Make WordPress More Secure

August 10, 2010

Recently there have been several injection exploit attacks on WordPress sites hosted with specific hosting companies. GoDaddy, Network Solutions, and most recently Media Temple hosted sites were targeted for the attacks.

The one I just dealt with on this blog (and 23 of my own and client blogs) was called JohnnyA. It inserted a piece of JavaScript that redirected my site to a spam site, then spread PHP files through the site like fwrite.php, fclose.php and eregi.php, and modified several others including index.php. It created new users with admin permissions on some of the affected blogs. Once we got in there, it turned out there was more than one type of JavaScript inserted, so find-and-replace caught only some of them initially. And of course this happened less than an hour after we’d launched our new WordPress Classes! Yucko. (We shut the offer down; it will be re-released soon, I promise!)

Cleaning all this up requires knowing what to look for and finding it file by file, including every record in the database. A hugely daunting task when you manage as many WordPress installs as we do. Even though we’d taken a lot of precautions, we still got sucked in. I signed up for service with Sucuri, a security consulting firm that scans and restores sites that have been attacked with malware. I spent all weekend working with it. The team at Sucuri went above and beyond to get me the information and tools I needed to get up and running quickly, and their support team was helpful and responsive even outside of their posted support hours.
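What "knowing what to look for" comes down to in practice is a handful of patterns. The script below is an added example written for this post (it is not the post's own tooling and not Sucuri's): a read-only scanner that walks a WordPress tree and flags files whose names match the dropped files named above, PHP files carrying the usual obfuscated eval/base64 payload, and HTML/PHP/JS files that load a script from a host other than your own. The sample files it creates in a temp directory, the hostname example.com and the script host example.invalid are constructed for the demo.

```php
<?php
// Added example (not from the original post): a read-only injection scanner.
// It reports, it does not delete; restoring clean files is still a manual job.

// File names the post says the JohnnyA injection dropped.
const SUSPICIOUS_NAMES = ['fwrite.php', 'fclose.php', 'eregi.php'];

// Patterns typical of injected PHP payloads (case-insensitive).
const PHP_PAYLOAD_PATTERNS = [
    '/eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(/i',
    '/preg_replace\s*\([^,]*\/e[\'"]/i',   // the /e modifier executes the replacement
];

// True when the content loads a <script src=...> from a host other than $ownHost.
function loadsForeignScript(string $content, string $ownHost): bool {
    $re = '/<script[^>]+src\s*=\s*["\']?(https?:)?\/\/([^\/"\'\s>]+)/i';
    if (!preg_match_all($re, $content, $m)) {
        return false;
    }
    foreach ($m[2] as $host) {
        if (strcasecmp($host, $ownHost) !== 0) {
            return true;
        }
    }
    return false;
}

// Content checks; also usable on post_content rows pulled from the database.
function scanContent(string $content, string $ownHost): array {
    $hits = [];
    foreach (PHP_PAYLOAD_PATTERNS as $pattern) {
        if (preg_match($pattern, $content)) { $hits[] = 'obfuscated-php'; break; }
    }
    if (loadsForeignScript($content, $ownHost)) { $hits[] = 'foreign-script'; }
    return $hits;
}

// Walk the tree and collect path => [reasons].
function scanTree(string $root, string $ownHost): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        if (!$file->isFile() || $file->getSize() > 2000000) continue;
        $path = $file->getPathname();
        $reasons = [];
        if (in_array(strtolower($file->getFilename()), SUSPICIOUS_NAMES, true)) {
            $reasons[] = 'suspicious-name';
        }
        if (in_array(strtolower($file->getExtension()), ['php', 'html', 'htm', 'js'], true)) {
            $reasons = array_merge($reasons, scanContent(file_get_contents($path), $ownHost));
        }
        if ($reasons) $findings[$path] = $reasons;
    }
    return $findings;
}

// Demo on constructed sample files in a temp directory.
$root = sys_get_temp_dir() . '/wpscan-demo-' . getmypid();
mkdir("$root/wp-content/uploads", 0700, true);
file_put_contents("$root/index.php", "<?php\n/** WordPress front controller */\nrequire 'wp-blog-header.php';\n");
file_put_contents("$root/wp-content/uploads/fwrite.php", "<?php eval(base64_decode('...constructed...'));");
file_put_contents("$root/wp-content/footer.html", '<script src="http://example.invalid/r.js"></script>');

foreach (scanTree($root, 'example.com') as $path => $reasons) {
    echo substr($path, strlen($root)), ': ', implode(', ', $reasons), "\n";
}

// Remove the demo files again (deepest entries first).
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST);
foreach ($cleanup as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

Run it against a copy of the site root with your real hostname. The same `scanContent()` check can be run over `post_content` and `option_value` rows exported from the database, which is where the second kind of injected JavaScript mentioned above tends to hide.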

After running the scripts they gave me, I spent the rest of the weekend tightening up all of the installs and making them at least a little harder to break into. I know it’s not going to stop a dedicated hacker, but something more random might bounce off, and Sucuri will let me know the minute it happens again so I can deal with it.

Now I have to say that although Media Temple initially sort of threw up their hands and passed the buck to WordPress, when they realized the damage it was going to do to their reputation they stepped up and created a bunch of support docs, and the Media Temple support team made every effort to answer calls. That said, many clients reported 30 minute or longer support queues, which is not at all common on Media Temple.

Bottom line, it could have been any server. Maybe it could have been handled differently, but it IS true that not updating often enough and being a bit sloppy about making your WordPress install secure is asking for trouble.

So, enough griping.
The fact is some of us have been lazy about security and that’s gotta stop now. It took me many hours of stress to resolve this, and a lot of frantic client calls in between. These kinds of things happen, and as WordPress is so popular, PHP-based AND open source, it’s bound to happen again. Should you change blogging platforms? Probably not. It could happen to any of them. So I’m sharing with you what I did to resolve it, how to know if something happens again, and some steps to take to make WordPress secure. At least a little more secure than a standard install.

Set up an account with Sucuri
At least you’ll know when it happens the next time, and the team at Sucuri will help you solve it before you lose everything.

Update WordPress
Although Media Temple implied that this didn’t happen on up-to-date installs, that’s not true: I had updated several blogs to the most recent version and they still got hit. Still, update frequently. Here’s how to know when to update WordPress.

Admin user name
It used to be the default for the admin username to be “admin”. WAY too easy to guess, and then all they have to do is figure out the password. Set up a new user and give that user admin permissions. Then demote the old admin user to subscriber, or if you haven’t got any posts associated with the admin user, delete it.
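The same steps, done with the WordPress user API instead of clicking through the dashboard. This is an added example for this post, not code from the post or from WordPress; run it once from the site root and remove it afterwards. The new login name and e-mail address are assumptions, pick your own.

```php
<?php
// Added example (not from the original post): replace the default "admin" account.
require_once __DIR__ . '/wp-load.php';                 // bootstrap WordPress
require_once ABSPATH . 'wp-admin/includes/user.php';   // provides wp_delete_user()

$new_login = 'site-owner-k3';       // assumption: any name that is not "admin"
$new_email = 'owner@example.com';   // assumption
$old_login = 'admin';

if (username_exists($new_login)) {
    exit("$new_login already exists, pick another name\n");
}

// 1. Create the replacement account with a long random password and admin rights.
$password = wp_generate_password(24, true, true);
$new_id   = wp_create_user($new_login, $password, $new_email);
if (is_wp_error($new_id)) {
    exit('could not create user: ' . $new_id->get_error_message() . "\n");
}
(new WP_User($new_id))->set_role('administrator');

// 2. Demote the old admin if it owns posts; otherwise delete it and hand
//    anything it still owns to the new account.
$old = get_user_by('login', $old_login);
if ($old === false) {
    echo "no user named $old_login, nothing to demote\n";
} elseif ((int) count_user_posts($old->ID) > 0) {
    $old->set_role('subscriber');    // authorship stays intact, privileges are gone
    echo "$old_login demoted to subscriber\n";
} else {
    wp_delete_user($old->ID, $new_id);
    echo "$old_login deleted\n";
}

echo "created $new_login; log in and change this password: $password\n";
```

Keeping the old account as a subscriber, rather than deleting it, preserves post authorship; that is the only reason to keep it at all.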

Using the default “wp_” prefix on your database tables (“wp_yourdatabase”) is asking for trouble. Many hosts give you the option of choosing a different prefix when you set the database up. Avoid “wp_” at all costs.

Login Lockdown
Doesn’t it make sense that you don’t want an unlimited number of login tries from the same IP address? That’s a common way for a hacker to find your password. This plugin blocks them after a set number of tries.
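What such a plugin does under the hood is small enough to show in full. Below is an added example written for this post, not the Login Lockdown plugin itself: a must-use plugin that counts failed logins per IP address in a transient and refuses further attempts once the count reaches a limit. The limit of 5 failures and the 15-minute window are assumptions; so is the assumption that no reverse proxy sits in front of the site (with one, REMOTE_ADDR is the proxy and the address has to come from the proxy's header instead).

```php
<?php
/*
Plugin Name: Login Lockdown (added example)
Description: Blocks login attempts from an IP after too many failures in a window.
*/
// Added example (not from the original post). Save as wp-content/mu-plugins/login-lockdown.php;
// must-use plugins load automatically.

const LL_MAX_FAILURES = 5;                        // assumption: lock after 5 failures
const LL_WINDOW       = 15 * MINUTE_IN_SECONDS;   // assumption: 15-minute window

// Client address. Assumption: no reverse proxy in front of the site.
function ll_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Transient names must stay short, so hash the address.
function ll_transient_key(string $ip): string {
    return 'll_fail_' . md5($ip);
}

// Count a failed attempt. wp_login_failed fires with the username that was tried.
function ll_record_failure(string $username): void {
    $key   = ll_transient_key(ll_client_ip());
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LL_WINDOW);   // each failure restarts the window
}
add_action('wp_login_failed', 'll_record_failure');

// A successful login clears the counter for that address.
function ll_clear_on_success(string $user_login, WP_User $user): void {
    delete_transient(ll_transient_key(ll_client_ip()));
}
add_action('wp_login', 'll_clear_on_success', 10, 2);

// Refuse the attempt once the address is locked, overriding whatever the
// core username/password check (priority 20 on this filter) decided.
function ll_check_lockout($user, string $username, string $password) {
    $count = (int) get_transient(ll_transient_key(ll_client_ip()));
    if ($count >= LL_MAX_FAILURES) {
        return new WP_Error('ll_locked', sprintf(
            'Too many failed login attempts. Try again in %d minutes.',
            LL_WINDOW / MINUTE_IN_SECONDS));
    }
    return $user;
}
add_filter('authenticate', 'll_check_lockout', 30, 3);
```

Because a refused attempt is itself a failed login, the counter keeps climbing while the attempts continue and the lock only expires after the address has been quiet for the whole window. The counter lives in a transient, so it survives across requests but is lost if the object cache is flushed; for a single small site that is an acceptable trade.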

Secure WordPress Plugin
This plugin removes details that make it easy for a bot to identify a WordPress install. It hides the version number except in the admin area, sets permissions so only the admin is able to update plugins and themes, and does a slew of other things. They also offer a free security scan as well as a paid service on

Windows Live Writer
This is notoriously vulnerable, and so it makes your WordPress install vulnerable too. Learn how to use WordPress and you won’t need it.

Do regular backups of your database and your themes. That way, if you have to restore them, you won’t lose too much. If you’re using Amazon S3 there’s a great plugin to back up directly to Amazon: WP S3 Backups.

Add a robots.txt file so search robots don’t index folders they don’t need to.
Here’s an example:

User-agent: *
Disallow: /spamming/
Disallow: /wp-content/
Disallow: /wp-includes/


  1. Glad you are happy. I canceled; they were a waste of my money.

    It happened 3 times in the last few months. I contacted them last night about 2:00 am, and it wasn’t till late in the afternoon that they contacted me. I do have to say I am really disappointed, because they did do a good job for many years; just of late no help at all.

  2. Interesting, that hasn’t been my experience at all. They’ve given me stellar service on over a dozen accounts. I set them up with their own FTP access and passwords so I know it’s the correct one. (I’d given them the wrong pass more than once!). I’m loving the quality of their work and support.

  3. Sucuri was good at one time, no more. Had them for years; before, they would catch hacks before they created a problem and get right on cleaning it up. Now they miss everything; contact them and it takes 12 hours minimum, sometimes days. I believe that they now claim the info I gave them to get access into my site is always incorrect; I think it is just a ploy to stall you. Seems the last 3 times someone might check things once a day, maybe less. This same routine happened the last 3 times I needed them, like an instant replay. Exact same routine the last 3 times I needed them; heaven forbid you did give them the wrong password or something, you probably have to wait another day! Get on the chat, they say they will escalate it, ha, another line of bull.

    Think Sucuri sucks of late.
