WordPress Security Ain’t No Joke!

I started the day out in a good mood with plenty of things to accomplish. I was running through my daily tasks like a well oiled machine until Sunday around lunch time I noticed my CommentLuv wasn’t working again. This time it turned out to be a problem with my feed. It was showing line 23 had an invalid code: <u style=display:none> A quick ‘view source‘ made me cringe. I’d been hacked! Below the footer of every page was hundreds of hidden spam links.

Let me point out the obvious – why this is so dangerous. These links are hidden to us that view the page in a browser but Google and other bots can see it clearly. If Google indexes your site with these links there they are going to remove your site from their search results. You then will have to correct the problem and request inclusion again. Who knows how long that might take?

Once I removed the links it was time to change today’s plans and secure my blog. I spent the better part of the day researching, testing and implementing what I could to make it a little harder to be hacked. I’m a blogger and marketer not a programmer. Many of the online articles are way above my head. Here’s the steps I took and only time will tell if they will do the job:

I changed my C-panel/FTP password to one with over twenty (20) characters, numbers and symbols.
I changed the user name and password in my MySQL database. Again, over twenty characters.
I added a new user for my WordPress blog assigning them (me) administrative authority. I then logged out, signed in with the new user name and changed ‘admin’ to a subscriber. It wouldn’t let me delete the account. User name and password are both, you guessed it, over twenty characters.
I added an empty index.html file to my plugin’s directory and used C-panel to protect the other directories.
I installed and activated Angsuman’s WordPress Guard Plugin giving me a second layer of protection around the blog’s admin area. Now I have two sets of passwords to gain access the the admin area.
I installed and activated the WordPress plugin WP Security Scan.
I installed and activated the WordPress plugin Login LockDown that will lock out anyone that fails to enter the correct password after three attempts.

I wasn’t able to do every task I wanted to do but I hope my site is more secure now. Now that one of my blogs is a little safer I guess I better get started on the other six.

Learn from my mistake and secure your WordPress blog now before it becomes an all day ordeal. Start with upgrading to the most recent version and backup everything. Below are a few of the resources that helped me out today:

Keith

Keith is a passionate blogger and writes Blog Tips. Feel free to contact him with any questions. Follow Keith on Twitter, subscribe his YouTube channel and don't forget to download the free e-book: Hot Blog Tips 101.

4 Responses to “WordPress Security Ain’t No Joke!”

Liane YoungBlogger says:
July 20, 2009 at 5:15 am
Looks like you really got your site all-guarded. Couldn’t blame you. I for one would freak out if some tiny little thing ever got wrong.
.-= Liane YoungBlogger´s last blog ..Blogging Odds: Seize Success by Conquering Them All Right This Very Moment =-.
Reply
- Brian Hawkins says:
  July 20, 2009 at 5:22 am
  Hi Liane, I think it’s time I start learning a little coding so it will be easier to see these things and get them corrected faster.
  Reply
mark@buy flavored coffee says:
August 11, 2009 at 4:52 pm
Oooh, it’s good that you caught that problem before your site was removed from search results! Who knows how many people that happens to who do not have the understanding that you do? Until they read this …
Reply
- Brian Hawkins says:
  August 11, 2009 at 7:49 pm
  It’s true mark, I was sweating bullets trying to get those links out of there before Google bot came on it’s round again. I was very fortunate.
  Reply