A couple of weeks ago I got an unhappy email from my web hosting provider telling me I was in violation of their Terms of Service. Of course I called them immediately and was told that there was a “phishing page” hidden in one of my web directories. My blog had been hacked, so I immediately started doing some house cleaning.
After the initial once-over and deletion of any suspicious files, I went looking for advice on how to “harden my installation”. Here’s what I found:
- WordPress.org Codex Hardening WordPress – Lots of good information here on hardening WordPress, including a general overview of WordPress security considerations.
- Security Scanning Plugin – WP Security Scan is a plugin that alerts you to vulnerabilities in your WordPress installation.
- Nice List of Tips from Noupe – Lots of simple-to-implement tips on how to lock down WordPress.
- Change your Database Prefix from the Default wp_ – I used SEO Egghead’s WordPress Table Prefix Rename Plugin to do this, then deleted the plugin once I was done; it worked like a champ.
- Blog Security Whitepaper – Another good, comprehensive source of information on blog security, but the last update was in April 2008, so I am not sure everything is still relevant.
- 9 SEO Security Tips for WordPress – Nothing unique relative to the other links, but probably the most succinct list of things to do to secure your WordPress blog.
- Monitor your Blog – I am trying the PHPIDS for WordPress plugin, an implementation of PHPIDS (PHP Intrusion Detection System) for WordPress. However, this plugin seems to interfere with the WordPress media uploader in my installation: using the media uploader while the plugin is active causes the new-post page to refresh to the home page of my blog.
- 20 WordPress Security Plug-ins And Tips To Keep Hackers Away – A bunch of plugins to consider to help tighten up your WordPress security. Enable them one at a time so that any conflicts between them are easy to pin down.
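A note on the prefix-rename tip above. Moving off `wp_` is only a speed bump for automated SQL-injection tools, but the step that bites people is that the prefix also lives inside row data: the `wp_user_roles` option and the `wp_capabilities` / `wp_user_level` keys in usermeta. Rename the tables without rewriting those rows and every account, the administrator included, loses its role. The helper below is an added example (not code from the original post or from the plugin mentioned above) that writes out the complete statement set for the eleven core tables of a WordPress 2.x/3.0 install; the table list and the prefix values are the example's own, and it assumes you edit `$table_prefix` in wp-config.php by hand afterwards.

```python
"""Generate the SQL for moving a WordPress install off the default wp_ prefix.

Added example, not code from the original post or from the prefix-rename
plugin it mentions. The core table list is that of a stock WordPress
2.9/3.0 install (no plugin tables); prefix values are the example's own.
"""
import re

# Core tables of a stock WordPress 2.9/3.0 install.
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "terms", "usermeta", "users",
)

# A prefix is letters, digits and underscores and must end in '_' so that
# table names stay readable and SUBSTRING arithmetic below stays simple.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")


def prefix_rename_sql(old, new, tables=CORE_TABLES):
    """Return the ordered statements that rename the tables AND rewrite the
    rows that embed the prefix.  Order matters: the UPDATEs address the new
    table names, so the RENAMEs come first.
    """
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"prefix must match [A-Za-z0-9_]+ and end in '_': {p!r}")
    if old == new:
        raise ValueError("old and new prefix are the same")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # WordPress stores the prefix inside row data too.  If these rows are not
    # updated every user loses their role and the admin is locked out.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # '_' is a single-character wildcard in LIKE, so escape it; otherwise
    # keys such as 'wpXcapabilities' would be rewritten as well.
    like_old = old.replace("_", r"\_")
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
        f"SUBSTRING(meta_key, {len(old) + 1})) WHERE meta_key LIKE '{like_old}%';"
    )
    return stmts


if __name__ == "__main__":
    # Constructed example prefixes; after running the SQL, set
    # $table_prefix = 'x7q_'; in wp-config.php (not done by this script).
    for s in prefix_rename_sql("wp_", "x7q_"):
        print(s)
```

Run the output in a single maintenance window with the site offline, then change `$table_prefix` in wp-config.php; RENAME TABLE is DDL on MySQL and commits implicitly, so there is no rolling back half way. Plugins that created their own `wp_`-prefixed tables need those added to the table list.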
One other key piece of advice: if you aren’t using a plugin or other code, remove it. Unused directories are great hiding places for malicious code and web pages.
Hopefully this will be a good resource for others and not an invitation for anyone to test these tactics.