‘How To Guide’ for WordPress security and protecting websites (website security).

I’ve finally eradicated the virus that has plagued my WordPress blog for almost 2 weeks now! Woohoo, after a 2 week crash course in web security and learning how to lock down WordPress, it’s finally time for me to get back to blogging again!

As another ‘How To Guide’ for making WordPress secure, this post is an attempt to summarize some of the things that I learned about web security, the methods that I used to identify that malware was on my website, and the many resources I currently use to secure my website from future malware attacks.

Securing WordPress

About 2 weeks ago I realized that several of my websites were hacked and some malicious code had been inserted into them. I know I’m not the only one who has dealt with or is currently dealing with website hacking, viruses, malicious code injections, and overall blog security…so hopefully summarizing my experience will help someone out there get a handle on any problems they are having.

HOW I DISCOVERED THAT MY WEBSITE HAD BEEN HACKED

The first thing that brought a possible problem with my website to my attention was that someone mentioned to me that when they went to one of my websites their virus detector warned them that my site had malware. Since this was the first time I had heard of any problems with any of my websites, I was surprised and at first I didn’t believe it; I thought it might just be some tracking code that I use from Google Analytics or Quantcast (which was not the case).

The next thing that clued me in to the fact that malware had been injected into my website was that the RSS feed for my WordPress blog would no longer validate.

So after searching the WordPress forums I ended up shooting an email to WordPress Support, and I was pleasantly surprised that they responded quickly with an answer, but unpleasantly surprised when WordPress Support advised me that my website had been hacked! They noticed some JavaScript code stuck at the bottom of my index.php in the root WordPress directory that didn’t belong there since it was apparently injected outside of the closing html tag…

</html>

…at the bottom of the page.

I found validating the site’s RSS feed to be one of the best methods for quickly determining if a website has been hacked and injected with malware:

feedvalidator.org

To see if your website contains malware, go to feedvalidator.org and test whether your RSS feed validates. If your RSS feed doesn’t validate, then you probably have some malicious script injected into your web pages which makes the RSS feed malformed and prevents it from validating.

For WordPress users the URL for your RSS feed should be like this:

http://your-wordpress-domain.com/feed

What is my WordPress website’s RSS feed? Learn more… (update v1.4)

OTHER SYMPTOMS AND TELL-TALE SIGNS THAT MY WEBSITE HAD BEEN HACKED:

Another indicator that my site had been hacked was that I noticed that as one of my web pages loaded it would take an inordinate amount of time, and the status bar within the browser would show that my website was reaching out to some unfamiliar domain like zctk.ru or pwgegrsdfs.ru. I could see it happening, but when I searched my web pages with a word search these domains didn’t show up, since the malicious code was JavaScript with a bunch of unescape() calls on percent-encoded strings that hid these domains.

I even found some bogus code that was very well disguised to look like Google Analytics code (I think only a trained eye would even see this one). The bogus Google Analytics code was easy to spot once I knew where to look, since it was located outside of the head section and before the opening body tag towards the top of the page (normally the Google code is either just before the closing body tag at the bottom of the page or within the head). (update v1.4)

Also, when loading my site under Safari (which I only do on occasion since I am a big huge Firefox fan), I would get a warning that my site was unsafe and that Safari advised that I shouldn’t load that web page.

You can check your site for malware by using the free online tools Norton Safe Web or McAfee Site Advisor, but there is no guarantee that these sites will identify your site as having a virus (however these sites are useful for identifying suspected blacklist sites if they are notorious enough).

Digging deeper, to my horror and further embarrassment I discovered that not only was the virus injecting malicious code into my web pages, but it had also created a folder within the root of one of my parked web domains that contained about 100 html pages of some terrible stuff that I won’t mention here. This domain is not a place I would normally look at since it is a parked domain that I’ve had for over a year that I have tagged mentally for ‘long term’ plans for development and basically ignored, so there should have been nothing (no files or folders) within this domain.

Yet another reason why security should be the first thing on your mind even pertaining to parked domains or old installs of Joomla, WordPress, Drupal, etc.

SCOPE OF THE VIRUS PROBLEM:

I have several websites at various stages of development. This blog (www.milehighcentral.com) is a fairly recent WordPress site (2008) (see the post on this website’s history), hosted as an add-on domain under my main domain in my HostGator VPS account. Using add-on domains helps me manage my sites and my customers’ sites centrally with uniform security and management tools. Even though I have several websites, I initially suspected my WordPress site as the culprit since this virus seemed to show up soon after installing WordPress (although inconclusive, I later found that WordPress was not necessarily the leak in security; possibly Joomla was, since I hadn’t implemented any security for the domain containing the Joomla install once it was installed…I may never really know 100% if this was the case). With further investigation I found malicious code, in the form of either JavaScript or an iframe, injected outside of the closing html tag </html> at the bottom of just about every index.php, index.html, and default.html file within my whole website tree in my HostGator hosting package.

So the scope of the problem, like a cancer, seemed to have infiltrated all of my domains, not just my WordPress blog.

The infection included 2 Joomla sites, a standard HTML site, and a couple of parked domains awaiting development. (And as I mentioned, the virus may have originated with the Joomla install even though it was my WordPress install that I was focusing on fixing.) With even more investigation I found that malicious code had even infected directories outside of the public_html directory that I upload files to: the infection had also corrupted files within the ‘tmp‘ folder in the root of my HostGator account, which holds web logs and reports such as AWStats and Webalizer. With the knowledge that my whole web tree was infected and not just my WordPress blog, I knew I was in a real fight that could even affect my livelihood if I didn’t come out on top (and soon!), so I began searching the web in earnest for information on locking down all of my websites, not just on WordPress security.
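As an added example (not code from the original post), the following Python script automates the two checks described above: it walks a web tree looking for anything injected after the closing </html> tag in index and default files, decodes the JavaScript unescape() strings that kept the injected domains out of a plain word search, and checks an RSS feed body for well-formedness the way feedvalidator.org would flag it. The directory layout, file contents and the .invalid host names are all constructed for the demonstration.

```python
"""Find code injected after </html>, decode unescape() payloads, check feed XML.
Added example, not the post's own code. All sample files and hosts are constructed."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

TARGET_NAMES = re.compile(r"^(index|default)\.(php|html?)$", re.IGNORECASE)
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# unescape('...') / unescape("...") arguments: where the post found the hidden domains
UNESCAPE_ARG = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)
SUSPICIOUS = re.compile(r"<iframe|document\.write|eval\(|unescape\(", re.IGNORECASE)
HOST = re.compile(r"https?://((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def decode_unescapes(text):
    """Replace every unescape('%xx..') call with its percent-decoded argument."""
    return UNESCAPE_ARG.sub(lambda m: unquote(m.group(2)), text)


def trailing_content(html):
    """Whatever follows the last </html> tag (stripped); '' if nothing or no tag."""
    closes = list(CLOSE_HTML.finditer(html))
    return html[closes[-1].end():].strip() if closes else ""


def hidden_hosts(html):
    """Hosts that appear only inside decoded unescape() arguments, i.e. hosts a
    plain word search of the file would never find."""
    hidden = set()
    for m in UNESCAPE_ARG.finditer(html):
        hidden.update(h.lower() for h in HOST.findall(unquote(m.group(2))))
    visible = {h.lower() for h in HOST.findall(html)}
    return sorted(hidden - visible)


def inspect_file(path):
    """Return a finding dict for one file, or None when nothing looks injected."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        html = fh.read()
    tail = trailing_content(html)
    # search both the raw text and the decoded text so encoded payloads are seen
    hits = {m.group(0).lower() for m in SUSPICIOUS.finditer(html + decode_unescapes(html))}
    if not tail and not hits:
        return None
    return {
        "path": path,
        "trailing_bytes": len(tail),
        "suspicious": sorted(hits),
        "hosts": sorted({h.lower() for h in HOST.findall(decode_unescapes(tail))}),
        "hidden": hidden_hosts(html),
    }


def scan_tree(root):
    """Findings for every index/default file under root, paths relative to root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not TARGET_NAMES.match(name):
                continue
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                finding["path"] = os.path.relpath(finding["path"], root).replace(os.sep, "/")
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def feed_problem(feed_xml):
    """None if the feed is well-formed XML, else the parser's complaint (appended
    script tags produce 'junk after document element', which is why feeds stop validating)."""
    try:
        ET.fromstring(feed_xml)
        return None
    except ET.ParseError as exc:
        return str(exc)


def make_sample():
    """Constructed web tree: a clean site, a blog whose index.php has a fully
    percent-encoded payload after </html>, and a parked domain with an appended iframe."""
    root = tempfile.mkdtemp(prefix="webtree-")
    payload = '<script src="http://bad-example.invalid/x.js"></script>'  # placeholder host
    encoded = "".join("%%%02X" % b for b in payload.encode("ascii"))   # every byte as %XX
    files = {
        "site/index.html": "<html><head><title>ok</title></head><body>clean</body></html>\n",
        "blog/index.php": "<?php /* constructed sample */ ?>\n<html><body>blog</body></html>\n"
                          "<script>document.write(unescape('%s'))</script>\n" % encoded,
        "parked/default.html": "<html><body></body></html>\n"
                               '<iframe src="http://another-bad.invalid/" width="0" height="0"></iframe>\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

A theme or script that legitimately emits output after </html> will also be reported, so treat the findings as a list to review by hand rather than as a verdict.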

RECURRING PROBLEM – MY WEBSITE KEPT GETTING HACKED:

Before I list the steps that I took to finally gain victory over this malicious attack, which took 2 weeks out of my planned schedule to fix, I want to mention that going through the cycle below time and time again is what it took to eradicate this virus and to keep it from returning:

  1. I would remove the malicious code (once I learned all of the many places my website had been compromised)…
  2. Try a solution to secure my website (from the list below)…
  3. Give it a little time (usually 2-3 hours is all it would take for the malicious code to show up again)…
  4. Then look for signs of the virus to see if it was still present (usually attempting to validate my RSS feed was the quickest way to see if the virus had returned).
Rinse & repeat…

WHY LOCK DOWN AND SECURE WORDPRESS AND PROTECT YOUR WEBSITES:

I’m going to keep this short and simple. I recommend implementing the security measures mentioned within this post for even the casual blogger or website owner for the following reasons:

Keep malicious code and viruses from infecting your customers or site visitors.

Having a virus infected website hurts your reputation if you are a web developer, web designer, blogger, IT person, or just a self proclaimed ‘tech head’.

WordPress is the most popular blogging platform in the world, so if you use WordPress you are a huge target for malware and you will eventually become a web hack victim if you do nothing.

Don’t let your website be used by spammers.

Don’t let your website be used by unscrupulous jerks (putting it mildly to keep this G Rated!) who want to exploit your website for their malicious purposes.

Keep malicious code and viruses from infecting your local computers that you use to manage your website (and from obtaining passwords to other personal data).(update v1.1)

Viruses can hurt your bandwidth, your web traffic, and your search engine page ranking (and possibly cause havoc with your credit cards and other personal accounts). (update v1.1)

There are probably many more reasons!

WordPress is a great platform for blogging and creating websites, but out-of-the-box it has vulnerabilities that need to be addressed immediately after a new installation. I believe that new and unprotected installations of WordPress are where most malicious attacks occur.

Many WordPress users probably think they can simply:

  • Install WordPress.
  • Configure WordPress.
  • Install a theme.
  • Install some useful plugins.
  • Make some basic design modifications.
  • Begin blogging and live happily ever after!

Rather, what WordPress users should do immediately after installing WordPress is to do some basic research about WordPress security, then immediately implement basic security measures to lock down and secure WordPress before proceeding on to other tasks.

If WordPress users don’t immediately secure their WordPress installation they will likely soon become the victim of attacks that exploit those vulnerabilities, which typically means malware being injected into their website.

So I highly advise anyone starting out fresh with a new WordPress install or new WordPress site to take the necessary precautions as outlined below immediately.

Similarly, if you are a newbie with WordPress, Joomla, Drupal, Mambo, or any other CMS (Content Management System) or blogging platform, you should research and implement security measures as a priority before website creation and design. Every hour a site is not protected increases the chance of a ‘bot’ exploiting some aspect of a website installation. The vulnerability is especially exacerbated if you are not using a high quality Premium Theme. (update v1.4)

HOW TO LOCK DOWN WORDPRESS, REMOVE MALICIOUS CODE, AND PROTECT YOUR WEBSITES:

Most of the security measures outlined below apply to WordPress.org installs of WordPress (not WordPress.com blogs; see WordPress.com vs. WordPress.org for the difference between WordPress.com blogs and websites using installs of WordPress from WordPress.org) (update v1.4), and some apply to websites in general, but each platform has its own distinct methods for protecting against its vulnerabilities, so I encourage you to research what will suit your case best depending on your configuration.

In my recent research and in learning how to eradicate the malicious code that infected my websites, I learned that there is no ‘silver bullet‘ such as a simple plugin solution that solves every vulnerability and protects both your websites and your computer.

A multi-pronged approach with a diversified strategy is recommended as the best approach to protecting your website from the many various types of potential threats that exist.

SECURING WORDPRESS

The following is a summary of the steps that I took over the course of 2 weeks to secure WordPress and to eradicate a malicious virus that had infected my websites (with some further explanation and detail provided later in this post). I would recommend taking all of these measures (and perhaps more) as soon as possible to protect your WordPress blog and to protect all of your websites from malware:

  1. First make a backup of your website and all of your files. If you use WordPress I recommend the BackupBuddy plugin from iThemes (update v1.4).
  2. Start with a good web host provider who is known for good security (I recommend my company SiteSubscribe, which provides Managed WordPress Hosting, or HostGator) (update v1.4).
  3. Keep WordPress updated to the latest version (always backup first…the same goes for any other web platforms you may have installed such as Joomla, Drupal, etc).
  4. Use something other than admin for your Administrator username (using admin for your username gives hackers a huge advantage: they only have to guess your password and not both your username and password. Use a username that makes sense and is meaningful, but don’t use admin. On a new install you can simply create a new administrative account and delete the default admin account. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin'; or by using a MySQL frontend like phpMyAdmin. Or try the Better WP Security plugin.) (update v1.4).
  5. Identify if you have malware on your website.
  6. Remove any identified malicious code within your web pages by reviewing the remote pages either via FTP or using the web console provided by your web host; particularly look for and delete anything outside of the </html> tag (global search and replace doesn’t always work here since the threat may be disguised in various ways).
  7. Install the recommended essential security plugins for WordPress (listed on this page).
  8. Keep all of your plugins up-to-date (check for plugin updates daily if you can, or at least once per week).
  9. Install a high quality Premium Theme from StudioPress. I can’t emphasize enough how important this step is…this is the most likely reason why my site got hacked in the first place, since I don’t believe I was using a secure theme. (update v1.4)
  10. Keep your computer protected with anti-virus software (for my Mac only Norton Antivirus for Mac detected any viruses, where ClamXav and iAntiVirus did not detect anything).
  11. Use strong passwords. This is especially true for your FTP/SFTP login credentials. (Try this online password generator from pctools; don’t re-use the same passwords for many different accounts).
  12. Update your passwords frequently (if you are suspicious of a keylogger resident on your computer try calling in to your host provider to make changes over the phone and see if the virus persists, thereby ruling out keyloggers to some degree if the problem returns).
  13. Change the security keys in wp-config.php (use the online WordPress security key generator to replace the existing keys).
  14. CHMOD web file attributes (using the file manager within the web console provided by your web host):
    1. .htpasswd files to 640
    2. .htaccess files to 644
    3. index and default files to 644
    4. php files to 600
    5. chmod files that you really don’t want people to see as 400
    6. any requested 777 to 766 or even try 755 first instead (NEVER chmod 777, if something requires write access use 766 or 755)
  15. Place .htaccess files where needed (see securing your website using htaccess section of this post).
  16. Place empty index.html or index.php pages within the following directories: wp-content/plugins, wp-content/uploads, and wp-includes (use ‘silence is golden’ within comment tags within the index file so you remember that the index file is there just as a placeholder to block access to browsing files within that directory) (update v1.4).
  17. Add this line of code to your theme’s functions.php: add_filter('login_errors', create_function('$a', "return null;")); (create_function() was removed in PHP 8, so on current PHP use an anonymous function instead: add_filter('login_errors', function () { return null; });). This will suppress login error messages, which would otherwise let hackers know that they were half-way into your website. For example, the error message “Incorrect password” means the username is correct and the password is incorrect. Why give out that information and let the hacker know they are halfway there to cracking your credentials? (update v1.2)
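An added example, not from the original post, that audits a web tree against the permission list in step 14 and optionally applies the fixes: .htpasswd to 640, .htaccess to 644, index and default files to 644, other .php files to 600, and world-writable files to 755. Because 766 is still world-writable (rwxrw-rw-), the script uses the 755 value that step 14 says to try first; the sample tree, its paths and modes are constructed, and step 14.5 (hand-picking files for 400) is left to human judgement.

```python
"""Audit and optionally enforce the post's step-14 file permissions.
Added example, not the post's own code; the sample tree is constructed."""
import os
import stat
import tempfile


def target_mode(name, mode):
    """Permission bits the post prescribes for this file name/mode, or None if no rule applies."""
    lower = name.lower()
    if lower == ".htpasswd":
        return 0o640
    if lower == ".htaccess":
        return 0o644
    # index/default files are listed before the generic php rule, so index.php stays 644
    if lower.startswith(("index.", "default.")):
        return 0o644
    if lower.endswith(".php"):
        return 0o600
    # 777 (and 766, which still grants write to everyone) -> 755, the value to try first
    if mode & stat.S_IWOTH:
        return 0o755
    return None


def audit(root, apply=False):
    """Walk root and return sorted [(relative_path, current_mode, target_mode)] for every
    regular file whose mode differs from its target. With apply=True, chmod them as well."""
    deviations = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, etc.
                continue
            current = stat.S_IMODE(st.st_mode)
            target = target_mode(name, current)
            if target is None or target == current:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            deviations.append((rel, current, target))
            if apply:
                os.chmod(path, target)
    return sorted(deviations)


def format_report(deviations):
    """Human-readable dry-run lines such as 'public_html/.htaccess: 666 -> 644'."""
    return ["%s: %o -> %o" % (rel, cur, tgt) for rel, cur, tgt in deviations]


def make_sample():
    """Constructed web tree with the kind of loose modes found on a hacked shared-host account."""
    root = tempfile.mkdtemp(prefix="perms-")
    sample = {
        "public_html/.htaccess": 0o666,
        "public_html/.htpasswd": 0o644,
        "public_html/index.php": 0o644,               # already correct: not reported
        "public_html/wp-config.php": 0o644,
        "public_html/wp-content/uploads/cache": 0o777,
        "public_html/style.css": 0o644,               # no rule applies
    }
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = make_sample()
    print("\n".join(format_report(audit(root))))  # dry run first
    audit(root, apply=True)
    print("remaining deviations:", audit(root))  # []
```

Run the dry run and read the report before applying; the .php to 600 rule assumes PHP executes as the file owner (suPHP or PHP-FPM style), since under mod_php the web server user could no longer read those files.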

Other security options to consider for advanced users:

  • Rather than uploading your files using FTP, use SFTP or SSH (PuTTY is free SSH software; Coda and Dreamweaver also support SFTP and SSH) (update v1.4)
  • PHPIDS (PHP-Intrusion Detection System)
  • Maximum Security (looks promising but not available yet)

LIST OF ESSENTIAL WORDPRESS PLUGINS FOR SECURING YOUR WORDPRESS INSTALLATION:

These are the WordPress plugins that I currently recommend using related to security:

  1. Akismet (rated 10 out of 10)*: Part of a standard WordPress installation; identifies and blocks comment and trackback spam on blogs.
  2. Login Lockdown (rated 10 out of 10): Records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that IP. Highly configurable (update v1.4).
  3. Timthumb Vulnerability Scanner (rated 10 out of 10): Scans your wp-content directory for vulnerable instances of timthumb.php, and optionally upgrades them to a safe version (update v1.4).
  4. Block Bad Queries (BBQ) (rated 9 out of 10): Helps protect WordPress against malicious URL requests. BBQ checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either "eval(" or "base64" in the request URI (update v1.4).
  5. Bad Behavior (rated 9 out of 10): Blocks link spam and the robots which deliver it. (Note: Bad Behavior interferes with some ecommerce plugins.) (update v1.4)
  6. WordPress Firewall (rated 9 out of 10): Investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks (conflicts with FCK Editor).
  7. WP Security Scan (rated 9 out of 10): Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
  8. Better WP Security (rated 8 out of 10): Takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
  9. WordPress Table Rename (rated 8 out of 10): Facilitates renaming all WordPress tables with a custom prefix, helping prevent SQL injection attacks (conflicts with FCK Editor).
  10. DigoWatchWP (rated 8 out of 10): Scans your blog posts and pages for changes and sends email notification of any changes.
  11. Tyrone (rated 8 out of 10): Tyrone turns a WordPress installation into a website monitoring tool. Check the status of your sites, keep tabs on which need upgrading, and scan for known spam terms as well as changes to site content (update v1.4).
  12. Secure WordPress (rated 8 out of 10): Performs basic security housekeeping for WordPress: removes error information on the login page, adds index.html to the plugin directory, and removes the wp-version except in the admin area.
  13. WP Scanner (rated 8 out of 10): Scans your WordPress installation and provides a measure of your WordPress security level (requires installing WP-Scanner Activator; at the time of this writing their site was down and throwing an internal server error).
  14. Paranoid911 (rated 8 out of 10): Checks your WordPress directory with all subdirectories on the server’s filesystem and a few WordPress database tables for changes and sends an email when changes occur.
  15. Tinfoil Hat (rated 8 out of 10): Provides users with more configuration options regarding what information is sent by WordPress to sites other than your own.
  16. TTC WordPress Security Tool (rated 8 out of 10): Blocks cross-site scripting attempts by blocking the offending IP.
  17. Safer Cookie (rated 7 out of 10): Ties the WordPress session cookie to the user’s IP address, which ensures the cookie can’t be used to access the admin panel from another computer.
  18. Exploit Scanner (rated 7 out of 10): Searches the files on your website, and the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual filenames (update v1.4).
  19. HTML Purified (rated 7 out of 10): Replaces the default WordPress comment filters with HTML Purifier, a thorough HTML filtering library, to remove all malicious code (better known as XSS) from within comments (will also make your documents standards compliant).
  20. Limit Login Attempts (rated 7 out of 10): Limits the number of login attempts possible, therefore reducing brute-force password attacks.
  21. Anti Virus (rated 7 out of 10): Scans your blog’s files and will protect you when something is being downloaded to your computer (similar to the WP Scanner plugin but covers different issues).
  22. AskApache Password Protect (rated 6 out of 10): I was unable to use AskApache Password Protect since, based on the self-tests that this plugin runs, my particular web host configuration was shown not to support it, but if you are able to make it work then I advise you to give it a try.
  23. WordPress Tweaks (rated 6 out of 10): Adds many useful settings pertaining to comments, posts, SEO, security, and the administration back-end. (Note: I discovered that the 2nd and 3rd options of the Comments and Pings section of WordPress Tweaks are not compatible with the IntenseDebate plugin; disable these options if you use IntenseDebate.) (conflicts with FCK Editor).
  24. WP All-in-One tools (rated 6 out of 10): Performs basic security housekeeping for WordPress like replacing the WP-Version, editing the wp-config.php SECRET_KEY, fixing the image upload HTTP error, enforcing a minimum comment length, etc. (similar to the Secure WordPress plugin but covers different issues) (conflicts with FCK Editor).

Beware that not all plugins play well together. The plugins within this list all work together for me (with the exception of conflicts with FCK Editor), along with a couple of dozen other plugins that I am using. I find that I often need to do a process of elimination (disable plugins one-by-one) to find which plugins are not cooperating with other plugins. In fact, I have disabled some of these security plugins in favor of using FCK Editor (for the time being) since they don’t play well together (if my site ever gets hacked again I will probably change my mind on this one, or, more likely, I may just disable plugins that conflict with my WYSIWYG editor while creating posts, then turn them back on when I’m finished posting to ensure security). (update v1.1) Note that some security based plugins for WordPress directly help to protect your WordPress installation, and others only serve to notify you of any malicious activity so that you can take corrective action. *(Ratings are my own evaluation based on usefulness, features, and compatibility.)

For Advanced Users ONLY - SECURING YOUR WEBSITE USING .HTACCESS

Unless your site is a WordPress site/blog hosted by WordPress.com (like http://you.wordpress.com), then in addition to using security related plugins for WordPress and the other security methods mentioned already, you should also secure certain folder locations within your websites with .htaccess files containing directives that will help to prevent unauthorized access to and malicious attacks on your web files.

Htaccess files are plain text files containing server ‘directives’ that configure and manage how the web server handles your site’s directories. The file name always starts with a dot “.” like “.htaccess”, with no file extension (update v1.4).

Generally you would want to use FTP to make updates to your htaccess files, or you can also make changes directly within the file editor most web hosts provide in cPanel (though I don’t recommend this method since it is much more risky). I recommend downloading the latest htaccess file, making a duplicate, making any desired changes, then re-uploading the changed file (update v1.4).

Note: Some web hosts do not permit access to htaccess files. Also, in some cases, htaccess files are hidden system files that may not initially be viewable like under Mac’s Finder or Windows Explorer. You may need to change your computer settings or use a third party app to be able to view hidden files (if you are a Mac user try Pathfinder) (update v1.4).

There are a lot of things you can do with .htaccess files, and many ways to ‘skin a cat’ using .htaccess files, so again this is not a comprehensive ‘silver bullet’ solution, but one suggested way to protect yourself that should be combined with other protective measures.

There is a fine balance between securing your website using .htaccess and breaking functionality.

In other words if you aren’t really careful you may disable certain functionality on your website, especially with regard to WordPress plugins. So be sure to check your website functionality, like plugins, rotating banners, comments, and your Admin login each time you make a change with .htaccess.

Also run a check of your website functionality before using .htaccess, just to be sure it isn’t a plugin conflict (and not .htaccess) that is causing disruption to your website functionality. I found that I had to dumb down several of the .htaccess suggestions that others had made on their websites just so that my website would work properly (just comment out any offending lines by putting the pound character ‘#’ at the front of the directive until everything works). At the very least you should have an .htaccess file within the root of your public_html directory if you have many websites under that root, or possibly just the root of your website or WordPress installation if you are working with just one website.

Always make a backup of your .htaccess file before making any changes! (I like to copy the file, add a date to the file name, then add a .txt extension to it.) You may need to refer to an older working version if things go awry. (update v1.2)

Keep in mind that usually a simplified htaccess file will do the job, and if you are having any problems try commenting out lines that may be unnecessary.

Htaccess files are recursive, meaning if you place a .htaccess file in the root directory of your website then the scope of the .htaccess file also covers all subdirectories. Htaccess files located within subdomain directories or subdirectories will take precedence for that directory over .htaccess files located within higher level folders such as the root directory. This can be useful, for instance, for when you want to assign specific commands within your WordPress root or other sub-directories that apply only to WordPress or that particular folder but not to other sub-domains or folders within your public_html directory tree.

Below are the suggestions for your .htaccess files.

These are the areas where I have .htaccess files, with their associated directives. Having trouble reading the code? Download the text file here. (You’ll need to save each section from this text file as a different .htaccess file in the proper directory as indicated.) (update v1.1)

##############################################
			  # .htaccess_public_html
			##############################################

			#provided by htpp://milehighcentral.com

			# STRONG HTACCESS PROTECTION</code>
			  <Files ~ "^.*.([Hh][Tt][Aa])">
			  order allow,deny
			  deny from all
			  satisfy all
			  </Files>

			# DEFAULT SETTINGS
			  ##############################################
			  Options +ExecCGI -Indexes
			  Options +FollowSymLinks
			  Options -Indexes
			  DirectoryIndex index.html index.php /index.php default.htm

			### DEFAULTS ###
			  ServerSignature Off
			  AddType video/x-flv .flv
			  AddType application/x-shockwave-flash .swf
			  AddType image/x-icon .ico
			  AddDefaultCharset UTF-8
			  DefaultLanguage en-US
			  SetEnv TZ America/Denver
			  SetEnv SERVER_ADMIN webmaster@MileHighMarketingGroup.com

			# HEADERS and CACHING
			  ##############################################
			  #### CACHING ####
			  # YEAR
			  <FilesMatch ".(flv|gif|jpg|jpeg|png|ico)$">
			  Header set Cache-Control "max-age=2592000"
			  </FilesMatch>
			  # WEEK
			  <FilesMatch ".(js|css|pdf|swf)$">
			  Header set Cache-Control "max-age=604800"
			  </FilesMatch>
			  # 10 minutes
			  <FilesMatch ".(html|htm|txt)$">
			  Header set Cache-Control "max-age=600"
			  </FilesMatch>
			  # DONT CACHE
			  <FilesMatch ".(pl|php|cgi|spl|scgi|fcgi)$">
			  Header unset Cache-Control
			  </FilesMatch>

			### REWRITES ###
			  RewriteEngine On
			  RewriteBase /

			### SEO REDIRECTS ###
			  ##Redirect 301 /2006/uncategorized/milehighcentral.html http://www.^^SITE^^.^^TLD^^

			##############################################
			  #the following 2 blocks were borrowed from a Joomla install
			  ########## Begin - Rewrite rules to block out some common exploits
			  ## If you experience problems on your site block out the operations listed below
			  ## This attempts to block the most common type of exploit `attempts` to Joomla!
			  #
			  # Block out any script trying to set a mosConfig value through the URL
			  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR]
			  # Block out any script trying to base64_encode crap to send via URL
			  RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
			  # Block out any script that includes a <script> tag in URL
			  RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
			  # Block out any script trying to set a PHP GLOBALS variable via URL
			  RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
			  # Block out any script trying to modify a _REQUEST variable via URL
			  RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
			  # Send all blocked request to homepage with 403 Forbidden error!
			  RewriteRule ^(.*)$ index.php [F,L]
			  #
			  ########## End - Rewrite rules to block out some common exploits

			########## Begin - Joomla! core SEF Section
			  #
			  RewriteCond %{REQUEST_FILENAME} !-f
			  RewriteCond %{REQUEST_FILENAME} !-d
			  RewriteCond %{REQUEST_URI} !^/index.php
			  RewriteCond %{REQUEST_URI} (/|.php|.html|.htm|.feed|.pdf|.raw|/[^.]*)$  [NC]
			  RewriteRule (.*) index.php
			  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
			  #
			  ########## End - Joomla! core SEF Section
			  ##############################################

			##############################################
			  # http://perishablepress.com/press/2009/03/16/the-perishable-press-4g-blacklist/
			  ### PERISHABLE PRESS 4G BLACKLIST ###

			# FILTER REQUEST METHODS
			  <IfModule mod_rewrite.c>
			  RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
			  RewriteRule ^(.*)$ - [F,L]
			  </IfModule>

			# BLACKLIST CANDIDATES
			  # block individual IPs
			  <IfModule mod_rewrite.c>
			  RewriteEngine On
			  # MHTG added 6-4-09 (207.218.247.135 and 174.132.190.125 are theplanet.com)
			  # Apache does not allow a comment after a directive, so the notes live on their own lines;
			  # the LAST condition must not carry [OR], or the rule below fires for every visitor
			  RewriteCond %{REMOTE_ADDR} ^64\.246\.178\.34$ [OR]
			  RewriteCond %{REMOTE_ADDR} ^207\.218\.247\.135$ [OR]
			  RewriteCond %{REMOTE_ADDR} ^174\.132\.190\.125$
			  RewriteRule ^(.*)$ - [F,L]
			  # a 403 ([F]) cannot also redirect, and nothing runs after the [L] rule above, so the
			  # 'blocked' page variant stays commented; to use it instead, drop the rule above and use [R,L]
			  #RewriteRule ^(.*)$ http://milehighcentral.com/blocked.html [R,L]
			  </IfModule>

			# BLACKLIST CANDIDATES
			  <Files *>
			  #<Limit GET POST PUT>
			  # without 'Order Allow,Deny' Apache's default order (Deny,Allow) lets 'Allow from all'
			  # override every Deny below and the whole blacklist is inert, so Order is kept active here
			  Order Allow,Deny
			  Allow from all
			  Deny from 128.111.48.138  "# blacklist candidate 2008-02-10 = cryptic character strings "
			  Deny from 203.55.231.100  "# 1048 hits in 60 minutes"
			  Deny from 210.210.119.145 "# blacklist candidate 2008-05-31 = block _vpi.xml attacks "
			  Deny from 220.181.61.231  "# relentless spammer"
			  Deny from 24.19.202.10	  "# 1629 attacks in 90 minutes"
			  Deny from 64.15.69.17     "# 31 charcode hits"
			  Deny from 66.74.199.125   "# blacklist candidate 2008-10-19 = block mindless spider running "
			  Deny from 75.126.85.215   "# blacklist candidate 2008-01-02 = admin-ajax.php attack "
			  Deny from 77.103.132.126  "# 124 bg image hits"
			  Deny from 77.229.156.72   "# 166 hits in 45 minutes"
			  Deny from 80.13.62.213    "# 57 spam attempts"
			  Deny from 80.206.129.3    "# relentless spammer"
			  Deny from 84.122.143.99   "# blacklist candidate 2008-04-27 = block clam store loser "
			  Deny from 87.248.163.54   "# blacklist candidate 2008-03-09 = block administrative attacks "
			  Deny from 88.170.42.61    "# relentless spammer"
			  Deny from 89.122.29.127   "# 75 hits in 30 minutes"
			  Deny from 91.148.84.119   "# relentless spammer"

			#milehighcentral blacklist
			  Deny from 91.212.41.249   "# mhtg added 6-4-09 pwgegrsdfs.ru"
			  deny from 194.8			  "# deny IP range"
			  deny from 200.106.145.82
			  deny from 67.215.238.186
			  deny from 91.212.41.249

			#milehighcentral blacklist by domain
			  # 'deny from' takes a (partial) host name, not a regex; Apache compares it against the
			  # reverse-DNS name of the client, which needs HostnameLookups and costs a lookup per request
			  #deny from domain.com
			  deny from zctk.ru
			  deny from pwgegrsdfs.ru
			  #</Limit>
			  </Files>

			# USER AGENTS
			  SetEnvIfNoCase User-Agent "libwww" keep_out
			  SetEnvIfNoCase User-Agent "DotBot" keep_out
			  SetEnvIfNoCase User-Agent "Nutch"  keep_out
			  SetEnvIfNoCase User-Agent "cr4nk"  keep_out
			  <Limit GET POST PUT>
			  Order Allow,Deny
			  Allow from all
			  Deny from env=keep_out
			  </Limit>

			# QUERY STRING EXPLOITS
			  <IfModule mod_rewrite.c>
			  RewriteCond %{QUERY_STRING} \.\./    [NC,OR]
			  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
			  # note: tag= also matches WordPress's own ?tag= archive links; comment it out if you use them
			  RewriteCond %{QUERY_STRING} tag=     [NC,OR]
			  RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
			  RewriteCond %{QUERY_STRING} http:    [NC,OR]
			  RewriteCond %{QUERY_STRING} https:   [NC,OR]
			  RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
			  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
			  RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
			  RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
			  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
			  RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
			  RewriteRule ^(.*)$ - [F,L]
			  </IfModule>

			# CHARACTER STRINGS
			  <IfModule mod_alias.c>

			# BASIC CHARACTERS
			  # every pattern is a regex, so the metacharacters must be backslash-escaped;
			  # left unescaped, [ is a syntax error and ^ $ | .. match every request on the site
			  RedirectMatch 403 \,
			  RedirectMatch 403 \:
			  RedirectMatch 403 \;
			  RedirectMatch 403 \=
			  RedirectMatch 403 \@
			  RedirectMatch 403 \[
			  RedirectMatch 403 \]
			  RedirectMatch 403 \^
			  RedirectMatch 403 \`
			  RedirectMatch 403 \{
			  RedirectMatch 403 \}
			  RedirectMatch 403 \~
			  RedirectMatch 403 \"
			  RedirectMatch 403 \$
			  RedirectMatch 403 \<
			  RedirectMatch 403 \>
			  RedirectMatch 403 \|
			  RedirectMatch 403 \.\.
			  RedirectMatch 403 \/\/
			  RedirectMatch 403 \%0
			  RedirectMatch 403 \%A
			  RedirectMatch 403 \%B
			  RedirectMatch 403 \%C
			  RedirectMatch 403 \%D
			  RedirectMatch 403 \%E
			  RedirectMatch 403 \%F
			  RedirectMatch 403 \%22
			  RedirectMatch 403 \%27
			  RedirectMatch 403 \%28
			  RedirectMatch 403 \%29
			  RedirectMatch 403 \%3C
			  RedirectMatch 403 \%3E
			  RedirectMatch 403 \%3F
			  RedirectMatch 403 \%5B
			  RedirectMatch 403 \%5C
			  RedirectMatch 403 \%5D
			  RedirectMatch 403 \%7B
			  RedirectMatch 403 \%7C
			  RedirectMatch 403 \%7D

			# COMMON PATTERNS
			  Redirectmatch 403 \_vpi
			  RedirectMatch 403 \.inc
			  Redirectmatch 403 xAou6
			  Redirectmatch 403 db\_name
			  Redirectmatch 403 select\(
			  Redirectmatch 403 convert\(
			  Redirectmatch 403 \/query\/
			  RedirectMatch 403 ImpEvData
			  Redirectmatch 403 \.XMLHTTP
			  Redirectmatch 403 proxydeny
			  RedirectMatch 403 function\.
			  Redirectmatch 403 remoteFile
			  Redirectmatch 403 servername
			  Redirectmatch 403 \&rptmode\=
			  Redirectmatch 403 sys\_cpanel
			  RedirectMatch 403 db\_connect
			  RedirectMatch 403 doeditconfig
			  RedirectMatch 403 check\_proxy
			  Redirectmatch 403 system\_user
			  Redirectmatch 403 \/\(null\)\/
			  Redirectmatch 403 clientrequest
			  Redirectmatch 403 option\_value
			  RedirectMatch 403 ref\.outcontrol

			# SPECIFIC EXPLOITS
			  # these match the URL path only (not the query string) and are case-sensitive
			  RedirectMatch 403 errors\.
			  #RedirectMatch 403 config\. #this line conflicts with Deans FCK Editor WP plugin
			  RedirectMatch 403 include\.
			  RedirectMatch 403 display\.
			  RedirectMatch 403 register\.
			  Redirectmatch 403 password\.
			  RedirectMatch 403 maincore\.
			  RedirectMatch 403 authorize\.
			  Redirectmatch 403 macromates\.
			  RedirectMatch 403 head\_auth\.
			  RedirectMatch 403 submit\_links\.
			  RedirectMatch 403 change\_action\.
			  Redirectmatch 403 com\_facileforms\/
			  RedirectMatch 403 admin\_db\_utilities\.
			  RedirectMatch 403 admin\.webring\.docs\.
			  Redirectmatch 403 Table\/Latest\/index\.

			</IfModule>

			#http://perishablepress.com/press/2007/10/15/ultimate-htaccess-blacklist-2-compressed-version/
			  # Ultimate htaccess Blacklist 2 from Perishable Press
			  # Deny domain access to spammers and other scumbags
			  RewriteEngine on
			  RewriteBase /
			  # the pattern contains spaces, so it is quoted as one argument; it is a case-insensitive
			  # substring match, so short entries such as Link, Ping, Proxy, email, Website and Generic
			  # will also hit legitimate agents whose names contain those words
			  RewriteCond %{HTTP_USER_AGENT} "ADSARobot|ah-ha|almaden|aktuelles|Anarchie|amzn_assoc|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|big.brother|BlackWidow|bmclient|Boston Project|BravoBrian SpiderEngine MarcoPolo|Bot mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Collector|Copier|Crescent|Crescent Internet ToolPak|Custo|cyberalert|DA$|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo Pump|DISCoFinder|Download Demon|Download Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx.net|Email Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites Sweeper|Fetch|FEZhead|FileHound|FlashGet WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green Research|grub-client|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|http generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image Stripper|Image Sucker|imagefetch|IncyWincy|Indy*Library|Indy Library|informant|Ingelin|InterGET|Internet Ninja|InternetLinkagent|Internet Ninja|InternetSeer.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC Web Spider|JustView|KWebGet|Lachesis|larbin|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac Finder|Mag-Net|Mass Downloader|MCspider|Memo|Microsoft.URL|MIDown tool|Mirror|Missigua Locator|Mister PiX|MMMtoCrawl/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS FrontPage*|MSFrontPage|MSIECrawler|MSProxy|multithreaddb|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net Vampire|NetZIP|NetZip Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|Octopus|Offline Explorer|Offline Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|PageGrabber|Papa Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pockey|Proxy|psbot|PSurf|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms.it|Second Street Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web Downloader|w3mir|Web Data Extractor|Web Image Collector|Web Sucker|Wweb|WebAuto|WebBandit|web.by.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website eXtractor|Website Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon WebSpider|WUMPUS|Xenu|XGET|Zeus.*Webster|Zeus" [NC]
			  RewriteRule ^.* - [F,L]

			# prevent proxy access
			  # note: this also turns away legitimate visitors behind corporate proxies, and every visitor
			  # if a CDN or reverse proxy sits in front of the site, since those add X-Forwarded-For;
			  # %{HTTP:name} looks a header up by its wire name, so the names are written hyphenated here
			  RewriteEngine on
			  RewriteCond %{HTTP:Via} !^$ [OR]
			  RewriteCond %{HTTP:Forwarded} !^$ [OR]
			  RewriteCond %{HTTP:Useragent-Via} !^$ [OR]
			  RewriteCond %{HTTP:X-Forwarded-For} !^$ [OR]
			  RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
			  RewriteCond %{HTTP:XProxy-Connection} !^$ [OR]
			  RewriteCond %{HTTP:Pc-Remote-Addr} !^$ [OR]
			  RewriteCond %{HTTP:Client-IP} !^$
			  RewriteRule .* - [F]

			# end: http://perishablepress.com/press/2009/03/16/the-perishable-press-4g-blacklist/
			  #####################################################

			#disable hotlinking (for low traffic sites maybe not worth using due to performance trade-off)
			  RewriteEngine on
			  # let through requests with no referer (direct visits, feed readers, some privacy tools)
			  RewriteCond %{HTTP_REFERER} !^$
			  #RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$  [NC]
			  RewriteCond %{HTTP_REFERER} !^http://(www\.)?milehighcentral\.com/.*$  [NC]
			  RewriteCond %{HTTP_REFERER} !^http://(www\.)?milehighmarketing\.com/.*$  [NC]
			  # the conditions above gate this rule, which refuses image requests referred from other sites
			  RewriteRule \.(gif|jpe?g|png)$ - [NC,F,L]

			#redirect robots
			  #RedirectMatch 301 ^/(.*)/robots\.txt http://yourdomain.com/robots.txt
			  RedirectMatch 301 ^/(.*)/robots\.txt http://milehighcentral.com/robots.txt

			# END .htaccess_public_html
			  #####################################################

			#####################################################
			  # htaccess_WordPress_root_directory
			#####################################################

			### WORDPRESS ###
			  # BEGIN WordPress
			  # protect index.html
			  <files index.html>
			  order allow,deny
			  deny from all
			  </files>

			# protect wpconfig.php
			  <files wp-config.php>
			  order allow,deny
			  deny from all
			  </files>

			<IfModule mod_rewrite.c>
			  RewriteEngine On
			  RewriteBase /
			  RewriteCond %{REQUEST_FILENAME} !-f
			  RewriteCond %{REQUEST_FILENAME} !-d
			  RewriteRule . /index.php [L]
			  </IfModule>

			### SEO REDIRECTS ###
			  ##Redirect 301 /2006/uncategorized/htaccesselitecom-aboutus.html http://www.^^SITE^^.^^TLD^^
			  Redirect 301 /2009/06/how-to-guide-for-securing-wordpress-and-protecting-websites/ /how-to-guide-for-securing-wordpress-and-protecting-websites/

			# END WordPress

			# END htaccess_WordPress_root_directory
			  #####################################################

			#####################################################
			  # .htaccess_wp-admin
			#####################################################

			#IP authentication method
			  <IfModule mod_rewrite.c>
			  RewriteEngine On
			  #RewriteCond %{REMOTE_ADDR} !^71\.33\.162\.98$ # edit to account for your static IP
			  RewriteCond %{REMOTE_ADDR} !^65\.102\.224\.100$
			  # admin-ajax.php is requested from the public front end by many themes and plugins,
			  # so exempt it or those features break for every visitor outside the allowed IP
			  RewriteCond %{REQUEST_URI} !admin-ajax\.php$

			#RewriteRule ^(.*)$ http://yourdomain.com/blocked.html [F,L] # redirect unauthorized access to 'blocked' page
			  RewriteRule .* http://www.milehighcentral.com/blocked.html [R,L]
			  </IfModule>

			#alternate IP authentication
			  #This works if you have a static IP or a dynamic IP range that you can use:
			  #order deny,allow
			  #allow from 71.33.162.98 # This is your static IP
			  #for dynamic IP range use: 71.33 #(Unfortunately the IP ranges that are allocated to me from my ISP are all over the place so I haven't been able to use this consistently.)
			  #deny from all

			#password authentication method
			  #<Files ~ ".(php)$">
			  #AuthUserFile /etc/httpd/htpasswd # reference not working for me
			  #AuthType Basic
			  #AuthName "restricted"
			  #Order Deny,Allow
			  #Deny from all
			  #Require valid-user
			  #Satisfy any
			  #</Files>

			# END .htaccess_wp-admin
			  #####################################################

			#####################################################
			  # .htaccess_wp-content
			#####################################################

			### WORDPRESS ###
			  # BEGIN WordPress
			  # protect index.html
			  <files index.html>
			  order allow,deny
			  deny from all
			  </files>
			  # END WordPress

			#deny from all
			  #allow specific plugins if you use 'deny from all' by un-remarking
			  #(<Files> matches the bare file name only, never a path, so the plugin directory is left off)
			  #<Files "content-gallery.php"> # featured-content-gallery/content-gallery.php
			  # Allow from all
			  #</Files>

			#<Files "gallery.php"> # featured-content-gallery/gallery.php
			  # Allow from all
			  #</Files>

			#<Files "options.php"> # featured-content-gallery/options.php
			  # Allow from all
			  #</Files>

			#this didn't work for me
			  #Order Allow,Deny
			  #Deny from all
			  #<Files ~ "\.(css|jpe?g|png|gif|js)$">
			  # Allow from all
			  #</Files>

			# END .htaccess_wp-content
			#####################################################

			#####################################################
			  # .htaccess_wp-content/plugins
			#####################################################

			### WORDPRESS ###
			  # BEGIN WordPress

			# <Files> matches the bare file name only, never a path, so the plugin directory is left off
			# (the allow then applies to any file of that name below this directory)
			# featured-content-gallery/content-gallery.php
			<Files "content-gallery.php">
			  Allow from all
			  </Files>

			# featured-content-gallery/gallery.php
			<Files "gallery.php">
			  Allow from all
			  </Files>

			# featured-content-gallery/options.php
			<Files "options.php">
			  Allow from all
			  </Files>

			# intensedebate/class.json.php
			<Files "class.json.php">
			  Allow from all
			  </Files>

			# intensedebate/intensedebate-comment-template.php
			<Files "intensedebate-comment-template.php">
			  Allow from all
			  </Files>

			# intensedebate/intensedebate.php
			<Files "intensedebate.php">
			  Allow from all
			  </Files>

			# END .htaccess_wp-content/plugins
			  #####################################################

			#####################################################
			  # .htaccess_backup-db
			#####################################################

			# any file name containing a dot, i.e. every backup file in this directory
			<Files ~ ".*\..*">
			  order allow,deny
			  deny from all
			  </Files>

			# END .htaccess_backup-db
			  #####################################################

			#####################################################
			  # .htaccess_wp-includes
			#####################################################

			### WORDPRESS ###
			  # BEGIN WordPress
			  # protect index.html
			  <files index.html>
			  order allow,deny
			  deny from all
			  </files>

			#this disables my WSIWIG editor so it is not working
			  #Order Allow,Deny
			  #Deny from all
			  #<Files ~ "js/tinymce/.*$">
			  #Allow from all
			  #</Files>
			  # END WordPress

			#this is not working either
			  #Order Allow,Deny
			  #Deny from all
			  #<Files ~ "\.(css|jpe?g|png|gif|js)$">
			  # Allow from all
			  #</Files>

			# END .htaccess_wp-includes
			  #####################################################


Having trouble reading the code? Download the text file here (.htaccess file download as .txt file). (You’ll need to save each section from this text file as a separate .htaccess file in the proper directory as indicated.) (update v1.1) So as you can see I’m still working on a useful solution for protecting wp-admin and wp-includes that adds some protection without disabling functionality, so (to a lesser degree) the research continues. Explaining all of this .htaccess code is outside the scope of this article, and I am not the best person to explain it, so please reference the resources listed below for further explanation of .htaccess commands.
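Because every rule in the blacklist sections above is a substring or character-class match, the cleanest way to learn what they will do to your own traffic is to replay sample requests through them before enabling the block. The following Python script is an added example, not code from the original post or from the Perishable Press and Joomla sources it borrows; it transcribes the QUERY STRING EXPLOITS conditions and a few RedirectMatch lines from above (with their backslashes restored) and reports which of a set of constructed sample requests each would turn into a 403.

```python
import re

# QUERY STRING EXPLOITS conditions from the 4G blacklist section above,
# transcribed with their backslashes restored. Apache tests them against the
# raw, still-percent-encoded query string, case-insensitively ([NC]).
QUERY_STRING_RULES = [
    (r"\.\./", "directory traversal"),
    (r"boot\.ini", "boot.ini"),
    (r"tag=", "tag="),
    (r"ftp:", "ftp:"),
    (r"http:", "http:"),
    (r"https:", "https:"),
    (r"mosConfig", "mosConfig"),
    (r"^.*(\[|\]|\(|\)|<|>|'|\"|;|\?|\*).*", "metacharacters"),
    (r"^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).*", "encoded metacharacters"),
    (r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*", "encoded control bytes or loopback"),
    (r"^.*(globals|encode|localhost|loopback).*", "globals/encode/localhost"),
    (r"^.*(request|select|insert|union|declare|drop).*", "SQL keywords"),
]

# A handful of the RedirectMatch rules from the CHARACTER STRINGS section.
# mod_alias applies these to the URL path only (never the query string) and,
# unlike the RewriteConds above, case-sensitively.
PATH_RULES = [
    (r"\.inc", ".inc"),
    (r"select\(", "select("),
    (r"config\.", "config."),    # the line the post comments out for its FCK editor plugin
    (r"include\.", "include."),
]


def matching_rules(rules, subject, ignore_case):
    """Labels of every rule whose regex matches 'subject', in .htaccess order."""
    flags = re.IGNORECASE if ignore_case else 0
    return [label for pattern, label in rules if re.search(pattern, subject, flags)]


def audit_query_strings(query_strings):
    """Map each query string to the labels of the conditions that would block it.

    Every condition except the last carries [OR], so the chain is one big OR:
    a single match is enough for 'RewriteRule ^(.*)$ - [F,L]' to answer 403.
    """
    return {qs: matching_rules(QUERY_STRING_RULES, qs, True) for qs in query_strings}


def audit_paths(paths):
    """Map each URL path to the RedirectMatch labels that would 403 it."""
    return {p: matching_rules(PATH_RULES, p, False) for p in paths}


def blocked(audit):
    """The subjects of an audit that at least one rule hits, in input order."""
    return [subject for subject, labels in audit.items() if labels]


# Constructed sample requests: ordinary WordPress traffic plus one request of
# the kind the block exists for. Paths and plugin names are made up.
SAMPLE_QUERY_STRINGS = [
    "p=123",                    # default permalink to a post
    "s=wordpress+security",     # site search
    "tag=htaccess",             # tag archive under default permalinks
    "s=what's+new",             # search containing an apostrophe
    "s=how+to+insert+images",   # search containing an SQL keyword
    "s=%22exact+phrase%22",     # quoted search phrase, as a browser encodes it
    "page=../../boot.ini",      # the traversal probe the rules target
]

SAMPLE_PATHS = [
    "/2009/06/how-to-guide-for-securing-wordpress-and-protecting-websites/",
    "/wp-includes/js/tinymce/tiny_mce.js",
    "/wp-content/plugins/example-plugin/config.php",
    "/wp-content/themes/example-theme/lib.inc.php",
]

if __name__ == "__main__":
    for subject, labels in audit_query_strings(SAMPLE_QUERY_STRINGS).items():
        verdict = "403 " + ", ".join(labels) if labels else "allowed"
        print(f"?{subject:28} -> {verdict}")
    for subject, labels in audit_paths(SAMPLE_PATHS).items():
        verdict = "403 " + ", ".join(labels) if labels else "allowed"
        print(f"{subject:70} -> {verdict}")
```

Four of the seven ordinary query strings come back as 403s, which is the false-positive rate you want to know before the rules go live rather than from visitor complaints.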

Advanced users can read here for more information about .htaccess files.

RECOMMENDED RESOURCES FOR SECURING WORDPRESS AND PROTECTING YOUR WEBSITES:

If you are not an advanced user you can just implement the suggestions within this post (implementing a few of the suggested WordPress security related plugins as a minimum security measure) and bypass reading any of this other stuff…your choice.

The following are recommended resources for learning more about how to best secure your WordPress installation, a.k.a. ‘locking down WordPress‘ or ‘hardening WordPress‘, along with best practices for general website protection:

The above resource list is my best attempt to give credit where credit is due…so thank you to all of those who have shared this valuable security related information freely on the internet!

PLEASE SHARE YOUR KNOWLEDGE AND CONSTRUCTIVE COMMENTS:

Please feel free to comment on or correct anything within this post since I don’t claim to be a WordPress, .htaccess, or website security guru!

Actually I’m pretty sure my site isn’t as secure as it needs to be…so please lend your advice. I’m certain that there are many other ways to lock down WordPress and to further secure websites beyond what I have put into place or noted. This is not by any means an all inclusive or exhaustive list for how to secure your websites, and there are certainly many other extremely qualified folks out there who have something to offer regarding ‘hardening WordPress‘ and website security. So I invite others to post constructive comments that provide additional resources and helpful advice on:

How to prevent website hacking to protect your websites in the first place (WordPress and general websites).

How to detect malware and malicious code to know that it is present in order to respond as quickly as possible in the event of a website hack.

How to eradicate malware once it is discovered including the best steps to take to deal with malware infections.

If you are a blog security or web security expert, here’s your chance to post a link back to your website!

PROBABLY NOT THE END OF THE STORY:

Even though my websites seem safe for now, one thing I’ve always known, but am taking to heart especially now, is that the bad guys (like their evil master) are always coming up with new ways to exploit websites and computers and any vulnerabilities they can find. So this saga will likely continue as technology evolves and new exploits arise. WordPress has recently (Wednesday June 10th, 2009) upgraded from version 2.7.1 to 2.8, so I am hoping that with this upgrade that the folks at WordPress have incorporated more built-in security measures in addition to some promising new features. Yet with every upgrade of any software there are inevitably new vulnerabilities that arise, particularly with 3rd party plugins. I’m certainly not an expert after a 3-4 week crash course on web security, but at least I think that because of this struggle I’ve learned something about blog security and web security (and implemented it), so I feel I am actually in a better place for the struggle that I’ve had to fight (kind of like life in general). And I hope that by taking the time to write this post that some folks out there will also be better off. Let me know if this helps you! Please link back to this site, and Stumble it!, Tweet it, Facebook share it, and the like. As always, I’d like to hear your comments.

Has your website been hacked yet? It is only a matter of time…

(update v1.2) Website security is a common problem for many website owners and webmasters, so if you need help I now offer as part of my overall web services a Web Security Service that will get rid of any viruses infecting your website and secure your website from future attacks.

The cost for this Web Security Service is typically a one time charge of $250 for most websites, with an option starting at $50/month for continued monitoring and updated protection. With my Web Security Service implemented you can go about your business with peace of mind and not have to deal with the time consuming problem of security, which for me took a full month out of my busy schedule and also took my site down for a while. I think you will find it is well worth the cost of having someone else (like myself as a consultant) deal with any security problems you are facing and to ensure that your website is protected from hacks so that you can focus on your core business and not wake up each day wondering if your site has been hacked.

Let me know if you’d be interested in having me manage your website security, and generally let me know how it goes for you. I also offer Managed WordPress Hosting as a great option for overall security and WordPress/plugin updates.

If you don’t hire me or have me host and manage your website, I encourage you to be proactive in securing your website at least in some way.

Annotated updates:
v1.1 Updates made 6/16/2009
v1.2 Updates made 6/19/2009
v1.3 added resource link 1/11/2010
v1.4 minor content updates 12/27/2011

This post was originally posted June 2009 and has subsequently been updated through December 2011 since after almost 3 years there is more that I’ve learned. (update v1.4)

It’s now March 2014 and not much has changed…this article still applies, and most of the techniques and plugins are the same ones recommended today!

Author MileHigh (303 Posts)

Jeff Kemp is a Denver based Home Inspector and ‘General Technologist’ with over 15 years of product management, project management, web design, graphic design, high-tech marketing, internet, and technical writing experience with insight into several industries including aerospace/avionics, consumer electronics, SaaS, and printing/publishing.


Comments

  1. Hi Jeff, I stumbled onto your blog today while Googling for ideas
    to improve WordPress security. My website, www.truthalyzer.com, has been
    repeatedly hacked in recent months, and I've been hardening it as I
    have found tips about plugins, modifications to .htaccess, and
    other protective measures. Like you, I still feel vulnerable, even
    though my site is now bristling with armor. You mention some ways
    to tell if your site's been hacked, all of which I will use in the
    future. I never would have thought of the RSS Feed Evaluator. The
    clue I always see first is that I can't login. Is that common or
    unique to my site and hacker(s)? Oh, and the second clue is that my
    host has taken my site down and quarantined it. That's only
    happened once, because I've gotten adept at restoring my site soon
    after it's been hacked. I back up often, so it's easy for me to go
    into phpMyAdmin and import a backup to replace the infected files.
    But your post has me worried about what still might be lurking in
    other files and even directories of my former or temporarily
    "parked" sites. I've added the IP addresses you (and Perishable
    Press) provided to the ones already in my blacklist (because they
    attacked my site). In addition to the .htaccess blacklist, should I
    be reporting offending IP addresses to somebody? I've added several
    routines you and Perishable Press suggest to .htaccess (e.g. to
    protect the htaccess and config files), but I'm reluctant to add
    other routines until I understand more about what they do. That
    will take more research on the internet. I've updated to WordPress
    2.8 and experienced no problems with it, but I am not aware of any
    security enhancements it provides over 2.7.1. Are you? I'm going to
    bookmark your site, because it's well-written and full of
    interesting and useful information. I'll probably make some
    comments on other posts, too, such as the one about your recent
    transition from years of Windows on PCs to OS X on an iMac, an
    experience that we share. Beyond that, if you'll indulge me, I'd
    like to make two more comments. For starters, there's a spelling
    error in the very first sentence of your above post that needs to
    be "eradicated." But more importantly, your site theme doesn't
    match your site content. You're high tech. It's earthy. You're
    contemporary. It's retro. I suggest a makeover. Earlier this year I
    realized my site didn't match my content, so I changed my theme to
    a magazine format, and it's made a huge difference. I don't have
    any particular themes to suggest for your site, but almost anything
    brighter and more 21st century would be an improvement.
    Congratulations on winning the most recent battle against the
    hackers, and best of luck in future clashes. Gib

    • Hi Gib: Thanks for the great feedback. There are lots of things
      here to reply to… -I found when I was hacked that sometimes I
      couldn't log in, or my site wouldn't load. But for the really
      tricky code it was harder to tell. I had to dig deeper. My host
      provider (HostGator) never quarantined any of my pages. -I did do a
      full re-install the first time I noticed I was hacked, but it did
      no good since I was hacked again almost immediately. So now I just
      look for fixing things rather than re-installing or re-importing.
      -I think .htaccess files will be a work in progress, so if you have
      any suggestions for updating them (or other good plugins) let me
      know. One thing I am using that isn't really security related is
      redirecting pages when I change the permalink like so: ### SEO
      REDIRECTS ### ##Redirect 301
      /2006/uncategorized/htaccesselitecom-aboutus.html
      http://www.^^SITE^^.^^TLD^^ Redirect 301
      /2009/06/how-to-guide-for-securing-wordpress-and-protecting-websites/
      /how-to-guide-for-securing-wordpress-and-protecting-websites/ -I
      would send any new IP's for blacklisting to me and also to Jeff at
      PerishablePress. I'll be collecting and updating my own list, but
      may re-include a new PerishablePress list if they do an update. So
      this way I'll be sure to have your 'bad guys' included in my list
      for the short term. -For .htaccess routines you don't fully
      understand you can always try them out and then remark out or
      delete new things that aren't working. -I'm hoping to update to WP
      2.8 this weekend. I haven't heard of any security specific upgrades
      over 2.7.1. -Thanks for bookmarking me. You might also want to
      follow on Twitter and RSS. Feel free to comment on other posts.
      -I'll check out your site a bit later when I get a chance (probably
      over the weekend). -I thought the theme was 'cool' and a bit
      'edgy'. The term 'retro' never entered my mind. However, I will
      take your suggestion for a new theme under consideration. Maybe if
      I hear your sentiment again from another reader I'll make a change.
      BTW, you said you changed your theme…how many hits were you
      getting vs. now? Thanks again for the feedback! ~MileHighTechGuy
      (Jeff)

  2. I noticed your site was down earlier today for maintenance. Hope
    you weren't under attack by evil web bots. Meanwhile, on http://www.truthalyzer.com I've been modifying htaccess as you suggested,
    one module at a time to make sure there's no problem with my
    plugins or other functioning. Now I've got the htaccess and
    wp-config files protected, I've prevented directory listing, added
    lots of blacklisted IP addresses, prevented string exploits and
    robots, redirected problem character strings, and protected against
    hotlinks and user agents. After that, I returned to WordPress,
    feeling safe and secure, only to find a PHANTOM USER with
    administrative privileges!!! "Administrator (3)" the User page
    said, but that's one more than was listed below and than I had
    created. I used phpMyAdmin to identify the phantom user, who was
    named "Google" and who's been able to come and go as he pleased
    while I've been restoring WordPress after his hacks and supposedly
    hardening my site by adding plugins and all that htaccess code. I
    deleted Mr. Google, whose name probably indicates his objective, to
    hijack visitors to my site and boost his own ratings and sales. Do
    you think all my hardening will keep him out, or might he have left
    some code and files behind to make it easy to return?

    • I wouldn't take anything for granted. We know how tricky/sneaky
      these guys are. Especially since you know someone got into your
      site I would check around for anything suspicious. Sorry to hear
      you had another hacker visit. I hope it has nothing to do with
      upgrading to WP 2.8. I'm in process of upgrading WordPress, backing
      up, etc. So I am in and out of maintenance mode this weekend. I'm
      also hoping that while I'm 'in-between' that I don't get hacked
      again myself. Hope everything works out for you. I'll probably be
      offline a bit after this.

  3. Yesterday I found the reason why none of the security measures I've
    taken to harden my website over the last few months — not the
    passwords, the plugins, the changes to htaccess, none of it — has
    prevented www.truthalyzer.com from being
    hacked. I found an INVISIBLE ADMINISTRATOR!!! I was finally getting
    around to replacing my default "admin" user name with something
    less predictable. I had previously strengthened the password and
    eliminated multiple unsuccessful attempts with Login Lockdown, so I
    didn't really think it was crucial to change the name. But just to
    make sure that wasn't how someone was getting in, I changed it. In
    so doing, I finally noticed something that must have been right
    there in front of me for months: "Administrators (3)" was right
    there at the top of the user page, but there were only two users
    listed below with administrator privileges. It was like noticing
    the shoes of someone hiding behind my bedroom curtains. I logged
    into the host site and used phpMyAdmin to track the hacker
    administrator down. "Google" is the username he chose. That's
    probably a clue about what he was up to, somehow referring visitors
    to his site to boost his Google rating and his advertising revenue.
    I deleted him, but now what? How did he get in? How did he make his
    username invisible on my user page? Will my recent security changes
    keep him out? What changes did he make to my files before I found
    him? Gib

    • Hey Gib, I don't know if I ever replied to your question of how someone got into your WordPress site with Administrator role. I would say that the most likely scenario for that is he either got a hold of your WordPress password or your FTP password. Try changing those passwords on a regular basis and make them hard to crack. ~Jeff

  4. Hello, thank you for the great quality of your blog; every time I
    come here, I'm amazed.

  5. In searching for sites related to web hosting and specifically
    comparison hosting linux plan web, your site came up.

  6. Keep working ,great job!

  7. You have done really very good site. Great work, great site! Thank you!

  8. thank for the information, it really help me to protected my blog.

  9. Shox Turbo says:

    Your good blog with extraordinary opinions has attracted me so much. It will be no doubt an excellent blog.

  10. nba Jerseys says:

    Thanks for good news!

  11. Great job man! All the best! Thank you!

  12. Thanks for this information. My sister has been wondering about this topic for a while.

  13. I've also been wondering about the very same point personally recently.

  14. ED Hardee Clothing says:

    Very frequently I visit this internet site. It very greatly is satisfying to me. Thanks the author

  15. I am really impressed by this blog. I have always found it informative and updated

  16. Hello There. I discovered your weblog using msn. This
    is a very smartly written article. I’ll make sure to bookmark it and come back
    to read more of your useful information. Thank you for the post.
    I’ll definitely come back.

  17. My partner and I stumbled over here from a different web
    page and thought I might as well check things out. I like what I
    see, so now I am following you. Look forward to looking into your web page yet again.

  18. We’re a bunch of volunteers and opening a brand new scheme in
    our community. Your site offered us with valuable information to work on.
    You’ve performed an impressive task and our whole community
    will likely be thankful to you.

  19. farewell quotes says:

    What’s up to every body, it’s my first go to see of
    this blog; this website contains awesome and actually fine information designed for readers.

  20. http://www.slideshare.net/ says:

    Using an internet marketing plan is an ongoing process,
    and identifying website goals, developing a plan, optimizing a site
    appropriately, measuring the results, and reacting accordingly
    all help in developing more effective internet marketing strategies for small
    businesses like yours. Search Engine Optimization is an online marketing strategy
    used to help with making your website appear as high and achievable in the search results of the big search
    engines like Google, Bing and Yahoo.

  21. Multi Level Marketing says:

    I got this website from my buddy who shared with me
    on the topic of this site and at the moment this
    time I am browsing this web site and reading very informative articles
    or reviews here.

  22. You need to be a part of a contest for one of the best blogs on the web.

    I most certainly will recommend this blog!

  23. Commonly purchased from vendors that provide data based
    on a set of customer profiles or demographics, compiled lists generally include people test
    marketing design who may or may not be realizing that you are offering.
    We used to put ads right in the first time. Since
    we started, I used a private mailing service.

  24. binary options Daily news says:

    Wow, this piece of writing is good, my sister is analyzing these things, therefore
    I am going to tell her.

  25. Have you ever considered writing an e-book or guest authoring on other blogs?
    I have a blog centered on the same topics you discuss and
    would love to have you share some stories/information.
    I know my subscribers would value your work. If you are even remotely interested, feel free to send me an e-mail.

  26. toabaita-authority.blogspot.co.nz says:

    Do you have any video of that? I’d like to find out some additional information.
