Security and Hacking: Protect Thyself and Thy WordPress Blog

Filed as Features on January 19, 2009 4:47 am

The front page of CERT/CC, the computer emergency response team at the Carnegie Mellon Software Engineering Institute, looked back on 2008 as the 20th anniversary of the Morris worm, sometimes called the “Great Worm,” which crippled the Internet in 1988. Created by Robert Morris, now an associate professor at MIT, it was one of the first computer worms to spread across the young Internet, exploiting known vulnerabilities and causing millions of dollars in damages. It also produced the first conviction in the United States under the 1986 Computer Fraud and Abuse Act.

Years ago, a friend of mine worked for Boeing IT and taught many company workshops and training programs that began with an amusing lecture on “Safe Computer Sex.” She taught fellow employees to take care when flipping floppies to avoid transferring computer program infections across the network. How far we have come from those days.

As our dependence on the web grew through email, spammers, hackers, and attackers reached us through our inboxes. Now they are attacking our websites, social media tools, and web browsers.

Microsoft recently announced a security vulnerability in the Internet Explorer web browser that could be exploited simply by visiting a malicious website. Many advised against using Internet Explorer at all until it was patched and updated.

Google created the Browser Security Handbook to help people and developers understand the security issues facing web browsers and the steps to take to protect individuals and web applications.

As mentioned in the last article in this series on web and blog security and hacking, Security and Hacking: The State of WordPress Blogs, WordPress, Movable Type, and other popular web services are not immune from security hacks or vulnerabilities.

Tracking WordPress and Web Security News

WordPress is a web application at its core, and we depend upon web browsers for our blogs and online activity, as well as all the parts and pieces that make our blogs and the Internet run. If any one of those parts or pieces goes bump in the night with a lack of security protection, we all suffer.

The WordPress project responds immediately to any security vulnerability with patches and upgrades for the core program, and offers alerts for security issues in WordPress Themes and Plugins. Reports on security issues are published on the , and on the if the issue relates to WordPress.com bloggers.

Other top sources for WordPress-related security news are , , and the also report on security issues regarding WordPress.

BlogSecurity is behind the WordPress Whitepaper and reports frequently on security recommendations and information for WordPress. They also offer the WPIDS (WordPress Intruder Detection System) Plugin and the WP Scanner Plugin to test your WordPress blog for known security vulnerabilities and issues.

Other resources for tracking security issues across the web that may include WordPress and its related program partners include:

Don’t forget that the WordPress Community is one big news agency for reporting on hacks and attacks against WordPress blogs. It is also very self-policing and self-educating. During the recent remv.php attack, many bloggers reported receiving emails from their web hosts about a remv.php file causing malicious behavior on their WordPress blogs. Attackers drop a file called remv.php into WordPress Theme directories that the web server is allowed to write to, and use it to add malicious links and content.

The community spread the word and WordPress fans like Jason Cosper and Ronald Davies stepped up with tutorials and videos on how to remove this malicious file from your WordPress Theme folder.

Protecting Your WordPress Blog

The simple answer to protecting your WordPress blog is to upgrade immediately when a mandatory security upgrade is announced.

To thoroughly protect your WordPress blog takes a few more steps:

  • Upgrade to the latest version of WordPress and use the new automatic upgrade feature to keep your blog as current and secure as possible.
  • Backup, backup, backup. Backup your blog’s database. Backup your Theme. Backup your Plugins. Backup all content on your server. Backup everything on a regular basis, and learn how to restore your WordPress blog.
  • Use strong passwords for your WordPress blog, as well as FTP, MySQL, and other web access.
  • If you loosened your server file permissions during testing, making directories world-writable (and therefore writable by anyone who can get code to run on the web server), change them back to a secure setting.
  • Use WordPress Themes and Plugins from known and respected sources like the official WordPress Plugin Directory and WordPress Theme Directory.
  • Monitor your WordPress Theme author’s blog regularly for announcements of upgrades. Future versions of WordPress will have an auto upgrade and notification feature for WordPress Themes, making this easier to track and upgrade.
  • Use WordPress Plugins found in the WordPress Plugin Directory in order to take advantage of notification and warnings about Plugins through the Administration Panels Plugin update feature.
  • If you are reliant upon a WordPress Plugin not in the WordPress Plugin Directory, monitor their site and other WordPress news sites for mention of vulnerabilities or upgrades and upgrade immediately if one is found.
  • Monitor WordPress news sites for information on security issues and respond immediately to upgrades and patches.
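The two items above about file permissions and backups, together with the remv.php story earlier in this post, come down to a handful of checks you can run on your own server. The script below is an added example, not code from the original post or from WordPress. It assumes a standard WordPress layout (wp-config.php, wp-content/themes, wp-content/uploads) under the directory you pass it, and a host where the web server does not own your files, so the documented 755/644/600 permissions are appropriate; the sample install it builds for the demo is entirely constructed.

```shell
#!/bin/sh
# Constructed example, not code from the original post or from WordPress.
# Assumes a standard WordPress layout under "$1" and a host where the web
# server is not the file owner, so 755/644/600 are the right targets.

# List every file or directory under the install that is world-writable.
# A world-writable Theme directory is exactly what a remv.php drop needs.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# Reset permissions to the values the WordPress documentation recommends:
# 755 for directories, 644 for files, 600 for wp-config.php (it holds the
# database password).
harden_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# WordPress never writes PHP into wp-content/uploads, so any PHP file there
# was put there by someone else.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) | sort
}

# Compare a live Theme directory with the backup you made of it. Added or
# changed files are how a dropped remv.php shows up. Always exits 0 so the
# report can be captured even when differences exist.
diff_theme_against_backup() {
    live="$1"; backup="$2"
    diff -rq "$backup" "$live" || true
}

# Build a throwaway install in "$1" so the checks above can run offline.
# Every file here is constructed for the example.
make_sample_install() {
    root="$1"
    umask 022
    mkdir -p "$root/wp-content/themes/default" \
             "$root/wp-content/uploads/2009/01" \
             "$root/theme-backup/default"
    printf '<?php // database credentials would live here\n' > "$root/wp-config.php"
    printf '<?php // theme template\n' > "$root/wp-content/themes/default/index.php"
    printf '<?php // theme template\n' > "$root/theme-backup/default/index.php"
    printf '<?php // stand-in for a dropped file\n' > "$root/wp-content/themes/default/remv.php"
    printf 'GIF89a' > "$root/wp-content/uploads/2009/01/photo.gif"
    printf '<?php // stand-in for an uploaded web shell\n' > "$root/wp-content/uploads/2009/01/shell.php"
    # The "testing" mistake from the checklist: world-writable Theme files.
    chmod 777 "$root/wp-content/themes/default"
    chmod 666 "$root/wp-content/themes/default/index.php"
}

# Usage: sh wp-audit.sh --demo   (or call the functions on a real install)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_install "$demo"
    echo "World-writable:";  find_world_writable "$demo"
    echo "PHP in uploads:";  find_php_in_uploads "$demo"
    echo "Theme vs backup:"; diff_theme_against_backup "$demo/wp-content/themes/default" "$demo/theme-backup/default"
    harden_permissions "$demo"
    echo "After hardening, world-writable:"; find_world_writable "$demo"
    rm -rf "$demo"
fi
```

Run the checks on a real install by sourcing the file and calling the functions with your WordPress root; on the sample tree the world-writable list shrinks to nothing after harden_permissions, the uploads check names only shell.php, and the backup comparison reports remv.php as present only in the live Theme. On shared hosts where PHP runs as the web server user, the 644/755 targets may need adjusting for directories WordPress legitimately writes to, such as uploads.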

Take care not to announce security issues to the world before reporting them to the proper people. Know the difference between a bug and a security vulnerability: bugs in WordPress are reported through the WordPress Bug Report, but security issues should be sent privately to [email protected].

For more specifics on protecting your WordPress blog, see Protecting Your WordPress Blog, WordPress Security Prevention, Reactions, and Scares, and Protect Your Blog With a Solid Password.

Again, the best recommendation to protect your blog from hackers? Update. Now.

In the next issue in this series, I’ll talk about how to report a cyber crime.

  1. By H.K. posted on January 20, 2009 at 7:31 pm

    Lorelle, justaskgemalto might be a worthy addition to your list as well. It’s a new site an IT friend of mine just found that’s pretty easy to use. Interested on hearing your thoughts on it.


  2. By David Kierznowski posted on January 25, 2009 at 8:02 am

    As more and more people rely on blogging for income, security and continuity planning is becoming increasingly important!

    This is an excellent overview of what’s going on in the WordPress Security space. Great stuff Lorelle.


    • By Lorelle VanFossen posted on January 26, 2009 at 10:40 am

      @David: Thank you so much. What you and your BlogSecurity team do for the blogosphere is sincerely appreciated and necessary. I rely upon your work to help me learn more about the holes and problems with security issues facing the whole bloggy world, not just WordPress. Thank YOU.
