Blog Security Tutorial

Not long ago, blogs became an alternative way to publish on the Web, instead of hand-crafting pages in HTML. A branch of the well-populated CMS (content management system) tree, blogs offered a kind of personal CMS to people who were not Web professionals but who could install one of the early blog systems, such as WordPress or Movable Type, or have someone else install it for them. Later, things became easier still when sites like Blogger appeared that let people publish a blog without a hosting account or a domain.

Nowadays this trend seems to be fading. It no longer seems that millions of blogs are added each day, as in past years. The idea that everybody would have a blog to air their feelings seems to be vanishing, and blogs are increasingly seen as the communication tool of people who really have something important and interesting to say, and who do not want to bother with, or do not need, a full Web site to say it.

Nevertheless, blogs have attracted the attention of people who are on the Internet to do harm, often (perhaps wrongly) called hackers, who try to break into another person's blog to replace its contents or to carry out some sort of phishing. As you may know, phishing is an illicit activity that consists of faking a legitimate site with the intention of capturing private data such as account numbers and passwords. These activities become more serious as blogs become more important.

Here I present some tips to improve the security of your WordPress blog, assuming that you are either a webmaster or a person who takes blogging seriously but does not have a big company's budget for information technology. I will therefore assume that you know a little about UNIX servers and Web hosting, but I will not present advanced methods that require expert knowledge.

Of course, general good security practices also apply to blog management. The choice of sound passwords is paramount. A good password should have at least eight characters (longer is better), mix digits with upper- and lower-case letters, and should not resemble your name or your dog's. Do not reuse it on other sites, and change it periodically. If, despite all your precautions, an intrusion occurs, a recent backup will be needed to restore normality, so keep backups and check that they actually restore. As when administering any system, the administrative account (called the super-user or root in other contexts) should be used only when necessary; a less-privileged user should be used for day-to-day work such as writing posts. That way a stolen everyday password does not hand over control of the whole blog.

The tips in this article make it harder for a WordPress blog to be hacked. While WordPress is not the only blog system, it is certainly one of the most used, and I expect that many people will benefit from tips that, even if they do not make a blog invulnerable, will certainly lessen the probability of its being compromised.

Many of these tips involve a file called '.htaccess'. This is an ordinary UNIX text file that can be placed in any directory and that holds directives for the Apache Web server. A directory can have at most one file with this name, and there may be as many of them as there are directories. Each file's directives take effect in the directory where the file sits and in its sub-directories, unless a deeper .htaccess overrides them. For example, to protect the 'foo' directory with an .htaccess file, place the file in 'foo'; bear in mind that its effect also propagates to any sub-directories. Create the file with a text editor that can save it with UNIX line endings and upload it with ordinary FTP (or, better, SFTP; see tip 14). Two cautions: .htaccess files only work if the host's Apache configuration permits them (the 'AllowOverride' setting), and a typo in one makes Apache answer every request for that directory with a '500 Internal Server Error', so check the site in a browser right after each change. Note also that the directives shown here use Apache 2.2 syntax; Apache 2.4 replaced 'Order', 'Allow' and 'Deny' with 'Require'.

1. Secure the wp-admin directory

You can secure the wp-admin directory (the favourite target of attackers) in several ways. I will explain them in order of increasing security and complexity. If you always use the same computer to access your blog, and that computer has a static IP address, you can create an .htaccess file in wp-admin stating that the directory can be reached only from that address.

# Replace 19.234.25.1 with your own static IP address.
# (Apache does not accept comments at the end of a directive line,
#  so keep them on lines of their own.)
order deny,allow
deny from all
allow from 19.234.25.1

This method can also be used if you always work from a small set of computers with static IP addresses: simply repeat the 'allow from' line once per address (Apache also accepts a partial address such as '19.234.25' to allow a whole network). The method is useless if your IP address changes constantly, as with most home connections, or if you must access the blog from a different computer each time. Remember also that it only restricts wp-admin: the login form itself, 'wp-login.php', sits in the blog root and is not covered by this file.

The next level of security is to demand a user name and a password each time someone accesses the files in wp-admin. This uses Basic HTTP authentication and is most easily done from the Web hosting control panel, which usually has an option called 'Web Protect' or something similar. People comfortable with UNIX can implement it by hand with an .htaccess file like the following, placed in wp-admin.

AuthType Basic
AuthUserFile /home/user/blogpasswd
AuthName "Wordpress"
Require user validuser

The user name is 'validuser' and its password is stored, hashed (not encrypted), in '/home/user/blogpasswd', where 'user' is your account name on the host. That file is created with the 'htpasswd' utility and must sit outside the document root, so it cannot be downloaded, yet be readable by the Web server process. Several people can be given access by adding each of them to the password file and writing 'Require valid-user' instead of a single user name, at the cost of everyone having to remember a second password, which matters when blog users perform administrative duties. Note that Basic authentication sends the password merely Base64-encoded on every request, so combine it with HTTPS (below) whenever you can.

The final level of protection is to use HTTPS (secure HTTP) for all your administrative chores, so that credentials and session cookies never cross the network in the clear. This requires a site with SSL enabled. You can then force WordPress to use HTTPS for administrative sessions by setting the FORCE_SSL_ADMIN constant to true in 'wp-config.php' (available from WordPress 2.6; see the WordPress documentation).
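Here is an added example, not part of the tutorial, that puts the first two approaches of this tip together in one script: it adds a user to an htpasswd-style file (with openssl, since the htpasswd tool is not always installed on a shell account) and writes a wp-admin/.htaccess that demands a password from everyone but lets listed static addresses in without one, using Apache 2.2's 'Satisfy Any'. It also exempts 'admin-ajax.php', which themes and plug-ins request on behalf of anonymous visitors. The file paths, the addresses and the realm name 'WordPress administration' are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): Basic authentication for wp-admin,
# optionally combined with an IP allow-list.  Apache 2.2 directive syntax,
# as used throughout the tutorial.  All paths and addresses are assumptions.

# Add one user to an htpasswd-style file.  'openssl passwd -stdin' keeps the
# password out of the process list, and -apr1 is the MD5-crypt scheme that
# Apache's own htpasswd tool produces.  Requires the openssl command.
wp_add_admin_user() {
    pwfile=$1; user=$2; pass=$3
    if [ -f "$pwfile" ] && grep -q "^$user:" "$pwfile"; then
        echo "wp_add_admin_user: '$user' already exists in $pwfile" >&2
        return 1
    fi
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$pwfile"
    # The file must live OUTSIDE the document root; httpd (which usually runs
    # as its own account, not yours) still has to read it, hence 644 not 600.
    chmod 644 "$pwfile"
}

# Write <admin_dir>/.htaccess.  Extra arguments are trusted client addresses
# (whole IPv4 addresses or dotted prefixes such as 19.234.25).  When any are
# given, 'Satisfy Any' means a request passes if EITHER its source address is
# listed OR it carries valid Basic-auth credentials.
wp_write_admin_htaccess() {
    admin_dir=$1; pwfile=$2; shift 2
    for ip in "$@"; do
        # Refuse anything but digits and dots: a stray token would otherwise
        # be written into the config and break the whole directory (HTTP 500).
        case "$ip" in
            '' | *[!0-9.]*) echo "wp_write_admin_htaccess: bad address '$ip'" >&2; return 1 ;;
        esac
    done
    {
        echo 'AuthType Basic'
        echo 'AuthName "WordPress administration"'
        echo "AuthUserFile $pwfile"
        echo 'Require valid-user'
        if [ $# -gt 0 ]; then
            echo 'Order Deny,Allow'
            echo 'Deny from all'
            for ip in "$@"; do echo "Allow from $ip"; done
            echo 'Satisfy Any'
        fi
        # admin-ajax.php is called by themes and plug-ins for anonymous
        # visitors (comment forms, widgets); exempt it or those features break.
        echo '<Files admin-ajax.php>'
        echo '    Order Allow,Deny'
        echo '    Allow from all'
        echo '    Satisfy Any'
        echo '</Files>'
    } > "$admin_dir/.htaccess"
}

# Usage (paths are assumptions):
#   wp_add_admin_user /home/user/blogpasswd validuser 'correct horse battery'
#   wp_write_admin_htaccess /home/user/public_html/wp-admin /home/user/blogpasswd 19.234.25.1
```

On Apache 2.4 the host directives become 'Require ip ...' and the exemption 'Require all granted'; everything else is unchanged. With no addresses given, the file simply enforces the password for all of wp-admin except admin-ajax.php.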

2. Prevent the plug-ins you use from being known

The plug-ins you use may have known vulnerabilities that attackers can exploit. To make it harder to find out which plug-ins you are using, place an 'index.html' file in the wp-content/plugins directory; this stops a browser from listing the files in that directory. The same can be done with any directory that you want to keep out of casual browsing, but there is a more practical method (tip 12) when there are several directories to hide. The file need not be empty (of zero length); it may contain anything, for example a page that displays "Access forbidden". Bear in mind that this is only obscurity: a plug-in's files are still reachable by direct URL if someone guesses the name, and many plug-ins reveal themselves anyway through the script and stylesheet URLs they insert into your pages. Keeping plug-ins updated (tip 3) is what actually closes the holes.

3. Keep your WordPress system updated

You can significantly reduce the chance of being hacked by updating WordPress promptly whenever a new version is released. The same goes for plug-ins and themes, and unused ones should be removed rather than left installed but disabled. To keep yourself informed, subscribe to the feed of the WordPress development blog, http://wordpress.org/development/feed.

4. Avoid advertising the version number of your WordPress system

As said about the plug-ins, WordPress itself may have vulnerabilities, and attackers know which ones correspond to each version, so it is better not to announce which version you are running. This is a thin defence, though: the version also appears in the 'readme.html' file shipped in the blog root, which you can delete, and in the '?ver=' query strings that WordPress appends to script and stylesheet URLs; only tip 3 actually removes the risk. With older versions of WordPress it is enough to delete this line from the theme's 'header.php' file.

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

For WordPress 2.5 and above this approach no longer works: the tag is printed by the 'wp_head' action rather than by the theme's header, so the version still appears even if you delete the line. The workaround is to locate the theme you are using in the WordPress directory tree (usually under the 'wp-content/themes' directory) and add the following line to its 'functions.php' file, inside the PHP code that file already contains.

<?php remove_action('wp_head', 'wp_generator'); // stop wp_head() printing the generator meta tag ?>

Alternatively, you may change or blank the version number by editing the global variable '$wp_version'. This is not recommended: it lives in 'wp-includes/version.php', which every update overwrites, and a wrong value can confuse the updater itself. Prefer the 'remove_action' approach.

5. Protect your SQL login information

The WordPress root directory contains important files, including 'wp-config.php', which, among other things, holds your database user name and password, that is, your SQL login information. Normally the server executes this file rather than serving its source, but a misconfigured or failing PHP handler can send it out as plain text. To protect it from remote access regardless, add the following to the .htaccess file in the blog root.

<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>

6. Prevent wp-config.php from being modified

As already mentioned, the user name and password of the SQL database that holds the blog's contents and control data are sensitive information that must be protected from modification by unauthorized people. One way to achieve this is through the file permissions of the UNIX system. Set the permissions of 'wp-config.php' to 600, so that only you can read or modify it. This works only when PHP runs under your own account (as with suexec, suPHP or a per-user FastCGI setup); on hosts where PHP runs as a shared Web-server user, 600 stops the blog from starting, and the usual compromise is 640 with the file's group set to that server user.

Another, slightly more complex, method is to move the file one directory up: if WordPress does not find 'wp-config.php' in its own root, it looks in the parent directory. If the blog is installed in a sub-directory of your 'Document Root' (the place where your HTML files are uploaded), this provides no additional protection, because the parent directory is still reachable from the Web; but if the blog is installed at the 'Document Root' itself, the parent lies outside the Web tree and the file can no longer be fetched by URL at all.

7. Prevent the browsing of the wp-content/uploads directory

An approach similar to the one explained for 'wp-content/plugins' can be used. A directory listing of 'uploads' reveals the names of every file you have ever attached, including those belonging to private or unpublished posts.

8. Restrict access to wp-includes

While it would not be practical to forbid access to every file in this directory and its sub-directories, a selective approach can be taken with a modification of the .htaccess file. The following file, placed in wp-includes, allows access only to image, CSS and JavaScript files and refuses everything else, PHP included. On Apache 2.4 the equivalent is 'Require all denied' at the top and 'Require all granted' inside the '<Files>' block. Test the administration screens and the post editor after adding it, since some features may request other file types, and extend the list if something breaks.

Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

9. Use a defensive file permission scheme

The UNIX file permission system should be used to prevent unauthorized access. As a general rule, all file permissions should be set to 644, which means that only you (the owner) have write access and everybody else has read access only. Similarly, all directory permissions should be set to 755, where the extra execute bit allows the directory to be traversed. The only exception is 'wp-config.php', which, as previously explained, should get 600 (or 640; see tip 6). If there are files that you want to be modifiable by the Web server, such as those you want to edit in the WordPress Theme Editor, set their permissions to 666, but only when PHP runs as a different user from the one owning the files: 666 lets every account on the machine modify the file, which on a shared host is a risk in itself. If PHP runs as your own user, 644 already allows the Theme Editor to write.
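The following added script, not from the tutorial, applies the permission scheme of tips 6 and 9 (755 for directories, 644 for files, a tighter mode for wp-config.php) and audits a tree for deviations, so the check can be run from cron or after every plug-in installation. The sample tree in the test is constructed; the wp-config.php mode is a parameter because 600 works only when PHP runs under your own account, and on some hosts 'wp-content/uploads' must stay writable by the server user, which this audit would report so that you can decide knowingly.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply and audit the permission
# policy of tips 6 and 9 on a WordPress tree.  Directories 755, files 644,
# wp-config.php 600 by default.  Paths are assumptions.

# Apply the policy to every directory and file below $1.  $2 is the mode for
# wp-config.php: 600 when PHP runs as your own account, 640 (with the file's
# group set to the web-server user) when PHP runs as a shared server user.
wp_apply_perms() {
    root=$1
    cfg_mode=${2:-600}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod "$cfg_mode" "$root/wp-config.php"
    fi
}

# Report deviations from the policy as "<mode> <path>", one per line; prints
# nothing when the tree is clean.  Modes are compared as the symbolic string
# that 'ls -ld' prints, which is the same on GNU and BSD systems (stat(1)
# is not).  $2 is the expected symbolic mode of wp-config.php, default
# -rw------- (600); pass -rw-r----- for a 640 setup.
wp_audit_perms() {
    root=$1
    cfg_want=${2:--rw-------}
    find "$root" \( -type d -o -type f \) | while IFS= read -r p; do
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$p" in
            */wp-config.php) want=$cfg_want ;;
            *) if [ -d "$p" ]; then want=drwxr-xr-x; else want=-rw-r--r--; fi ;;
        esac
        [ "$mode" = "$want" ] || printf '%s %s\n' "$mode" "$p"
    done
}

# Number of deviations, for scripts and cron jobs that only need a yes/no.
wp_audit_count() {
    wp_audit_perms "$1" "$2" | wc -l | tr -d ' '
}

# Usage (path is an assumption):
#   wp_apply_perms /home/user/public_html
#   wp_audit_perms /home/user/public_html        # should print nothing
```

Run the audit before applying anything the first time: the list of deviations shows which files the Web server is currently allowed to write, which is exactly the set that a compromise could modify.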

10. Rename the administrative user

According to the WordPress Codex, among the commonest attacks against a WordPress blog are attempts to gain access by "brute force" password guessing. If you leave the default administrative user name ("admin") unchanged, you are handing attackers half of the puzzle. However, changing this name is not so easy, because the dashboard does not allow it. You must either use a command-line SQL client, where the hosting company permits it, or a front-end such as phpMyAdmin launched from the control panel. In either case, after taking a backup of the database, the statement to run is something like the following.

update wp_users set user_login='newuser' where user_login='admin';

Note that the default table prefix 'wp_' is used here; substitute your own (see tip 11). The login name is not the only place where the old name lives: 'user_nicename' appears in the author archive URL and 'display_name' on every post, so update those columns too or they will keep announcing "admin"; and the account keeps user ID 1, which a visitor can look up with '?author=1'. A simpler alternative that needs no SQL is to create a new user with the Administrator role, log in as that user, delete "admin" and, when asked, attribute its posts to the new user.

11. Change the table prefix

Each SQL table used by WordPress has a name beginning with a prefix that is set in 'wp-config.php' ($table_prefix). Changing the default 'wp_' makes an attacker's work a little harder, since automated SQL-injection tools assume the default table names and must first discover yours. The moment to do this is when installing the blog, because changing it afterwards means renaming every table as well as the prefixed rows in the options and user-meta tables, which is not easy for the blog owner, although there are plug-ins that do the job. Treat this as obscurity, not as a substitute for tip 3.

12. Prevent directory browsing

If you want every WordPress directory to be unlistable from a browser, place this .htaccess file in the blog's root directory. 'Options -Indexes' on its own is enough and is less likely to be refused by a host whose 'AllowOverride' does not permit 'Options'.

Options All -Indexes

Of course, if you do this there is no need to place dummy 'index.html' files in the sub-directories.

13. Block search-engine access

To reduce still further the chance that some inquisitive person finds something in your WordPress files, you can declare them off limits to search-engine robots by placing these lines in your main 'robots.txt' file. Paths in robots.txt match by prefix, so no wildcard is needed. Keep in mind that the file is purely advisory (a malicious crawler simply ignores it) and is itself public, so it tells anyone who reads it where your blog lives; and that blocking 'wp-content/uploads' also keeps your images out of image search.

User-agent: *
Disallow: /<blog-directory>/wp-

14. Use encrypted connections

The last tip is simple but often neglected. As you surely use shell and FTP access to manage your blog, you cannot let these sessions travel in the clear: plain telnet and FTP send your account password unencrypted on every login. Use SSH for your shell access and SFTP (or, failing that, FTPS) for your file transfers.

© 1999-2008 Hector Castro -- All rights reserved