It has been brought to my attention that WordPress is becoming a juicy target for hackers and botnets.  As such, here are some simple steps you can take to make your WordPress site much harder to break into.

  • Change your admin password regularly.
    One tactic attackers use is plain brute force: trying passwords against your login form until one works.  What defeats that is length and uniqueness more than frequent rotation, so pick a long combination of letters, numbers and symbols, or a long sentence, that you use nowhere else, and change it whenever you suspect it may have leaked.  A password manager such as LastPass makes long, unique passwords practical.
  • Install a plugin to block bad logins.
    Several plugins lock an account (or block the source IP address) after a set number of failed login attempts, which caps a brute-force attack at a handful of guesses per lockout window instead of thousands.  Installing one of these is a cheap and effective measure.
  • Run VaultPress
    VaultPress is an excellent backup/security plugin: it keeps your site backed up and scans the files regularly for suspicious code.  A clean, recent backup is also what you will restore from if the checks below turn up a compromise, so it is a really valuable addition.
  • Change the admin username.
    This takes a little more technical work, because the username lives in the database (the wp_users table) and has to be edited there, but it pays off: “admin” is the first username every brute-force bot tries, and an account name it cannot guess leaves it with nothing to attack.

These steps are a great start to securing your site, but what if you’ve already been compromised?  How can you tell?  Here are some steps you can take to find out.  It’s somewhat technical in nature though so proceed at your own discretion.

  1. Download the entire site.
    Copy every file under the web root, not just wp-content, to a machine you control so you can search it offline.
  2. Use a search tool to search for suspicious phrases.
    Using a tool such as Eclipse, or grep from a command line, you can search every file of the downloaded site for particular strings of text.  Hackers will often hide backdoors in normal-looking WordPress files, and most backdoors decode and run an obfuscated payload, so search all the files for strings like “eval” and “base64” (base64_decode in particular).  Also look for backticks: in PHP a command between backticks is run by the shell.  Expect some noise, since WordPress core and some plugins use base64_decode legitimately; the comparison against a clean install in step 4 tells you which hits are actually new.
  3. Look for suspicious files.
    Search your wp-content/uploads folder for any files ending in .ph* (.php, .phtml, .php4, .php5, .phar, …).  That folder is supposed to hold images and documents, so any executable file in it is suspect.  If any are found, open them to ensure they’re not running anything.  Generally the only legitimate ones are empty placeholders (or the “Silence is golden” index.php some plugins drop in); anything else should be treated as a dropper.
  4. Compare the files to a clean WordPress folder.
    One thing you can do to determine if there are bad files is to compare your current site files to a clean WordPress install.  Download the same version of WordPress as you currently have running (hopefully the latest) from wordpress.org and compare the two trees.  One way to do that is to use a version control system like Git: commit the clean install first, copy your site’s files over it, and git status then lists every file that was modified or added.  Note that this covers only core: plugins and themes need the same comparison against clean copies of their own versions, and wp-config.php will always differ.  If you have WP-CLI, wp core verify-checksums does the core comparison against the checksums wordpress.org publishes.
  5. Download the raw database and check for suspicious code.
    Once downloaded as raw SQL, search the dump for strings such as “<?”, “eval”, “base64” and “<script”.  Injected content usually lands in wp_posts (post_content) or wp_options (option_value).  Backticks are less useful here than in the files, because mysqldump wraps every table and column name in backticks; only backticks inside quoted values are interesting.  Expect some base64 in option values to be legitimate serialized plugin settings, so review hits rather than deleting on sight.

Filed in: Information, PHP Programming, WordPress Related

One Response to “Steps to Keep WordPress Secure”

  1. Loren Says:

    Thanks, James! On your fourth point (about changing the admin login name), for those who are not technically inclined to go to those lengths, a person can create a new admin-level user, make sure that they can log in with that new user name, and then delete the original admin user.

    One thing I noticed about some of the plugins that block bad logins is that not all of them are kept up to date. So that is something that a user would need to be aware of and evaluate before using such a plugin.