
Security Tips for Securing WordPress

2010 July 24
by FavorHosting

With more and more websites being created using WordPress, it is no wonder that WordPress has become the target of hackers. Therefore we wanted to pull together a list of steps you can take to better secure your WordPress websites.

1) Protecting against script injection

One of the more common methods for compromising a WordPress site is to inject code through the request that references external scripts on other websites, or that causes your web page to redirect to a different website.
Solution: Modify your .htaccess file to block these types of patterns by checking the query string for specific strings. These rules need mod_rewrite enabled, and a matching request receives a 403 Forbidden response (the [F] flag). Always back up your .htaccess file before making changes.

# Requires mod_rewrite; a matching request gets 403 Forbidden from the [F] flag
Options +FollowSymLinks
RewriteEngine On
# Query string carries a <script ...> tag, literal or %-encoded (case-insensitive)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Attempts to overwrite PHP's GLOBALS or _REQUEST arrays through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Source:
Protect your WordPress blog using .htaccess


2) Protect your Plugins Directory

Since WordPress has over 10,000 plugins to extend its functionality, and there have already been 100 million downloads of these plugins, popular plugins sometimes have security weaknesses of their own. Most website owners running WordPress will remember to protect WordPress itself as much as possible, but the plugins directory is often overlooked.

Solution: Protect the plugins directory itself with a second .htaccess file that denies direct requests to its files and only allows the static assets (JavaScript and CSS) that pages legitimately need. Test your site afterwards: any plugin that serves its own PHP files directly, or that serves images or fonts from its folder, will need those extensions added to the allowed pattern.

NOTE: Make sure you add the following to a .htaccess file inside the plugins directory, not in the root directory. Example: /wp-content/plugins/.htaccess

# Deny direct requests to everything under /wp-content/plugins by default ...
order deny,allow
deny from all
# ... except static assets; extend the pattern (e.g. png|gif|woff) if a plugin serves them
<Files ~ "\.(js|css)$">
  order allow,deny
  allow from all
</Files>

Source:
WordPress tip: Quickly secure plugin files


3) Create a Plugin to Protect Against Long Query Strings and Script Injection

One of the most common ways of inserting content into a page is to submit it through the query string at the end of the website address in the browser's URL field. Checking for this scenario with a plugin helps prevent these types of attacks.

Solution: Create a file called "blockbadqueries.php" containing the following code, upload it to the /wp-content/plugins folder, and then activate the new plugin. Note that these are plain substring checks, so a legitimate page whose address happens to contain one of them (for example a post slug mentioning base64) will be blocked as well; check your own permalinks before enabling it.

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Hooked to 'init' so the current user is already known when the check runs
// (at plugin-load time it is not), and administrators are exempted so a long
// or unusual admin URL can never lock them out.
function bbq_block_bad_queries() {
  if (current_user_can('level_10')) {
    return;
  }
  $uri = $_SERVER['REQUEST_URI'];
  // strpos() returns 0 for a match at the start, which is falsy, so test !== false
  if (strlen($uri) > 255 ||
      strpos($uri, "eval(") !== false ||
      strpos($uri, "CONCAT") !== false ||
      strpos($uri, "UNION+SELECT") !== false ||
      strpos($uri, "base64") !== false) {
    @header("HTTP/1.1 414 Request-URI Too Long");
    @header("Status: 414 Request-URI Too Long");
    @header("Connection: Close");
    @exit;
  }
}
add_action('init', 'bbq_block_bad_queries');
?>

Source:
Protect WordPress Against Malicious URL Requests
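To see what the two filters above actually accept and reject, here is an added example, not from the original post or from Perishable Press, that models the three RewriteCond patterns from tip 1 and the length and substring checks of the Block Bad Queries plugin from tip 3 in Python and runs both over constructed sample requests; the function names and sample URLs are my own.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from tip 1. Apache tests them against the raw,
# still percent-encoded query string, and only the first one carries [NC].
HTACCESS_CONDS = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]
# The substrings and length limit the plugin from tip 3 applies to the whole REQUEST_URI.
PLUGIN_NEEDLES = ["eval(", "CONCAT", "UNION+SELECT", "base64"]
MAX_URI_LEN = 255

def htaccess_blocks(request_uri):
    """Name of the first RewriteCond matching the query string, or None."""
    query = urlsplit(request_uri).query
    for name, pattern in HTACCESS_CONDS:
        if pattern.search(query):
            return name
    return None

def plugin_blocks(request_uri):
    """Reason the plugin would answer 414, or None if the request passes."""
    if len(request_uri) > MAX_URI_LEN:
        return "longer than %d bytes" % MAX_URI_LEN
    for needle in PLUGIN_NEEDLES:
        if needle in request_uri:  # 'in' also counts a match at offset 0
            return "contains %r" % needle
    return None

def evaluate(request_uri):
    """Which layer, if any, rejects the request; Apache's rule runs before PHP does."""
    return {"htaccess": htaccess_blocks(request_uri), "plugin": plugin_blocks(request_uri)}

# Constructed sample requests (not from the page). The fourth is a legitimate post
# whose slug contains "base64": the plugin's substring test rejects it anyway.
SAMPLES = [
    "/?p=42",
    "/?s=%3Cscript%3Ealert(1)%3C/script%3E",
    "/index.php?GLOBALS[foo]=bar",
    "/2010/07/decoding-base64-in-php/",
    "/?id=1+UNION+SELECT+1,2,3",
    "/?q=" + "a" * 300,
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri[:44].ljust(44), evaluate(uri))
```

The two layers overlap only partly: the .htaccess rules never look at the path, and the plugin never looks for script tags, so the post slug sample shows why the plugin's needles should be checked against your own permalinks.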


4) Install a WordPress Security Plugin

Probably the easiest recommendation would be to install a WordPress specific security plugin to help you both scan your current installation and make recommendations.

Plugin Name: WP Security Scan
Visit the WP Security Scan plugin website for more information.

Image Credit: CarbonNYC (via Flickr)


Reasons Customers Don’t Trust Websites

2010 July 9
by FavorHosting

A recent post by Lisa Barone over on Small Business Trends caught our attention. The content is worth repeating for any web hosting customers who are either trying to sell online or establish credibility. Of the points listed in the 11 Reasons Customers Don’t Trust Your Website, these are the most common reasons we have found.

  • Spelling and Typos
    Sometimes we rush to get new information posted on our website or publish a new blog post without re-reading or editing it first.
  • About Page
    An About page is most likely the first tab visitors will click on when they first visit your website to learn more about you. How the About page is written makes a difference: if it is boilerplate information, no one will read through it. However, if you start a dialogue as if you were speaking to a new customer face to face, your personality will come through. First impressions make a difference in establishing trust.
  • Third-Party Testimonials
    Although the original list refers to them as endorsements, the simple step of adding testimonials from credible, well-known brands or from similar businesses will help. For example, if you are a landscaper and have a testimonial from another landscaper or a garden center, that means something to your potential buyer. It also shows everyone that you have been vetted by a trusted third party and are a legitimate business.
  • Recently Updated
    If your content is stale, or the copyright footer does not display the current year, your website looks abandoned and may no longer appear trustworthy. Similarly, if you are in retail, your storefront experience is judged just as your merchandise is, and your website is judged the same way. Having a current newsletter link, blog post, or even a news reel can definitely help. If you cannot find time to update your website and maintain fresh content, FavorDesign (a division of FavorHosting) can help with low monthly rates.
  • Guarantees
    We have seen great success with our own FavorHosting Guarantee, since not everyone is going to be comfortable working with a new company they are not familiar with. By offering a guarantee we show that we stand behind our products and services and would rather refund a customer than leave a customer with a bad experience.
  • SSL Certificates
    If you are going to be taking sales online, there are a few things you may be interested in displaying on your website, including a Secure Site seal or perhaps a Validated Identity badge. Some websites have even adopted the McAfee Secure badge, which shows that your website is being scanned for potential threats.
  • Recognized Credit Card Processing Imagery
    Showing which credit cards you accept with a logo is a common practice in retail stores as well as on your website. If you accept Visa, MasterCard, AMEX, Interac, or PayPal, there are usually recognized buttons and images to show which cards you are authorized to accept. Doing so also helps customers see that you have been validated by these payment providers and further establishes trust.

More Information

You may also be interested in an earlier post about influencing purchase decisions:
Research Shows Websites Influence 97% of Clients’ Purchasing Decisions
