WordPress, the most used content management system and winner of the Open Source Social Networking CMS Award, can be easily hacked. Always make sure you have the latest WordPress version installed on your blog, and try to install WordPress through cPanel: the installer script handles the whole job, so you get a safer install on your domain and won't be missing any permissions or files on your server that hackers could use to get in.
Always make sure the plugins you use are verified by WordPress and available in the WordPress Plugin Database, and avoid plugins made with WordPress plugin generators: these are not fully working, developed or tested, and are just put together by experimenters.
Permissions: while installing a WordPress plugin or theme you may need to change file permissions (some plugins, such as the WordPress anti-spam plugins, need this so that cron jobs can be created and files executed automatically), but set permissions very carefully and don't do a quick job that leaves wrong permissions on important files.
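The permission point above is easy to check mechanically. The following is an added example, not code from the original post or from WordPress itself: it walks an install directory, reports every file or directory whose mode bits are looser than a baseline (directories 755, files 644, wp-config.php 640, all assumed values for a typical shared host), and can tighten them. Entries that are already tighter than the baseline are left alone, and symlinks are skipped so that chmod never follows one outside the tree.

```python
import os
import stat
import tempfile

# Baseline modes, assumed here for a WordPress install on a shared host:
# directories 755, ordinary files 644, wp-config.php 640 (it holds the DB password).
DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE_FILES = {"wp-config.php": 0o640}


def audit_permissions(root):
    """Return (path, actual_mode, expected_mode) for every entry under root whose
    mode has bits set beyond the baseline (e.g. group/other write). Entries that
    are tighter than the baseline are not reported."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~DIR_MODE:
                findings.append((path, mode, DIR_MODE))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            expected = SENSITIVE_FILES.get(name, FILE_MODE)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~expected:
                findings.append((path, mode, expected))
    return findings


def fix_permissions(root):
    """Apply the baseline mode to every reported entry; returns the number changed."""
    changed = 0
    for path, _mode, expected in audit_permissions(root):
        os.chmod(path, expected)
        changed += 1
    return changed


def build_sample_tree():
    """Constructed miniature install in a temp dir with two deliberately loose
    entries: a world-writable uploads directory and a wp-config.php readable by
    every user on the host."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'example-only');\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php require 'wp-blog-header.php';\n")
    os.chmod(os.path.join(root, "index.php"), 0o644)
    return root


def demo():
    """Audit the constructed tree, fix it, audit again: (before, fixed, after)."""
    root = build_sample_tree()
    before = len(audit_permissions(root))
    fixed = fix_permissions(root)
    after = len(audit_permissions(root))
    return before, fixed, after


if __name__ == "__main__":
    root = build_sample_tree()
    for path, mode, expected in audit_permissions(root):
        print(f"{path}: {oct(mode)} (expected {oct(expected)})")
    print("fixed", fix_permissions(root), "entries")
```

Run it against a real install with `audit_permissions("/path/to/wordpress")` first and read the report before calling `fix_permissions`; a plugin that genuinely needs a writable directory should get that one directory opened up, not the whole tree.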
Software version: even though there were many problems in the recent WordPress 2.3 upgrade, you still need to keep your blogs updated to the latest version so your blog stays safe from hackers and you don't run into sudden trouble. Just make sure you take a backup of your blog before upgrading; it helps if your blog turns out to have a problem with the already installed plugins and themes.
Passwords: make sure you have strong passwords for your blog rather than just setting it to john, 123456, 654321, wordpress, myname, etc. FYI, all of these are already in the hackers' databases, and your blog can be easily compromised. Try to set up passwords that combine some local words with some numbers. A strong password is always important, because the more strength you have in your password, the more secure you are.
You can use the Microsoft password checker to test the strength of your passwords. Make sure the password you are planning to use is nowhere used online, because search engines like Google will easily index it. Also try Firefox add-ons like PwdHash, which automatically generates per-site passwords.
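The two password paragraphs above can be turned into a check that a blog owner can run on a candidate password before using it. This is an added example, not code from the post or from WordPress: it rejects anything in a (constructed, deliberately tiny) common-password list or built on top of one, anything containing the account name, and anything too short or with too little estimated entropy. The entropy estimate assumes randomly chosen characters, which is why the dictionary checks sit in front of it; a real deployment would load a large breached-password list in place of the sample set.

```python
import math
import string

# Constructed sample of the kind of passwords the post warns about. A real
# check would load a large breached-password list here instead.
COMMON_PASSWORDS = {
    "john", "123456", "654321", "wordpress", "myname",
    "password", "admin", "qwerty", "letmein",
}


def estimate_entropy_bits(password):
    """Upper-bound entropy estimate: length * log2(size of character pool used).
    Overestimates for dictionary words, so it is only the last of the checks."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(c.isspace() for c in password):
        pool += 1
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def check_password(password, username="", min_length=12, min_bits=50):
    """Return (estimated_bits, [problems]); an empty problem list means accepted.
    min_length and min_bits are assumed policy values, not WordPress defaults."""
    problems = []
    low = password.lower()
    if low in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    else:
        for common in sorted(COMMON_PASSWORDS):
            if common in low:
                problems.append(f"built on the common password '{common}'")
                break
    if username and username.lower() in low:
        problems.append("contains the username")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        problems.append(f"estimated {bits} bits of entropy, below {min_bits}")
    return bits, problems


if __name__ == "__main__":
    for pw, user in [("123456", "john"), ("Wordpress2007", "admin"),
                     ("kettle-Monsoon-47-rail", "john")]:
        bits, problems = check_password(pw, user)
        print(f"{pw!r}: {bits} bits, {problems or 'accepted'}")
```

Note that "Wordpress2007" passes the length and entropy thresholds and is still rejected, because the dictionary check runs first; that ordering is the whole point of keeping a word list next to the arithmetic.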
Avoid logging into your blogs from unsecured computers like Internet cafés or public PCs, because keyloggers might be installed, and use SSL to secure the connection if you can. Make sure your local computer has a good antivirus program that can check all the theme and plugin files you are going to upload. Also keep checking your blog's source code from the frontend for any extra outbound links that may have been added without your knowledge.
If you find any other loopholes or options for securing WordPress blogs, let me know so I can add them here and we can have a better and safer blogging environment.
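Checking the frontend for injected outbound links is tedious by eye, so here is an added example (not code from the post or from WordPress) that does it with the standard library: it parses a page, collects every link, skips links to the blog's own host (and subdomains) or to an allowlist, and reports the rest, flagging those that sit inside a container styled `display:none` or `visibility:hidden`, which is how injected spam links are usually kept out of sight. The sample HTML, the host names and the allowlist are all constructed for the example; point `fetch` at your own blog's URL to use it for real.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: three legitimate links, one hidden spam link, one
# visible spam link in the footer. The .test/.invalid names are placeholders.
SAMPLE_HTML = """<html><body>
<div id="content">
  <p>Welcome to <a href="/about">my blog</a>.</p>
  <p>Theme by <a href="https://wordpress.org/">WordPress</a>.</p>
  <p>See my <a href="http://www.example-blog.test/archive">archive</a>.</p>
</div>
<div style="display: none">
  <a href="http://cheap-pills.invalid/buy">cheap pills</a>
</div>
<footer><a href="http://seo-spam.invalid/">links</a></footer>
</body></html>"""

# Elements whose open/close pairs we track to know whether we are inside a
# hidden block. Void elements (br, img, ...) are never pushed, so they cannot
# unbalance the stack.
CONTAINER_TAGS = {"div", "span", "p", "ul", "ol", "li", "table", "tr", "td",
                  "header", "footer", "nav", "section", "aside"}


class LinkCollector(HTMLParser):
    """Collects (href, inside_hidden_block) for every <a href>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._hidden_stack = []

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return ("display:none" in style or "visibility:hidden" in style
                or "hidden" in attrs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in CONTAINER_TAGS:
            self._hidden_stack.append(self._is_hidden(attrs))
        elif tag == "a" and attrs.get("href"):
            hidden = any(self._hidden_stack) or self._is_hidden(attrs)
            self.links.append((attrs["href"], hidden))

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def find_unexpected_links(html, own_host, allowlist=()):
    """Return (href, host, hidden) for every absolute link whose host is neither
    the blog itself (or a subdomain of it) nor on the allowlist."""
    parser = LinkCollector()
    parser.feed(html)
    own_host = own_host.lower()
    allowed = {h.lower() for h in allowlist}
    findings = []
    for href, hidden in parser.links:
        host = urlparse(href).hostname
        if host is None:                      # relative link, stays on the site
            continue
        host = host.lower()
        if host == own_host or host.endswith("." + own_host) or host in allowed:
            continue
        findings.append((href, host, hidden))
    return findings


def fetch(url):
    """Download a page as text (assumed helper for running this against a live blog)."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


if __name__ == "__main__":
    for href, host, hidden in find_unexpected_links(
            SAMPLE_HTML, "example-blog.test", ["wordpress.org"]):
        print(f"{'HIDDEN ' if hidden else ''}{host}: {href}")
```

Run it on a schedule and diff the output against the previous run; a new host appearing, especially a hidden one, is the signal to compare the theme and plugin files on the server against clean copies.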
CypherHackz says
Nice. But for me, the most important thing when you're dealing with WordPress is to upgrade your version as soon as the new version is released.
Anirban says
Loved the post and would seriously follow the rules to avoid being hacked.
Amit Patel says
@CypherHackz: The password security option is also very important; make sure you check out the password strength tool.
Simon says
What a great article! Nicely done 🙂
The place to fix security is ALWAYS at the application level, but another way to help protect your site is by choosing a web host that runs Suhosin (a hardening patch for PHP) and ModSecurity (an Apache module that protects against common application-level attacks).
But you still need to keep WordPress up to date ;p
Joshua says
Great article there… As for the passwords, don’t use common words. I have written a simple yet powerful password ebook for those who opt-in at my site. Feel free to opt-in with your name and email =)
Vikas Shukla says
How to stop robotic commenting in WordPress?