7. Hide your WordPress version.
This is an important one, very important actually. Simply by using Google, a naughty person can search for sites running an out-of-date WordPress installation and target them using one of the exploits available for that version. If you take a look at the source code of your WordPress site you will see this between the <head></head> HTML tags:
<meta name="generator" content="WordPress 3.x.x" /> (3.x.x stands for your specific WordPress version)
So all they have to do is ask Google to search for the out-of-date WordPress string and up pop sites galore for them to attempt to plunder. So it's obviously best to stop WordPress inserting the generator meta tag into your site. You can do this by opening up the functions.php of the theme you are using and adding this to the top or bottom of it:
// Returning an empty string from the 'the_generator' filter makes WordPress emit no generator tag at all.
add_filter('the_generator', 'xbiz_complete_version_removal');
function xbiz_complete_version_removal() {
    return '';
}
Now when WordPress generates the HTML for your site the generator tag will not appear. You should also delete the readme.html file in the WordPress root folder of your site as it contains the version number right at the top, which is ridiculous.
8. Directory Indexing. Stop that.
To check for directory indexing you can browse to folder locations on your site and see if you get a response that includes 'Index Of' and a list of folders / files. Common locations to check would be:
/wp-content/
/wp-content/plugins/
/wp-content/themes/
If any of these show a list of the files they contain you need to lock these down ASAP. You can disable directory indexing in a number of ways; the quickest is to simply add:
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
to your .htaccess file in the root folder of your site. You can also simply create a blank index.php file and upload it to the folders that are showing their contents in your browser if you prefer not to mess with your .htaccess file.
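As an added example, not code from the original post, here is a small Python self-check you can run against HTML fetched from your own site to confirm that sections 7 and 8 actually took effect: it reports a generator meta tag that still carries a WordPress version, a readme.html that still announces one, and any folder that answers with an 'Index of' listing instead of a 403 or a blank page. The SAMPLE_PAGES dictionary is constructed stand-in content; in practice you would fill it by fetching the same paths from your site with urllib, and the readme check assumes the stock 'Version X.Y' heading that file ships with.

```python
import re
from html.parser import HTMLParser

GENERATOR_RE = re.compile(r"^WordPress\s+(\d+(?:\.\d+)*)", re.IGNORECASE)
README_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")


class _PageScanner(HTMLParser):
    """Collects <meta name="generator"> contents and the <title> text."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _scan(html):
    p = _PageScanner()
    p.feed(html)
    p.close()
    return p


def leaked_wp_version(html):
    """Version string a generator meta tag leaks, or None if the tag is
    gone (the_generator filter applied) or carries no version number."""
    for content in _scan(html).generators:
        m = GENERATOR_RE.match(content.strip())
        if m:
            return m.group(1)
    return None


def readme_version(html):
    """Version announced by a still-present readme.html (assumes the stock
    'Version X.Y' heading near the top of that file)."""
    m = README_VERSION_RE.search(html)
    return m.group(1) if m else None


def is_directory_listing(html):
    """True when the response looks like an autoindex page rather than a
    403 or a blank index.php."""
    title = _scan(html).title.strip().lower()
    return title.startswith("index of") or "<h1>index of" in html.lower()


def audit(pages):
    """pages maps a request path to the HTML it returned.
    Returns (path, finding) tuples; an empty list means the site is clean."""
    findings = []
    for path, html in pages.items():
        v = leaked_wp_version(html)
        if v:
            findings.append((path, "generator tag leaks WordPress " + v))
        if path.endswith("readme.html"):
            rv = readme_version(html)
            if rv:
                findings.append((path, "readme.html still online, announces " + rv))
        if is_directory_listing(html):
            findings.append((path, "directory indexing enabled"))
    return findings


# Constructed sample responses standing in for pages fetched from a site.
SAMPLE_PAGES = {
    "/": '<html><head><title>My Blog</title>'
         '<meta name="generator" content="WordPress 3.5.1" /></head>'
         '<body>hello</body></html>',
    "/readme.html": '<html><head><title>WordPress ReadMe</title></head>'
                    '<body><h1 id="logo">WordPress<br /> Version 3.5.1</h1></body></html>',
    "/wp-content/plugins/": '<html><head><title>Index of /wp-content/plugins</title></head>'
                            '<body><h1>Index of /wp-content/plugins</h1>'
                            '<ul><li><a href="akismet/">akismet/</a></li></ul></body></html>',
    "/wp-content/themes/": '<html><head><title>403 Forbidden</title></head>'
                           '<body>Forbidden</body></html>',
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_PAGES):
        print(path, "-", finding)
```

Run it after applying the fixes above and again after every WordPress or theme update, since a theme that hard-codes its own generator tag, or a restored readme.html, quietly undoes the work.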
9. Disable file editing via the dashboard.
Every day there are new bugs and exploits found for WordPress; it's just one of those things. Now if an exploit is found that gives one of the naughty boys and girls access to your WordPress admin panel, or they do guess your login details, on a default WordPress installation they can simply navigate to Appearance > Editor and edit and execute any code they wish right from your WordPress dashboard. To prevent this simply add:
define( 'DISALLOW_FILE_EDIT', true );
to your wp-config.php file and that will prevent them going bananas via your own dashboard in the event they actually do get in.
10. If you're doing this seriously, spend a little money. And backups.
Everything I've said so far can be bypassed by the one hack tool that never, ever fails: human stupidity. If you are on $5-a-month shared hosting you not only have to worry about protecting your own stuff, you also have the constant worry that some idiot on the same server as you will do something dumb and open up the entire server for the naughty boys and girls to plunder. If you're in this for more than a hobby and beer tokens, get yourself your own server (go with a managed option if you know nothing about servers), but spend a little bit of money to protect your work.
Now, I'm not advocating that all shared hosts are useless, far from it. But what I am saying is you ARE taking a chance on months and months and months of your hard work, tweaking, updates, etc. being wiped out in seconds due to something YOU did not do. Remember, all it takes is for one person on the shared host to install a hacked script, theme, plugin, whatever, and your efforts of building traffic, updating your site with content every day, spending all that time, etc. can vanish in seconds. So if you are on shared hosting, back up your site every single day. I mean that. Every single day.
There are a myriad of backup tools you can use so I'll talk about those and more ways to secure your WordPress site in Part 2...
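As an added example (my own, not the post's code and not one of the backup tools the author refers to), here is a minimal daily backup in Python: it tars the whole install, dumps the database with mysqldump using the credentials already sitting in wp-config.php, and prunes everything but the newest seven archives. The site and backup paths, the seven-day retention and the throwaway install that run_demo() builds are all assumptions; schedule backup_files and backup_database from cron and copy the result off the server, because a backup that lives only on a compromised host goes down with it.

```python
import os
import re
import subprocess
import tarfile
import tempfile
from datetime import date

# Matches the define('DB_NAME', 'value'); lines as WordPress writes them.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
REQUIRED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def parse_db_config(wp_config_text):
    """Return the four DB_* constants from wp-config.php text."""
    found = dict(DEFINE_RE.findall(wp_config_text))
    missing = [k for k in REQUIRED if k not in found]
    if missing:
        raise ValueError("wp-config.php lacks " + ", ".join(missing))
    return found


def mysqldump_command(cfg, out_path):
    """argv for mysqldump; the password goes in MYSQL_PWD, not argv,
    so it never shows up in the process list."""
    return ["mysqldump", "--single-transaction", "-h", cfg["DB_HOST"],
            "-u", cfg["DB_USER"], "--result-file=" + out_path, cfg["DB_NAME"]]


def backup_files(site_root, backup_dir, today=None):
    """Archive the whole install (wp-content, uploads, wp-config.php) into
    backup_dir/wp-files-YYYY-MM-DD.tar.gz and return that path."""
    today = today or date.today().isoformat()
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, "wp-files-%s.tar.gz" % today)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=os.path.basename(site_root.rstrip(os.sep)))
    return archive


def backup_database(site_root, backup_dir, today=None):
    """Dump the database named in wp-config.php to backup_dir/wp-db-YYYY-MM-DD.sql."""
    today = today or date.today().isoformat()
    with open(os.path.join(site_root, "wp-config.php")) as f:
        cfg = parse_db_config(f.read())
    os.makedirs(backup_dir, exist_ok=True)
    out = os.path.join(backup_dir, "wp-db-%s.sql" % today)
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    subprocess.run(mysqldump_command(cfg, out), env=env, check=True)
    return out


def prune_old(backup_dir, keep=7):
    """Delete all but the newest `keep` archives of each kind (the date in
    the name makes them sort chronologically); returns the names removed."""
    removed = []
    for prefix in ("wp-files-", "wp-db-"):
        names = sorted(n for n in os.listdir(backup_dir) if n.startswith(prefix))
        for n in names[:-keep]:
            os.remove(os.path.join(backup_dir, n))
            removed.append(n)
    return removed


def run_demo():
    """Exercise the file side on a constructed throwaway install (no
    mysqldump needed) and report what ended up in the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.makedirs(os.path.join(site, "wp-content", "plugins"))
        with open(os.path.join(site, "wp-config.php"), "w") as f:
            f.write("<?php\ndefine('DB_NAME', 'wp_demo');\n"
                    "define('DB_USER', 'wp_user');\n"
                    "define('DB_PASSWORD', 'not-a-real-password');\n"  # constructed
                    "define('DB_HOST', 'localhost');\n")
        with open(os.path.join(site, "wp-content", "plugins", "hello.php"), "w") as f:
            f.write("<?php // constructed plugin file\n")
        backups = os.path.join(tmp, "backups")
        for day in ("2013-01-01", "2013-01-02", "2013-01-03"):
            archive = backup_files(site, backups, today=day)
        with tarfile.open(archive) as tar:
            members = sorted(tar.getnames())
        removed = prune_old(backups, keep=2)
        return {"archive": os.path.basename(archive), "members": members,
                "removed": removed, "left": sorted(os.listdir(backups))}


if __name__ == "__main__":
    print(run_demo())
```

Run it as the user that owns the site files. If mysqldump is not on the PATH, backup_database raises FileNotFoundError, which is what you want a cron job to report rather than silently producing a files-only backup; restore a backup onto a scratch host now and then, because an archive nobody has ever unpacked is a hope, not a backup.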
There ya go.
