Please, please, please: if you take nothing else away from this post, take this next statement to heart —
Having your WordPress business blog hacked is seriously, seriously bad stuff.
If you need an illustrative example to help cement that statement into your bloggy heart, check out John and Lindsey’s story in an earlier post about getting hacked.
If you want a solid, well-researched and complete strategy to protect your WordPress business blog from the kind of evil crap that befell Lindsey’s jewelry site, I recommend John’s product WordPress Defender. Sometimes tragedy is the mother of the best inventions, you know? (Full disclosure: that’s an affiliate link.)
If you just want a quick fix approach to tide you over until you can get around to shelling out the $40 for WordPress Defender, then read on.
How Hackers Get Into Your Blog’s Files
Hackers. God love ‘em. Y’know, if they put half the energy and intelligence into a valid pursuit that they put into hacking, they’d rule the world. Or at least be able to afford really cool cars and move out of their moms’ basements.
But how do they gain access to your site in the first place? There seem to be a few points of entry — and, before I go further, let me profess up front I am not an expert on hackers or hacking. The information I’m sharing here has been born out of necessity from getting hacked myself and comes from a lot of web-based research but it’s far from being expert-level. So, take this as a starting point if you wish but don’t consider this the first or last word in hacker defense, ‘kay?
Moving on – how the hackers get in to your WordPress files:
- They brute-force hack your password and sign in as you. How do they know your user name? Well – show of hands: how many of you have added a user named (or gone with the default option of) “admin”? Uh-huh.
- They register as users on your site and use a worm (malicious code) to bump themselves up to admin status.
- They take advantage of security flaws in your blog’s database, the server itself, or your computer’s firewall defenses.
Check to See If You’ve Been Hacked
If you’ve never been hacked, you might expect the site to be visibly affected. We typically think of defaced sites with changed content and obscene photos and the like as hackers’ work. But WordPress blog hacks are typically of the spam link insertion variety. These links don’t even show up on your page itself. To see them, you’ve got to go under the hood.
Two methods to do this:
- Load the page in your browser then View Source (in most browsers you can right click on the page and choose “View Page Source”). Scroll all the way down the page and review the code. You might see a long list of links appended after the genuine markup, often inside a block that is styled so it never appears on the rendered page.
- Go to Appearance -> Theme Editor and view your header.php and footer.php files. The lists will show up in the code appended to the end of the genuine code.
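The two manual checks above can be scripted. The scanner below is an added example, not code from the original post or from WordPress: it counts anchor tags in the tail of a page or theme file (where injected lists get appended), looks for containers styled invisible that are stuffed with links, and diffs a live theme file against a clean copy downloaded from the theme author, which is the verification the post recommends. The footer markup, the placeholder link targets and the thresholds are constructed for illustration.

```python
"""
Scan page source or theme files (header.php, footer.php) for the spam-link
injection described in the post. Added example; sample markup and thresholds
are constructed, not taken from a real site.
"""
import difflib
import re

ANCHOR_RE = re.compile(r"<a\s[^>]*href=", re.IGNORECASE)

# Containers hidden with inline CSS: display:none, visibility:hidden, or
# pushed far off-screen. Spam lists that "don't show up on the page" live here.
HIDDEN_BLOCK_RE = re.compile(
    r"<(div|span|p)[^>]*style=['\"][^'\"]*"
    r"(display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)"
    r"[^'\"]*['\"][^>]*>(.*?)</\1>",
    re.IGNORECASE | re.DOTALL,
)


def count_links_in_tail(markup: str, tail_lines: int = 20) -> int:
    """Anchor tags in the last `tail_lines` lines; injected lists are appended
    after the genuine code, so a spike here is a cheap first signal."""
    tail = "\n".join(markup.splitlines()[-tail_lines:])
    return len(ANCHOR_RE.findall(tail))


def find_hidden_link_blocks(markup: str, min_links: int = 5) -> list:
    """Return invisible containers holding at least `min_links` anchors."""
    blocks = []
    for m in HIDDEN_BLOCK_RE.finditer(markup):
        if len(ANCHOR_RE.findall(m.group(3))) >= min_links:
            blocks.append(m.group(0))
    return blocks


def diff_against_clean(suspect: str, clean: str) -> list:
    """Lines present in the live theme file but absent from the clean copy."""
    diff = difflib.unified_diff(
        clean.splitlines(), suspect.splitlines(), lineterm="", n=0
    )
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


def scan_theme_file(suspect: str, clean: str) -> dict:
    """Combine the three checks into one report for a file."""
    return {
        "tail_links": count_links_in_tail(suspect),
        "hidden_blocks": find_hidden_link_blocks(suspect),
        "added_lines": diff_against_clean(suspect, clean),
    }


# Constructed sample: a clean footer.php and the same file with a hidden
# link list appended. The .invalid TLD is reserved and never resolves.
CLEAN_FOOTER = """<div id="footer">
  <p>&copy; Example Blog. Powered by <a href="https://wordpress.org/">WordPress</a>.</p>
</div>
</body>
</html>
"""

INFECTED_FOOTER = CLEAN_FOOTER + """<div style="display:none">
<a href="http://spam-one.invalid/">link 1</a>
<a href="http://spam-two.invalid/">link 2</a>
<a href="http://spam-three.invalid/">link 3</a>
<a href="http://spam-four.invalid/">link 4</a>
<a href="http://spam-five.invalid/">link 5</a>
<a href="http://spam-six.invalid/">link 6</a>
</div>
"""

if __name__ == "__main__":
    report = scan_theme_file(INFECTED_FOOTER, CLEAN_FOOTER)
    print("anchors in tail:", report["tail_links"])
    print("hidden link blocks:", len(report["hidden_blocks"]))
    print("lines not in clean copy:")
    for line in report["added_lines"]:
        print("  +", line)
```

To use it on a real site, read `wp-content/themes/<your-theme>/footer.php` from the server into `suspect` and the same file from the theme archive you downloaded into `clean`; any line in `added_lines` that you did not put there yourself is worth a close look, and the hidden-block check catches the case where the injection was placed in the middle of the file rather than at the end.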
Steps to Take to Remove Hackers’ Spam Links and Protect Your Blog in the Future
If you find those links, or any evidence you’ve been hacked, then you need to take steps immediately to rectify the situation and prevent it from happening again. Here’s what you do:
- Delete your “admin” user (first, make sure you add a new one with a non-guessable name and give it full admin powers).
- Change all your user passwords using the WP-generated password function. Then log in, and change the password to something random and unguessable, using a mix of numbers and letters – the more characters the better. Do that regularly from here on out.
- Make sure you’ve upgraded to the absolute latest version of WordPress. Earlier versions may have security flaws that hackers can exploit easily.
- Delete the bad code in Theme Editor and edit the affected file to mirror the accurate code (use your downloaded theme files to verify this – and be careful with this one! Errors here can really screw up your blog.)
- Delete all unused plugins and themes.
- Go to your cPanel File Manager (make sure you click the little box to show hidden files) and somewhere in your public_html folder you should see a file named .htaccess. Edit this file by appending the following code:
# Protect install.php: refuse every direct request for it
<Files install.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# Protect wp-config.php: it holds your database credentials
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
Save the .htaccess file.
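The `Order` / `Deny from` directives above are Apache 2.2 syntax; on Apache 2.4 they are only understood when the server still loads mod_access_compat, and the native form is `Require all denied`. The fragment below is an added example, not the post’s own snippet, and writes the same two protections so they work on either version (the `IfModule` tests pick whichever access module the server actually has).

```apache
# Added example: the two file protections from the post, written for both
# Apache 2.2 (Order/Deny) and Apache 2.4 (Require). mod_authz_core.c only
# exists on 2.4, so each <Files> block carries one branch per version.

# wp-config.php holds the database credentials; never serve it directly.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>

# install.php should never be reachable once the blog is set up.
<Files install.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Satisfy all
    </IfModule>
</Files>
```

After saving, check that the rule actually took effect by requesting the file from your own site, for example `curl -I https://your-blog.example/wp-config.php` (a placeholder host): you should get a `403 Forbidden`, not a `200`. If you get a `500` instead, the server rejected the syntax and the whole .htaccess is being ignored, so revert to the previous copy and retry.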
Another option: use the AskApache PasswordProtection Plugin. This is a recommendation from the WP Codex article on “Hardening WordPress.”
Will this guarantee your blog’s safety? No, far from it. But it will help, and it’s where you should start. I would point out, though, that this is – what, one or two strategies? Maybe three, if you count the plugin suggestion. John’s WordPress Defender gives you thirty strategies to protect your WordPress blog from hackers.