Is your wordpress secured? You should really move on!

2009/01/09 - By Kurt Avish - 77 views

Hey, it's already Friday and I have only about one week before the university course gets back to rant at us! So today I'll talk about something really important: is your WordPress secured?

I am not sure, but I think that many of us here, mostly my Mauritian blogger buddies, do not secure their blogs as they should. Everyone heard about the Tamasa.mu hacker attack some days ago? So some of you must be saying that Tamasa had a weak script with loopholes and so on, and that's why it was easily hacked by a son of a "bitch"?!

I will agree with the last part, whether the hacker is a son of a bitch... that's not my problem, but did you know that even if WordPress itself is secure, your blog can still be hacked if you, on your side, do not abide by the preventive measures?

I won't go into the details of how a WordPress blog can be hacked, but I'll give you one simple example. Assume your blog is hacked and the hacker deletes your database or modifies it in some ugly ways. It's really simple to set up another WordPress installation within minutes. However, do you have a backup?? By backup, I mean a database backup and also a backup of the WordPress files! Do you have one? And if you have one... is it a recent one?

That's where you can lose a lot of data if you don't do backups. Island Crisis and the other blogs hosted on my account do 24 backups every day! That is, each hour the blogs are backed up and saved at a restore point. No need to worry if you do not do backups yet; I'll tell you how easy it is.

Those on Blogspot need not worry much about backups. But those on a private WordPress install should do it. Grab this plugin for database backup and install it in your plugins directory. Enable the plugin and go to its settings to configure it.

There is a section where you can email the backup to an email address. No need to bulk up your server with backups: use the email backup feature and create an email address just for backups. Now set the backups to hourly or twice a day... as you need. The plugin will automatically back up your database and email it to the backup address every day or every hour.

Now concerning your WordPress files, you can do a manual backup every day within your administration panel, or check whether your host gives you a backup utility.
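The same hourly database-plus-files backup, done from the shell instead of the plugin (an added example, not from the post or the plugin; mysqldump and tar are assumed to be installed, and the /var/www/blog and /var/backups/wp paths are hypothetical):

```shell
#!/bin/sh
# Added example (not from the post): the "24 backups a day" routine described
# above, done with mysqldump + tar. Assumes mysqldump and tar are installed and
# the script runs as a user that can read the WordPress tree. The paths in the
# cron line at the bottom are hypothetical.

# Read a define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {  # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Keep only the newest $2 archives in $1 and delete the rest, so the server
# does not fill up with hourly copies.
prune_old_backups() {  # $1 = backup dir, $2 = copies to keep
    ls -1t "$1"/wp-backup-*.tar.gz 2>/dev/null | tail -n +"$(( $2 + 1 ))" |
        while read -r old; do rm -f "$old"; done
}

# Dump the database and archive it together with wp-content and wp-config.php.
backup_wordpress() {  # $1 = WordPress root, $2 = backup dir, $3 = copies to keep
    root=$1; dest=$2; keep=${3:-24}
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d) || return 1
    db=$(wp_config_value "$root/wp-config.php" DB_NAME)
    user=$(wp_config_value "$root/wp-config.php" DB_USER)
    pass=$(wp_config_value "$root/wp-config.php" DB_PASSWORD)
    host=$(wp_config_value "$root/wp-config.php" DB_HOST)   # may carry a :port suffix
    # Pass the password through the environment so it never shows up in `ps`.
    MYSQL_PWD=$pass mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
        > "$work/db-$stamp.sql" || { rm -rf "$work"; return 1; }
    # wp-content holds themes, plugins and uploads; the config holds the salts.
    tar -czf "$dest/wp-backup-$stamp.tar.gz" -C "$work" "db-$stamp.sql" \
        -C "$root" wp-content wp-config.php || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    prune_old_backups "$dest" "$keep"
}

# Hourly cron entry (hypothetical paths):
#   0 * * * * /usr/local/bin/wp-backup.sh --run /var/www/blog /var/backups/wp
if [ "${1:-}" = "--run" ]; then backup_wordpress "$2" "$3"; fi
```

Copy the archives off the server too (the post's email trick does exactly that), since a backup sitting next to the blog is lost with it.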

Now, backups are not a real preventive measure. They're more like a cure if you ever get hacked. So how do you really secure your WordPress?

A hacker can brute-force attack your login page. So to fu*k him, use the Login LockDown plugin. Also consider using the Chap Secure Login plugin to encrypt your login information while logging in to your blog. Who knows... if our local hacker did get some nutritional milk from his mother, he could have the idea to sniff networks. So let's make him sniff our socks!
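One way to see the brute-force attempts the Login LockDown plugin is meant to stop, from the web server's access log rather than inside WordPress (an added example, not the plugin's code; it assumes Apache's combined log format and the heuristic that a failed wp-login.php POST answers 200 while a successful one redirects with 302, and the log lines are constructed):

```shell
#!/bin/sh
# Added example (not from the post): spot login brute-forcing in the web
# server's access log. Assumes Apache "combined" log format and the heuristic
# that WordPress re-renders the login form (HTTP 200) on a failed POST to
# wp-login.php but redirects (HTTP 302) after a successful one.

# Print "IP HH:MM count" for every source that reached the failure threshold
# within a single minute.
flag_login_bursts() {  # $1 = access log file, $2 = failed POSTs per minute to alert on
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" {
            key = $1 " " substr($4, 14, 5)   # source IP plus HH:MM of the request
            n[key]++
        }
        END { for (k in n) if (n[k] >= limit) print k, n[k] }' "$1" | sort
}

# Constructed sample log: 203.0.113.5 fails six times in one minute and then
# gets in; 198.51.100.7 fails twice (a forgotten password, not an attack).
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [09/Jan/2009:14:37:01 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2009:14:37:02 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2009:14:37:03 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2009:14:37:04 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2009:14:37:05 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2009:14:37:06 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2009:14:37:07 +0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jan/2009:14:38:10 +0400] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jan/2009:14:38:21 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jan/2009:14:38:40 +0400] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
EOF
}

# Example run:  sample_access_log > /tmp/access.log; flag_login_bursts /tmp/access.log 5
```

The 302 that follows the six failures is the part to worry about: a burst that ends in a redirect means the guessing worked.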

Another thing is to add an index page to all your folders! For example, in your plugin and theme folders, create a blank index.html page and upload it into every folder there. The most important is to secure these two folders:

  1. /wp-content/plugins
  2. /wp-content/themes

Now, time to also remove your WordPress version from your blog! Why? Simply because it makes a hacker's job easier to know which version of WordPress you are using, so he can look for loopholes! So go to your header.php file and remove this part of the code:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
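A script that checks a WordPress tree for the three exposures above: folders without a blank index.html, the generator tag in header.php and, as the comments further down recommend, the default wp_ table prefix (an added example, not from the post; it goes beyond the page in also checking the wp_head()/wp_generator hook through which later WordPress releases print the same tag, and the /var/www/blog path and theme name are hypothetical):

```shell
#!/bin/sh
# Added example (not from the post): audit a WordPress tree for folders that
# list their contents (no index.html), a theme that prints the WordPress
# version, and the default wp_ table prefix. Paths such as /var/www/blog and
# the theme name are hypothetical.

# Drop an empty index.html into every directory under $1 that lacks one and
# print how many were created (0 means the tree was already covered).
add_index_files() {  # $1 = directory, e.g. /var/www/blog/wp-content
    find "$1" -type d -exec sh -c '
        [ -e "$1/index.html" ] || { : > "$1/index.html"; echo "$1"; }' _ {} \; |
        awk 'END { print NR }'
}

# Succeed (exit 0) when the theme still advertises the version: either the
# literal generator tag from the post is in header.php, or header.php calls
# wp_head() and functions.php never removes the wp_generator hook, which
# prints the same tag in WordPress releases after this post was written.
version_exposed() {  # $1 = theme directory
    grep -q 'name="generator"' "$1/header.php" 2>/dev/null && return 0
    grep -q 'wp_head()' "$1/header.php" 2>/dev/null &&
        ! grep -q "remove_action( *'wp_head', *'wp_generator' *)" "$1/functions.php" 2>/dev/null
}

# Print the table prefix set in wp-config.php (empty if none is set).
wp_table_prefix() {  # $1 = path to wp-config.php
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Run all three checks on a WordPress root; the exit status is the number of findings.
audit_wordpress() {  # $1 = WordPress root, $2 = active theme name
    findings=0
    added=$(add_index_files "$1/wp-content")
    [ "$added" -eq 0 ] || { echo "added index.html to $added folder(s)"; findings=$((findings + 1)); }
    if version_exposed "$1/wp-content/themes/$2"; then
        echo "theme $2 still reveals the WordPress version"; findings=$((findings + 1))
    fi
    [ "$(wp_table_prefix "$1/wp-config.php")" != "wp_" ] ||
        { echo "wp-config.php still uses the default wp_ table prefix"; findings=$((findings + 1)); }
    return "$findings"
}

# Example run:  audit_wordpress /var/www/blog mytheme
```

Changing the prefix on a live blog means renaming the existing tables as well as editing wp-config.php, which is the caveat the author gives in the comments.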

OK, you are now more secure than before, but there are two silly mistakes that I often see many people make! What is your blog username? Admin?? Change that, buddy!! It's too easy to guess. If a hacker can guess this, then the only job he has left is to find the password! So use a weird and original username to log in! Avoid using your name too!

The second mistake is the password. What is your password? By the way, I heard that the admin of Twitter had the password 'Happiness'!! Lol. Use a strong password which contains at least 12 words and also contains at least 1 digit and 1 symbol!

Well, that's all for now concerning security. If you guys know some more working methods, do share them with us here.


Comments From Our Wonderful Readers...

15 Responses to “Is your wordpress secured? You should really move on!”

  1. carrotmadman6 on January 9th, 2009 2:37 PM

    Even better… use Blogger. Unhackable. Totally secured…. except if the Big One hits Mountain View. :P

    Kurt Avish Reply:

    @Carrot: Haha.. that's an advantage of Blogspot :-)

    @Ashesh: Thanks for reading.

  2. Ashesh on January 9th, 2009 3:14 PM

    Very informative post. Thanks :D

  3. yusha on January 9th, 2009 4:13 PM

    :S Well this is interesting... who would want to hack blogs?

    Kurt Avish Reply:

    @Yusha: Don't ask me this question again :P Of course there are some P**** who don't have anything better to do than spend their nights trying to find loopholes to hack in.

  4. Sailesh on January 9th, 2009 4:45 PM

    Avish, I'll post my system info below, let me know if it's secured or not :P

    1. My database tables use a different structure, not the WordPress default
    2. The WordPress script I use has many changes, like the coding structures are changed
    3. My web server has an auto-backup feature every 4 hours (once a new backup is made, the older ones are deleted)
    4. My .htaccess file has special instructions to prevent attacks or leeching
    5. My server has DDoS protection

    Anything else is needed?

    Kurt Avish Reply:

    @Sailesh:

    Point 1: I completely forgot to mention the table prefix. Thanks for adding it here. Yeah, it's better also not to use the default wp prefix. Easy... replace it with another set of characters. You can also edit your SQL file if you have already installed your blog, but don't forget to change the config.

    Point 2: That's good. That's to your advantage. It's always better to be away from the default ones.

    Point 3: That's good. So auto backup is one of the services that you obtain if you are ready to spend more on the hosting.

    Point 4: Give me your hta, I'll have a look lol :P

    Point 5: That's good for both of us then :-) Even I do lol.

    Anything else... hmm... yeah, you gave Yashvin his gift lol? :D

  5. Web Design Bureau on January 9th, 2009 5:17 PM

    One thing. I actually used 301 permanent PHP redirects in the index pages in folders and subfolders. This way the person is sent directly to the homepage without ever getting into the folder. Second, it helps in redirecting search bots also.

    Kurt Avish Reply:

    @WDB: Hey... how come I didn't think about this? :P Yeah, you're right buddy. Using a 301 redirect is much better :D I'll check that.

  6. Chaya on January 9th, 2009 6:42 PM

    Informative post, Avish. But you do know the problem associated with my WordPress, right? How to tackle that? Should I be creating another account for myself with my priority set to Administrator?? Help please :)
    As for the other issues, I'll try to settle them with the plugins.

    By the way, can you please share the link for themes/plugins again with me (on MSN)? I kind of forgot in which browser I bookmarked it :(

    With thanks

    Chaya

    Kurt Avish Reply:

    @Chaya: Thanks for reading :-) Yeah, for your problem la, I already told you what to do on MSN :-) For the plugins, just contact me if you forgot the link.

    @Yudz: LOL. Yeah, I think what you said will be better for them :P

    @Coffee buzz: I don't think he is too sad either lol. The hacker will most probably be having his password as sadness ;-)

  7. Lovvy on January 9th, 2009 9:45 PM

    I learnt many things from this post.. I will make my blog private soon

  8. Yudz on January 10th, 2009 6:14 AM

    Very useful..
    But I don't agree with your "sniff our socks" phrase.. it should have been "sniff our asses" (just imagine you are on the verge of farting!.. aww!) LOL

  9. coffee buzz on January 10th, 2009 8:49 AM

    Did the Twitter admin change his password to "sadness" after he was hacked? Haha... ok not funny

  10. Daks on January 10th, 2009 9:07 AM

    uuhhmmm interesting :) :)
