Today a client came to me and stated she could no longer log into her WordPress site, which I designed several months ago. Apparently the login page had been taken over by “the3gayskeeters Mailer.” I opened the wp-login.php file on the server, and sure enough, the code had been compromised by “Yogyacarderlink Indonesian Black Hat Team.” Yikes!
I knew that previously the client’s email had been locked due to exceeding the hourly email limit. When contacted, the hosting company stated there was an issue with open directories on the server, on which they changed the permissions, then removed script forms that had been placed on the site. Figuring that the open directories were now properly protected, I re-installed WordPress to replace any compromised files and hopefully fix the issue for good.
This little dilemma led me to a fantastic article from Smashing Magazine: 10 Useful WordPress Security Tweaks. Most of the tips are simple additions to your .htaccess and functions.php files. The summary is as follows:
- Prevent Unnecessary Info From Being Displayed
- Force SSL Usage
- Use .htaccess To Protect The wp-config File
- Blacklist Undesired Users And Bots
- Protect Your WordPress Blog From Script Injections
- Fight Back Against Content Scrapers
- Create A Plug-In To Protect Your Blog From Malicious URL Requests
- Remove Your WordPress Version Number
- Change The Default “Admin” Username
- Prevent Directory Browsing
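Several of the tips above (hiding the version number, generic login errors, and filtering malicious URL requests) can be implemented in a single must-use plugin rather than scattered through functions.php. The file below is an added illustration written for this page, not code from the Smashing Magazine article or from WordPress itself. The hook and function names (login_errors, the_generator, wp_generator, init, status_header, nocache_headers) are real WordPress APIs; the request-blocking patterns and the length limit are my own assumptions and are meant as a starting point, not a complete blocklist.

```php
<?php
/**
 * Plugin Name: Hardening Example
 * Description: Added example for this page (not the original post's code).
 *
 * Save as wp-content/mu-plugins/hardening-example.php; must-use plugins load
 * automatically and cannot be disabled from the dashboard, which is what you
 * want for security hooks. The same hooks also work from functions.php.
 */

// 1. Prevent unnecessary info from being displayed. The default login error
//    reveals whether the username or the password was wrong, which lets an
//    attacker confirm valid usernames. Replace every variant with one message.
add_filter('login_errors', function ($error) {
    return 'Login failed. Check your credentials and try again.';
});

// 2. Remove the WordPress version number from <head> and from RSS/Atom feeds
//    so scanners cannot match the site against known-vulnerable releases.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 3. Block malicious URL requests before WordPress routes them.
//    ASSUMPTION: these patterns and the 255-byte limit are illustrative choices
//    for this example; tune them against your own access logs before relying
//    on them. The URI is decoded once so %2e%2e%2f-style encoding is caught.
function hardening_example_is_bad_request(string $uri): bool
{
    if (strlen($uri) > 255) {
        return true;
    }
    $decoded  = rawurldecode($uri);
    $patterns = array(
        '/\.\.\//',               // directory traversal
        '/eval\s*\(/i',           // PHP code injection probes
        '/base64_(en|de)code/i',  // encoded payload helpers
        '/union\s+select/i',      // SQL injection
        '/<script/i',             // reflected XSS probes
    );
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

add_action('init', function () {
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    if (hardening_example_is_bad_request($uri)) {
        status_header(403);
        nocache_headers();
        exit('Forbidden');
    }
});
```

Two of the listed tips live elsewhere: forcing SSL on the dashboard is a wp-config.php constant (FORCE_SSL_ADMIN set to true), and protecting wp-config.php and disabling directory listings (Options -Indexes) are Apache directives in .htaccess, as the article describes. Changing the "admin" username cannot be done from the profile screen; create a new administrator account, log in as it, and delete "admin" while reassigning its posts to the new user. One caveat for the incident above: re-installing WordPress core replaces core files only, so a backdoor dropped into wp-content (themes, plugins, or uploads) survives a reinstall and has to be found and removed separately.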
I intend to implement these features in all WordPress sites moving forward. If anyone has more suggestions for protecting a WordPress site, please feel free to share!