RSS Feeds

Here's a feed for our sister site: Professors Coding Corner

July 20, 2009

Since WordPress is one of the most popular pieces of software on the internet, hackers are constantly looking for ways to exploit it. Googling “wordpress zero day exploit” returns 115,000 results, which shows a serious need for security measures.

WordPress logo

I was recently given access to a new WordPress plugin which claims to be very effective in protecting you from hackers. I discovered that the method used in this plugin was not only ridiculously simple, but actually inferior to a method I have been using for years.

The most vulnerable point of access that hackers have to your WordPress blog is through the wp-content folder. This folder contains all the scripts used by your themes and your plugins. A hacker ( or his robot ) need only enter the following into the ‘Address Bar’ in order to discover the names of all the files in the themes folder:

WordPress does not protect you against such access.

The plugin that I reviewed protects this point of entry by “fooling” hackers with a copy of the standard Apache ‘500 Internal Server Error’ page. This fake page is uploaded as ‘index.html’ to both the ‘plugins’ and ‘themes’ folders, so it is “seen” by the hacker software when it attempts access.

The Hacker Emblem

Now for my “old-school” method, which I will show you for FREE.

There is a file in the root directory of your blog called .htaccess This file contains coded instructions for your browser to follow before uploading your blog. It already contains code that tells the browser how to access your blog pages. All you have to do to protect your wp-content folder is insert the following code BEFORE the code that’s already there.

# Denies access to directories
Options All -Indexes

That’s all!

This code tells the browser not to let anyone access the index file of any directory, so a hacker will not be able to read the names of the files in your wp-content folder, and thus not be able to access them. If the hacker software attempts access, it will “see” either a real Apache ‘403 Forbidden’ error page, or just a blank page.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment