Securing Your WordPress Blog

Posted on June 2nd, 2008 - 1:17 pm - no comments

Last week I noticed that someone had injected my index file with a JavaScript snippet. It gracefully placed itself at the end of the markup, right before the </body> tag. The script was executed when you clicked on a link (random on page). It then created a pop-up window to a specific site.

After searching the WP forums, I found out there were more people who had experienced the same thing. I’ve done these steps to secure my weblog from external injections and attacks:

CHMOD index-file to 0444

The index file for WordPress, the file that assembles all the output sent to visitors, is one of the smallest PHP files in the WP system and by default looks like this:

<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>

The JavaScript had been injected right before the ?> end tag. I removed it by editing the file directly; the same can be done by uploading a fresh index.php from your local computer. Then, in the FTP program, I changed the file permissions to read-only (CHMOD 0444).

If you don’t know how to change your file permissions, there are a lot of tutorials out there. Also, if anyone has something against CHMOD’ing the index file to 0444, I would sincerely like to read it.
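As an added example (not code from the original post), a small Python audit that compares an index.php against the stock file shown above and checks that its mode is the recommended 0444; the injected sample file and the example.invalid URL are constructed for the demo.

```python
import os
import tempfile

# Stock WordPress index.php from the post: only these two statements belong there.
EXPECTED_STATEMENTS = {
    "define('WP_USE_THEMES', true);",
    "require('./wp-blog-header.php');",
}

def find_unexpected_lines(src: str) -> list:
    """Code lines that are not stock; the snippet injected before ?> lands here."""
    unexpected = []
    for raw in src.splitlines():
        line = raw.strip()
        if not line or line in ("<?php", "?>") or line.startswith(("/*", "//")):
            continue
        if line not in EXPECTED_STATEMENTS:
            unexpected.append(line)
    return unexpected

def permission_problems(path: str) -> list:
    """Mode bits that differ from the post's recommended read-only 0444."""
    mode = os.stat(path).st_mode & 0o777
    problems = []
    if mode & 0o222:  # any write bit set: owner, group or other
        problems.append("writable: mode is %s, expected 0o444" % oct(mode))
    if mode & 0o111:  # a PHP file never needs the execute bit
        problems.append("executable: mode is %s" % oct(mode))
    return problems

def audit_index(path: str) -> list:
    """Run the content and permission checks on one index.php file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    findings = ["unexpected line: " + line for line in find_unexpected_lines(src)]
    if "<script" in src.lower():  # no HTML belongs in this file at all
        findings.append("contains a <script> tag")
    return findings + permission_problems(path)

def write_sample(src: str, mode: int) -> str:
    """Write a constructed sample index.php to a temp file (demo/test helper)."""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as tmp:
        tmp.write(src)
    os.chmod(tmp.name, mode)
    return tmp.name

# Constructed sample: the stock file with a script tag injected just before ?>.
INJECTED = ("<?php\n/* Short and sweet */\ndefine('WP_USE_THEMES', true);\n"
            "require('./wp-blog-header.php');\n"
            "echo '<script src=\"http://example.invalid/x.js\"></script>';\n?>\n")
```

Note that 0444 only stops unprivileged or accidental writes: a process running as the file's owner can chmod it back, so the content comparison is the more dependable signal.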

Install security plugins

Though I removed the injected script, it wasn’t enough to make my weblog feel safe. At least not as safe as it could have been. So I started searching, and ended up with two different plugins which have helped out a lot:

WP Security Scan

This one really helps you out, especially by suggesting which folders should have read/write permission and which should not. Short and easy explanation of the plugin, by the author:

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

  • passwords
  • file permissions
  • database security
  • version hiding
  • WordPress admin protection/security
  • removes WP Generator META tag from core code

Visit WP Security Scan’s own plugin page for download and FAQ.

.htaccess Password Protect

Thanks to WP Security Scan I felt safer, but since I’d done some research on weblog safety, I wanted more. And more I found:

This plugin doesn’t control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers’ attempts to exploit vulnerabilities on your blog resulting in a hacked site.

This is an incredibly powerful plugin that modifies your server, not WordPress. This can easily take your site down. If you experience a bad error, delete the .htaccess files on the server.

Visit the AskApache Password Protect page for description, download and FAQ. I recommend backing up all your data before activating this plugin.

Conclusion

If you want your weblog completely safe and sound from hackers and script kiddies, you have to go offline. Alternatively you could do the publishing through NASA’s own .gov servers, and only by giving the staff floppy discs with the content to be published.

The truth is simple: if a hacker really wants to take down your site, he’ll do it. Not because your ISP has bad firewalls or anti-hacker security, but because there will always be vulnerabilities and hackers learn more tricks.

The steps I’ve taken, and hopefully the same steps you’ll take (or already have taken), diminish the risk of having my weblog injected with JavaScript or other exploits. If you have other suggestions on how to improve WordPress’ security, please share them through a comment.


Permanent page URL: http://koew.net/327
