With all this crazy hacking going on, it’s the perfect time to buff up any WordPress blog or website install. Especially considering how many exploits and vulnerabilities external plugins could present to outside sources.
There are quite a few source edits that can be done to prevent outside parties from accessing integral WordPress system information.
Confine The Search Query
When someone performs a query of your site through a search engine, if they are clever enough, they can gain access to the rest of your site’s source files.
To protect your WordPress blog or website from this issue simply change the following code, in the “search.php” source file, from this:
<?php echo $_SERVER ['PHP_SELF']; ?>
<?php bloginfo ('home'); ?>
The code above ensures that a search query can’t access the entire WordPress server and directory.
It’s also a good idea to block or prevent search engines from indexing important WordPress folders. This can be done by adding the following line to the “robots.txt” file:
Don’t Announce Installed Plugins
By default there is a vulnerability in the standard WordPress install that allows outsiders to view what plugins, and more specifically what version of those plugins, are installed. This is definitely not good.
If the outside source knows specific vulnerabilities and issues with plugin versions they can get all the information they need to hack your WordPress blog or website.
This issue can be prevented by implementing the following code into the “.htaccess” file in the root install directory of WordPress:
Options All -Indexes
Also, many WordPress themes include the WordPress install version in the header source code of each page. This means that the same outside parties can identify which version of WordPress your blog or website is running.
To prevent this information from showing look for the following line of code in the “header.php” file and remove the version number:
<meta content="WordPress <?php bloginfo(‘version’); ? />" name="generator" />
Protect The “Wp-Config.php” File
When setting up WordPress for the first time, users are directed to enter in the admin login account and password in the “Wp-Config.php” file. This means that anyone who is able to access the server and retrieve this file subsequently can find the admin login and password information.
In order to protect the “Wp-Config.php” file during such a server problem or attack the following line of code should be implemented into the “htaccess.txt” file:
<FilesMatch ^wp-config.php$>deny from all</FilesMatch>
Protect From External File Injections
There is a serious vulnerability that allows malicious parties the option to inject harmful files into any WordPress install (provided they know how to use the advantage). Some spam bots can also gain access this way, littering your blog or website with unwanted files and information.
In order to protect the blog properly you need to search for the following code, which is usually found in the title tags or search template of any page:
<?php echo $s; ?>
The above code should be replaced with the following:
<?php echo wp_specialchars($s, 1); ?>
It’s important to note that this tag may depend on the active WordPress theme, so you will have to search for the actual tag in the proper WordPress source files.
Alternate Security Procedures
Of course there are alternate methods to prevent outside sources from gaining improper access to any WordPress enabled blog or website.
One of the most important steps involves using a strong password with a combination of upper-case, lower-case and number characters. This step is of course pretty self-explanatory.
Always stay up to date with the latest plugin versions and the latest WordPress install version. Never allow any of the software to get too out of date, because this opens up your WordPress blog or website to many compounding vulnerabilities.
Of course the best solution is to install external plugins that enhance WordPress security. For a good selection of plugins to install see our previous post on WordPress Security Plugins.