

Securing WordPress – Methodology, Examples, How to implement changes.

Blog, Configuring Ubuntu, F.A.Q.'s, How To's, Security, Tech Industry News, Ubuntu, Ubuntu Server, wordpress

Securing WordPress is one of those topics a lot of people need to deal with, but few have a defined guide for how to do it. Remember that securing WordPress is about trade-offs between usability and security: everything you lock down makes access harder for your users and for yourself, or adds an extra step to get in.

Today I will go over the basic things you can do to secure your WordPress installation. For some parts of this guide I assume you have your own server with root access; I will note where you can also do things in a shared hosting environment.

Hosting

The first thing to consider when securing WordPress is your hosting. Is your hosting provider secure? Do they update to the newest versions of the software they run? What other measures have they taken to mitigate attacks on your site? If you are using a shared or managed hosting provider this should all be taken care of for you, but don’t hesitate to ask, as not all hosting providers care. If you are managing your own server you need to consider every step necessary to secure it, from keeping your OS (Operating System) updated to how you are going to squelch a DDoS (Distributed Denial of Service) attack when you make someone mad.

The Basics

Throughout my guide you will find the following ideas; they may be repeated, but all follow four basic ideas of security:

  1. Limit Access – Decide deliberately who may reach which files and directories; every permission you withhold removes a point of entry for a malicious person or bot (most WordPress attacks are carried out automatically).
  2. Password Security – Most people don’t realize the easiest point of entry is simply knowing a valid username and password.
  3. Containment – If you know of a weak point in your installation, contain it so there is minimal damage to your system if that point of entry is used. If you do get hacked, figure out where the point of entry was and harden it.
  4. Snapshot – Keep a snapshot of your WordPress configuration: regular database backups, file/folder backups, even a note of every change to your code, so you know what was changed and why and can easily tell your own changes from someone else’s.

Common Vulnerabilities

  1. Your Computer – Remember that nothing you do on the server matters if your own computer has been compromised. Keep your operating system, virus scanner and malware/adware scanner up to date.
  2. WordPress Itself – WordPress can have vulnerabilities in the way it handles data, form input, etc. The only real way to keep up with this is to run the latest version of WordPress. It may be a pain to check once a week or every two weeks, but the security gain is very important.
  3. The Server – Whatever server you are using, your own or a shared one, needs to be kept up to date; if it is not, you may be compromised from outside WordPress. Check for newer versions of Apache, PHP and MySQL (or IIS and MSSQL on Windows).
  4. The Network – If the network isn’t secured or built to automatically squelch a DDoS attack, you are probably hosting in the wrong place.
  5. Plugins – Many bots look for known plugins with easy-to-exploit vulnerabilities. I have found my plugins tend to be my easiest point of entry. If you can hide which plugins, and which versions of them, you are running, you make them harder to target.

Attack Types

The most common attack types against WordPress are:

  1. Specially crafted HTTP requests sent to the server with a payload, trying to get WordPress or a WordPress plugin to do something it should not; this may be automated or not.
  2. Brute-force password attacks.
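Both attack types leave a trace in the web server's access log, and a practitioner will want to be able to pull them out of it. The script below is an added example, not code from the original post: it writes a handful of constructed Apache combined-format log lines (the IP addresses are documentation ranges, the paths and user agents are made up) and then runs two checks over them, one that counts failed wp-login.php POSTs per source address, and one that flags requests whose path carries a traversal, script-tag or UNION SELECT payload.

```shell
#!/bin/sh
# Added example, not from the original post: spot the two attack types above
# in an Apache combined-format access log. The log lines are constructed for
# the example; the addresses are documentation ranges, the paths are made up.

set -u

# write_sample_log FILE  -> writes the constructed sample log lines to FILE
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2007:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2007:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Mar/2007:08:40:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2007:08:40:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2007:09:01:00 +0000] "GET /wp-content/plugins/gallery/view.php?f=../../../wp-config.php HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.9 - - [10/Mar/2007:09:01:01 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 9000 "-" "libwww-perl/5.805"
192.0.2.9 - - [10/Mar/2007:09:01:02 +0000] "GET /2007/03/hello-world/ HTTP/1.1" 200 9000 "-" "libwww-perl/5.805"
EOF
}

# login_bruteforce_report LOG THRESHOLD
# Counts POSTs to wp-login.php per source IP that got a 200 back. A failed
# login re-renders the form with status 200, while a successful one redirects
# (302) into wp-admin, so the 200s are the failed guesses. Prints "count ip"
# for every address at or above THRESHOLD, busiest first.
login_bruteforce_report() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# payload_probe_report LOG
# Prints "ip path status" for requests whose path or query string carries a
# payload typical of the first attack type: directory traversal (raw or
# URL-encoded), a script tag, or a SQL UNION SELECT. This is a starter
# pattern list for the example, not a complete signature set.
payload_probe_report() {
    awk '
        tolower($7) ~ /\.\.\/|%2e%2e%2f|<script|%3cscript|union(\+|%20)+select/ { print $1, $7, $9 }
    ' "$1"
}

# Usage on a real log: WP_LOG=/var/log/apache2/access.log sh thisscript.sh
if [ -n "${WP_LOG:-}" ]; then
    echo "== failed wp-login.php POSTs per IP (10 or more) =="
    login_bruteforce_report "$WP_LOG" 10
    echo "== requests carrying a payload =="
    payload_probe_report "$WP_LOG"
fi
```

On the constructed log, the first report names only 203.0.113.7 (five failed attempts in three seconds); 198.51.100.4 failed once and then succeeded, which is what a real user looks like. The second report flags the two probes from 192.0.2.9 and ignores its ordinary page view. Feed the report into your firewall or fail2ban rule of choice; the point here is that without the log there is nothing to act on.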

Implementation

  1. Securing your /wp-admin directory. Your /wp-admin directory needs to be secured from outside of WordPress. The way I recommend doing this is with a simple .htaccess and .htpasswd file. I would not recommend any sort of plugin for this: the whole point is an extra layer outside WordPress, and it stops almost all bot (automated) attacks and attacks from the unskilled hacker. Keep in mind that all your users will need to know the username and password to get in; what I have done is write the .htaccess so that the login prompt tells legitimate users which username and password to use. The biggest benefit is that the attacker has to get through HTTP authentication first, so no request reaches WordPress without it.
  2. Changing the admin username – If the attacker does not know a valid username, a brute-force password attack has nowhere to start. You can change the admin username either with MySQL commands or through phpMyAdmin.
  3. Obscurity – If a bot or attacker doesn’t know what you are running, or which version, the chance of a successful attack decreases. Here is a plugin to help: Plugin Page
  4. Backups – Please, people, back up your stuff regularly (daily or better).
  5. Logs – If you don’t have good logs you won’t find the point of entry when you do get attacked.
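Steps 1 and 2 above, carried through as an added example rather than the post's own files: a POSIX shell script that writes the wp-admin .htaccess, guards wp-login.php as well, adds an .htpasswd user, checks that a .htaccess has every directive Basic auth needs, and emits the SQL that renames the admin row. It assumes Apache 2.4 (mod_auth_basic and mod_authz_core, with AllowOverride AuthConfig enabled for the site), the default wp_ table prefix unless you pass another, and that htpasswd (apache2-utils) or openssl is installed; the document root and password file paths are whatever the caller passes in. Two caveats that the bullet points do not mention are built in: admin-ajax.php inside wp-admin is called by public pages, so it must stay open, and the login form itself is wp-login.php at the site root, outside the protected directory.

```shell
#!/bin/sh
# Added example, not from the original post: HTTP Basic auth in front of
# /wp-admin and wp-login.php, plus the SQL to rename the admin account.
# Assumes Apache 2.4 syntax; for 2.2 replace "Require all granted" with
# "Order allow,deny / Allow from all / Satisfy any".

set -u

# write_admin_htaccess DOCROOT PASSFILE [REALM]
# Writes DOCROOT/wp-admin/.htaccess requiring a valid htpasswd user, but
# leaves admin-ajax.php open: themes and plugins POST to it from public
# pages for anonymous visitors, and blanket auth on wp-admin silently
# breaks them. The realm string is what the browser shows in its prompt,
# so it is where you tell legitimate users which account to use.
write_admin_htaccess() {
    docroot=$1; passfile=$2; realm=${3:-"WordPress admin"}
    mkdir -p "$docroot/wp-admin"
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "$realm"
AuthUserFile $passfile
Require valid-user

<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# write_login_htaccess DOCROOT PASSFILE [REALM]
# Protecting /wp-admin does nothing against brute force on its own: the
# login POST goes to DOCROOT/wp-login.php, outside that directory. Append
# a guard for it to the root .htaccess (once; re-runs are no-ops).
write_login_htaccess() {
    docroot=$1; passfile=$2; realm=${3:-"WordPress admin"}
    mkdir -p "$docroot"
    grep -q 'wp-login.php' "$docroot/.htaccess" 2>/dev/null && return 0
    cat >> "$docroot/.htaccess" <<EOF
<Files "wp-login.php">
    AuthType Basic
    AuthName "$realm"
    AuthUserFile $passfile
    Require valid-user
</Files>
EOF
}

# add_basic_auth_user PASSFILE USER PASSWORD
# Prefers htpasswd (bcrypt); falls back to openssl's apr1 hash, which Apache
# also accepts. Keep PASSFILE outside DocumentRoot so it cannot be fetched.
add_basic_auth_user() {
    passfile=$1; user=$2; password=$3
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$user" "$password" >> "$passfile"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$password")" >> "$passfile"
    else
        echo "need htpasswd or openssl to hash the password" >&2; return 1
    fi
}

# check_htaccess FILE  -> 0 only if FILE carries every directive Basic auth
# needs; a missing AuthUserFile or Require line means no prompt at all.
check_htaccess() {
    for d in 'AuthType Basic' 'AuthName' 'AuthUserFile' 'Require valid-user'; do
        grep -q "$d" "$1" || { echo "$1: missing $d" >&2; return 1; }
    done
}

# rename_admin_sql PREFIX NEWNAME  -> prints the UPDATE for the admin row.
# user_nicename must change too: it is the slug in /author/<nicename>/,
# and /?author=1 redirects there, so a renamed login with the old nicename
# still hands the attacker the username. Change display_name as well if it
# still reads "admin". NEWNAME is restricted to a safe character set rather
# than escaped, so the statement can be pasted into mysql or phpMyAdmin.
rename_admin_sql() {
    prefix=$1; newname=$2
    case $newname in
        ''|*[!A-Za-z0-9_.-]*) echo "refusing unsafe username: $newname" >&2; return 1 ;;
    esac
    printf "UPDATE %susers SET user_login='%s', user_nicename='%s' WHERE user_login='admin';\n" \
        "$prefix" "$newname" "$newname"
}
```

A typical run on the server is `write_admin_htaccess /var/www/html /etc/apache2/wp.htpasswd "Staff only"`, then `write_login_htaccess` with the same arguments, `add_basic_auth_user /etc/apache2/wp.htpasswd staff 'a long passphrase'`, and `check_htaccess` on both files before reloading Apache; the SQL from `rename_admin_sql wp_ newname` is run once, and afterwards you log in with the new name for both the HTTP prompt and WordPress. Shared hosting without shell access can still use the two .htaccess files as written, with the .htpasswd line generated by the host's control panel.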

The moral of the story

WordPress is popular, and popular things get hacked more often. Learn from others’ mistakes and take your blog’s security seriously.

As always any questions just leave a comment.


The Secrets of Money Making Blogs!

Blog

Well, everyone wonders how to make money with their blog!

The first step is to build your content! Without content your blog is useless!

The second step is to advertise it! I.e. press releases, community events, supporting something and advertising it, AdWords, MSN Ads, Overture Ads. You get the picture, right? You can’t and won’t make money from nothing, you need to invest in it!

Step Three is use some quality money generating advertising programs!

I am going to shortly release a paid book on monetizing your blog, optimizing your blog, and making your blog goog-a-licious!

For more info contact me!


How to know when your blog is special?

Blog

You’ll know your blog is special when you get stupid comment spam!

Comment spam is annoying, and when someone spends the time to try to figure out how to get past your link and comment spam blockers you know you’ve made it!

I am projecting every link leaving this blog will be receiving a PR 4-5 within about three months, so I guess the spammers are using the same algorithm as I am!

UNITE AND FIGHT THE POWER!

KILL ALL SPAMMERS!


How to make blog users fall in love with you!

Blog

Well, to make someone appreciate your blog you need to offer incentives and gifts! Be creative offer something like I do

A FREE PROXY!

If you make your users feel wanted like they are a part of a community rather than just an onlooker they will join in and contribute!

Once you have a decent number of users, offer them additional incentives as I do: if you join my blog and your link bait traffic generates revenue, I share it with you on a percentage basis! It is based on tenure, content, and several other factors determined by our contribution widget algorithm!

REMEMBER IF THEY FEEL LOVED THEY WILL SHARE IT WITH YOU!

UNITE AND FIGHT THE POWER!


Breaking News: The blog and social networks are doomed!

Blog

This week, a new variant of the so-called Storm worm was discovered insinuating itself into various blogs, Webmail, and Web-based message forums in an effort to infect even more PCs, a researcher at security firm Secure Computing said.

Principal research scientist Dmitri Alperovitch said on Monday that the worm, known as the ‘Small.DAM’ Trojan, which first swept into the U.S. in mid-January after ravaging Europe, is using a unique new approach to further spread itself into PCs. While the initial infection is still carried out through e-mail, by offering up a link that, when clicked on, downloads a series of malware components onto a given computer, once on that computer it is able to further inject itself into the network stack as a rootkit.

After doing so, the Storm Worm can analyze all outbound Web traffic, according to Alperovitch.

Alperovitch says that when someone with an infected PC sends a message with Hotmail, Gmail, or Yahoo! Mail, or posts a message to an online forum or blog, the Trojan is actually able to add text to the entry or message.

The Storm Worm will append a ‘Have you seen this?’ link along with another link to what appears to be a video, according to Secure Computing. If anyone proceeds to click on that link, their computer will become infected.

Alperovitch said that Secure Computing has seen examples of the worm’s bogus postings on messages forums, including one for Men’s Health, as well as in thousands of blog entries.

The best way users can protect themselves is still to refrain from clicking on such links, Alperovitch said.

At last count, thousands of computers, most in private use, had been affected in the U.S., and although most users will not notice the Trojan, many antivirus companies, including Authentium, BitDefender, ClamAV, eSafe, F-Prot, Kaspersky, Norman, Sophos, and VirusBuster, have been able to successfully detect the worm.

From: ExtremeTech
