Ten Tips To Make WordPress Hack-Proof

Having your blog hacked isn't fun, and the standard WordPress installation is not impermeable.  Here I explain the whys, the whats, and the whatnots.

Not only does a hacked blog result in downtime while you work with your ISP to track down the problem and make sure it doesn't happen again, it can also mean time spent, for instance, getting your e-mail client resolving properly once more. All in all, valuable time wasted.

Prevention is better than cure. Here are 10 tips to make WordPress hack-proof.

What You Need

Before You Begin

  • Back up your files, using your FTP client.
  • Back up your database, using wp-phpmyadmin. If you don't know how to do that, check out this video tutorial:


Ten Steps to a Secure WordPress Installation

1. Upgrade WordPress to the latest version. If you're using 2.7 or later, this can be done automatically from your admin dashboard at the click of a button. Just look for the "upgrade" button. If you're using an earlier version, read this.

2. Update plugins. Make sure all are upgraded to their latest versions; if they're not, you are notified on your plugins admin page. Old versions can present a security risk.


3. Change "wp_" Database Table Prefix

I use wp-security-scan, from the same guys that developed the popular All In One SEO Pack *, Semper Fi Web Design. Once activated, on the left-hand menu, click on "Database" in the "Security" drop-down. The page that loads allows you to easily change the prefix. If that doesn't work and instead throws an error, do this:

  • i. Deactivate all WordPress plugins, as a precaution.
  • ii. Back up the database, as explained in the video above.
  • iii. Open the downloaded *.sql file with a text editor (where * is the name of your database).
  • iv. Find and replace all instances of your "wp_" prefix with your new prefix.
  • v. Within your WordPress database, drop all the tables. DO NOT DROP THE DATABASE itself, only the tables. Wp-phpmyadmin is a great plugin to use.
  • vi. Still within your WordPress database, import your newly amended *.sql file, the one you edited by changing the prefix. Wp-phpmyadmin or similar again.
  • vii. Open and edit your wp-config.php file, in the root blog folder, changing $table_prefix = 'wp_'; to $table_prefix = 'yourNewPrefix_';.
  • viii. Reactivate your plugins.

* Truth is, I prefer HeadSpace to the All In One, but that's another story.
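Step iv is the one that bites people: a blind global replace of "wp_" in the dump also rewrites any post body that happens to mention wp_config.php, while a replace that is too narrow misses the option and meta keys WordPress stores with the prefix baked in (wp_user_roles, wp_capabilities, wp_user_level), which locks every user out of their role after the import. The script below is an added example, not code from the article or from wp-security-scan; it rewrites only backtick-quoted identifiers and those known keys, patches the wp-config.php line from step vii, and reports anything still carrying the old prefix. The sample dump is constructed for the demo.

```python
import re

# Option/meta keys that WordPress names with the table prefix; they must move
# with the tables or every account loses its role. Extend if your plugins add more.
PREFIXED_KEYS = ("user_roles", "capabilities", "user_level")
QUOTES = "'\"\u2018\u2019"  # straight and curly quotes, as seen in pasted config lines


def change_prefix(dump: str, old: str, new: str) -> str:
    """Rewrite a mysqldump/phpMyAdmin .sql export from prefix `old` to `new`.

    Only `backtick` identifiers (CREATE/DROP TABLE, INSERT INTO, KEY ...) and the
    known prefixed keys are touched; post content mentioning "wp_" is left alone.
    """
    ident = re.compile("`" + re.escape(old) + r"(\w+)`")
    dump = ident.sub(lambda m: f"`{new}{m.group(1)}`", dump)
    keys = re.compile("'" + re.escape(old) + "(" + "|".join(PREFIXED_KEYS) + ")'")
    return keys.sub(lambda m: f"'{new}{m.group(1)}'", dump)


def update_wp_config(config: str, new: str) -> str:
    """Replace the $table_prefix assignment in wp-config.php, whatever quotes it uses."""
    line = re.compile(r"\$table_prefix\s*=\s*[" + QUOTES + "][^" + QUOTES + "]*[" + QUOTES + r"]\s*;")
    return line.sub(f"$table_prefix = '{new}';", config, count=1)


def leftover(dump: str, old: str) -> list:
    """Identifiers still carrying the old prefix; should be empty before you import."""
    return sorted(set(re.findall("`(" + re.escape(old) + r"\w+)`", dump)))


# Constructed sample dump: tables, the prefixed keys, and a post that mentions wp_.
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL, `option_name` varchar(64));
INSERT INTO `wp_options` VALUES (1,'wp_user_roles','a:5:{...}');
INSERT INTO `wp_usermeta` VALUES (3,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_posts` VALUES (1,'Edit wp_config.php? No: the file is wp-config.php.');
"""

if __name__ == "__main__":
    rewritten = change_prefix(SAMPLE_DUMP, "wp_", "k9x_")
    print(rewritten)
    print("still prefixed:", leftover(rewritten, "wp_"))
    print(update_wp_config("$table_prefix = \u2018wp_\u2019;", "k9x_"))
```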


Article Author: the_guv

Spiel includes web stuff for the BBC, broadcasting for Bloomberg and MTV, plus a bunch of radio.

At http://www.guvnr.com I blog about getting the most out of the web, both to make it and enjoy it. That includes a bunch of video tutorials.


Article comments

  • 1 - Relevant Trafik

    May 29, 2009 at 1:26 pm

    This is a good read and well worth the effort to employ. Also let me add that changing the "powered by Wordpress" to something different is also a good tactic to use. Thanks for posting this.

  • 2 - My Blogging School

    May 29, 2009 at 2:54 pm

    Part of the problem is the widespread use of Fantastico for installing Wordpress in the first place. I will be updating my Fantastico Fix report to include the additional plugins you have mentioned, as well as the tweaks for securing Wordpress regardless of the installation method.

    Good stuff!

  • 3 - cfazendin

    Jun 06, 2009 at 7:13 pm

    Besides removing the admin account, you should also have each account use a different account name and nickname. Then set their posts to display nickname. Can't hack an account name that doesn't exist.

  • 4 - the_guv

    Jun 09, 2009 at 4:08 pm

    tx folks,

    appreciate those comments and tips.

    ..pleased you like my article.

    the_guv

  • 5 - Mike

    Jul 14, 2009 at 5:32 pm

    That makes so much sense. admin is too easy - make it hard to figure out what the admin username is! Brilliant! Thanks!

  • 6 - Joe

    Jul 17, 2009 at 4:13 am

    Hey these tips worked! Thanks

  • 7 - Cool K

    Jul 20, 2009 at 4:13 pm

    Thanks for the tips! I will try them out.

  • 8 - TV Surfing Solutions

    Jul 25, 2009 at 11:52 pm

    Some brilliant information, these tips are great, something many should follow. Thanks

  • 9 - Dave Metz

    Jul 28, 2009 at 8:41 pm

    Wow, so simple and yet completely out-of-the-box. I will definitely follow this great advice. Many thanks.

  • 10 - Lyle

    Aug 13, 2009 at 12:47 pm

    Excellent information. Many of us don't do these important tasks. I will be more aware in the future.

  • 11 - Lyle

    Aug 16, 2009 at 7:45 pm

    Very good I will keep that in mind. I thank you.

  • 12 - Article Directory

    Aug 17, 2009 at 2:51 pm

    Great tips and advice for WP bloggers. As said above, some I would never think of so I'm off to do it right now! :)

  • 13 - Chris Beaumont

    Aug 23, 2009 at 9:35 pm

    "Blog Security" is one of the top security blogs out there keeping an eye on all things blog security and WordPress.

    They’ve just released two great articles WordPress fans need to check out.

    First is news of a video and blog post by Guvnr called “10 Tips to Make WordPress Hack Proof”. The effort involved tips from BlogSecurity’s popular WordPress Security Whitepaper, inspiring them to update and improve it soon.

    Enjoy.

  • 14 - the_guv

    Aug 24, 2009 at 4:13 am

    tx all ..

    appreciate your kind words.

    and am glad you found this Guvnr.com tutorial handy.

  • 15 - Twitter Trends

    Sep 01, 2009 at 12:34 pm

    Great WP tips!

  • 16 - Larry C.

    Sep 04, 2009 at 12:37 am

    Excellent Article, will be doing this in the AM. thanks much for the good security topic.
    Larry

  • 17 - the_guv

    Sep 14, 2009 at 4:51 am

    @TwitterTrends and LarryC

    pleased you like .. best to you.

  • 18 - Bob N

    Nov 05, 2009 at 5:29 pm

    Thanks, Guv. Followed a few of your tips - hope I don't get hacked again! Thanks for writing this up.

  • 19 - empathype

    Nov 30, 2009 at 7:40 am

    A lot of folks talk about this matter but you said some true words.

  • 20 - the_guv

    Dec 23, 2009 at 9:54 am

    @Mike, Zedd, Bob N & empathype
    ... many thanks for your kind comments. sorry for delay, but a Mighty Merry Christmas!!

  • 21 - Dave Korpi

    Jun 22, 2010 at 10:04 pm

    Wowieee! That is a lot of stuff to do...
    I like the videos and have it marked to do for my upcoming blog... But now I am a bit paranoid and at the same time chicken to try all that stuff!

    ADDITIONALLY.. I am not sure what folks do to hack it and why would they hack it anyway? Can you go over what hacking can result in?

    Do they figure out weak passwords and then just edit it like I would? Or, do they hack it by somehow getting to the files another way? Like why change the names and hide the version number??

    Just seems you describe something that really needs to be done but a quick example of what can go wrong if we do not would help little ole me out for sure!

    Also, why would I use wordpress MU for a blog that is only on one subject?

  • 22 - Adam

    Jun 25, 2010 at 10:58 am

    Very timely article as I got hacked twice early this week right after upgrading to 3.0. I added an .htaccess file to my admin directory that limits what IP addresses have access to it. The only problem is my ISP has dynamic IP so I have to constantly change the file.
    Can you explain how the code in the .htaccess file for the admin folder you listed above works? Since it doesn't involve an IP address, it seems like a better option for me.

    Thanks!

  • 23 - Mohanraaj

    Oct 10, 2011 at 7:22 am

    Really informative, I got hacked two times while using wordpress. Thank god you saved my time...

    Thank you the_guv

  • 24 - Brian

    Jan 06, 2012 at 7:16 am

    Until recently, I rarely updated plugins or my WP install. I'm getting quite concerned with security now and update everything immediately. These are good tips. The changing of the db prefixes may be a bit longer until I do that. I'll look further into it though.
