Newsletter

Download this set by subscribing to our freebies newsletter. No crap, no ads, no spam! only quality freebies.





Freebies by: Iconshock, Designshock and Themeshock

Amazing freebies every week in your e-mail, don't miss the next ones with our newsletter, Sign up now.

Tweet about us and say thanks in comments ;)

ThemeShock Premium Wordpress Themes, Freebies and Plugins

Powering WordPress and website security, Most complete guide


guard

One of the biggest problems that web universe faces nowadays, is the lack of security. A lot of really important information is being stolen directly and some other is being taken by viruses and trojans, which get to our computers and start taking personal information, sending those annoying and inconvenient spam messages, or just opening a backdoor and letting attackers enter to our computer to do whatever they want. Actually, even whole domains get hacked these days.
Now, WordPress is currently powering 48 of the top blogs on the Internet. Aside from this, WP is also powering 19% of the entire web. This is what Andrew Nacin, one of the WordPress developers, announced on his twitter account back on july:

“283 million people watch 2,5 millions blogs monthly, 500 thousand posts and 400 thousand comments daily, blogs in 120 languages where the first one is English with 66%, Second is the spanish, with 8,6%, and users as important as TED, NBC and  CNN.” 

Being WordPress such a success, it has besides a legion of loyal followers, a legion of loyal perpetrators always looking for weaknesses to exploit.
All these problems are not unknown to WordPress. This is why in order for you to avoid being harassed here we have some good tools and tips on how to avoid being the next victim, or if you’ve already being infected, will help you fixing your installation.

Understand Security

Basically, security is not about perfectly super protected CMS or systems in general. Something like that might well be impractical, or impossible to find or maintain. Security in most cases can be ensured just by following some simple steps. However, we cover in this post  the simple steps and also Some tips for advanced users, not intending as said before to create a perfectly secure system, but to provide all kind of resources to protect the system. Because in what matters to WordPress security, attacks can and will come from everywhere and you cannot think your blog is immune just because is a little and unimportant blog.
Andre Armeda, ( also known as Dre Armeda: co-founder of sucuri security and founder of CubicTwo. A very well known person in the WordPress world)  says the following about security.

“Security is a really relative term. Can you secure anything to 100%?(…), that’s not going to happen!. The percentage of risk can never be 0, that’s not going to happen!”

First Steps to follow

Considering that the security in WordPress involves not only the software but other elements, the following section will talk about network, PC, and other factors external to WordPress.

Check Vulnerabilities on Your Computer


Image provided by Shutterstock
Make sure the computer you use are free of spyware, malware, and virus infections. It doesn’t matter how secure is your server or your WordPress,  It won’t make the slightest difference if there is a keylogger on your computer.

Check Network Vulnerabilities

The network on both ends, the WordPress server side and the client network side should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network.
Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted. Use SSL whenever possible, especially on an unverified connection. Enabling HTTPS is also a good way to ensure that your traffic is secure.

Check your FTP

When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
Using SFTP is the same as FTP, except your password and other data is encrypted as it transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.

Check your Server and/or Web Hosting

You need to make sure that you are running stable and secure versions of the server software. Or make sure you are using a host that take these precautions. It could be that your site is on a shared server, and if other  site in the same server has its security compromised for any reason, yours can be compromised too. Even if you follow everything else on this guide. So ask your web host what precautions are taken. If you want to have a secure environment, try not to use free hosting. It becomes necessary to invest some money for your hosting and to make sure that the web host is offering basic security features. Check to ensure that it has good reviews from its users.

The directory trick

To create a web in WordPress in a way where the files are more protected, you can make your installation in a subdirectory with a very particular name. This subfolder won’t ever be seen on the navigation bar, that will give you a little bit more of protection. The index has to be moved to the root of the site, and your access to the admin will be www.your_domain.com/your_directory/wp-admin. The web address configuration  can be done in the WordPress admin, in general settings, where you must place in WordPress address (URL); the address of the directory where you have installed wordpress, and in site address (URL) the address of the index. This is known as the directory trick.

Update your version

It can be hard sometimes to decide to go with the next version of WordPress, because we can be afraid of losing our content, the plugins may stop working and else. It is true that things can go wrong, but it will never be as bad as staying with a vulnerable version of the software. Having in mind that with each update, also come really important security improvements. To have more control over the installation of the update, we can do it manually doing the following:

  • Do a backup of your website, your database and files.
  • Download the new version and decompress it  on your hard disk
  • Upload the new files to replace the old ones except for the themes folder, where every customization we have done is stored

As new WordPress versions are released, the security bugs for previous release become public information. WordPress could have vulnerabilities as result of how the program is written that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc, that could cause bad things to happen. So always update your WordPress to the latest version to make sure that you are protected against any known security bugs.

Don’t Show WordPress Version on Your Blog!

You should not make the WordPress version that you are using visible to others because of what was explained above. The specific WordPress version that you are using can give the attacker an upper hand in finding a way to break in.
Check  your site periodically to ensure that everything looks the way it should. Log into your dashboard(s) and look around, updating any plugins or themes that are out of date. Even if your site is on auto-pilot, it’s important to check on it on a regular basis.

UPDATE: What site administrators have to say about this

Just a few days after the release of this post, surfing on the internet we have found interesting this reddit conversation where some wordpress sites administrators were discussing about the concern of the growing level of what seems to be brute force login attacks from proxies all over the world. Even being able to find sites that were created with the intention of remain  secret. This is certainly something worthy to review since as this post will explain below, sites are also vulnerable to attacks and brute force attacks can be performed by several infected computers. Having in mind that an infected PC turns into a potential attacker if not a real one. These administrators offered nice solutions, and we can get from that conversation, the importance of applying capcha to the login process to make things hard for bots. Specially this post wants to offer to you the list of advices suggested by the administrator of  600 sites based on its experience dealing all the time with this kind of issues. These advices are pretty self explanatory, however, we will try to get in details on some of them

  • DO NOT use plugins to secure WP. If you don’t understand how a plugin is securing your site, you shouldn’t use it. Most plugins are just .htaccess editors, anyway: This post recommends below to check not only reviews from users in the WordPress directory, but also the plugin descriptions and rankings on Google. Don’t let the plugin do the job that you can do on your own, if you can edit the .htaccess in a way that is ideal for you, do so instead of letting a plugin do it.
  • Password protect /wp-admin with .htaccess. If you are running a good firewall in the server, 5 incorrect logins to wp-admin are enough to ban the attackers IP address: the wp-admin folder contains all the files that have to do with administration, so we have to compromise it the least possible.  .htaccess file allows to ban ip addresses and domains.
  • Generate unique salt keys. It will make things a bit harder to attackers: This is explained with more details below as a way to avoid brute force attacks.
  • Enforce 20+ character password for author, manager and admin users. NO EXCUSES. Use a password manager instead of typing in the password. BEST PM is LASTPASS: due to distributed attacks which we will discuss below, long and complex passwords are a must for all users. If needed you can use a password manager, LASTPASS is discussed below.
  • Remove bad plugins. If you don’t need it and it is not doing anything more that enabling your lazy habits, remove it: As per what was said above, it is recommendable to use only the necessary plugins to make your WordPress site to run the way it is suppossed to. The less the plugins you have, the easier it will be to deal with updating what is outdated and .htaccess permissions.
  • Prevent template and plugins installations (unless you authorize them) Add this to your wp-config.php file: define(‘DISALLOW_FILE_MODS’,true)
  • Permissions for wp-config.php should be 0644 or 0444 for the paranoid: setting permissions over wp-config file to 644 will disallow others to configure the files in this folder. setting it to 444 will not allow anyone to make configurations over these files.
  • Get a bulletproof .htaccess (the one in HTML5 Boilerplate works pretty well): There are a lot of resources over the internet that can help you to build a good .htaccess file. HTML5 Boilerplate is a front end web development tool that includes an .htaccess file that you may find very useful. We show below some rules to enforce it.
  • Optional: Install ConfigServer eXploit Scanner. This little piece of software is absolutely amazing and keeps an eye for any attempt of uploading a shell, malicious code or virus in your system.
  • Finally. Almost every breach to WP installations happens from exploiting bad plugins. SEO, social networking and performance plugins are specially bad because they need write access to your server. Avoid as much as possible or obtain them only from reputable sources: Again, we strongly recommend not only to check the reviews from users in the directory but also the ones in Google. There is always the possibility of allowing an attacker find sensitive files through advanced search if SEO is not set to index only the appropriate files.

The following are some more technical security issues currently affecting WordPress reported by important sources.

An exploit attack: The TimThumb and Uploadify issue

Most of you should have heard about it, maybe you know the details, but for those who have just heard a brief version, here you’ll have a more clear one. First we must talk about what an exploit is, from Wikipedia: “An exploit (from the verb to exploit, in the meaning of using something to one’s own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial-of-service attack.”
Basically the code from TimThumb was susceptible to an attack of this kind, and it was due to one of its functions, one which allows user to upload images from different sites and at the same time allows them to access freely. The accessed images are located on a cache directory that’s stored on the WordPress root directory, so that Timthumb doesn’t have to reprocess them again. This function is the vulnerability that was exploited, the process required the hacker to upload some files to the server which allow them to access freely to as many resources from the WordPress installation they want to access.
The exact same problem happen with uploadify, as you might deduce by the name, this plugin allows users to upload whatever file they need to their website. When this behavior is not properly controlled, it let hackers attack freely the site by uploading some PHP scripts that permit hackers to access and finally take control of the site and do whatever they want with it.  All of this sounds pretty complex and almost impossible to do for most of people but for a trained person it is a challenge that cannot be missed.
Basically the problem here was not WordPress itself but the plugins. This problem could be overpassed just by keeping your plugins up to date,  also remember that any bug you see should be reported, that way plugin developers could improve that bug before it turns into a vulnerability that hackers could use to attack our site. One can never be careful enough at the time of making plugin installation on our CMS. Danger is everywhere and a lot of plugins can have vulnerabilities despite the author’s good intentions. A good guide you can follow is the popularity. If a plugin is downloaded by a lot of people and it has good reviews, you know you are in the right way.
We must also notice that WordPress has its own security issues, most of them are related to SQL injections.

A big problem: SQL injection


Image provided by Shutterstock
By now the most common problem is that our WordPress installation could have some security holes (depending on the version), holes that can be sealed if we, the users have some knowledge about them. The first hole is SQL injection.  A SQL code that’s introduced without the permission of the web site administrator to ensure the attacker privileges of access to sensible data like usernames and passwords. The attacker could take full control of the database information allowing him to dump all the information from it, or to drop all tables from the database. So, to avoid this kind of problems it is recommended to backup the database as many times as possible, it’ll be even better if you can do that on a daily basis so that in the hypothetical case  you suffer an attack, you can rely on your backup.
To avoid that there are some ways in which your files could be secured, first use your apache service to close all doors, that is to avoid attackers to input some tags, characters and numbers in your URLs, this ensures you that most of the attacks will be repelled quite easily.  For all of you who need to secure yourself with apache here we’ve the code that can go in your .htaccessto ensure that SQL injections won’t pass.

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} ../ [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
 RewriteCond %{QUERY_STRING} http: [NC,OR]
 RewriteCond %{QUERY_STRING} https: [NC,OR]
 RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
 RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|ê|"|;|?|*|=$).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*.* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
 RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
 RewriteRule ^(.*)$ - [F,L] 

However, this will only bypass an amateur attacker, but a professional one will find another security hole that can be used to enter the data. However, most of the common attacks are made by newbies or spammers, most of them using scripts like PHP r57 Shell (a common php file that is always updated in hacking sites to gain access to potentially critic files and processes) or similar. This script gives the attacker some capabilities like downloading and uploading files, creating backdoors, bouncing a connection to avoid being detected and even take control of all the SQL database, so taking out one their tools will greatly reduce their chances to access.

Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in, since it allows code execution. WordPress has a constant to disable editing from Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:

define('DISALLOW_FILE_EDIT', true);

This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks.

The importance of the wp-config.php file

The wp-config.php file is the file that stores all the confidential details of WordPress. This file contains the name, address and password of the MySQL database that stores all of your user info, blog posts and other important content.

Apply Custom Secret Keys or SALT to wp-config.php file

Using a secret key, you can make it even more difficult for someone to gain access to your account.
Salting passwords protects WordPress installations against brute force attacks by appending complex hash strings (these will be random hash strings that will look different on every page refresh). Go to this link, and it will generate the random keys for you and copy the results into this section of your wp-config.php file if you haven’t already set up a secret key
the following video Shows how to remove the wp-config.php file out of the public HTML root folder.

The default user, the Admin account


Image provided by Shutterstock
The biggest security hole of every system is not inside the system but outside of it. It’s the end user. It doesn’t matter if your account password is the most complicated ever created, or if you haven’t shared it with anybody if you have bad practices. Are you sure you haven’t put it somewhere in your PC on an unsafe file? or are you sure you have not been a phishing victim?. Thinking about a big and complicated password that is hard to memorize, it is likely that users will put it on a .txt or .doc file anywhere on their computers, those files could be accessed if we execute a virus file, normally a  Trojan, that will give the hacker full access to our computers, ending up with them having our super secure password.
Having said this, the only place to securely write your password is your head.
Those we could say, are the elegant ways to access our WP admin account, but as you might imagine there are less elegant and subtle ways. They are called brute-force attacks.

This kind of attacks relies on trying as many combinations as possible. This is done using specially designed software and most of times it is done using distributed computing, i.e. it is not just one computer trying the combinations but 100 or even more attacking at the same time, this reduces the time needed to find the password;
But, you are not defenseless to blow away all the chances of a successful brute-force attack. You can implement things like:
a) Install a login limiter: this tool will give a small attempt frame for the attacker because you will limit the number of attempts before disable the account for let’s say an hour, that way the attacker will need way more time to find the password. For WordPress here are three plugins to help you with this issue: Limit Login AttemptsBetter WP Security and Login Security Solution. We’ll review them later on this post.
b) Use strong passwords: strong passwords are just passwords containing numbers, letters and symbols and are longer than the basic 6 letters. Also, put some effort on making this password hard to be related to you or the website. Are you looking for something that eases the process? then you can go to the Strong password generator website. which uses a javascript code to generate a password and show it on screen. The website does not send passwords across the internet. And it gives you also some useful mnemotechnic tips to remember the elements of your password like associating an X with X-ray M with Mike and so on. Or you can use pass-phrases: Something like 50uthC4l1f0rn14 is easy to remember and hard to exploit.

Password Management: there are a lot of tools available that allow you to manage your passwords, in the case you are a person who handles 5, 10, 20 or more passwords, you should consider using a password manager if you are not already. It’s transforming those 5, 10, 20 or more passwords into one.
These are some the password managers that are recommended by wordpress.com:

  • Keepass – Open Source, free to download and use. Available for Windows, Mac and Linux.
  • LastPass – Free service with premium option. Available for all major OSs, browsers and mobile devices.
  • 1Password – Paid download. Available for Windows, Mac and iOS, with support for all major browsers.

You should also take care of your username, because using the default one, (for WordPress is Admin) can make things easier for an attacker. Due to that they don’t need to guess the username, so always change the default username, in fact newer versions of WordPress allow you to change the default admin name to anything you want, if you haven’t changed your username while you were installing WP remember that you can still change it, to do it first login in your account and then create a new account with the new user you want, give it administrator permissions and then delete the admin account, now you are ready to use you newly created one.

Direct access and default URL


Image provided by Shutterstock
Another problem our WordPress sites could have is the direct access to the login page, that makes easy the attacking process, because if your password was stolen the attacker just need to access to your login page and enter the username and password and voila, they’re in. Without the login page URL the things could be a bit harder for him. We could change the login URL using a plugin; and not only the login but also the logout, administration and registration URL can be changed. The plugin that allow you to change the URL where your login page is, is Hide Login, with this plugin you can create a custom login URL either for ease the process of remembering the login URL or to avoid the ease of access of third parties.
Some files from our WordPress could be accessed if they are not secured properly, files like our WP config file could be accessed and modified. We can secure our sensible files by adding some more rules to our .htaccess file, so here they are:

Options All -Indexes
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
 <files license.txt>
 Order allow,deny
 Deny from all
 </files>
 <files install.php>
 Order allow,deny
 Deny from all
 </files>
 <files wp-config.php>
 Order allow,deny
 Deny from all
 </files>
 <files error_log>
 Order allow,deny
 Deny from all
 </files>
 <files fantastico_fileslist.txt>
 Order allow,deny
 Deny from all
 </files>
 <files fantversion.php>
 Order allow,deny
 Deny from all

Default prefix for the database tables


Image provided by Shutterstock
The more information we give to possible attackers, the easier it is for them to success. for instance, the default WordPress tables prefix wp_ is the information we are giving to our attackers, so we should change that prefix to something else, this will allow us to stay “alive” for a longer time than if we don’t. In new WordPress installations we can make that change easily because the installer asks us for a prefix, if you haven’t changed during the installation, there is no problem, you can still do it, to accomplish it you’ve got two options; Doing it manually, this is the longest way and if you are unsure about what you are doing, better to have professional help. The other and maybe recommended option is using a plugin called  Better WP Security, this plugin will allow you not only to change the prefix of the tables but to secure many other WordPress features keeping your site safe.

What to do when infected or hacked?

If you are not sure if your site is infected or not, here is a good tool that will tell you if you are a victim or not, Sucuri SiteCheck, this site will scan your site or any site you want, and will show you your site status. If you are infected there a few things you should do to come back to normality:

  1. first make a backup of the site and the database. Yeah!, it doesn’t matter if it’s hacked. There is still valuable information in there;
  2. Make copies of all the items that are not in your database like referenced images
  3. Download the latest stable WordPress version, also download the plugins you need and remember to do your homework, i.e. see which plugins of those you need have some security holes and see if they were solved in new versions.
  4. Download the templates too, also go over if the template use plugins.
  5. Now that you are up to date, you should delete all files and folders in the WP directory, do it from your FTP or your cPanel
  6. Upload the new files you just downloaded
  7. Run the database upgrade, this will ensure your database structure supports your WordPress
  8. Next thing you should do is to change your password, you don’t want the attacker to come in again.
  9. Now here comes the boring part: you should go all over your posts to repair any damage done to them. Have in mind that not only on your dashboard but in your database you should check them out. To do that you can use this SQL query:
SELECT * FROM wp_posts WHERE post_content LIKE '%<;iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<;noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'

This query will work if you have not modified the table prefix, if you have modified it you should change it on the query. All these steps will make the work; however, a deep revision of the database should be done in order to be completely sure that there aren’t strange elements still in it.

What to do if you are not a technician and you were infected or hacked?:


Image provided by Shutterstock
This is a special section of the post dedicated to people who are not webmasters and probably have  simply purchased a web hosting account, maybe set up WordPress using a one-click install, and started blogging.
Fixing a hacked website is technically speaking, a really hard thing to do.  So, if you are definitely sure that your site has been hacked and you do not have the skills to perform the actions we mention in this post, there are four things you need to do resuming:

  1. regain control of the site: get the passwords back for WordPress, your FTP, your web hosting, database password; change them, this codex post helps you to regain control even if you cannot get into the site. Take the site down!, it is better to have a site down that one that sends spam.
  2. don’t touch anything: at this point is where things need to be backed up or erased and is necessary to know what they are before proceeding. At this point whatever thing you do can destroy vital information if done incorrectly.
  3. hire a technically competent person to fix the site: this is a lot of work that requires special knowledge. Although the  majority of information provided in this post is technical information for you to do it yourself, we know that for some people, there are times when it’s just not possible to follow the steps. Besides, webserver security is a complex subject, with a lot of aspects to it. There is a lot of background knowledge you need to know. so leave it to an expert if necessary. Your site worth it.
  4. prevent: start from zero, follow the tips you are able to follow from this post and take some time to inform yourself on how to prevent future attacks. if necessary again, leave it to a professional.

Fighting r57 scripts and similar

As we discussed earlier in this post, r57 is a PHP script that gives attacker a wide range of capabilities. Although the attacker has these capabilities, these won’t work until the shell is on our web server, so we can avoid it to work by using the following commands.

find /var/www/ -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

This command will look for .PHP files located on your WWW folder. Then, on the found files, the command will look for any mention of r57 not only on the file name, but in the file content. When found, the command will avoid duplicated results to show, so we will only see one results per file scanned. Finally, the command will erase those files permanently and without asking questions.

find /var/www/ -name "*".txt -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

This one does almost the same that the previous one, except that this will look for .TXT files instead of .PHP files. Notice that these codes are Linux terminal codes, so don’t try to use it on Windows or MAC OS, also take care when using the awk rm-rf, as told before it will delete the files without asking you for permission, so as you can see it is very destructive. r57 could be injected, but now you know how to avoid injections and if you were attacked by this script, now you know how to find it and destroy it.

Obscured code? How to prevent being attacked from the shadows


Image provided by Shutterstock
We have mentioned that plugins could be infected and themes too, but we haven’t seen what exactly could affect a theme. Well, now it’s the time to see one of the reasons a theme can be as dangerous as a plugin. Themes can be affected by adding obscured code to it, we as users won’t see any particular change in our theme’s behavior; however, many problems could be happening while we are unaware of this problem. When we actually see the effects of that abnormal behavior it could be too late. First, our site could be redirecting to illegal sites without our concern or our site can be full of tag terms that will sunk our SEO, but this shouldn’t happen if you are aware of these problems.
To search for those problems here it is a plugin called TAC (Theme Authenticity Checker), this plugin will not only check the code looking for suspect or malicious code, but it will detect static links and obscured code. Obscured code is code that is not easily readable, like the code generated with base 64, and most of times probably you won’t see it. And not only infected themes could contain obscured code but also normal themes, normal themes use it to avoid the theme to be modified. Turning back to the plugin, what it will show is just the suspect code and the file where it was found, but as we have mentioned, some of the codes it will find will be encoded. So to be able to see what that code has, here are two tools that could help you decrypt it they are Otto decoder and base64 Decoder.  The final steps are as always user’s choice. So, it’s up to you if you delete the infected files or save it for a later check or any other option you can think of.

Securing yourself from future infections


Image provided by Shutterstock
If you still feel your installation is defenseless here we have some other advices on what you can do to secure yourself a bit more.

  1. Only permit PHP where strictly necessary, that way you avoid attacker to use scripts like r57 or c99, both written on PHP.
  2. Ensure that your web server does not allow clients to modify the .htacess file, remember this is the file that contains the rules that will avoid your site to be easily attacked with SQL injections.
  3. Not all the attacks are mean to be destructive, some attacks only need your site to flood Internet with spam. So your goal to stop the spamming. If you could achieve this, it won’t matter if the attacker can upload the malware if he can’t use it to flood internet. To ensure this won’t happen there some things we must do.
    1. Implement a firewall that will restrict the mail outbound in the port 25 to just the root and email server id.
    2. To restrict the port you can use ConfigServer Security and Firewall (CSF)
    3. You can use a Software that shows you the vulnerabilities of your site, here we recommend two the first one is ConfigServer eXploit Scanner (CXS) this one will monitor the FTP upload in real time for you and any unauthorized upload will be removed. The other one isBacktrack, Backtrack is not a single tool but a bundle of tools going from vulnerability scanners to computer forensic tools.

Another important thing is to find the shells that created backdoors to our site. We encourage you to check this useful tutorial on How to find backdoor PHP shell scripts on a server. For those who want to get the hands dirty with this, here is a small script in Perl created to find most Trojan shells, it is not mean to be an antivirus but it could help you identify the suspect files, the only thing you should do is copy and paste the script to a file, then save it as an executable file, run the script as a user with read access to the web hosting directories

./the_name_of_the_script [list of directories]

When the script finds something suspicious it will print a line like:

/var/www/malicious/.htaccess: Suspicious(RewriteRule): RewriteRule . /phpinf

Which will name the suspicious file, why it’s suspicious (above found “RewriteRule”), and a fragment of the file showing the pattern.

The .htaccess file is very important too, harden it!

The .htaccess file is the first line of defense against the hackers if you have an Apache server. We have a wide variety of rules that we can apply to it to achieve this goal. Through this post we have been showing rules to be applied on to the .htaccess file. this time, we recap and show you some lines you can apply to it to protect your system from hackers in a better way. Once done, remember to save the changes.

RewriteEngine On
# No access to proc/self/environ
RewriteCond %{QUERY_STRING} proc/self/environ [OR]

# Block any script trying to establish a mosConfig value through an URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# Block any script trying to input encrypted code base_64 through an URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

# Block any script including the tag <script> in the URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

# Block any script trying to establish the PHP GLOBALS variable through an URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]

# Block any script trying to modify a a _REQUEST variable through an URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})

# Send all blocked requests to home with a 403 forbidden error
RewriteRule ^(.*)$ index.php [F,L]

Detect malware on your WordPress files with this Script

#!/usr/bin/perl
 # The above line may need to be changed to point at your version of Perl
 # Very simple web malware detection module.
 # Author: CBL Team
 # Version 0.02
 # Change history:
 # .01->.02: search 100 lines, add socket to scriptpat (2011/11/25)
 # List of access-control files to check
 my $access = '(.htaccess)';
 # Patterns to look for in access-control files
 my $accesspat = '(RewriteRule)';
 my $MAXLINES = 100;
 # List of files to check
 my $scripts = '.(php|pl|cgi)$';
 # Patterns to look for
 my $scriptpat = '(socket|r57|c99|web shell|passthru|shell_exec|phpinfo|base64_decode|edoced_46esab|PHPShell)';
 for my $dir (<a href="http://twitter.com/#!/@ARGV">@ARGV</a>) {
 &recursion($dir, $access, $accesspat);
 &recursion($dir, $scripts, $scriptpat);
 }
 sub recursion {
 my ($dir, $filepat, $patterns) = <a href="http://twitter.com/#!/@_">@_</a>;
 my (<a href="http://twitter.com/#!/@list">@list</a>);
 opendir(I, "$dir") || die "Can't open $dir: $!";
 <a href="http://twitter.com/#!/@list">@list</a> = readdir(I);
 closedir(I);
 for my $file (<a href="http://twitter.com/#!/@list">@list</a>) {
 next if $file =~ /^..?$/; # skip . and ..
 my $currentfile = "$dir/$file";
 if (-d $currentfile) {
 &recursion($currentfile, $filepat, $patterns);
 } elsif ($currentfile =~ /$filepat/) {
 #print $currentfile, "n";
 open(I, "<$currentfile") || next;
 my $linecount = 1;
 while(<em>) { chomp; if ($_ =~ /$patterns/) { my $pat = $1; my $string = $_; if ($string =~ /^(.*)$pat(.*)$/) { $string = substr($1, length($1)-10, 10) . $pat . substr($2, 0, 10); } #$string =~ s/^.*(.{,10}$pat.{,10}).*$/... $1 .../; print "$currentfile: Suspicious($pat): $stringn"; last; } last if $linecount++ > $MAXLINES; } close(I); #print $currentfile, "n"; } } }</em>

There is an excellent tutorial with additional information to protect your site. It can be found here.  And remember that the first defense line is the antivirus you have on your computer, even if it has a Linux distribution installed. that could save you tons of time and even your save site from being infected.

Check this cool infographic

The Tools needed to secure your WordPress installation

We have talked about some useful plugins that will allow us to secure our WordPress installation, now we’re going to take a closer look at them. An important tip we can give you now is to review every single plugin you install to make sure you are getting a plugin that do its job adequately, Its always good check reviews from users to make an idea of what you are getting.

BackWPup: Do more than backing up your site


The BackWPup is an useful plugin that has received very good reviews from the majority of its users. It allows not only to do a backup of your database, but also to optimize it and repair it, and regards the backup, you have a lot of options, like saving your database in cloud services as Google storage, Microsoft Azure, Dropbox, RackSpaceCloud etc; as well as saving it into your FTP server, as a zip file and some other useful options. Full features here

Sucuri Security: A free 5 stars malware scanner


This Plugin can do several important security tasks such as  check for malware, spam, blacklisting and other security issues like .htaccess redirects, hidden eval code, etc. and its for free. Is currently one of the most used ones.  Why? because it is as simple to use and install  as

  1. Downloading the plugin.
  2. Go to the WordPress Plugin menu and activate it.
  3. Use the 1-click hardening

The reviews that users make to this plugin speak about its excellent quality. This is a plugin that you cannot miss out. Full features here

Cloudflare: The anti-spam plugin


CloudFlare is basically a plugin that allows your WordPress site to run into the CloudFlare platform. This way you will be able to protect it from hackers and spammers. It reduces greatly the amount of spam via comments and contact forms. So if this is one of your biggest problems, you may want to pay attention to this plugin and of course, the Cloudflare platform for which you will need an account. Don’t worry, it should not take more than 5 minutes to create one. Full features here.

Better WP Security


Better WP Security allows user to control many things from their WordPress installation such as modifying the default table prefixes, changing the default admin account name, these modifications let users obscure the sensible data, so attackers cannot see it easily. Some features listed below as seen in WordPress.org plugin directory regarding the obscure options.
Obscuring your data to avoid easy access

  • Remove the meta “Generator” tag
  • Change the URLs for WordPress dashboard including login, admin, and more
  • Completely turn off the ability to login for a given time period (away mode)
  • Remove theme, plugin, and core update notifications from users who do not have permission to update them

After obscuring your sensible files and data you must secure it, therefore Better WP Security offers some other options regarding the protection of those and other elements. Again, here are the features that fall to protection in the WordPress.org, plugin directory.

  • Scan your site to instantly tell where vulnerabilities are and fix them in seconds
  • Ban troublesome bots and other hosts
  • Ban troublesome user agents
  • Prevent brute force attacks by banning hosts and users with too many invalid login attempts

Full Features here
Better WP Security not only protects your WP when you make scans, but it also offers you constant monitoring, like most Antivirus do, so it will provide you info regarding bots that try to attack or that are looking for vulnerabilities on your site. Also tells you if there are changes done inadvertently. At the same time, Better WP Security makes backup copies of the database, so in the worst situation you will have a copy to save you out.

Wordfence Security


Like Better WP Security, Wordfence Security is a plugin that will allow you to keep your WordPress as safe as possible, giving you options like real time traffic supervision letting you to discriminate between IPs, users and many other options. As the previous tool, this one allows user to obscure their WordPress data avoiding information that could be used against our WordPress security to appear, things like our WordPress version, administrator failed login errors. This tool also offers options for scanning our WordPress installation comparing our files against the official files giving us alerts when something different has been encountered, comments can be scanned too, avoiding us to host malware or phishing links. Some other options like Theme and plugin scanning are payment only, but for $17.95 a year your site could be completely safe. Listed below are some of the plugin’s features, taken form the WordPress’ plugin repository.

  • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
  • WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
  • Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
  • Premium users can also block countries and schedule scans for specific times and a higher frequency.
  • See how files have changed. Optionally repair changed files that are security threats. More features here

Limit Login Attempts


Limit login attempts lets users to limit the number of attempts a user or software can do, i.e. if someone tries, let’s say 10 times, and fail to enter the correct username and password, the plugin will restrict the access to that person for any given time. Here are the features taken from WordPress.org, plugin directory.

  • Limit the number of retry attempts when logging in (for each IP). Fully customizable.
  • Limit the number of attempts to log in using auth cookies in same way.
  • Informs user about remaining retries or lockout time on login page.
  • Optional logging, optional email notification.
  • Handles server behind reverse proxy.
  • It is possible to whitelist IPs using a filter. But you probably shouldn’t. Full features here

Login Security Solution


In a similar way Limit Login Attempts does, login security solution allows the user not only to restrict the access but also allows things like IP tracking, forced breached accounts log out forcing the breached user to use the reset password utility. The next are some features as seen on WordPress.org, plugin directory.

  • Tracks IP addresses, usernames, and passwords
  • Monitors logins made by form submissions and auth cookies
  • If a login failure uses data matching a past failure, the plugin slows down response times. The more failures, the longer the delay. This limits attackers ability to effectively probe your site, so they’ll give up and go find an easier target.
  • If an account seems breached, the “user” is immediately logged out and forced to use WordPress’ password reset utility. This prevents any damage from being done and verifies the user’s identity. But if the user is coming in from an IP address they have used in the past, an email is sent to the user making sure it was them logging in. All without intervention by an administrator.
  • Can notify the administrator of attacks and breaches
  • Supports IPv6. Full features here

WP-DBManager: The ideal plugin to manage your database


To make the security backups of your WordPress installations, you can use the WP-DBManager. This plugin allows you to do automatic backups with the frequency that you choose and send them to your email. Which makes, by the way, that your database is out of the server, protecting you from losing it  due to errors from the same server. It also allows you to optimize or repair the database. Full  features here

WordPress Firewall: A stop to most obvious attacks

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure.
This plugin whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night. Full features here

Some useful videos to recap and complement

For those looking a very fast and effective way to harden their WordPress  and for those who learn better watching how to do, the following video shows how to harden your WordPress using four of the plugins and telling you some of the tips we have already mentioned. a very good and easy to follow tutorial.

Here is another video with Dre Armeda and Brad Williams. These two are brilliant minds exposing the basics for WordPress user security.

So as you can see, some of these are WordPress related issues, and some others are derived from administrator’s bad practices. For quite some time we’ve been checking the WordPress security best practices from several sources that we thank for making their info available, some of them are condensed in this article. We hope you can implement some of these on your site, to keep security holes off, and have more time to spend in the actual reason of your site

Comments and suggetiions in here




Commenting is the best way to say thanks :)

99 people showed their love and said thanks, will you?

*

  1. MikeJ - November 21st

    Thanks for great tips. I’ve never tought about password strenght until my wp site was hacked few years ago. I like to create password from a memorable phrase and break it down to special symbols, numerals and upper-lowecases and as you mentioned, it’s important to store the passwords away from curious eyes (txt, doc etc). Also, regular password changing might help.

    For a strong password i like to use http://www.keyspinner.com generator.
    Cheers :)

  2. Cloudflare it’s great plugin. Thank you article :).

    • ThemeShock - October 1st

      You are welcome, glad you took the time to check this article!

  3. You said not to use plugins to secure WP, but Better WP Security and Wordfence are very popular and effective tools to secure WP.  They automate many of the tactics you discuss.   I particularly like changing the WP login screen from mydomain.com/wp-admin to anything I want, such as mydomain.com/chocolate-admin.  Anyone trying to use wp-admin to hack into my site is automatically redirected to a 404 screen.

    • ThemeShock - April 29th

      Greg, thanks for your comment, we recommend not to use plugins if you don’t fully understand what they do, and let an expert to decide which is the best solution, in our case, we are not using any security plugins, all security changes were adaptade server side for an expert, instead, in case you wnat to install something, we highly recommend ConfigServer products, we use them and they are simply great, they also offer support and custom installation services. (we don;t have any commercial relationship with them, we recommend them only becouse of its quality)

  4. I always update my WP and plugins, since patch are always helpful and welcome. Also delete the plugins or themes that you are not using to avoid injection. Thanks for the article!

    • ThemeShock - April 10th

      Thanks for your feedback, Mike! Stay tuned for upcoming posts.

  5. wtf - January 22nd

    Not sure what is wrong with your blog. There is no content to this article. Is there a problem with your site or is this article only about 20 lines? I checked it with multiple browser, but only see the top of the article.

  6. A bunch of copy paste from around the internet, not impressed.

  7. A work mate referred me to your site. Thnx for the information.

  8. Alex - January 13th

    Thanks for the great article!

  9. Very good write-up. I certainly love this website. Continue the good work!

  10. You suggest changing the admin name, and yet, from the comments replied to, it appears you’re still using the default “admin” name? What gives?

    • ThemeShock - January 14th

      carl, we actually changed it but was showing the old one, now updated. thanks ;)

  11. Best article I read some time. Appreciate the effort. I will be practicing what you preach.

    Would like to use your article on my blog with referance to your site if that is OK.

  12. Pretty good article and I learned very much from it.

    Very well written!

  13. Great article covering all the basics and adding some new information and security techniques.

    Suggest users review plugins before installing them. For example Hide Login’s support forum indicates many users have had issues that have gone unresolved for as long as two months:

    http://wordpress.org/support/plugin/hide-login

    • admin - January 10th

      Flash, thanks for your comment, well, we checked and the plugin is working, it might have some issues, if you can proppose a similar plugin would be great.

  14. Great! Thanks a lot for this huge security documentation!

    First time I saw all this security related things all together and also read a lot I didn’t know before!

    Best security article i ever read!

  15. Windows User - January 9th

    What about CloudFlare?

    • admin - January 10th

      yes, we will include them, sucuri and cloudflare are great.

  16. Powering WordPress and website security, Most complete guide http://t.co/4SDI9RKkEQ via @themeshock

  17. Marc Punch says:

    Hi…

    [...]surely pick up some valuable suggestions as well as guidance the following to implement to create[...]…

  18. Homepage says:

    … [Trackback]…

    [...] There you will find 44939 more Infos: themeshock.com/wordpress-security/ [...]…

  19. Powering #WordPress and Website Security : http://t.co/uJDT0DxL1G

  20. Powering WordPress and website security, Most complete guide http://t.co/jU36dCxnZq RT @Frugalfigure

  21. Powering WordPress and website security, Most complete guide http://t.co/wANsYeaw

  22. WordPress and website #security — A complete guide http://t.co/PpW7UsSH

  23. Powering WordPress and website security, Most complete guide http://t.co/QIAswyfK RT @Frugalfigure