fix was simple enough, just a case of going into the site via FTP and replacing the affected files, but it still created around an extra hour's work because I then had to go through and change all my usernames and passwords again. How annoying!!

The reason the hacker was able to get into these two particular sites is simple: I hadn't secured them to my usual standard. I had been in a rush when I put them up and hadn't been as thorough as I usually am. Well, that will teach me for the future, won't it!

Making Your Installation Secure

There are several things I always do (apart from this once) which make the installation far more secure, and they are things you should be doing too to avoid the extra hassle of having to undo a hacker's work. None of the following is hard at all, and most can be done as part of your installation and setup.

1) Remove the version number from your footer

Never leave the WordPress version number in your footer. If you do, you are telling the hacker exactly which version you are using, so they can search for version-specific exploits.

2) Change the default WordPress username

The default administrator username for WordPress is usually set to 'admin'. Never, ever leave it as admin. If your default administrator username is set to admin, simply do the following to change it:

  • Navigate to 'Users' and click 'Add New'
  • Create a new username and password, making sure to assign it administrator rights
  • Logout as the current administrator and log back in with your new username and password
  • Delete the old 'admin' user from the WordPress 'Users' list

3) Make sure you use a 'Strong' password

When you are entering your password in the Fantastico setup it won't tell you how strong or weak your password is, so it's always good to check the overall strength of the password before you use it. In the past I have used Password Meter to check how strong a password is likely to be.
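The kind of check a password meter does can be written in a few lines, and it is worth seeing why length alone is not the answer. The following Python is an added example, not code from this post or from the Password Meter site: it estimates an upper bound on the entropy from the character classes used and then looks for the patterns (common words, repeats, keyboard sequences) that make a password far weaker than that bound suggests. The stop-list and sequence list are constructed for the demo.

```python
import math
import re
import string

# Constructed stop-list for the demo (not from the post); a real checker would
# load a large breached-password list instead of this handful of entries.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "admin", "wordpress"}

# Short keyboard/alphabet runs that a meter should penalise. Constructed list.
SEQUENCE_RE = re.compile(r"abc|bcd|cde|def|123|234|345|456|qwe|wer|ert|asd|sdf")


def charset_size(password: str) -> int:
    """Size of the pool an attacker must search per character, based on the
    character classes actually present (lower, upper, digit, punctuation)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return pool


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: every character drawn uniformly from the pool.
    Real passwords are weaker than this, which is why weaknesses() also runs."""
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def weaknesses(password: str) -> list:
    """Patterns that make a password far weaker than its length suggests."""
    found = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        found.append("common password")
    if len(password) < 12:
        found.append("shorter than 12 characters")
    if re.search(r"(.)\1\1", password):
        found.append("three or more repeated characters")
    if SEQUENCE_RE.search(lowered):
        found.append("keyboard or alphabet sequence")
    if charset_size(password) < 62:
        found.append("fewer than three character classes")
    return found


def rate(password: str) -> str:
    """Overall verdict: any detected weakness is 'weak'; otherwise the entropy
    estimate decides between 'fair' (60-79 bits) and 'strong' (80+ bits)."""
    if weaknesses(password):
        return "weak"
    bits = entropy_bits(password)
    if bits >= 80:
        return "strong"
    if bits >= 60:
        return "fair"
    return "weak"


if __name__ == "__main__":
    for candidate in ("password", "Xk4mPq7rTz9w", "k9$Lm2#vQ8!pW4zT"):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, {rate(candidate)}")
```

The thresholds (12 characters, three classes, 60 and 80 bits) are the example's own choices; the point is that the pattern checks run before the entropy figure is trusted, because "Abcdef123456" scores 71 bits on paper and is still a weak password.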

4) Use a different prefix for WordPress DB tables

The default table prefix for WordPress database tables is wp_, and you should always make sure you change it. As far as I am aware Fantastico doesn't let you choose the table prefix, but you can specify it if you install manually. You can also change the table prefix after a Fantastico installation using a WordPress plugin called 'WP Security Scan', available here:

http://semperfiwebdesign.com/plugins/wp-security-scan/

N.B. - If you are going to start changing table prefixes on a LIVE site, I strongly recommend you back up your database AND are comfortable with exactly what you are doing!
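Changing the prefix by hand is three separate steps, and missing any one of them leaves the site either without an administrator or showing the "install WordPress" screen. The Python below is an added example (not the plugin's code and not from this post) that generates the MySQL statements for the first two steps and the wp-config.php line for the third: rename every table carrying the old prefix, rewrite the option names and usermeta keys that embed the prefix (wp_user_roles, wp_capabilities, wp_user_level and any others that start with it), and change $table_prefix. The table list is a constructed sample; on a real site take it from SHOW TABLES.

```python
import re

# Constructed sample of the tables a stock single-site WordPress 2.9 install
# creates, plus one table from another application sharing the database.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_terms",
    "wp_usermeta", "wp_users",
    "phpbb_users",  # must be left alone
]

IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def check_identifier(name: str) -> str:
    """Refuse anything that is not a plain identifier before it goes into SQL.
    Table names come from SHOW TABLES, so do not trust them blindly."""
    if not IDENT_RE.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def like_pattern(prefix: str) -> str:
    """LIKE pattern that matches the prefix literally. '_' is a one-character
    wildcard in LIKE, so 'wp_%' would also match 'wpx...'; escape it."""
    return prefix.replace("_", "\\_") + "%"


def rename_statements(tables, old_prefix: str, new_prefix: str) -> list:
    """MySQL statements that (1) rename every table carrying old_prefix and
    (2) rewrite the option names and usermeta keys that embed the prefix.
    Step 2 is the one people forget: without it no user has admin rights."""
    check_identifier(old_prefix)
    check_identifier(new_prefix)
    stmts = []
    for table in tables:
        check_identifier(table)
        if not table.startswith(old_prefix):
            continue  # other applications' tables stay untouched
        stmts.append(
            f"RENAME TABLE `{table}` TO `{new_prefix}{table[len(old_prefix):]}`;"
        )
    skip = len(old_prefix) + 1  # SUBSTRING positions are 1-based
    pattern = like_pattern(old_prefix)
    stmts.append(
        f"UPDATE `{new_prefix}options` SET option_name = "
        f"CONCAT('{new_prefix}', SUBSTRING(option_name, {skip})) "
        f"WHERE option_name LIKE '{pattern}';"
    )
    stmts.append(
        f"UPDATE `{new_prefix}usermeta` SET meta_key = "
        f"CONCAT('{new_prefix}', SUBSTRING(meta_key, {skip})) "
        f"WHERE meta_key LIKE '{pattern}';"
    )
    return stmts


def wp_config_line(new_prefix: str) -> str:
    """The wp-config.php line that must change in the same step. If it still
    names the old prefix, WordPress cannot find {prefix}options and shows the
    install screen as though the site were brand new."""
    check_identifier(new_prefix)
    return f"$table_prefix = '{new_prefix}';"


if __name__ == "__main__":
    for statement in rename_statements(SAMPLE_TABLES, "wp_", "k7x_"):
        print(statement)
    print("-- then in wp-config.php:", wp_config_line("k7x_"))
```

Run the printed statements inside one session against a backed-up database, then upload the edited wp-config.php before reloading the site; the UPDATE statements run after the renames, so they address the tables by their new names.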

5) Choose a different 'public' name

Don't use the same publicly visible name as your admin username, always make sure the two are different from one another.

6) Use the login lockdown plugin

This is a fantastic little plugin: it enables WordPress to automatically disable logins from an IP address after a set number of failed attempts, and you can then lock that address out for as long as you want. I have most of mine set to 1 failed attempt. Grab the login lockdown plugin here.
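What the plugin does is a small state machine, and it is easier to reason about the settings (retries, lockout length, masked error messages) once you have seen one. The Python below is an added example written for this post, not the Login LockDown plugin's own code: it counts failed logins per IP inside a time window, locks the address for a configurable period, refuses even the correct password while locked, and returns the same error for a wrong username and a wrong password so the form cannot be used to enumerate accounts. The clock is injectable so the scenario runs without sleeping; the IP address and credentials are constructed.

```python
import time
from collections import defaultdict


class ManualClock:
    """Test clock so the demo can advance time without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class LoginLockdown:
    """Per-IP failed-login counter with a timed lockout.

    max_failures    failed attempts within window_seconds that trigger a lockout
    lockout_seconds how long the IP stays locked; 0 means the lock expires at once
    """

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures
        self._locked_until = {}             # ip -> time at which the lock expires

    def is_locked(self, ip: str) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:  # lock has expired; forget it
            self.unlock(ip)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Register a rejected login; True if this one triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures[ip] if now - t <= self.window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def unlock(self, ip: str) -> None:
        """Administrative unblock: the equivalent of deleting the IP from the
        plugin's blocked list (or renaming the plugin folder over FTP)."""
        self._locked_until.pop(ip, None)
        self._failures.pop(ip, None)

    def attempt(self, ip: str, username: str, password: str, verify) -> tuple:
        """Gate one login. verify(username, password) is the real credential
        check. The failure message is identical for a bad username and a bad
        password (the plugin's 'mask login errors' option)."""
        if self.is_locked(ip):
            return False, "Too many failed logins from your address; try again later."
        if verify(username, password):
            self._failures.pop(ip, None)
            return True, "ok"
        self.record_failure(ip)
        return False, "Invalid username or password."


def simulate() -> list:
    """Constructed scenario: three bad guesses lock the IP, the right password
    is then refused too, and access returns once the lockout has elapsed."""
    clock = ManualClock()
    guard = LoginLockdown(max_failures=3, window_seconds=300,
                          lockout_seconds=3600, clock=clock)

    def verify(user, pw):  # stand-in for the real password check
        return user == "editor" and pw == "correct horse"

    ip = "203.0.113.7"  # documentation address, constructed for the demo
    log = []
    for user, pw in (("admin", "admin"), ("admin", "password"), ("admin", "letmein")):
        log.append(guard.attempt(ip, user, pw, verify)[1])
    log.append(guard.attempt(ip, "editor", "correct horse", verify)[1])  # still locked
    clock.now = 3601
    log.append(guard.attempt(ip, "editor", "correct horse", verify)[1])  # lock expired
    return log


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

One setting worth checking rather than assuming: in this model a lockout length of 0 expires immediately, so it is no lockout at all, not an infinite one. Whatever tool you use, test the value you configure against a throwaway site before relying on it.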

7) Be aware of your WordPress version

It's always a good idea to keep your website up to date with the most recent version of WordPress. However, I always leave a little time before upgrading to the latest release; this allows time for bug fixes and incompatibilities to be resolved first.

8) Backup, backup, backup!

Need I say more!

Updates From Comments:

9) Remove the WordPress version meta tag - Thanks to Mark (Niche Store Builder) for this suggestion

Remove the WordPress version meta tag from your theme's header file which usually looks like this:

<meta name="generator" content="WordPress 2.9.1" />

Just remember that this meta tag is used for WordPress.com stats, but personally I would rather have a more 'hacker-proof' website.
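Once you have removed the footer text (point 1) and the meta tag (point 9), check your own site rather than trusting that the theme is clean. The Python below is an added example, not part of this post or of any plugin: given pages fetched from your own site it reports every generator tag that discloses a WordPress version and whether readme.html (which also states the version) is still reachable. It goes one step beyond the post by also parsing the RSS feed, where WordPress writes a <generator> element of the form http://wordpress.org/?v=2.9.1 even when the theme's <head> is clean. The responses are constructed for the demo; a real run would collect them with urllib from your own domain.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser


class _GeneratorMetaParser(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])


def html_generators(html: str) -> list:
    parser = _GeneratorMetaParser()
    parser.feed(html)
    return parser.generators


def feed_generators(xml_text: str) -> list:
    """<generator> elements in an RSS/Atom feed, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.split("}")[-1] == "generator" and el.text]


# Matches both "WordPress 2.9.1" and "http://wordpress.org/?v=2.9.1".
VERSION_RE = re.compile(r"wordpress(?:\.org/\?v=|\s+)(\d+(?:\.\d+)+)", re.IGNORECASE)


def wordpress_versions(generator_strings) -> set:
    """Version numbers disclosed by generator strings of either form."""
    found = set()
    for text in generator_strings:
        match = VERSION_RE.search(text)
        if match:
            found.add(match.group(1))
    return found


def scan_site(responses: dict) -> list:
    """responses maps a path on your own site to (HTTP status, body).
    Returns (path, finding) pairs worth fixing."""
    findings = []
    for path, (status, body) in sorted(responses.items()):
        if status != 200:
            continue
        if path.endswith("readme.html"):
            findings.append((path, "readme.html is reachable; it states the WordPress version"))
            continue
        if body.lstrip().startswith("<?xml"):
            generators = feed_generators(body)
        else:
            generators = html_generators(body)
        for version in sorted(wordpress_versions(generators)):
            findings.append((path, f"generator tag discloses WordPress {version}"))
    return findings


# Constructed responses for a site that has not yet applied points 1 and 9,
# plus one page that has. These are not real captures.
SAMPLE_RESPONSES = {
    "/": (200, '<html><head><meta name="generator" content="WordPress 2.9.1" />'
               '<title>Blog</title></head><body></body></html>'),
    "/feed/": (200, '<?xml version="1.0"?><rss version="2.0"><channel><title>Blog</title>'
                    '<generator>http://wordpress.org/?v=2.9.1</generator></channel></rss>'),
    "/readme.html": (200, "<html><body><h1>WordPress</h1><p>Version 2.9.1</p></body></html>"),
    "/hardened/": (200, "<html><head><title>Blog</title></head><body></body></html>"),
    "/missing.html": (404, "Not Found"),
}


if __name__ == "__main__":
    for path, finding in scan_site(SAMPLE_RESPONSES):
        print(f"{path}: {finding}")
```

If the feed still reports a version after you have edited header.php, the tag is being added by wp_head() rather than by the theme file, and it has to be removed in functions.php instead.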

I hope this helps you make your WordPress installations more secure. If you have any other tips and tricks which you use to keep those annoying hackers out, please feel free to post them below.

93 People Left Comments, Join In »

  • Mark said:

    Good post Ben –

    I would add… remove the WordPress version metatag from your header file also.

    <meta name="generator" content="WordPress 2.9.1

    Even though it is used for WordPress.com stats… most people who would back into your WP install – will know to looks here first also.
    .-= Mark´s last blog ..Back to Basics – How to Add a Video to Your WordPress Post or Page =-.

  • Rochelle said:

    Hi Ben,

    So sorry to hear your sites were hacked! It’s good to know the fix was easy and it doesn’t sound like much damage was done. Phew!

    Thanks for this information. I was unaware of several steps and will begin implementing them asap.

    BTW, you might want to correct the spelling of the intended “Choose a different ‘public’ name” because the way it is now is a whole ‘nuther topic!

    Rochelle
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • Rochelle said:

    Ben,

    I have started working on your guidelines and am wondering how I remove the version from the footer. Is this something that some themes will show, while others won’t?

    The theme I am using (FlexSqueeze) does not visually show the version, and I don’t see it in the code. Does this mean I’m good to go on this issue?

    Rochelle
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • bwj292 said:

    Thanks Mark,

    Fantastic, that hadn’t even crossed my mind. Great stuff!

    Ben

  • bwj292 said:

    Thanks for highlighting that for me Rochelle, that will teach me. I usually get Kate to read my blog posts before they go out to avoid issues like that which I sometimes miss. As you can tell she didn’t check it today :).

    Thanks again

  • Rochelle said:

    No worries on the spot checking. It gave me a chuckle ; )
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • bwj292 said:

    Yes it only appears on some themes, so you will only need to remove it in those instances.

    Mark’s suggestion above to remove it from the meta data was something I had overlooked, but is certainly worth removing for improved security.

    I think sometimes it’s very easy to take for granted that you are using the latest version of WordPress and expect that to protect you but it doesn’t always.

  • bwj292 said:

    Well then if I could brighten up your day a little I’m happy with that :)

  • Rochelle said:

    Regarding “Choose a different ‘public’ name”, if our theme does not show the name of the writer, then are we okay to ignore this?

    Rochelle
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • bwj292 said:

    Yes you should be okay to ignore this if your name doesn’t appear within your theme or RSS feed anywhere.

  • Rochelle said:

    Re: Use a different pre-fix for WordPress DB tables

    I used the plugin you stated and was unable to change the wp_ automatically. I was able to manually change it via phpMyAdmin. BUT, after I imported the modified database, my site wanted to reinstall WP, starting completely from scratch on my site, and all my site’s posts, etc., were gone. It was truly a brand new site. Fortunately I had backed up the database before I did anything, so I can revert back.

    My question is, if I REALLY don’t want to redo my entire blog (which I don’t), how critical is it if I leave the wp_ as is?

    Rochelle
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • Diane said:

    Great post. I will get to work on securing mine ASAP. Thanks for the heads up.
    .-= Diane´s last blog ..Grow Your Own Wart Treatment =-.

  • Cherie said:

    Great post Ben and thanks for that meta info Mark, will now have to go through the afternoon changing everything.
    .-= Cherie´s last blog ..Knowing the Real Ones from the Fake Hoodia through Its Reviews =-.

  • Rochelle said:

    One more question (I’m pretty sure this is the last!).

    Re: Remove the WordPress version meta tag

    I cannot find in any of my theme headers. Does this mean I don’t need to look anywhere else? This may be an obvious question, but since I am unfamiliar with this, I’m just checking.

    Rochelle
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • Mark said:

    @ Rochelle –

    I see it in the head section of your nichestorestrategies site.

    <meta name="generator"

    It's usually followed with

    BUT – if it's NOT in the head section, it's likely not there! :-)

    Mark
    .-= Mark´s last blog ..Back to Basics – How to Add a Video to Your WordPress Post or Page =-.

  • Rochelle said:

    Thanks, Ben.

    I’m working on a dummy site with all this stuff, just to make sure I do it properly, before I move on to my real sites. I’m glad I did, because I have TOTALLY messed up my dummy site, and haven’t been able to undo the damage yet. Sigh…

    Rochelle
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • bwj292 said:

    No problem Diane, happy to help.

  • bwj292 said:

    It’s not 100% essential that you do the above but I would certainly recommend taking note of points 1, 2, 3, 5, 6, 7, 8 & 9.

  • bwj292 said:

    Thanks Mark :) It's also sometimes called in with <?php wp_head(); ?> as well isn't it? In which case it becomes more difficult to remove.

  • Mark said:

    Yup – in sites where it is not in the header file – you need to function it out!

    In the function.php file – add:

    remove_action('wp_head', 'wp_generator');

    All Said… All of this work, only keeps out the script kiddies. Anyone with a smart enough bot will get in just by pinging the wp-admin url.

    I use the “strong password” philosophy more than anything… letters, numbers and a few special characters. :-)

    Mark
    .-= Mark´s last blog ..Back to Basics – How to Add a Video to Your WordPress Post or Page =-.

  • bwj292 said:

    If you are doing it manually did you change ALL wp_ prefixes including those sub items such as wp_user_roles within wp_user_meta? Also did you change your wp-config.php details to match your database?

    It’s not 100% essential to do this but it will reduce the chances of SQL injection attacks which is what I think got my sites.

  • bwj292 said:

    Yep, a good strong password is always good, I take it you aren’t using QWERTY or PASSWORD then Mark. :D

  • bwj292 said:

    Oooopsy, I’ve been doing exactly the same as you on a test site (which I just found out had been hacked by the same guy). I’ve now re-installed in twice….lol. Hey, at least it’s only a dummy site.

  • Rochelle said:

    True, at least it wasn’t a live site. It’s still going to be a pain to redo what I’ve done with this site. I don’t understand, though, why restoring the database isn’t fixing things. After I imported the original database, before I made changes, the Admin is okay, but none of the pages I created are working. They each state they don’t really exist and give 404 errors. Grrr!!!
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • Rochelle said:

    Any suggestions for how many characters in a password are sufficient?
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • Rochelle said:

    Yes, I am POSITIVE that I got all the instances of wp_. It seems that when I import the modified database, then go to login to my site’s Admin, that more tables are created, and use wp_. I’m going to forgo this step, as it is taking up too much time to figure out.

    I logged in to another of my sites (a live one) and was unable to automatically change it through the plugin there, either. Seems my administrator doesn’t have the right authority to do so. Oh, well.
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • bwj292 said:

    I know many people will think this is a little extreme but I use passwords usually with around 15 characters in. I use a mix of letters, numbers, mathematical symbols and uppercase/lowercase. Somehow I manage to remember them.

    With SQL injection hacks though I think it’s less about the password you use and more about things like using ‘Admin’ as your username and the other things mentioned above. Of course it’s still really important to have a strong password but all of my sites which were hacked used a password of 15 characters in length.

  • Rochelle said:

    Lol! I am using 30 characters for my wp login, with the same mix you use, and wondered if that was strong enough. I use 63 characters for my wifi router in the home, and hope that is strong enough. I suppose it’s all relative as to what is “extreme” ;)
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • bwj292 said:

    Strange, the only thing I am doing differently is changing the database live through phpMyAdmin using an SQL query, I've backed the database up before I do it. I then change my wp-config, re-upload and refresh. Strange that it's not working your end though.

  • bwj292 said:

    Jesus Rochelle, your head must feel like the Matrix, I think I need to make mine longer :D.

  • Rochelle said:

    ROFL!!!

    I can’t claim to have a photographic memory or any such talent. I use a program to generate and save all my passwords and site data.
    .-= Rochelle´s last blog ..Commission Ritual’s Forum is Now Open to All =-.

  • Olivia said:

    Hi Everyone!

    Your technical knowledge is so impressive. My question, though, is how do you know if your site has been hacked?

    I will immediately use the valuable information you’ve shared. Thanks so much.

    Olivia
    .-= Olivia´s last blog ..Contact =-.

  • Terry said:

    Thanks Ben-

    Some good tips to lockdown my sites even better. Much appreciated as always.

    Cheers

  • Jeff Jones said:

    Ben,

    If I set the Login Lockdown lockout length to zero is that the same as infinite?

    Also, do you mask login errors or lockout invalid usernames? The default is set to no.

    Jeff

  • bwj292 said:

    Hi Olivia,

    With the type of hacking my sites were subjected to you will see your home page is gone and you are met by a typical hacker's page. This usually contains images and text, some usually offensive!

    It’s important to remember that usually (not always) the hacker has only changed your main theme files i.e. header.php and footer.php so your site is technically still intact. Therefore the last thing you want to do is panic and delete your entire site, usually by replacing or removing the affected files you can solve the problem. This is exactly what I did today, luckily I hadn’t made any changes to the header or footer files.

  • Olivia said:

    Thanks Ben. I’m so sorry that happened to you.

    I better get to work implementing your safeguards.

    Olivia
    .-= Olivia´s last blog ..Contact =-.

  • Suzanne Franco said:

    Ben ~ I too am sorry to hear about this … I’ve had it happen and I know how annoying it is! *sigh*

    I’m not in any mood to try to mess with code LOL … so I’ll try it all another day … bookmark this for now and hopefully remember to get it onto my “to do” list. *huGs* Suzanne
    .-= Suzanne Franco´s last blog ..Checking In and Free eBook Offer =-.

  • bwj292 said:

    Jeff,

    As far as I can tell from my own use of the plugin the lockout length of 0 sets it to 0 minutes, meaning that it won’t lock them out unless they exceed the specified amount of re-tries.

    I always lockout invalid usernames and mask login errors. I also set the maximum retries to 0.

    I did accidentally block myself out of one of my sites but all you need to do if this happens is FTP onto your site and rename the plugin folder.

    Ben

  • bwj292 said:

    Thanks Olivia, yup make a list of these things and implement them into each new installation.

  • bwj292 said:

    Suzanne,

    Thank you for that, luckily it wasn’t any worse than it potentially could have been.

    Good stuff, get it onto that to do list. Am I the only one with a to do list bigger than I can handle. :)

  • bwj292 said:

    Hey Terry,

    No problem, glad to be of help.

    Ben

  • Kate said:

    Hang on a minute, don’t blame me for your poor spelling, you didn’t even ask me to check it!!! x

  • bwj292 said:

    Alright, alright calm down Katie :) XX

  • Greg said:

    I am trying to recover from my own issues with multiple sites being hacked, so your post is timely and appreciated.

    When I ran the WP Security Scan tool, one of the things that it noted is that an htaccess file did not exist in my wp-admin directory.

    I couldn’t find any documentation in the tool to explain what this file should contain though.

    Can this contain some basic information, or is it something that should be customized to each site?

    Any recommendations on this step would be greatly appreciated.

  • Simon Lewis said:

    Hi, I’ve noticed that one of my sites has been suffering from being hacked – I think. All they do (or have done so far) is to insert a new user admin (I’ve been using other names for ‘admin’ for a long time now) and then 4 or 5 posts appear (as drafts only) advertising seemingly innocent sites promoting things such as golf, or scotland or fly-fishing (might be a Scottish hacker!). I have now changed all of the wp_ suffixes in my dbase tables using instructions from the tdot-blog. Let’s see what happens next… Simon

  • bwj292 said:

    Hi Simon,

    Did your ‘Admin’ username still exist though even though you weren’t using it?

    Ben

  • bwj292 said:

    Hi Greg,

    Do you use custom permalinks or force your non www to www? If you do then the .htaccess file should be created automatically for you and I would suggest doing both of the above things anyway. There isn’t a standard .htaccess file I use other than to do the above but there are many fancy things you can do if you wanted to such as blocking people from accessing your wp-admin by adding .htaccess password protection. You can also block access by IP address if you don’t use a roaming IP and you always work on that site from the same computer.

    There is some more good advice on WordPress security here:

    http://codex.wordpress.org/Hardening_WordPress

    Ben :)

  • Simon Lewis said:

    Hi Ben, yes, I deleted the old user admin. It’s popped up again once or twice now – I did delete it both times. It’s only since reading this that I have done things like changing the wp_ prefix on my dbase tables. I’m right up to date running ver. 2.9.2 etc. I’m going to keep a v. close eye on things from now on.
    .-= Simon Lewis´s last blog ..Motivation =-.

  • bwj292 said:

    Well I hope it doesn’t cause you any problems. I think these hackers are getting smarter all the time and as quick as an update comes out they are trying to find a way around it. It seems like they are finding a vulnerability somewhere in your site. The only other thing I would do is password protect your wp-admin area over and above the current username and password and see if that stops it.

    When you have quite a few sites sometimes you don’t visit them very often and it’s easy to let them become ‘weak’.

  • Simon Lewis said:

    Hi I’ve just been on again, and guess what? Yep he’s been in again. How do you protect wp-admin over and above the user name and p/w? Is there a plugin? I tried Ask Apache but it ran some tests and said I needed to do a bit to make it work…….
    .-= Simon Lewis´s last blog ..Motivation =-.

  • Simon Lewis said:

    I think I’ve managed to sort it via cpanel / .htaccess. Requiring another p/w for access to wp-admin. A bit like platting fog, but I’ve done it!
    .-= Simon Lewis´s last blog ..Motivation =-.

  • Ben Johnson said:

    Sorry for the late reply Simon, yes that’s exactly how I would have told you to do it, it’s the easiest way basically to just password protect the directory. See how that goes and hopefully it will keep them out. There definitely seems to be some vulnerabilities with 2.9 though.

  • Rochelle said:

    Ben,

    Please clarify this one. How do we password protect our directories?

    Rochelle

    P.S. This post has certainly been an educational one! Thank you for writing it.
    .-= Rochelle´s last blog ..Anyone Heard of ezArticleLink? =-.

  • Simon Lewis said:

    I used cpanel to set the protection to a directory. Navigate to Security –> Password Protect Directories.

    You can select an alias for the directory and then set up a user. I found that you need to save first, then set up a user with p/w and then save again. This writes the necessary in the .htaccess or creates it if you haven’t got one in the directory that you want to protect.

    HOWEVER, it misses a line at the top of the .htaccess. You’ll have something like:

    AuthName "Restricted Area"
    AuthUserFile "/home/**USER**/.htpasswds/public_html/**INTERNALSITENAME**/**PROTECTED DIRECTORY**/passwd"
    AuthType Basic
    require valid-user

    Where Restricted Area was the alias that you gave in cpanel. YOU NEED to add the following at the top:

    ErrorDocument 401 default

    That (should) be it. Crosses fingers.

    I’m open to suggestion wrt whether or not that’s the best place to store my password? Although it is encrypted.

    Hope this helps!
    .-= Simon Lewis´s last blog ..Motivation =-.

  • Ben Johnson said:

    Sorry all for the late reply here, I’ve been away on business. Simon is correct on the above. Use the directory password protection manager within cpanel to protect the directory and then add the code Simon mentions above to the MAIN .htaccess in the root.

    The username and password should be saved into .htpasswds outside of the public_html folder so therefore should not be accessible to anyone else plus as you say they are encrypted.

    I recently implemented this system on here and you will now have to get past the .htaccess login before being able to access wp-admin. From what I have found it’s one of the most secure ways of protecting your admin area. Of course the next best thing is to install WordPress manually and change the wp-admin to something else and then also password protect it with .htaccess.

    I may actually put the above into a post so people are able to access it more easily.

    Glad to help Rochelle, I’m happy you and so many others have found it useful. Security is one of THE biggest things online and we have to try and be one step ahead of those bloody hackers.

    Cheers
    Ben

  • Ben Johnson said:

    Thinking about it, the one problem with this is that it will not protect the redirection to wp-login.php, not being a .htaccess guru this is something I’m going to have to delve into a little more. :)
    Ben

  • Simon Lewis said:

    Gah! I’m getting seriously hacked off now (pun unavoidable) he’s been in again, even after my adding a p/w to my wp-admin directory – which by the way pops up before I can go through to log in to wp.

    I’m guessing that he’s in my file structure already and short of starting from scratch – reloading themes etc there’s not an awful lot I can do. Of course it’s one that I have modified and made work with both BANS and WP… grrrr, how did I do that?
    .-= Simon Lewis´s last blog ..Motivation =-.

  • Ben Johnson (author) said:

    Have you managed to get this sorted Simon? Or are you still having the problem?

    Ben

  • Simon Lewis said:

    Hi Ben, thanks for asking! I’m sort of half way through deleting and then reinstalling plugins at the moment. My theme files look ok – there’s none of the snippets of code identified by Donncha (http://ocaoimh.ie/did-your-wordpress-site-get-hacked/) that I can see. It’s a lesson learned thing – I should have made note of the changes to the theme files, then I could have just deleted them and re-installed em later (now in fact, LOL). Fingers crossed – he’s not been in since I deleted all my plugins, it’s just a slog re installing everything. Still it’s making me ask just why I needed particular plugins!

    Cheers, Simon
    .-= Simon Lewis´s last blog ..Motivation =-.

  • Ben Johnson (author) said:

    No problem at all, hate to hear of people having their sites hacked I know how much of a pain in the arse it is.

    I’ve read a couple of posts around the web about issues with the older version of the simple tags plugin leaving the installation open to hacking, I don’t know if you had that installed or not?

    Absolutely, I have too many on this blog but they are essential in this case but you just have to be SO aware of the amount you use and decide if you really need them or not.

    Well, I hope it stays ‘un-hacked’

  • Simon Lewis said:

    Thanks again. There was one plugin in particular that removed the date stamp from posts – I have now simply edited the various templates to remove the code that puts the date on – job done (and I have local copies of both the originals and the edited files, just in case…)
    .-= Simon Lewis´s last blog ..Motivation =-.

  • Rochelle said:

    Ben,

    You mentioned that Simple Tags is known to be vulnerable to hackers, which is one of the plugins I have on many sites, but it is deactivated. This leads to a question: Does having deactivated (unused) plugins on a site leave the site open to hacking, or do the plugins have to be in use for this to occur?

    Rochelle
    .-= Rochelle´s last blog ..Anyone Heard of ezArticleLink? =-.

  • Ben Johnson (author) said:

    Rochelle,

    The plugin may have been updated now but I know up until Dec there were vulnerabilities with it when used in 2.8+. I can’t remember exactly where I read it but I just remember reading it.

    I am not 100% sure if the plugins can still lead to vulnerabilities if left un-used/deactivated but all I will say is that I never leave un-used or inactive plugins on a site just in case. I only have plugins which are active installed.

    If I do happen to find the link of the post where I read about simple tags then I’ll post it up here.

    Ben

  • Rochelle said:

    Ben,

    No need to search out the link. I’m actually in the process of implementing most of your suggestions, and am also deleting the unused plugins as I go.

    My question was really more about how vulnerable deactivated plugins are, rather than about that one plugin. Do you know if a plugin’s active/deactivated status affects its possible ability to let hackers into a site? In other words, are active plugins with vulnerabilities just as dangerous as if they were deactivated?

    Rochelle
    .-= Rochelle´s last blog ..Anyone Heard of ezArticleLink? =-.

  • Ben Johnson (author) said:

    I have to be honest Rochelle, I don’t know the answer to that. My best guess would be in some cases yes they could but as I say I’m not 100% sure on this and it may depend on how the plugin actually functioned. For this reason I will delete any plugins I have inactive in my site, after all they are easy enough to add back in at a later date.

  • Rochelle said:

    Ben,

    I appreciate your help and honesty. Sounds like removing unused plugins is a good idea, to free up disc space as well as for security. Thanks :)

    Rochelle
    .-= Rochelle´s last blog ..Anyone Heard of ezArticleLink? =-.

  • Ben Johnson (author) said:

    No problem Rochelle, happy to help :).
    Ben

  • Greg said:

    After a recent hack that took days to cleanup, I’ve been searching for as much information as possible related to WordPress Security. I appreciate all the information that has been shared in this thread.

    I stumbled across a new slide presentation that summarizes many of the things talked about in this post, as well as offering some additional recommendations. I found a lot of value in it.

    The presentation isn’t mine, and I have no affiliation with the author. Thought this might be of use to those in the same boat as me.

    Thanks again

    Link = http://www.slideshare.net/wpbeginner/how-to-protect-wordpress

  • Ben Johnson (author) said:

    Thanks a lot for that, Greg, well spotted. A very helpful and useful presentation indeed.

  • Jeff said:

    Ben,

    I got locked out of one of my sites because Xmarks didn’t update my new password on the second machine.

    I renamed the plugin folder and was able to get back in. The problem is once I reactivate the plugin it still remembers the IP range.

    Do I need to delete and reinstall the plugin?

    Jeff
    .-= Jeff´s last blog ..I’m Dumping The EPN Network =-.

  • Ben Johnson (author) said:

    Jeff,

    I haven’t come across that problem, Jeff, I did lock myself out of one of my sites and simply renamed and then re-activated but I hadn’t got my settings set to ‘lockdown’. I would try re-naming the plugin and then, whilst logged into the admin area, re-activate the plugin and if the IP lock still exists you should be able to delete it from the list.

    Alternatively you could try deleting and reinstalling the plugin.

    Let me know how this works out for you and if the above works.
    Ben

  • Jeff Jones said:

    Ben,

    Renaming the plugin, getting in and reactivating and deleting my IP did the trick. I just didn’t scroll down far enough in the settings tab to see the list of blocked IPs.

    I just hope that Xmarks doesn’t do this with every site. Firefox didn’t want to ask about the new passwords either which I thought was odd but I’ll work around it.

    Thanks,

    Jeff

  • Ben Johnson (author) said:

    Great stuff Jeff, glad it worked okay.

  • Auto Content Cash Will Soon Launch, And I Have a Bonus For It | Niche Store Strategies said:

    [...] I’ve been working on improving the security of my sites (thanks to the excellent post at Ben Johnson’s blog), and that has kept me busier than I anticipated.  In addition to that, I was working on a [...]

  • Jeff Jones said:

    Hi Ben,

    Would SiteLock be of any value to WordPress bloggers? I see 3 levels starting at $14.95/year.

    Or are there too many things that fall outside their purview to be of any value?

    Jeff

  • Gordon said:

    There’s another file may show your wordpress version: readme.html
    Delete it !

  • Ben Johnson (author) said:

    Thanks Gordon, a great suggestion, thank you for your input.

    Ben

  • Ben Johnson (author) said:

    Hi Jeff,

    Sitelock seems like a pretty neat service to help identify vulnerabilities within your WordPress installation, I’m not sure if it would be necessary for WordPress though.

    I think with a few free plugins (such as login lockdown and wp security scan) along with making a few changes WordPress can be made very secure indeed.

    Ben

  • Jeff said:

    Thanks, Ben.

    I’ve made almost all of the changes you’ve recommended to nearly all of my sites and I think that will go a long way but I just wanted to check to see if you thought SiteLock was worth the additional expense.

    I’ll just keep updating and locking down my sites now.

    Jeff

  • Jeff said:

    I meant to ask…

    What is the rough percentage of success with wp-security scan for change table prefixes successfully without blowing up a blog?

  • Ben Johnson (author) said:

    Not sure, Jeff. It’s worked fine on the sites I’ve tried it on but I know people have reported problems with it so I think the best way to do it is either during setup of the blog OR by doing it manually through phpMyAdmin, the second can cause problems too though so you have to be careful.

  • Rochelle said:

    Just wanted to add that I was finally able to manually change the prefix of my tables successfully. I had missed the step about modifying the wp-config.php file. All worked fine after I did that.

    Rochelle
    .-= Rochelle´s last blog ..Auto Content Cash Will Soon Launch, And I Have a Bonus For It =-.

  • Jeff Jones said:

    Thanks for adding that, Rochelle.

    I see that there is a link during the wp-security scan to a how to do it manually and it sounds like it combines what Ben and you have said.

    My main concern was whether that plugin would change the wp-config.php file and I guess it does most of the time.

    I’m still not sure how to change table prefixes using the plugin because I don’t see where you can specify what you want to change it to.

    Jeff

  • Rochelle said:

    Jeff,

    I wasn’t able to use the plugin to change the tables, either. If you are going to try it manually, make sure you follow the instructions provided by the plugin to the letter. And, try it on a site that you don’t care about, in case it gets mucked up. And don’t forget to backup your database first, so you can restore it if it does get mucked up.

    Rochelle
    .-= Rochelle´s last blog ..Auto Content Cash Will Soon Launch, And I Have a Bonus For It =-.

  • Simon Lewis said:

    I eschewed any and all techno solutions to this and did it by hand – much easier that way, I was in control. Only had one issue on one site and that was through trying to be clever and not following the instructions – I forgot to do the wp-config edit. But backup taken before and after means that like Rochelle says, if you do go wrong, you can always go back to square one.
    .-= Simon Lewis´s last blog ..Motivation =-.

  • Jeff Jones said:

    Oh yeah, I have enough DB experience to know when you start messing with table names you BETTER have a backup very handy-LOL!

    It’s good to know that their manual instructions do work because they are clear and straightforward.

  • Sallie said:

    Excellent post! Thank you.

  • Ben Johnson (author) said:

    No problem Sallie, glad it helped :)
    Ben

  • Ronaldo said:

    Hi Ben!
    Your blog for sure helps a lot of people to learn more about wordpress and the plugins.

    I have WP Robot and what plugin should I buy to work with WP RObot?

    Reviewazon or PhpZon?

    Thanks
    .-= Ronaldo ´s last blog ..Acai Berry Side Effects =-.

  • Ben Johnson (author) said:

    Hi Ronaldo,

    Thank you, I’m glad to hear that. I haven’t used wp-robot much, only with clients websites. As a plugin though I would have to say ReviewAZON, I own both phpZon and ReviewAZON and RZon is fantastic, having said that though phpZon is undergoing a massive update and I’m sure Wade won’t disappoint.

    Ben

  • seo California said:

    These are good tips Ben. WordPress can be notorious for getting hacked if a few precautions such as these are not taken.

    I remember back when guestbooks were the “in” thing before blogs and those became a crazy spam infested app not even worth having anymore.

  • Sean Rosensteel MN said:

    Nice post, Ben. This is great advice for anyone who wants to protect themselves against hackers. And remember to also backup your stuff because you just never know!
