How to Stop Your WordPress Blog Getting Hacked
Unbeknownst to most people who set up a website, you are also putting up a big banner saying, "I am ripe for hacking."
While the situation is better than it was two years ago, WordPress is still a major target for hackers, and some of the problems, like lack of proper escaping (relatively simple to fix), seem to have been forgotten about.
1) Blocking access to folders commonly abused by hackers on WordPress sites
In your WordPress site's folder (i.e. wwwroot) is a file called web.config. This XML file lets you control access and many other areas of your website's hosting settings, such as file access. The web.config below blocks PHP execution in the uploads folder and blocks direct requests to the wp-includes folders that are generally targeted and abused by hackers. You will need to change the domain name in the rule name under the rewrite section to the URL of your own WordPress site.
NOTE: If you are not familiar with XML or feel you don't know what you are doing, please contact our support desk so we can help you.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- Prevent PHP usage in WordPress uploads folder. Stop hackers. -->
  <location path="wp-content/uploads">
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions>
            <add fileExtension=".php" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <defaultDocument>
      <files>
        <clear />
        <add value="Default.htm" />
        <add value="Default.html" />
        <add value="Default.asp" />
        <add value="default.aspx" />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="index.php" />
        <add value="index.asp" />
        <add value="home.html" />
        <add value="home.htm" />
        <add value="holding.aspx" />
      </files>
    </defaultDocument>
    <httpErrors errorMode="DetailedLocalOnly" existingResponse="Auto" />
    <rewrite>
      <rules>
        <!-- Standard WordPress front-controller rule: change the URL in the name to your own site -->
        <rule name="WordPress: http://yourwordpressurl.goes.here" patternSyntax="Wildcard">
          <match url="*" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php" />
        </rule>
        <!-- Prevent access to WordPress include folders. Stop hackers. 4 rules here -->
        <rule name="WP-Includes Block" stopProcessing="true">
          <match url="^wp-admin/includes/" ignoreCase="false" />
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
        </rule>
        <rule name="WP-Includes PHP Block" stopProcessing="true">
          <match url="^wp-includes/[^/]+\.php$" ignoreCase="false" />
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
        </rule>
        <rule name="WP-Includes Tinymce Block" stopProcessing="true">
          <match url="^wp-includes/js/tinymce/langs/.+\.php" ignoreCase="false" />
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
        </rule>
        <rule name="WP-Includes Theme-compat Block" stopProcessing="true">
          <match url="^wp-includes/theme-compat/" ignoreCase="false" />
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
        </rule>
      </rules>
    </rewrite>
    <security>
    </security>
  </system.webServer>
</configuration>
2) Removing Footprints in WordPress to Stop Hackers Finding You
- Remove the Footer Credit
Most WordPress templates come with a link back to WordPress in the footer saying, "Powered by WordPress". If you don't want to get hacked, this absolutely has to go. It is used as a marker by hackers who query search engines to compile lists of WordPress sites. This is known as dorking, implying that people who leave such footprints on their sites are dorks. Removing this will probably stop you from getting hacked, as your site will probably not be found once it is removed. If you would like to give credit to WordPress for making a free publishing platform in some other way, you could link to them on your about page.
To remove the footer credit, open up wp-content/{name of the theme you are using}/footer.php and delete the link to WordPress.
- Remove the Meta Generator Tag
Most WordPress templates will also come with an HTML tag in the head like this:
<meta name="generator" content="WordPress 2.7" />
This has to go too, as it gives away which version of WordPress you are using. All a hacker would have to do is look up a hack for your version of WordPress, and if you are vulnerable (some vulnerabilities require certain server settings or environments) they will take you down.
To remove the meta generator, open up wp-content/{name of the theme you are using}/header.php and delete the meta generator tag.
- Remove the Generator Tag in the RSS Feed
WordPress also gives away which version you are using in the RSS feed, with a generator tag like this:
<generator>http://wordpress.org/?v=2.7</generator>
Again, this gives away the version you are using, so it is particularly dangerous. RSS feeds are another way in which hackers compile lists of sites they might be able to attack.
To remove the RSS generator, open up wp-includes/general-template.php and search for the function called the_generator (around line 1858). It will look like this:
and place a hash (#) in front of the word echo, so it looks like this:
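Editing wp-includes/general-template.php works, but the change is lost the next time WordPress is upgraded. An alternative is to unhook the generator output from a small must-use plugin, which survives core upgrades. This is an added example, not code from the original post; it assumes the file is dropped into wp-content/mu-plugins/ (a directory WordPress loads automatically) and relies on the standard wp_generator action and the_generator filter that WordPress itself registers.

```php
<?php
/**
 * Plugin Name: Hide WordPress Generator (added example)
 *
 * Assumed location: wp-content/mu-plugins/hide-generator.php
 * Must-use plugins load on every request without activation, so this keeps
 * working after a core upgrade, unlike a hand edit to general-template.php.
 */

// 1. The <meta name="generator" ...> tag in the HTML head is printed by
//    wp_generator(), which core hooks onto wp_head. Unhook it.
remove_action( 'wp_head', 'wp_generator' );

// 2. The RSS2, Atom, RDF and comment feeds call the_generator(), which passes
//    its output through the 'the_generator' filter. Returning an empty
//    string removes the <generator>...</generator> element from every feed
//    (and would also cover wp_head, should a theme re-add it).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Optional: WordPress appends ?ver=<WordPress version> to the scripts and
//    styles it enqueues without an explicit version, which leaks the same
//    information. Strip the query argument from those URLs.
function hide_wp_version_from_assets( $src ) {
    if ( is_string( $src ) && strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hide_wp_version_from_assets' );
add_filter( 'script_loader_src', 'hide_wp_version_from_assets' );
```

Steps 1 and 2 cover the two tags discussed in the post. Step 3 goes slightly further: it also hides the version from asset URLs, at the cost of disabling the ?ver= cache-busting WordPress uses when it updates its bundled scripts, so purge any CDN or browser cache after an upgrade if you keep it. After installing, fetch the home page and /feed/ and confirm neither response contains the string "generator".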
- Remove Other Footprints
There are a number of other ways someone might be able to tell that your site runs on WordPress, such as installing it at http://domain.tld/wordpress/, or having links to specific WordPress file names, such as wp-login.php. The latter can easily be found using a search engine, e.g. by searching for WordPress logins.
Two names that are visible on all WordPress installs are the wp-content/ directory (where WordPress stores media) and wp-comments-post.php. You can change the name of the wp-content directory in the WordPress admin under Settings > Miscellaneous. To change wp-comments-post.php, you will need to edit your template to use a different URL and forward the new URL to wp-comments-post.php. It is unlikely anyone uses these methods to find WordPress blogs to hack, but they are steps you can take if you want to be extra careful.
Also make sure you have deleted license.txt and readme.html from the root directory.
3) Locking Your WordPress Install Down
- Hiding or changing the Admin user
Securing the administration area is important, as it is an easy place for your username and password to be yoinked. First of all, you will want to put the website on an encrypted connection (SSL).
To do this, log in to the SolidCP control panel, click on Websites, select the website you are working on, select the SSL tab, and enable the Let's Encrypt SSL certificate.
NOTE: If you do not know how to do this, please contact support.
Using a secure connection for your website is important because without it your login credentials will be bandied around the internet as plain text.
- Move the Config Data
As mentioned above, some text editors make backups of your PHP files which can be opened by anyone, and if you have server problems your PHP files could be output as text. This opens up the problem of someone opening your wp-config.php file and snaffling your database credentials. The best thing to do is:
- Copy the contents of wp-config.php
- Create a new file in a directory (e.g. wp-includes/conf.php) and paste the contents into it
- Then delete the contents of wp-config.php and add a single line that requires the file from its new location. This will look something like:
- Save the new wp-config.php
It is essential that your new config file is in a directory that you have blocked from outside access using the method above. Otherwise, you will just be telling people where you have moved your config.
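A wp-config.php that does nothing but pull in the moved settings, written as an added example rather than the post's own code. It assumes the full original contents (including the opening <?php line) were pasted into wp-includes/conf.php, which direct HTTP requests cannot reach because the "WP-Includes PHP Block" rule in the web.config above answers any wp-includes/*.php request with 403; PHP's own require is a filesystem read and is unaffected by that rule.

```php
<?php
/**
 * wp-config.php stub (added example). The real settings live in
 * wp-includes/conf.php, an assumed path chosen because the web.config
 * rewrite rules already return 403 for direct requests to that file.
 */

// ABSPATH is normally defined by wp-load.php before this file runs, and the
// copied config only sets it when undefined. Define it here relative to the
// site root so the moved file never computes it from its own (wrong) folder.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

$wp_moved_config = ABSPATH . 'wp-includes/conf.php';

// Fail closed: a missing config must not fall through to a half-configured
// site that could surface setup screens or error output to visitors.
if ( ! is_readable( $wp_moved_config ) ) {
    http_response_code( 503 );
    exit( 'Site configuration unavailable.' );
}

require_once $wp_moved_config;
```

Once in place, request /wp-includes/conf.php in a browser and confirm you receive a 403 rather than a blank page or, worse, the file contents; then load the site normally to confirm the include works.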
4) WordPress Trojan Horses
- Themes and Plugins
Last but not least, you can run into serious trouble by installing plugins and using themes without checking them for malicious code. If you don't know PHP, I'd recommend only installing plugins and themes which are listed in the official WordPress directories, as I'd imagine those are vetted for nasties.