Secure your WordPress, mine was attacked

Adobe AIR and Security

Photo by Rob

Web SecurityA must for anyone who have a web presence.

I woke up today morning to find that my site feed wasn’t validating and the XMLRPC was not responding when I tried to update MarsEdit. Upon doing a quick “View Source” I found a foreign code lodged on top of my site’s header. I knew instantly that it shouldn’t be there and that something is wrong. The code was <iframe src="http://xxxxxyyyyyzzzz.com/3332.htm" style="display:none">. Here is a list of malware sites.

The sane action was to look if it is infecting the whole site or just the WordPress Install (I’m on WordPress 2.5.1). After finding it in just the WordPress powered section of the site, I went ahead and did the following action to remove the code and to prevent further complications to my WordPress Installation.

PREPARE

  • Jot down the list of plugins I need
  • Back-up Theme
  • Back-up “config.php”
  • Back-up and downloaded the Database with WordPress Database Backup
  • You should back-up /wp-content/uploads/ if you use WordPress to upload your files. (see below how I manage my files)

REFRESH

Then, I re-did the whole WordPress Installation. However, I wasn’t worried because my “uploads” are elsewhere, Database was not infected and is back-up everyday by mailing it to myself and archived instantly with Gmail. Here is what I did

  1. Delete the whole “wp” folder. Yes, I always make it a point that the whole WordPress Install files are inside a separate folder.
  2. Upload a fresh set of WordPress files onto “w” (you can have any folder you like)
  3. Upload Plugins
  4. Upload Theme
  5. Upload “wp-config.php”

That’s it. With a fresh WordPress Install, the script/code injection is gone and my WordPress Installation is back to normal.

EXTRA PRECAUTION

I decided to take some extra precaution and secure my WordPress Installation henceforth. Here are few things I did in addition to installation a fresh new WordPress Installation.

Take care that none of your folders are public-writa-able

Make sure that none of your folders are Public-Write allowed (CHMOD 777). There are instances when you need to set your folders to Write mode with CHMOD 777 (everybody writes) but remember to set it back to 755 (only owner writes) when not needed or at least CHMOD 775 (owner and group writes).

Restrict access to “wp-admin” with .htaccess

It is pretty easy to drop a .htaccess to your “wp-admin” folder so only you or few of your editors/authors can access that folder. This way, you’ll need to use 2 passwords to login to your WordPress Admin. Anyway, I use Keychain to remember them, so I need to type just once. This is what I have in my .htaccess file;

AuthUserFile /path-to-file/outside-of-your-site-folder/.htpasswd
AuthName "You need to have an access credential!"
AuthType Basic
require user Brajeshwar

You’ll need a file .htpasswd which should contain a Username:Password pair. Remember, the password is hashed here and is not what you see. There are lots of .htpasswd password generators. Use one of them;

Note: You can have multiple Username:Password pairs by having as many as you want in separate lines.

Now, drop this .htpasswd file in your “/path-to-file/outside-of-your-site-folder/”. See to it that this is not in your site folder (e.g. www, public_html) but outside of that which only you have access and not from the website.

Many WordPress advocates and experts alike have talked about securing your WordPress Installation and so I won’t go deeper than what I’ve already written above. It’s is your choice, how paranoid you can get. Nonetheless, as we’re already here, let me give you another bonus tip.

Prevent comment spam by denying access to no-referrer requests

Add this in your .htaccess Redirect section.

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*brajeshwar.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ ^http://wordpress.org/$ [R=301,L]

Note: Change that brajeshwar.com to your domain.

HOW I MANAGE MY FILES (MEDIA, IMAGES, DOWNLOADS)

As mentioned above, I have my own way of managing files which I felt is effective and easy to move around if I need to change host or any other eventuality may arise.

Separate sub-domain for media files (images, audio, video)

Having these files on a separate sub-domain allows me to move this anywhere I like and just do a DNS-IP Redirect or a CNAME change to have this located anywhere. So, my articles will always point to the sub-domain and thus always works wherever I move the media files (different location or servers). Currently, they are hosted on Amazon S3. Btw, I’m likely to write an article for Digital Inspiration, for non-geeks and common-users on how to use Amazon S3 the easy way.

What if you’ve used /wp-content/uploads/ throughout and you want to change it now?

Easy! In your .htaccess file, add a perma-redirect by adding this code

RewriteRule ^wp-content/uploads(.*)$ http://media.brajeshwar.com.s3.amazonaws.com$1 [L,R=301]

This should now perma-redirect all reference to /uploads/ to the corresponding new location.

Backup DB daily or Weekly

If your site is busy and you blog regularly, have a daily backup of your Database mailed to you or use weekly if your site is not that prolific. WordPress Database Backup can email you a back-up daily, weekly or monthly. I’ve it mailed to my Gmail Account and set a filter in Gmail to Archive it as it arrives.

WordPress Theme

Of course, as I always use my own theme, I’ve my local copy and another on my SVN server. So, always have a local copy of your theme.

WordPress Plugins

Don’t even worry about them unless you’ve written one yourself or have modified one. They’re all everywhere or at-least well preserved at WordPress Plugins.

Keepass

While on the topic of security, let me tell you that I’m a die-hard fan of Keepass and now KeepassX on the Mac. There is even a Linux version and the encrypted file which contains your passwords will work on all the Platforms. This makes it easy to have access to the plethora of passwords even when you’re away from your Mac and in the wild where Windows is pretty common. At the time of writing this article, I’ve harvested over 2000+ passwords used on various sites and applications and all have a different password. You can either use a Master Password or even a Key Disc to unlock KeepassX, making it rather secure.

That’s pretty much it. Feel free to comment, ask questions and I might be able to discuss further.