Wordpress Stats, Security Tips, Tools, Plugins — A Pocket Guide

WordPress security is no laughing matter. While the vast majority of attackers get blocked, a persistent few do not. With the sheer number of websites running WordPress, any vulnerability or security flaw is likely to affect thousands, if not millions, of users across the world.

Ready to be baffled? Then just read on.

These WordPress Usage Statistics Will Make Your Jaw Drop

If you are running a WordPress blog, chances are it will be hacked at some point, because of the many vulnerabilities constantly being uncovered in both WordPress core and plugins.

How do hackers get all the information they need?

The problem is that if you are like most people, you don’t consider website security to be an exciting topic. You acknowledge it’s important, but, hey, it’s also kinda boring and technical.

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.

The best time is right now. Spammers are taking advantage of exploits in old versions of WordPress, inserting hidden spam links in posts and using WordPress-powered blogs to distribute viruses and malicious software. They’re also using these exploits to run their own code on your server.

This morning I spotted a Spanish blog in my feed reader that had hidden links added to it. I contacted the blog owner and she’s going to upgrade her blog soon.

  1. The best way of stopping them is by downloading the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?
  • define('SECRET_KEY', '1234567890');

Where to find the Hidden Code?

Backdoors on a WordPress install are most commonly stored in the following locations:

Check Themes — Most likely it is not in the theme you are currently using. Hackers want the code to survive core updates. So if you have the old Kubrick theme sitting in your themes directory, or another inactive theme, the code will probably be in there. This is why we recommend deleting all inactive themes.

Check Plugins — Plugins are a great place for the hacker to hide code, for three reasons. One, people don’t really look at them. Two, people don’t like to upgrade their plugins, so the code survives upgrades (unless folks keep them up to date). Three, some plugins are poorly coded and probably have their own vulnerabilities to begin with.

  • The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the webserver, then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten, so make sure you double-check those files for any strange code that uses the eval() command or base64_decode(). Here’s a code snippet taken from here:
  • <?php
  • Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.
  • Check your .htaccess file in the root of your blog. If you’ve never edited it, it should look like this:
  • # BEGIN WordPress
     <IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteBase /
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteRule . /index.php [L]
     </IfModule>
     # END WordPress
  • That file may also contain this chunk, which is to do with the uploader:
  • <IfModule mod_security.c>
     <Files async-upload.php>
     SecFilterEngine Off
     SecFilterScanPOST Off
     </Files>
     </IfModule>
  • They’re also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the active plugins list. This makes it harder to find them, but not impossible:
  1. Open phpMyAdmin, go to your blog’s options table and find the active_plugins record.
  2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you also remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
  3. Check your uploads directory for that jpg file and delete it.
  4. This YouTube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record, but it won’t hurt to do it.
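Step 2 above is where most people slip: a PHP-serialized array carries an element count and a byte length for every string, so deleting the bogus entry by hand without fixing those makes WordPress reject the whole option. The following Python script is added here as an example (it is not code from the original post); it parses an active_plugins value, drops any entry that is not a plain plugin .php path, and re-serializes it correctly. The sample value is constructed.

```python
import re

# Constructed active_plugins value: two real-looking plugins plus the kind of
# bogus entry the steps above describe, pointing at a "jpeg" in uploads.
SAMPLE_ACTIVE_PLUGINS = ('a:3:{i:0;s:19:"akismet/akismet.php";'
                         'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";'
                         'i:2;s:21:"hello-dolly/hello.php";}')

def unserialize_plugin_list(blob):
    """Parse a PHP-serialized array of strings (the active_plugins format).
    Lengths are byte counts, so work on bytes; a length that does not land on
    the closing '";' means the value was hand-edited and would be rejected."""
    data = blob.encode()
    head = re.match(rb'a:(\d+):\{', data)
    if not head:
        raise ValueError('not a serialized PHP array')
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        key = re.match(rb'i:\d+;s:(\d+):"', data[pos:])
        if not key:
            raise ValueError(f'unexpected token at byte {pos}')
        start, length = pos + key.end(), int(key.group(1))
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f'declared length {length} does not match at byte {start}')
        items.append(data[start:start + length].decode())
        pos = start + length + 2
    if data[pos:pos + 1] != b'}':
        raise ValueError('missing closing brace')
    return items

def serialize_plugin_list(items):
    """Re-serialize with fresh 0..n-1 keys and correct byte lengths."""
    body = ''.join(f'i:{i};s:{len(v.encode())}:"{v}";' for i, v in enumerate(items))
    return f'a:{len(items)}:{{{body}}}'

def is_suspicious_plugin_path(path):
    """A genuine entry is '<dir>/<file>.php' (or '<file>.php') relative to
    wp-content/plugins; anything climbing out of it or not ending in .php is not."""
    return (not path.endswith('.php') or path.startswith('/')
            or '..' in path.split('/') or '/uploads/' in path)

def clean_active_plugins(blob):
    """Return (cleaned serialized value, list of removed entries)."""
    items = unserialize_plugin_list(blob)
    removed = [p for p in items if is_suspicious_plugin_path(p)]
    kept = [p for p in items if p not in removed]
    return serialize_plugin_list(kept), removed
```

Paste the cleaned value back into the active_plugins record in phpMyAdmin, then delete the file each removed entry points at.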
Update! To find any posts with hidden links, search your posts for either of the following:
  • display:none;
  • height:0

You can use the Search box on the posts edit page, or phpMyAdmin. Open up phpMyAdmin, go to wp_posts, click Search, and in the box next to post_content type %string%, where string is one of the two options above. That may return posts that don’t have any hidden links, but it’s better to be safe than sorry.
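The checks this section walks through (eval() and base64_decode() in theme and plugin files, the k1b0rg and keymachine.de markers, PHP hidden in a .jpg under uploads, and the display:none / height:0 search over posts) collected into one Python scan. This is an added example, not code from the original post; it builds a constructed wp-content tree in a temporary directory and uses constructed post rows, and scan_wp_content() can be pointed at a real wp-content path instead.

```python
import os, re, tempfile

# Markers the section above says to look for, plus the hidden-link CSS strings.
PHP_PATTERNS = {"eval()": re.compile(r'\beval\s*\('),
                "base64_decode()": re.compile(r'\bbase64_decode\s*\('),
                "k1b0rg marker": re.compile(r'k1b0rg'),
                "keymachine.de marker": re.compile(r'keymachine\.de')}
HIDDEN_CSS = re.compile(r'display\s*:\s*none|height\s*:\s*0', re.I)

def scan_wp_content(root):
    """Walk a wp-content tree and return sorted (relative path, finding, line)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            with open(path, 'rb') as fh:
                data = fh.read()
            if name.lower().endswith('.php'):      # check PHP sources line by line
                for n, line in enumerate(data.decode('utf-8', 'replace').splitlines(), 1):
                    hits += [(rel, label, n) for label, pat in PHP_PATTERNS.items()
                             if pat.search(line)]
            elif b'<?php' in data:                 # a .jpg (or anything else) carrying PHP,
                hits.append((rel, 'PHP code in non-PHP file', 1))  # even appended to a real image
    return sorted(hits)

def find_hidden_link_posts(posts):
    """posts: (ID, post_content) rows; return IDs containing either CSS string."""
    return [pid for pid, content in posts if HIDDEN_CSS.search(content)]

def build_sample_site():
    """Constructed wp-content tree (not a real site) with clean and injected files."""
    root = tempfile.mkdtemp()
    files = {'themes/twentyten/functions.php': b"<?php\nadd_action('init', 'my_init');\n",
             'themes/kubrick/footer.php': b"<?php\n// ...\neval(base64_decode('aGVsbG8='));\n",
             'plugins/hello/hello.php': b"<?php\n// keymachine.de\n",
             'uploads/2008/05/04/jhjyahjhnjnva.jpg': b"<?php /* disguised script body omitted */ ?>",
             'uploads/2008/05/photo.jpg': b"\xff\xd8\xff\xe0JFIF"}
    for rel, body in files.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(body)
    return root

SAMPLE_POSTS = [(1, '<p>Welcome to my blog.</p>'),   # constructed wp_posts rows (ID, post_content)
                (2, '<p>Hi</p><div style="display:none;"><a href="http://example.com/spam">x</a></div>'),
                (3, '<p>Photo</p><span style="height:0;overflow:hidden">hidden link</span>')]
```

As the text warns, the CSS search is deliberately loose and will flag some legitimate posts; treat every hit as something to read, not something to delete blindly.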

12 Ways To Prevent Your WordPress Blog From Being Hacked

Now that you know how to fix a hacked WordPress site, it’s time for a few tips that will help ensure it doesn’t get hacked again.

  1. Always keep your WordPress installation updated.
  2. Be careful when adding themes or plugins to your blog.
  3. Choose a secure hosting service.
  4. Limit login attempts.
  5. Keep file editing via the dashboard disabled.
  6. Keep your WordPress version hidden.
  7. Block directory browsing and direct access to plugin files.
  8. Keep the wp-admin directory secure.
  9. Always keep a backup.
  10. Keep usernames hidden from your author archive URLs.
  11. Avoid installing free themes.
  12. Periodically check your blog for vulnerabilities.

Wordpress Scanner Tools — Check For vulnerabilities

It’s a good idea to periodically check your blog for vulnerabilities, malicious code and hacks. Here are some tools that help by checking your site externally:

  • Aw Snap — has a good collection of tools and information to both check your blog for malicious code and recover from hacks. The File Viewer will check a website for malicious redirects, malicious scripts and other bad stuff.
  • WP hacked help — with over 15 years of experience, their WordPress security experts specialize in malware removal and cleanup of WordPress websites. They strive to exceed expectations when it comes to securing a WordPress site, and it is one of the best website malware removal services found on the web today.
  • Is It Hacked? — checks to see if your site is cloaked to GoogleBot, has spammy links, funny redirects, or otherwise appears to be hacked. They’ll fetch your site and analyze it for signs of an infection with multiple checks, from detecting spam links and hidden text up to sophisticated cloaking.
  • Sucuri SiteCheck — will check the website for known malware, blacklisting status, website errors, and out-of-date software.
  • Google WebMaster Tools — add your site as a property and then you can see any security issues that Google has detected when they crawl your site, you can also request a re-crawl (fetch) of your site.

You should also check your site internally: external scanning can’t check your files and database, so you need a security plugin to scan internally.

Wordpress Security Plugins

Here are a couple of good ones. I wouldn’t recommend having them all active simultaneously, but sometimes one scanner will find something that another doesn’t, so it’s good to activate and use them one by one and keep the one that works best for you:

  • Wordfence Security — has tons of customization options for scanning and real-time protection. It does vulnerability scanning, user monitoring, anti-virus, firewall, high-speed caching and much more. It does a deep server-side scan of your source code, comparing it to the official WordPress repository for core, themes and plugins, and it also checks your WordPress database.
  • Theme Authenticity Checker (TAC) — searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code.
  • Exploit Scanner — searches the files on your website, and the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual filenames.
  • Sucuri Security — a security suite meant to complement your existing security posture. It offers its users four key security features for their website, each designed to have a positive effect on their security posture.
  • Anti-Malware Security and Brute-Force Firewall — searches for malware, viruses, and other security threats and vulnerabilities on your server and helps you fix them.
  • All In One WP Security & Firewall — will take your website security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.

Prevention is better than cure. I cannot personally guarantee that your blog will not get hacked after implementing the methods I have mentioned, but I am sure the chances of getting attacked will be much lower.