Jun. 25, 2010

Posted by in General | 19 comments

Secure Your WordPress By Learning From My Mistakes

Several weeks ago, I managed to create a small ruckus on Twitter by issuing a warning about a possible WordPress vulnerability. I was rather embarrassed to eventually discover that the actual problem related to a backdoor still on my server from a previous hack. This was not my first lesson in WordPress security, but it was certainly a memorable one.

I first created this blog in 2007 after finding basic CSRF issues in the first publicly available OpenSocial application. At the time, I admittedly knew very little about application security (not that I know much now!), but I was interested in many aspects of building online social networking systems, and that led me to research security issues more and more. Over time, this blog grew and several other projects hosted on the same server fell by the wayside. As my understanding of security also grew, I found some of my sites hacked a few times, and I undertook a number of steps to secure this WordPress installation.

That maintenance contributed to the confidence I had in my warning on Twitter – malicious scripts kept popping up in my site’s footer, and the only apparent problem were some suspicious requests to a particular WordPress interface. I had looked gone through all my plug-ins (the apparent source of previous attacks), double-checked my permissions, changed passwords, etc. I finally did a thorough sweep of every single folder on my site, and lurking in an upload folder, I found a sophisticated PHP backdoor.

I’m guessing that file originally been placed during a much older attack and I’d simply missed it until now. Since deleting it and taking even more steps to protect my blog, I’ve not had any more trouble. I wouldn’t presume to think this site is 100% secure and I’ve never claimed to be an expert on application security, much less WordPress or PHP security, but I’m now quite confident that I’ve taken enough precautions to avoid most attacks.

That leads me to the following list of steps I’ve performed to harden this particular WordPress site. If you’ve not taken the time to ensure your blog is secure, this may be a good guide for you to start with. I’m indebted to many websites on WordPress security, and while I would want to link to all of them, I’m honestly not sure of all the specific ones I’ve drawn from and it would take a while to piece them together. A quick search will bring up many helpful recommendations, and I encourage you to check them out in addition to these tips.

  • Stay updated. Running the most current version of WordPress is probably the most important step. My host offers automatic updating for my installations. Also, be sure to keep your plug-ins updated as well.
  • Protect other sites. If you have more than one website running on the same server, make sure all of them are secure. One vulnerable application can compromise others. If you have sites that you don’t maintain, consider deleting them or locking them down to avoid future problems.
  • Scan through all of your folders. If you haven’t done this in a while, now would be a good time. Look through what files are present and keep an eye out for anything suspicious. Check your WordPress files against a fresh download to make sure they line up.
  • Scan through all of your permissions. This should be fairly easy with an FTP program that displays permissions settings. With rare exception, I keep files at chmod 644 and folders at chmod 755.
  • Periodically change passwords. Definitely modify your passwords if you’ve recovered from an attack. Remember to change your database password (and corresponding line in wp-config.php) as well as account passwords.
  • Use modified passphrases. This is one tip I don’t see often, but it’s one of my favorite tricks. Rather than simply jumbling characters into a password you have trouble remembering, start with a sentence. Not something terribly common, but something familiar to you. Pick one with at least six words in it. Take the whole sentence, with capitalization and punctuation, and add some complexity – append some numbers and punctuation at the beginning or end, and maybe change a few letters to numbers (such as “3″ for “e”). You should then have a very strong “password” that’s much easier to remember. Many websites and applications will let you use spaces and hundreds of characters in your password. But once again: avoid common phrases, include at least six words, and don’t just use a sentence without adding some numbers and special characters.
  • Check your users table in the database. I’ve seen attacks before that lead to the creation of an administrative account which is then hidden from the list of users in the web-based control panel. I’ve never quite understood why hidden users should be allowed, but that could be part of the attack to begin with. Anyway, just to be careful, I like to look at the actual table in the database and see if any other accounts have administrative privileges.
  • Double-check and clean up all plug-ins. I’ve deleted every plug-in I don’t use, and I try to keep all of my active plug-ins current. If you have a plug-in that’s no longer maintained or hasn’t been updated in a long time, you should probably check and see if a newer replacement is available. In my experience, plug-ins can be one of the weakest points in your WordPress installation. It’s kind of like a certain other site I know well – Facebook itself tends to be pretty secure, but you can often access data through vulnerable Facebook applications.
  • Add HTTP authentication to your wp-admin folder. This is covered in many places online so I’ll not recap specific steps here. And I’ll add that I realize this is not a silver bullet – basic authentication sends passwords in cleartext (so don’t use the same credentials as your WordPress account), and the traffic is not encrypted if you’re not using SSL/TLS. But adding another login prompt for the admin panel adds friction and may repel less-determined attackers. (This tip is obviously geared towards those who don’t have user accounts for non-admins.)
  • Move wp-config.php to a folder not as easily accessible. You can place wp-config.php one folder above your WordPress install; under my hosting setup, this location does not correspond to any public website folder. I also set mine to chmod 644 after changing it.
  • Rename your admin account. Several means exist to do this; I simply edited the record in the database.
  • Change your table prefix. This can be a bit of a hassle, but plug-ins exist (see below) to help. I’ll admit that I still need to check this one off my own list; long story.
  • Disable interfaces such as XML-RPC if you don’t use them. I don’t doubt that the programmers behind WordPress have worked hard to secure these interfaces, but I simply don’t like having another avenue of accessing administrative functions. And I think it’s not a bad idea to disable features you don’t actually need.
  • Use security tools. I installed the WP Security Scan plug-in after reading about it on WordPress’ own hardening guide.
  • Keep monitoring your site. I make a habit of loading up my homepage ever so often, hitting “View Source,” and scanning through the HTML. If I ever see an unfamiliar script or iframe element, I look closer.

That’s my personal list of WordPress security tips, based on many helpful resources and my own experiences of getting hacked. These certainly don’t apply to everyone, more could be added, and your mileage may vary, but hopefully this will help others avoid some of the problems I encountered. Be sure to look at other people’s advice as well and watch out for any WordPress security news.

  1. Great post, and timely.

    I do note that you several of your suggestions amount to manual processes. For security mechanisms to be really effective long term we really should advise people to strive for automated, set-and-forget processes. It’s just a truism of human behavior; we get lazy, sloppy, distracted, etc.

    Consider setting up weekly (or nightly) backups using the “WordPress Database Backup” plugin (for the core database) and “WordPress Backup (by BTE)” for plugins, uploads and themes. You can arrange to get them emailed to you for that extra peace of mind, or set up a cron job to push them to another server.

    Another excellent line of defense is to register your site with http://www.changedetection.com (or similar service) so that you get emailed any time something changes on your page. It’s not foolproof, but it’s one more tool (and again, automated).

    Good luck!
    ~PST

  2. I also like pointing a free sucuri.net account at the home page of your wordpress blog.

  3. “backdoor still on my server from a previous hack.”

    “I found some of my sites hacked a few times”

    Your officially a whitehat Joooooey.

    “I found a sophisticated PHP backdoor.”

    So how do you know that was the end of it? That, that isn’t a secondary backdoor? I wouldn’t trust the box.

    Your tips are largely the same internet myths that have been regurgitated for the past twenty years. It’s fine, it’s mostly common sense stuff but it hasn’t changed anything.

  4. Curious says:

    Are you going to try to update the code for the Facebook public hidden albums?

  5. Thats unfortunate. I am also a pentester and have done the samething, so I developed a simple script that blocks all possible shells as it opens the page and analysis’s it. Still has bugs but at beta stages.

  6. Check your wordpress directory into SVN then you can quickly tell what was modified and what dosen’t belong with svn diff/status.

  7. When you install a mod, either yours or someone else’s, make sure all forms of user input are secure and escaped.

  8. Thanks! And great post. We used this in concert with a few other sources to go and reinforce several of our blogs like news.edvisors.com. Keep up the good work. Sources like these are invaluable for good research alongside the Word Press official docs. Its good to know what people are doing out there.

  9. Love this blog post. Where did you find this information?

  10. Sorry to read about your situation. I’m glad that you shared your mistakes for us to learn!

    Pretty sure,a lot will learn from it. Appreciate your effort on warning us!

  11. Hi Webmaster! Check out this awesome wordpress plugin for your site! I use it for all my sites http://bit.ly/jigDZk

  12. When you’re in uncomfortable position and have no money to get out from that, you would need to take the credit loans. Because it will aid you definitely. I get credit loan every single year and feel myself OK just because of this.

  13. Don’t have a lot of cash to buy a building? You should not worry, because it is possible to get the mortgage loans to solve such kind of problems. Hence take a secured loan to buy everything you require.

  14. I appreciate our effort on sharing your experience! It’s good way to learn from others mistakes!

  15. I would like to propose not to wait until you get enough amount of money to buy goods! You should just take the mortgage loans or just college loan and feel fine

  16. You could also add to the list, “use second factor authentication” instead of standard passwords.

    There is a new website authentication method https://www.shieldpass.com where you buy cheap access cards and then install the WordPress plugin. You then place your card onto the screen to see the dynamic login numbers instead of a static password. It is unique in also being able to encode transaction digits for mutual authentication which stops attackers man in the middle tactics, even one with access into your laptop or mobile.

  17. Wonderful posting. I was looking at your blog so i’m impressed! Useful details particularly the last aspect :) I attend to this kind of info lots. I wanted this particular details for some time. Thanks and all the best ..

  18. Very nice layout and wonderful content, very little else we require : D.

  19. Thank you for this information.

Trackbacks/Pingbacks

  1. Secure Your WordPress By Learning From My Mistakes | Social Hacking | All About WordPress Themes - [...] Read the rest here: Secure Your WordPress By Learning From My Mistakes | Social Hacking [...]
  2. Secure Your WordPress By Learning From My Mistakes | Social Hacking - [...] See the original post here: Secure Your WordPress By Learning From My Mistakes | Social Hacking [...]
  3. - CNIS mag - [...] à sécuriser WordPress en 15 étapes : un papier très didactique sur Social Hacking et destiné à tous les ...
  4. Tweets that mention Secure Your WordPress By Learning From My Mistakes | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by Sam Hunt, Yvan. Yvan said: 15 étapes pour sécuriser son Wordpresse, très ...
  5. Search Engines And A Website Outage - [...] Secure Your Wordpress By Learning From My Mistakes [...]
  6. Search Engines And A Website Outage | periscopeUP - [...] Secure Your WordPress By Learning From My Mistakes [...]
  7. Secure Your WordPress By Learning From My Mistakes | Social Hacking | Wordpress Develop - [...] More: Secure Your WordPress By Learning From My Mistakes | Social Hacking [...]

Leave a Reply