Blog Security

Some idiots dropped a tonne of casino, poker and other files in a directory I left open to attack and then they spammed other sites linking to mine. You are probably coming here because I moved the folders that they wrote to and modified my .htaccess file so that you’re now seeing this.

If you did have your blog spammed and linked here, I apologize, it wasn’t me but I apologize nonetheless.

This is a newbie’s guide to securing WordPress.

  1. Disallow directory browsing
  2. Always stay on top of the latest version of WordPress.
  3. Add the following to your .htaccess file to prevent your database username and password from being compromised if your server has a problem serving PHP:

    <FilesMatch "^wp-config\.php$">
    deny from all
    </FilesMatch>

  4. Report anything you think is a bug. This is useful because the WordPress crew can help you and eliminate this risk for everyone else which is very charitable of you and VERY cool.
  5. Make sure your web hosting company follows important upgrades with their server (usually Apache), database (usually MySQL) and version of PHP, although this should be a given from any reputable web host.
  6. Make a useful password – check the output from this utility. Although this isn’t necessary, I would suggest changing up a few characters and using non-alphanumeric characters in there like a “!” instead of “i”.
  7. You should not have to leave a directory open with chmod 777 permissions. Try using 755. If this does not work, try uploading with 777 then immediately setting the permissions to 755 on the directory. This (in most cases) should let the web server know that a web server is the owner of that directory. If you have to use 777 for images (for example) then at least add this to a .htaccess file in that directory:

    Order Allow,Deny
    Deny from all
    <Files ~ "\.(jpe?g|png|swf|gif)$">
    Allow from all
    </Files>

  8. Hackers trawl for footprints. A really big footprint is to display your blog’s version. You should remove this if you possibly can.
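
One way to check an existing install against items 1, 3 and 7, as an added example that is not part of the original post. It assumes Apache with per-directory .htaccess files and that directory browsing is disabled with `Options -Indexes` (the post does not name the directive); the function name `audit_wp_root` is made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress document root
# against items 1, 3 and 7 of the list. Prints one line per finding.
# Assumes Apache with per-directory .htaccess files, as the post does.

audit_wp_root() {
    wp_root=$1
    wp_ht="$wp_root/.htaccess"

    # Item 1: directory browsing is off when "Options -Indexes" is set.
    if ! grep -Eqi '^[[:space:]]*Options[[:space:]].*-Indexes' "$wp_ht" 2>/dev/null; then
        echo "FAIL item1: no 'Options -Indexes' in $wp_ht"
    fi

    # Item 3: a Files/FilesMatch block should name wp-config.php.
    # (Only the block's presence is checked, not the deny line inside it.)
    if ! grep -Eqi '^[[:space:]]*<Files(Match)?[[:space:]].*wp-config' "$wp_ht" 2>/dev/null; then
        echo "FAIL item3: no <FilesMatch> rule for wp-config.php in $wp_ht"
    fi

    # Item 7: list world-writable directories (mode bit o+w, e.g. 777).
    # One that lacks its own "Deny from all" .htaccess is the worse case.
    find "$wp_root" -type d -perm -0002 2>/dev/null | while IFS= read -r wp_dir; do
        if grep -Eqi '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' "$wp_dir/.htaccess" 2>/dev/null; then
            echo "WARN item7: $wp_dir is world-writable (restricted by .htaccess)"
        else
            echo "FAIL item7: $wp_dir is world-writable with no deny rule"
        fi
    done
}

# Run against a path when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_wp_root "$1"
fi
```

No output means none of the three checks found a problem; a WARN line still deserves a look at that directory's .htaccess.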

Remember, regular backups of your web-server are recommended. You can do this via a control panel (like Cpanel) or ask your web hosting company for more information.

I also advise that you search for WordPress backup plugins in the official WordPress plugin directory.
