Securing WordPress

Posted on July 13, 2009 by Mark in Featured Articles, Open Source, Web Applications - 5 Comments

A couple of weeks ago I got an unhappy email from my web hosting provider telling me I was in violation of their Terms of Service. Of course I called them immediately and was told that there was a “phishing page” hidden in one of my web directories. My blog had been hacked, so I immediately started doing some house cleaning.

After the initial once over and deletion of any suspicious files I went looking for advice on how to “harden my installation”. Here’s what I found:

  • WordPress.org Codex Hardening WordPress – Lots of good information here on hardening WordPress, including a general overview of WordPress security considerations.
  • Security Scanning Plugin – WP Security Scan is a plugin that alerts you to vulnerabilities in your WordPress installation.
  • Nice List of Tips from Noupe – Lots of simple-to-implement tips on how to lock down WordPress.
  • Change your Database Prefix from the Default WP – I used SEO Egghead’s WordPress Table Prefix Rename Plugin to do this, then deleted the plugin once I was done; worked like a champ.
  • Blog Security Whitepaper – This was another good, comprehensive source of information on blog security, but the last update was in April 2008 so I am not sure if everything is still relevant.
  • 9 SEO Security Tips for WordPress – Nothing unique from the other links, but probably the best succinct list of things to do to secure your WordPress blog.
  • Monitor your Blog – I am trying the PHPIDS for WordPress plugin, which is an implementation of PHPIDS (PHP Intrusion Detection System) for WordPress. However, this plugin seems to interfere with the WordPress media uploader in my installation. (Using the media uploader while this plugin is active causes the new post page to refresh to the home page of my blog.)
  • 20 WordPress Security Plug-ins And Tips To Keep Hackers Away – A bunch of plugins to consider to help tighten up your WordPress security. Remember to turn them on one by one in case they generate conflicts.
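The table-prefix change in the list above is the step most likely to go wrong when done by hand, because the prefix does not only name the tables: the `user_roles` option and the per-user `capabilities` and `user_level` meta keys carry it too, and forgetting them locks every account out of the admin. The following shell script is an added example, not code from the post or from the prefix-rename plugin it mentions. It prints the SQL a rename needs and rewrites the `$table_prefix` line in `wp-config.php`; the ten table names in `WP_TABLES` are an assumption about a core-only install, so compare them against `SHOW TABLES` on your own database and add any plugin tables before running the output.

```shell
#!/bin/sh
# Added example (not from the original post): generate the SQL for moving a
# WordPress install off the default "wp_" table prefix, and patch wp-config.php.
# WP_TABLES is an assumption (core tables of a 2.8-era install, no plugin
# tables); verify it against SHOW TABLES before using the generated SQL.
WP_TABLES="comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# gen_prefix_rename_sql OLD NEW  -> prints the statements to stdout.
# Take a database backup first; the RENAMEs are not wrapped in a transaction.
gen_prefix_rename_sql() {
    old="$1"; new="$2"
    # 1. Rename every table.
    for t in $WP_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # 2. The roles option is named after the prefix; rename it or nobody has a role.
    printf '%s\n' "UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';"
    # 3. Per-user keys (capabilities, user_level, ...) start with the prefix.
    #    Escape "_" so LIKE treats it literally rather than as a wildcard,
    #    and strip exactly len(old) characters before prepending the new prefix.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf '%s\n' "UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, $((${#old} + 1)))) WHERE meta_key LIKE '${esc}%';"
}

# update_wp_config_prefix FILE OLD NEW  -> rewrites the $table_prefix line.
update_wp_config_prefix() {
    cfg="$1"; old="$2"; new="$3"
    sed "s/^\(\\\$table_prefix *= *'\)$old';/\1$new';/" "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}
```

Usage: `gen_prefix_rename_sql wp_ hs7x_ > rename.sql`, review the file, then feed it to the `mysql` client and run `update_wp_config_prefix wp-config.php wp_ hs7x_`. Do the SQL and the config change back to back, since the site is broken in between.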

One other key piece of advice: if you aren’t using a plugin or other code, then remove it. Unused directories are great hiding places for malicious code and web pages.

Hopefully this will be a good resource for others and not an invite to anyone to test these tactics :)

Technorati Tags: plugins, Security, WordPress

5 comments on “Securing WordPress”

  1. Mark Turner says:
    July 14, 2009 at 10:42 am

    A few more tips:

    Be very selective about which plugins you use. One of the latest WordPress exploits targeted plugins that didn’t properly check their permissions. The latest WP 2.8.1 has corrected this issue.

    If you are going to use plugins, I suggest you use one that filters bots from creating users on your site. Many exploits rely on having a valid user on your system.

    Renaming your WP tables is also a smart move as well, as it confuses most bots.

    Cheers,
    Mark
    http://www.markturner.net

  2. Mark Turner says:
    July 14, 2009 at 10:44 am

    Oh, and one other useful tip. I found that changing the file permissions on my wp-content/uploads directory greatly reduces the ability of bad guys to upload their own arbitrary code. I have a cron script which changes the ownership of this directory (and everything under it) to a user other than my webserver user.

    Cheers,
    Mark
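The uploads directory is the one place a WordPress site must accept files from its users, so the point in the comment above is worth turning into something repeatable: it should hold media only, it should never be served as PHP, and nothing in it should be world-writable. The script below is an added example, not code from the post or from the commenter's cron job. It assumes an Apache host that honours `.htaccess`; the ownership change the commenter describes needs root and is left to his cron script, so only the audit, the deny rule and the permission reset are shown.

```shell
#!/bin/sh
# Added example (not from the original post or its comments): audit and lock
# down wp-content/uploads. Assumes Apache with AllowOverride enabled for the
# site; the chown step from the comment needs root and is not done here.

# find_php_in_uploads WPROOT -> prints any PHP-like files under uploads,
# returns 1 if it found some and 0 if the directory is clean.
find_php_in_uploads() {
    up="$1/wp-content/uploads"
    hits=$(find "$up" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# write_uploads_htaccess WPROOT -> refuse to serve script-like files from
# uploads even if one slips past the audit (Apache 2.2 access syntax).
write_uploads_htaccess() {
    up="$1/wp-content/uploads"
    mkdir -p "$up"
    cat > "$up/.htaccess" <<'EOF'
# Uploads hold media only: never serve PHP from here.
<FilesMatch "\.(php|phtml|php[0-9])$">
Order Deny,Allow
Deny from all
</FilesMatch>
EOF
}

# lock_uploads_perms WPROOT -> readable by the web server, writable only by
# the owner: 755 for directories, 644 for files.
lock_uploads_perms() {
    up="$1/wp-content/uploads"
    find "$up" -type d -exec chmod 755 {} \;
    find "$up" -type f -exec chmod 644 {} \;
}
```

Run `find_php_in_uploads /path/to/wordpress` from cron and mail yourself the output; a non-zero exit is the signal worth alerting on, since a clean uploads tree never contains PHP.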

  3. Michael Badger » Harden your WordPress says:
    July 14, 2009 at 10:53 pm

    [...] Hinkle at socialized software shares some resources to harden your WordPress installation. Unfortunately for him, he discovered [...]

  4. Mark says:
    July 14, 2009 at 10:55 pm

    Thanks for the tips, Turnerman.

  5. Good Afternoon from Holland, Pennsylvania | ionosphere says:
    August 8, 2009 at 6:19 am

    [...] Securing WordPress (socializedsoftware.com) [...]


About

My name is Mark Hinkle, and I am a technology enthusiast with an affinity for open source. My day job is at Citrix Systems where I am the Senior Director, Open Source Solutions, responsible for their open source cloud computing evangelism efforts for Apache CloudStack and the Xen hypervisor. This is my personal blog, and it does not reflect the opinions of my employer. If you want to find out more you can read my bio.
