WordPress Blog Hacking – How to secure your blog and website
Blogging is a very good way to make money online. For some people, making money through blogging is enough to make a living; I am an example of this. But what happens if that source of income is suddenly destroyed? What happens if a building that has been your major source of income is suddenly gutted by fire? You know it is a terrible experience.
If you make money through blogging on the WordPress platform, you should take security steps to ensure that your WordPress blog cannot be taken over by internet thieves. You may never have been hacked, but you should never wait until you are a victim before taking the necessary actions.
Website hackers steal website information and destroy the site's data, making not only the hacked website useless but, in some cases, the entire server and all the other websites hosted on it!
Here are 13 ways of securing a WordPress blog against hacking:
1) Hide your plugins folder
If directory browsing is enabled, anybody can list the contents of your blog folders containing themes, uploads and plugins. This is a good opportunity for hackers to gain a foothold on your blog and your entire server. Your WordPress plugins are located in http://domainname.com/wp-content/plugins. Hiding the plugins folder is very easy. There are two ways to do it.
a. Using the .htaccess file. This method disables directory browsing for the folders holding your site's sensitive files. In your FTP client, locate the .htaccess file, right-click it and open it with Notepad. Then add this line:
Options -Indexes
In some cases you may not be able to see the .htaccess file, because it is a hidden file; this depends on the FTP client you use. In FileZilla, go to Server and click Force showing hidden files.
b. cPanel – Directory browsing can also be turned off through cPanel, which is very easy if you do not want to handle .htaccess files yourself. cPanel shows all your website's files and folders in its “Index Manager”; when you turn off indexing for a folder there, the server automatically creates the necessary .htaccess entry for you. Some people find cPanel's tree display easier.
Some web hosting companies do not have appropriate security measures to prevent hackers from gaining entry into website files. To see how your hosting company has compiled and configured PHP, simply create a phpinfo.php file (the steps are at the end of this article). This file displays the PHP build and configuration and gives you a lot of information about possible security loopholes. When you have finished your investigation, make sure you delete the phpinfo.php file so that unauthorized people cannot view it. Many of these settings can be changed through the .htaccess and php.ini files.
2) Define user privileges for your multiple-author blog
If your blog's content is contributed by multiple authors, you need to limit the access rights, or privileges, of each author. To make administration easier, install the User Access Manager plugin. It lets you manage access to blog posts, pages and files. To use it, create a user group, add registered users to it and set up the access rights for the group. The post or page will then be accessible and writable only by the specified group.
3) Always upgrade WordPress and plugin versions to the latest ones
Make sure your version of WordPress is the latest. New versions fix the bugs and security issues of the previous ones. This also applies to plugins. Upgrading everything at once can be difficult if you have multiple niche blogs: how can you upgrade 100 niche blogs at once? This is a disadvantage of maintaining multiple blogs. In my own case, I do not just install plugins. I make sure that the ones I install are ones I really need to make the site earn money, not just fancy plugins. I don't install plugins because everyone else is installing them. This makes it easier for me to plan and upgrade all of my WordPress versions and plugins in no time.
4) Do security scans regularly
On a regular basis, run a security scan of your blogs. A security scan reveals whether all your website files have the correct CHMOD permissions. A good plugin for this is the wp-security-scan plugin. It also proposes the correct ways to fix the security loopholes it finds in any file or folder.
5) Use Secret Keys in the wp-config file
Hackers are getting wiser every day. They keep creating new ways of hacking websites after each new version of WordPress is released to fix the security vulnerabilities of the previous one. Hence, you need to use security keys in order to put your site under tight security.
Secret keys are very good because they make a blog much harder to hack. Secret keys make access to a blog harder to crack by adding random elements to the password. A secret key is a password with elements that make it too hard for an attacker to generate enough guesses to break through your security barriers.
Security keys are single-line definitions in your WordPress configuration file, wp-config.php. If you don't know what the wp-config.php file is, it is the file that stores the name, address and password of the database that the blog needs to function. The file also stores user details and blog posts. It is in fact the engine that keeps a WordPress blog running.
6) Encrypt your login
WordPress has some security weaknesses. One of them is that whenever you log in to your blog, your password is not encrypted. This flaw is more serious on a public network, where a hacker can easily capture your login information with login-harvesting scripts. Encrypting a WordPress login is done with SSL or another secure protocol. The problem is that most people don't have the technical skills to set this up. If you are one of them, use the Chap Secure Plugin. The only problem I have noticed with this plugin is that it can give errors even when you have set the parameters correctly.
7) Prevent brute force attack
A brute force attack is when a hacker tries all possible keys against encrypted data until the correct key is found. There are many ways of doing this. A script can be written to send automated requests to the system, seeking entry to your server with different keys; if a key does not gain entry, another one is automatically generated. This technique has also been used for hacking Twitter accounts. To stop brute force attacks, install the AskApache Password Protect plugin. It is designed to stop automated attempts to exploit your blog's vulnerabilities. Another one is the Login LockDown plugin, which limits the number of login attempts from a given IP range within a certain time period. Once a certain number of failed login attempts is reached, the plugin automatically disables the login function for all requests from that IP range.
8) Use a strong password
Don't just use any word as a password. Don't use dictionary words, birthdays, the names of your spouse or children, etc. Use a combination of digits, upper- and lower-case letters and special characters that will not be easily remembered by anyone, including you. Write the password down and keep it in your home. Do not store passwords on your computer. Use a minimum of 8 characters for your password.
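As an added example (not the plugin's own code), here is the lockout logic that Login LockDown is described as applying, written in Python: failed logins are counted per IP range inside a sliding time window, and every request from that range is refused once the limit is reached. The thresholds and the /24 range size are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Thresholds are assumptions for this example, not Login LockDown's defaults.
MAX_FAILURES = 3        # failed attempts tolerated inside the window
WINDOW_SECONDS = 300    # width of the sliding window, in seconds
LOCKOUT_SECONDS = 3600  # how long a range stays blocked once it trips
RANGE_PREFIX = 24       # failures are counted per /24 network, not per host


class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(list)  # network -> timestamps of failures
        self.locked_until = {}             # network -> time the lock expires

    @staticmethod
    def ip_range(ip):
        # Collapse the client address to its network, e.g. 203.0.113.0/24.
        return str(ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))

    def is_locked(self, ip, now):
        rng = self.ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget the range and start counting afresh.
            del self.locked_until[rng]
            self.failures.pop(rng, None)
            return False
        return True

    def allow_login_attempt(self, ip, now):
        """Gate to check before the submitted password is even looked at."""
        return not self.is_locked(ip, now)

    def record_failure(self, ip, now):
        """Record one failed login; return True if the range is now locked."""
        rng = self.ip_range(ip)
        if self.is_locked(ip, now):
            return True
        # Drop failures that fell out of the sliding window, then add this one.
        recent = [t for t in self.failures[rng] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT_SECONDS
            return True
        return False
```

Blocking by range rather than by single address is what stops an attacker who rotates through neighbouring addresses; the cost is that legitimate users sharing that range are locked out too, which is why the lockout expires.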
9) Protect the wp-admin folder
The wp-admin folder is where the main information directing how your blog functions is kept. Most hackers enter through this folder before gaining access to other files on the server. Use the WP Scan plugin to scan all your blog files regularly and determine which ones are vulnerable. The plugin reveals whether some files do not have the correct CHMOD permissions. You can also use AskApache Password Protect, which lets you password-protect the directory and give access only to authorized people.
10) Remove WordPress version information
Each WordPress version has its own security weaknesses. Hackers use the WordPress version of a blog to quickly choose and launch attacks and bring the blog down in minutes. Therefore, prevent your blog's version from being displayed. If you use generic WordPress themes for your blogs, make sure they do not display your WordPress version.
To remove the WordPress version info, log in to your WordPress dashboard and go to Appearance -> Editor. Click the header.php tab to display the file's code. Press Ctrl+F on your keyboard and search for this line:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Delete the entire line and click Update File.
11) Do not use “admin” login name
WordPress 3.0+ allows you to choose your own username; previous versions of WordPress always created “admin” as the username. Using a login name other than “admin” makes it harder for hackers to guess your login information with automated tools.
12) Backup the wordpress database
Even after taking all the necessary security steps, you still need to back up your WordPress database regularly. This is because anything can happen at any time, and what you thought was secure might not be. The WordPress EZ Backup plugin lets you create backup archives of your entire site (not just the WordPress installation). It can also back up any MySQL database. Another plugin is wp-db-backup, which does a complete backup of your core WordPress database tables and the other tables in the same database. You can also schedule the backup so that the plugin runs it automatically at your chosen interval.
Most backup plugins have not yet been marked compatible with the current WordPress version, 3.0.1, but they still work with it.
13) Don’t download plugins from just anywhere
Plugins are what make the WordPress blogging platform so robust. With plugins, you give your blog the flexibility to fit any internet marketing situation. This is why it is much easier to make money with WordPress blogs than with any other blogging platform or with static HTML websites.
However, there are security risks in using plugins. Plugins can contain malicious code that stores your site information and relays it back to the plugin author. This is why you should not just download and install any plugin you find. Do not install plugins unless they are really necessary for the smooth running or survival of your blog in the niche market you are targeting.
HOW AND WHERE TO CREATE A PHPINFO.PHP FILE
The information will only be displayed if your server supports PHP. The phpinfo.php file shows how the server's PHP is configured. Creating the file is very easy; just follow these simple steps:
The only requirement for this to work on your web pages is that your hosting includes PHP. If you don't have PHP, you can sign up with www.webune.com for a PHP plan. If you have PHP, continue on...
STEP 1: Open a text editor such as Notepad.
STEP 2: Copy and paste the following code into the blank document:
<?php
phpinfo();
?>
STEP 3: Save the file as phpinfo.php. The .php extension shows that the file is not an ordinary text file; it tells the server to run the file as PHP and display your server information in your web browser.
STEP 4: Upload the file to your server using an FTP client. You can upload it to any folder in your website, for example www.domainname.com/phpinfo.php
STEP 5: Enter the location of the file from Step 4 in your browser just as you would visit any web page, that is, www.domainname.com/phpinfo.php
STEP 6: Wait for the browser to display your server's entire PHP configuration. These settings are defined in a file called php.ini.
HOW TO GENERATE SECRET KEYS
The secret keys can be generated from www.wordpress.org. It is better to use the current version, 3.0+, in order to fully benefit from secret keys; earlier versions had only 3 layers of secret keys.
To generate secret keys, just search on www.wordpress.org and you will find a link that generates random secret keys automatically. Copy them and paste them into your config file.
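An added example, not WordPress's or this post's own code: a Python check that reads a wp-config.php fragment and reports which security keys are missing, still set to the sample file's placeholder, or too short, plus a generator that produces fresh values locally from the operating system's random source (the official generator on wordpress.org does the same job; this is only a stand-in). The constant names are those WordPress 3.0+ defines; the config fragment is constructed.

```python
import re
import secrets
import string

# The eight constants wp-config.php defines in WordPress 3.0+ (earlier
# releases had fewer) and the placeholder shipped in wp-config-sample.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 64  # length of the values the official generator produces

# Matches define('NAME', 'value'); on a single line.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")


def audit_keys(config_text):
    """Return the key names that are missing, still the placeholder, or too short."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}
    weak = []
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None or value == PLACEHOLDER or len(value) < MIN_LENGTH:
            weak.append(name)
    return weak


def generate_keys(length=MIN_LENGTH):
    """Build fresh define() lines from the OS random generator (secrets)."""
    # Quotes and backslashes are left out so the PHP string literal stays valid.
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.:;|~"
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


# Constructed sample wp-config.php fragment: one key set properly, one left at
# the placeholder, one set to something short, and the other five never added.
SAMPLE_CONFIG = """
define('DB_NAME', 'wp_example');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'mypassword123');
define('LOGGED_IN_KEY',   'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@');
"""
```

Changing the keys invalidates every existing login cookie, so expect to sign in again afterwards.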
TYPICAL MALICIOUS CODE IN PLUGINS AND HOW TO FIND IT
There are many types of malicious code. To check for malicious code, look at the source code of your homepage; in Firefox, click View -> Page Source. Most malicious code is embedded between <iframe>...</iframe> tags. When you see such code there, it is obvious that your WordPress blog is under attack.
If you don't know anything about coding, or would like to confirm that the code is malicious, you can use the Firebug add-on for Firefox. You can also install the Exploit Scanner plugin to scan your plugins and other files for malicious code.
HOW TO KNOW WHETHER A THEME OR PLUGIN CONTAINS CALLBACK FUNCTIONS OR NOT
At first, you really cannot tell whether a theme or plugin contains a callback function. A callback function is designed to work in the background without the victim's knowledge until all personal information has been stolen and the WordPress blog is finally hacked.
In most cases, hacked WordPress blogs have had a callback function installed by the hacker, working in the background for days or weeks before the attacker finally brings the whole site down.
To discover a callback function, log in to your web host's File Manager and open any file with the .php extension. If the file is infected, you will see code like this at the top:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3R
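An added example covering the two sections above (not code from the post): a Python scan that reports injected <iframe> tags in page source and eval(base64_decode(...)) stubs in PHP files, with the line numbers where they occur. The list of hosts you legitimately embed and both sample inputs are constructed for the example.

```python
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# eval( ... base64_decode( with optional /* */ comments in between, the shape
# of the obfuscated stub quoted above.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*(?:/\*.*?\*/\s*)*base64_decode\s*\(", re.IGNORECASE)
SRC_RE = re.compile(r"""src=["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"""display\s*:\s*none|width=["']?0\b|height=["']?0\b""", re.IGNORECASE)
# Hosts whose frames you put on the page yourself; assumed for this example.
KNOWN_HOSTS = {"domainname.com", "www.domainname.com"}


def scan_text(text, label):
    """Return (label, line_number, reason) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if EVAL_B64_RE.search(line):
            findings.append((label, lineno, "eval(base64_decode(...)) stub"))
        for tag in IFRAME_RE.findall(line):
            src = SRC_RE.search(tag)
            host = re.sub(r"^https?://", "", src.group(1), flags=re.I).split("/")[0] if src else ""
            # Flag frames pointing off-site, and any frame styled to be invisible.
            if host not in KNOWN_HOSTS or HIDDEN_RE.search(tag):
                findings.append((label, lineno, f"iframe to {host or 'unknown host'}"))
    return findings


# Constructed samples: a page source with an injected invisible frame, and a
# PHP file carrying a base64 stub (the payload here is just base64 of "sample").
PAGE_SOURCE = """<html><head><title>My blog</title></head>
<body><p>Welcome to my blog</p>
<iframe src="http://attacker.example/t.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

INFECTED_PHP = """<?php /**/ eval(base64_decode("c2FtcGxl")); ?>
<?php get_header(); ?>"""
```

A match is a reason to inspect the file, not proof of compromise; compare it against a clean copy of the theme or plugin before deleting anything.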
Keep it real, keep it safe!!!!
James P Tyler
http://philadelphia-marketing-consultant.com/
