It has been brought to my attention that WordPress is becoming a juicy target for hackers and bot-nets.  As such, here are some simple steps you can take to prevent your WordPress site from being hacked.

  • Change your admin password regularly.
    One strategy that hackers are using is simple brute-force attacks to try and guess your password.  You should change it regularly, and make sure the password you choose is very hard to guess.  Long combinations of letters, numbers and symbols are best.  Sentences can be good too.  Consider using a password storage solution such as LastPass.
  • Install a plugin to block bad logins.
    There are a number of plugins out there which can lock user accounts if too many bad login attempts are detected.  Installing one of these would be a good security measure.
  • Run VaultPress
    VaultPress is an excellent backup/security plugin that will both keep your site backed up, as well as searching regularly for suspicious code.  A really valuable addition.
  • Change the admin username.
    This takes a little more technical work because you have to modify the database manually, but changing the admin username to something other than “admin” can go a long way.

These steps are a great start to securing your site, but what if you’ve already been compromised?  How can you tell?  Here are some steps you can take to find out.  It’s somewhat technical in nature though so proceed at your own discretion.

  1.  Download the entire site.
  2. Use a search tool to search for suspicious phrases.
    Using a tool such as Eclipse, you can search the entire filesystem of a given site for particular strings of text.  Hackers will often hide backdoors in normal looking WordPress files.  You can find many of these by searching all the files on the site for strings like “eval” and “base64″.  Also look for backticks.
  3. Look for suspicious files.
    Search your wp-content/uploads folder for any files ending in .ph* (.php, .phtml, .php4, …)  If any are found, check them out to ensure they’re not running anything suspicious.  Generally, if there are any, they should be empty.
  4. Compare the files  to a clean WordPress folder.
    One thing you can do to determine if there are bad files is to compare your current site files to a clean WordPress install.  Download the same version of WordPress as you currently have running (hopefully the latest) and compare the files with each other.  One way to do that is to use a version control system like GIT.  You can commit the clean WP install first, then overlay your files on that, and easily see any differences.
  5. Download the raw database and check for suspicious code.
    Once downloaded as raw SQL, you should be able to search the code for strings such as “<?”, “eval”, “base64″, “<script”, and backticks.

Related Reading:

Learning PHP, MySQL, JavaScript, CSS & HTML5: A Step-by-Step Guide to Creating Dynamic WebsitesLearning PHP, MySQL, JavaScript, CSS & HTML5: A Step-by-Step Guide to Creating Dynamic WebsitesThe 3rd edition of the best-selling introduction to using PHP & MySQL to create dynamic, interactive websites - also includes coverage of JavaScript, ... Read More >
PHP Objects, Patterns, and PracticePHP Objects, Patterns, and Practice

PHP Objects Patterns and Practice, Fourth Edition is revised and updated throughout. The book begins by covering PHP's object-oriented features... Read More >

Programming PHPProgramming PHP

This updated edition teaches everything you need to know to create effective web applications with the latest features in PHP 5.x. You’ll start w... Read More >

Filed in: Information, PHP Programming, WordPress Related

One Response to “Steps to Keep WordPress Secure”

  1. Loren Says:

    Thanks, James! On your fourth point (about changing the admin login name), for those that are not technically inclined to go to those lengths a person can create a new admin level user, make sure that they can login with that new user name and then delete the original admin user.

    One thing I noticed about some of the plugins that block bad logins is that not all of them are kept up to date. So that is something that a user would need to be aware of and evaluate before using such a plugin.

Feedback