It happens all the time. Websites get hacked. Especially websites that use common software packages. Hackers want the most bang for their buck, and under-maintenanced WordPress sites are a great target because so many people utilize them.
How Hackers Do it
Most hackers use a script that crawls your server looking for “holes” they can use to do their dirty work. Some generous hackers will even write scripts and post them on the internet for anyone to download and use. They don’t need your login or your password — just an entry point into your code. One common script finds a susceptible site, and replaces your front page with a custom page that says “you’ve been hacked”. There is often a fair amount of bragging that accompanies this type of hack.
A hacker just runs the scripts, and everything happens quickly and automatically on entire servers full of websites. Most likely the “drive by” hacker doesn’t even know who they’ve hit. They perform a “hit and run” and move on to the next target.
This kind of hack isn’t too hard to fix, but it is still a pain to deal with and would be better if it never happened at all.
Types of Attacks
Here are some of the top attacks I have seen recently:
- Vanity attacks. The hacker just wants to announce to the world they hacked you. Sometimes they think enough of themselves they will contact you afterwards and offer to fix your site for payment. (Please don’t do this.)
- Spam. The hacker wants to send out spam and will add code to your site to automatically send it out for them. They want to use your server’s power instead of their own. Over time your site will get slower and slower and you will most likely get blacklisted. Some clients won’t be able to receive your email until your site is clean again. There is a high chance that your web host will shut down your website until you clean it up.
- Forwarding. In this scenario the hacker puts code in your theme so that your links get forwarded to another website. The other website benefits from extra hits and their rankings go up.
A Good Defense is a Good Offense
If something happens you want a backup of your website. Make sure your web host keeps unique backups of your website and database on a daily and weekly basis. Most web companies do not do this. It’s up to you to ask or set it up.
You could also set up a plugin to handle this as well. Just make sure it is automated. Backups left to memory will fail.
Keep a good, strong password. Hackers will search for words in the dictionary and other common words automatically. If you aren’t sure what constitutes a good password, you can read this article on creating a good password.
- Keep your WordPress version up-to-date. Whenever WordPress finds an exploit they are quick to fix it and issue a new version. Don’t fall behind with your updates.
- Keep your plugins up-to-date for the same reasons.
- Don’t download themes and plugins from suspicious sites. They could have malicious code in them.
- Install a security plugin to notify you of bad behavior and out-of-date core files or plugins.
- Remove inactive WordPress users. If someone from your business never uses WordPress or leaves the company, you should remove them from the users list. It poses a security risk in several ways. It’s like allowing an ex-employee to have access to your business, as well as another way for a hacker to try to get in.
Logins and passwords
- Don’t have a login/user with the name “admin”. “Admin” is the default username and you are giving hackers one half of the credentials needed to get in. Change “admin” to a person’s name or something else meaningful for you. Admin is common and easy to guess. Avoid “Administrator” as well.
- Make your password a good one.
- Hide login errors. If you try to login with a bad password, by default you get an “Error: Incorrect Password”. This is valuable information to a hacker. They can figure out what part of the login they have correct. If you add this code to the functions.php file, it will hide the error: add_filter(‘login_errors’,create_function(‘$a’, “return null;”));
Does your website scream “WordPress”?
The first thing you should do is prevent the average Joe from being able to recognize your site as a WordPress site. This means removing all the WordPress tags and versions. If a WordPress hacker can’t tell you have a WordPress site, he won’t bother to case your virtual joint.
- Remove the “Powered by WordPress” link at the bottom of your site.
- Remove the WordPress login location (wp-login.php) at the foot of your page or change it to another location.
- Remove the HTML tags that identify the wordpress version:
- Remove the generator Tag in the RSS Feed by removing (or commenting out) the function in the general-template.php file
Permissions, permissions, permissions
Set your permissions to these:
- 755 = ./
- 755 = wp-admin
- 755 = wp-content
- 555 = wp-includes
Ask search engines to stay out of your admin sections.
Search engine crawlers will index your entire site if you don’t tell them not to. This means a road map is being created for all of your web files. It’s a good idea to just ask them to stay out of all WordPress directories. You can do this by creating a robots.txt file containing: Disallow: /wp-*
Secure your plugin directory
If a malicious user knows what plugins you are using, they have information that could be used against you. The answer is to hide the plugins folder by adding an empty index.html file in the wp-content/plugins directory to prevent browsing.
Secure your wp-admin directory
If you are the only person making changes to your blog you may want to restrict access by IP address. This means that only users from whitelisted IP addresses can access the back-end of the site. If you have many users and many points of access, you may want to skip this one.
To set this up, create an .htaccess file inside your wp-admin directory and add this code to it. Make sure to replace the dummy IPs with your own.
AuthName “Access Control”
deny from all
# whitelist home IP address
allow from 12.345.678.91
# whitelist work IP address
allow from 12.345.678.91
allow from 12.345.678.91
Katey bar the door (let’s make some serious changes)
- Disable your Indexes so when someone navigates to your site they can’t see a list of files and folders. You can do this by adding “Options -Indexes” to your .htaccess file on your Apache server.
- Change your database table prefix to something other than the default “wp_” to something more complex and unique. If you have already installed your site, you can find plugins that will help you do this after-the-fact.
- Block Server-side directories like your wp-includes directory. Add this line to your .htaccess file:
“RewriteRule ^(wp-includes)/.*$ ./ [NC,R=301,L]“. If you want to block multiple directories, you can add a pipe between directory names like this:
“RewriteRule ^(wp-includes|other-directory-name)/.*$ ./ [NC,R=301,L]“
- Use Database Encoding UTF-8 as other character sets are vuneralbe to SQL injection.
- Remove the WordPress version string. In the code of your site there is meta information that will show what version of WordPress you are using. Hackers will take note if yours is outdated and and use the information to attack your site. You can remove this information by adding this string of code to your functions.php file: <?php remove_action(‘wp_head’, ‘wp_generator’); ?>. Double-check your source code to make sure it is gone.
- Use HTTPS When logging into your dashboard: This is a way to login to your site and encrypt your login/password so it won’t be decoded easily if your information is intercepted while logging in. To do this, add this code to your wp-config.php file: define(‘FORCE_SSL_LOGIN’, true);
Limit Access to the wp-content Directory
If you add the code below to the htaccess file inside your wp-content folder, you will limit the types of files allowed to be in this directory:
Deny from all
<Files ~ “.(xml|css|jpe?g|png|gif|js)$”>
Allow from all
Secure your wp-config.php
This is the file that holds all your basic access information about your site. Here are some ways to make it more secure:
- Rename your configuration file. Find your config.php file and name it something else. Now require the location of the new configuration location – a directory that is blocked from outside access.
- Place your config.php file above your root folder on the server
- Add some extra code to the htaccess file preventing access
- Add WordPress authentication keys to the wp-config.php file
If you add the code below to the htaccess file that shares the same root directory as your wp-config file it will prevent all access to it:
# protect wp-config.php
Deny from all
Notes about screwing around with your .htaccess file
After you implement changes to your site, especially with the .htaccess file, you may find you need to clear your cache, and restart your browser if things are acting funny.