Ten Ways to Avoid WordPress Crackery
M. Jackson Wilkinson, Former Viget
Anyone who has been blogging for more than a few months knows that WordPress is one of the dominant blogging platforms, with millions of blogs using it as a content management system. That makes it attractive to bloggers, who look to it for its abundant repository of plugins and add-ons, and equally attractive to attackers, who only need to find a single security hole to unlock the entire install base (again, millions of blogs and other sites) and put it to whatever purpose they like.
The appeal of cracking blogs lies in the SEO value of established sites. If you create a new site to sell something like Xanax or Viagra, you won't register in search engine listings for quite some time, not until other sites link to you and thereby demonstrate the value of your site.
Initially, these folks resorted to the black-hat plan B of creating hundreds or thousands of other sites whose sole purpose was to link to the primary site, thereby manufacturing that value. Google caught on and changed its ranking algorithm to discount links from sites that had no significant inbound links themselves.
Plan C is where WordPress enters the picture. If you found a way to get links to your Viagra site onto many well-established sites that are trusted by Google, your site will climb the rankings. And when many well-established sites are running WordPress, the easiest way to get links on those sites is to find a security exploit in WordPress that will allow you to put a link on someone else's site. That's what has been happening lately to countless WordPress sites, large and small.
So now, every time a new version of WordPress comes out, addressing the current security concern, crackers get to work on finding a new bug to exploit in the system. All software has bugs, and so they almost invariably find something to capitalize upon, which WordPress then chases down and fixes in a new version. In the meantime, sites that have been cracked are sometimes punished by Google for the spammy links, occasionally not recovering for weeks or months.
So how do you avoid being taken by these nefarious evil-doers? Here are some tips:
1. Stay Up-To-Date
The number one way to avoid having your site compromised is to keep WordPress up-to-date. As of May 19, 2008, this means running WordPress 2.5.1, or, if you're running the legacy 2.0 branch, 2.0.11.
Upgrading your WordPress codebase is a relatively simple matter and rarely takes more than an hour (usually more like 15 minutes). Back up the database and the files first, so that a botched upgrade can be rolled back. Instructions can be found at the WordPress Codex, or you can have your friendly support contact manage this for you.
After making sure you're up-to-date, you need to ensure you stay there. New WordPress versions come out when necessary, rather than on a schedule, so it's advised that you pay close attention to either the WordPress releases page on the WordPress website or follow the WordPress blog, which also announces releases.
2. Keep Your Plugins Up-To-Date
While WordPress may have security bugs, so may any plugin you use, and plugins get far less scrutiny than the core. Every plugin is another opportunity for an attacker to find a bug to exploit.
The most secure plugin is the one you never install. Remove plugins you don't actually need rather than merely deactivating them, since a deactivated plugin's files remain on the server and may still be reachable by direct request. For the rest, routinely visit each plugin's website, or follow any relevant RSS feeds, to watch for new releases.
3. Kill Old-School WordPress URLs
The evil-doers' whole goal is to create a link under your domain name that references their site, and often this happens by creating posts that are dated well in the past and that redirect to their site. You don't notice the backdated posts, they only need to link to them from somewhere else, and their effort has paid off. Often these links reference the posts by serial number rather than by name, like so: http://mydomain.com/?p=12882
If you're using prettified URLs, like http://mydomain.com/posts/this-is-a-post/ rather than the above, and most people are, you can simply disable the ability to access the old-school ?p=12 style URLs, cutting off their plans at the knees. This involves editing a file called .htaccess, and disabling requests to the old-style URLs. This is probably a job for someone experienced with htaccess configuration.
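An .htaccess fragment that does this, added here as an example rather than taken from the original article. It assumes mod_rewrite is available (it is, if pretty permalinks already work) and that the block is placed in the site's .htaccess above the section WordPress generates itself, so that it is evaluated first:

```apache
# Added example; not from the original article. Assumes mod_rewrite is
# enabled, that pretty permalinks are already in use, and that this block
# sits ABOVE the "# BEGIN WordPress" section in the site's .htaccess.
RewriteEngine On

# Exempt post previews, which logged-in authors open as /?p=NNN&preview=true
RewriteCond %{QUERY_STRING} !(^|&)preview=true

# Refuse any request for the site root whose query string carries a numeric
# post or page id (/?p=12882 or /?page_id=7), answering 403 Forbidden
RewriteCond %{QUERY_STRING} (^|&)(p|page_id)=[0-9]+
RewriteRule ^(index\.php)?$ - [F]
```

The exemption for preview=true is there because WordPress itself opens post previews as /?p=NNN&preview=true; without it, authors lose the preview button. Be clear about what this does and does not achieve: it closes one way of addressing a backdated spam post, but the post still exists and its pretty permalink still works, so keep looking for posts you don't recognise (and see tip 4).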
4. Keep an Eye Out
The other method these folks use is inserting links in the source HTML of your pages, usually in the footer. They visually hide these links, but they're still visible to search engines.
Be sure to check your source code for bizarre links at least once a week to ensure you haven't been cracked.
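Eyeballing view-source works, but the weekly check is easier to keep up if it is scripted. The POSIX shell script below is an added example (not from the original article): it greps a saved copy of a page for anchor tags that sit on a line carrying the usual hiding styles (display:none, visibility:hidden, a zero font size, or an element pushed thousands of pixels off-screen) and prints their targets. The sample page it scans is constructed for the example, and the hidden_links and hidden_link_count function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: a weekly check for anchor
# tags that sit on a line styled to be invisible (display:none,
# visibility:hidden, zero font size, or pushed far off-screen), the usual
# disguise for injected SEO spam. Run it over a saved copy of your front
# page, e.g. from cron:
#   wget -q -O /tmp/home.html http://mydomain.com/ && hidden_links /tmp/home.html

# Print the target of every link that appears on a hidden line of FILE.
hidden_links() {
    grep -i -E 'display: *none|visibility: *hidden|font-size: *0(px|pt|em)?[;" ]|(left|top): *-[0-9]{3,}px' "$1" \
      | grep -o -i -E '<a[[:space:]][^>]*href=["'"'"'][^"'"'"']*' \
      | sed -E 's/.*href=["'"'"']//'
}

# Same scan, reduced to a single number for easy alerting from scripts.
hidden_link_count() {
    hidden_links "$1" | wc -l | tr -d ' '
}

# Constructed sample page: one genuine link plus three hidden spam links.
SAMPLE_HTML="${TMPDIR:-/tmp}/wp_hidden_link_sample.html"
cat > "$SAMPLE_HTML" <<'EOF'
<html><body>
<div id="content"><p>Latest post: <a href="http://mydomain.com/posts/this-is-a-post/">read more</a></p></div>
<div id="footer">Powered by WordPress
<div style="display:none"><a href="http://example.com/cheap-pills">cheap pills</a> <a href="http://example.net/casino">casino</a></div>
<span style="position:absolute;left:-9999px"><a href='http://example.org/loans'>loans</a></span>
</div>
</body></html>
EOF

# Lists the three spam targets and none of the genuine ones.
hidden_links "$SAMPLE_HTML"
```

Because it only looks at single lines, a spam block whose style and link are split across lines would slip past; on a page you serve yourself that is rarely the case, but keeping last week's copy and diffing the freshly fetched page against it catches anything this misses.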
5. Limit Access to Your WordPress Admin URL
Crackers often take advantage of security flaws that give them access to the WordPress administration interface, from which they can do pretty much whatever they like. Protecting the administration interface more strongly closes off that route.
Using that same .htaccess file, you can limit access to a specific IP address, to a range of IP addresses, or to holders of a username and password. The first two make sense if you always blog from the same one or two computers; the third is usually the most convenient. For added security, require one of the first two AND the third at the same time.
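As an added example (not from the original article), the wp-admin/.htaccess below combines both methods. The password file path and the addresses are placeholders to replace with your own; the syntax is Apache 2.2, current when this was written, and on Apache 2.4 the address checks are written with Require ip inside a <RequireAll> block instead:

```apache
# Added example; not from the original article. Put this in wp-admin/.htaccess.
# The .htpasswd path, the realm name and the addresses are placeholders.
# Apache 2.2 syntax; on 2.4 use "Require ip ..." inside <RequireAll>.

# A second password prompt in front of the WordPress login
AuthType Basic
AuthName "WordPress administration"
# Keep the password file outside the web root
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# Source-address allow-list: the home and office addresses you blog from
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24

# Satisfy All demands the address check AND the password;
# change it to Satisfy Any to accept either one on its own
Satisfy All
```

Create the password file with htpasswd -c /home/example/private/.htpasswd yourname, and keep it outside the web root as shown. One caveat: some plugins and themes call wp-admin/admin-ajax.php from public pages, and this protection blocks those calls for ordinary visitors. If something on the front end stops working, exempt that one file with a <Files admin-ajax.php> block that allows from all with Satisfy Any.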
6. Restrict Access to Your Configuration File
Your database password and other sensitive information is stored in a file called wp-config.php. Normally the web server hands that file to PHP, which executes it and returns nothing of interest to a visitor, but if PHP processing is ever broken or misconfigured (after a hosting migration, say), an attacker can simply read the file, at which point they can log into your database directly and make the changes they need without ever touching the administration interface.
You can use .htaccess to stop visitors from ever retrieving wp-config.php by adding the following lines to the .htaccess file in your WordPress root. The <Files> block confines the rule to that one file; a bare Deny from All on its own would lock visitors out of the whole site. (On Apache 2.4 the two inner lines become Require all denied.)
    <Files wp-config.php>
        Order Allow,Deny
        Deny from All
    </Files>
7. Get Rid of Admin
Every WordPress blog starts off with a user named admin who has full rights. That is a risk: an attacker already knows half of the credential, the username, and only has to guess the password.
Basically, just create a new account with administrative privileges, log in with the new username and password, and delete the admin user. You should be prompted to transfer old posts to the newly-created account.
8. Post as a Lower-Level User
If the account you post from only has permission to write and publish posts, and not to do much else, then a stolen password for that account limits the damage that can be done with it: no installing plugins, editing theme files, or creating users.
To do this, create a second account with the Author role (enough to publish your own posts), log in with it for everyday writing, and keep the administrator account for upgrades and configuration.
9. Use Captcha for Logins
Requiring a captcha before a login attempt is accepted slows down automated password guessing against wp-login.php, which removes one more avenue from automated attacks. Note that it only helps against guessing: an exploit that bypasses the login form is unaffected, so this complements the tips above rather than replacing them.
A decent plugin to do this is Raz-Captcha. Remember, though, if you install this plugin, you need to keep up with its updates, per #2 above.
10. Keep on Top of Other Exploits
This is the hardest one, but if you're paying attention to posts on the web about WordPress security exploits, then you probably won't be surprised by anything. You just need to make sure you act on the news whenever you see it and think it might apply to you.
Then again, if you're not using WordPress, you won't be one of those millions of potential target sites. You might use another platform that puts you into a different target category, but the more technical differentiation you have, the less likely someone will be automating an attack against your platform anytime soon. That reduces your exposure to mass scanning; it is not a substitute for keeping whatever you do run patched.