Internet Business & Marketing Strategy - Andy Beard » WordPress Security

WordPress Hacked? Total Security Lockdown

Andy Beard — Tue, 08 Dec 2009 10:34:11 +0000

It is no huge secret that I have had this WordPress blog hacked twice this year but some consolation is that I am not alone.

Helpful resources

Alex recently launched a DVD course on WordPress security that is available for FREE + shipping
Stop – I know what you are thinking – FREE + Shipping these days normally comes with lots of strings attached, forced continuity often hidden etc. Whilst Alex does cross-sell a few related products, the main offer is genuinely free.

Michael VanDeMar has a useful plugin to lock down your login process

SEO Egg Head offers a WordPress firewall

Donna has a useful script for monitoring your files

Of course you should also keep backups which you have total control over – this includes both database and files and you shouldn’t rely on claims that your webhost has a backup. With a VPS I find being able to “roll back” to a previous version useful, but backup with shared hosting plans supposedly made by admins isn’t a solution when you need to fix things in minutes.

Keep WordPress up to date, plugins up to date etc

Part of security is controlling what bots can crawl and index on your site, so some pamphlets would be useful as well

Getting URLs outta Google – the good, the popular, and the definitive way
Handling Google’s neat X-Robots-Tag – Sending REP header tags with PHP

Nasty Bots & Users

A lot of security relies on identifying nasty bots, detecting rogue activity such as failed logins or preventing access to all but approved users using an additional layer of password protection, or only allowing access to a server from a specific IP or range of IP addresses.

Also it is important to realise that different WordPress implementations require different levels of access control. With WordPress frequently being used for membership sites, you need to allow access to members. This reduces the number of security options available.

SEO Benefits

Lots of the pages you want to block from being crawled for security purposes also need to somehow be blocked or removed from indexation for SEO purposes, so tightening up security using the right methods will have natural SEO benefits.

Robots.txt isn’t the best option because you end up with lots of blocked pages appearing in search results and potentially indexed instead of pages you want in the index. As Sebastian explained, you have to let the bots in to crawl a URL before you can redirect them.
Not all bots can be identified, and not all bots obey robots.txt, though you can trap the naughty ones. If you are serious about your bot control you might also consider Fantomasters Searchbot Database.

User Agent Access Control For Total Lockdown

Lots of security and SEO methods rely on identifying various bots and kicking them somewhere else with 301 redirects, or denying them access to areas they are not wanted.

Far better would be to only allow access to one specific user agent, and globally kick out anything that doesn’t match – this is the user agent equivalent to restricting access to only a single IP address.

But how could this be achieved?

Many SEOs would already be familiar with User Agent Switcher for Firefox. This allows you to wander around the web pretending to be someone else, or something else such as Googlebot.

Unfortunately User Agent Switcher has a nasty problem – you often forget you have it switched to something different and then suddenly realise when a website starts misbehaving, refusing you entry, redirecting you to funny places etc.

If you created a custom user agent for security purposes, it wouldn’t be very secure if there was a chance you could broadcast it to lots of other webmasters by mistake. It is bad enough that user agent is broadcast “in the clear” unless you use SSL connections.

Then I came across an article discussing how to fake your user agent specifically for itunes but not other sites.

The Header Control Firefox plugin allows you to set your User Agent specific to a domain.

This would allow you to set a specific unique or relatively obscure user agent, and for it to only be used when accessing your own websites.

Even more useful this can be set up in multiple locations, work with variable IPs etc.

Experimental

This is something I am still experimenting with – I haven’t decided whether it is best to use .htaccess, php or a combination of both, and I am convinced the best option is to 301 redirect everything rather than deny access.
The best option might be to use a combination htaccess > php so you can do some enhanced logging.

The user agent doesn’t have to be unique, it could just be an obscure out of date version of Firefox or Chrome.

Example .htaccess to deny access

RewriteEngine on
#
RewriteCond %{HTTP_user_agent} !^RareUserAgent
RewriteRule .* - [F,L]
#

Example .htaccess to 301 redirect

RewriteEngine on
#
RewriteCond %{HTTP_user_agent} !^RareUserAgent
RewriteRule ^ http://WhereIWantPagerank.com/MyMoneyPage/ [R=301,L]
#

What I haven’t included are rewrite conditions based on specific paths as I haven’t worked out exactly what paths I need to block whilst using specific WordPress Membership Plugins.

Warning 1 – always have backups
Warning 2 – you can majorly mess up access to your website with htaccess it you get it wrong and can’t restore a working version

Disclaimer/License: GNU FDL – run with it, make it useful

Tags: 301 redirect, htaccess, http user agent, wordpress, WordPress Hacked, WordPress Security

Letting Other People Write The LinkBait

Andy Beard — Sun, 27 May 2007 01:42:34 +0000

A lot of the things I write go completely over the head of many of my readers, and in some ways that is actually a concious decision which certainly costs me a much higher readership.

I know that an article covering the importance of good anchor text or choosing a niche would help a lot of people, but I would much prefer to just link through to other people I respect who have written about the subject as well, or in many cases better than I would do myself.

I have discussed in the past that I don’t write speed linking articles, and for some reason, despite how many hundreds or even 1000s of bloggers use speedlinking in their titles, or even have whole categories for such roundup link posts, I still rank highly for the term in Google.

Scott Jangro seems to be going through a similar dilemma to what I go through on an almost daily basis – stick to your self defined niche, or respond to the signals given to you by your traffic stats.

Vanessa Fox has saved me a whole load of time testing out lots of ways to aggregate profiles on social networks.

Whilst Diggers tend to bury security warnings as spam, they are never-the-less extremely important, well unless you want Aaron to break into your WordPress account in under 5 minutes. Upgrade Now

If you have a couple of hours to spend on your education, John Reese really knows a lot about increasing your income online, so I can’t think of anyone better to interview Shoemoney. There is a lot to be learnt, think of what it would be like to eavesdrop on a conversation between 2 top earners at a bar during a large convention.

That blog post I think is a landmark for affiliate marketing in more ways than one, as John Reese included a disclosure at the bottom for the affiliate links.

Who knows, maybe he wrote it after coming back from lunch with Ted Murphy of PayPerPost.

It is true, in John’s email newsletters he always declares affiliate links, in fact he highlights them, often asks you to clear your cookies before clicking through, and offers massive bonuses for using his links, but this is something different, and because John is so influential in affiliate marketing, I think this might might cause a lots of changes.

I even grabbed a screenshot

As it is memorial Weekend in the US, here are some charity links.

First of all Mark at Bloglyne is raising money to fight premature birth, what is on offer is a great deal.

Secondly Stephen Pierce has set a goal to feed over 1,000,000 million children
within 72 HOURS. Lots of free useful stuff on the site even if you don’t make a donation

“When You Download This Free Success Report We Will Donate A Plate Of Food To A Starving Child On Your Behalf. Itâ€™s That Simple. No Strings Attached.”
Tags: charity, disclosure, linking, niche marketing, payperpost, SEO Blog, social networking, WordPress Security

WordPress 2.07 2.1 | BBPress 0.75

Andy Beard — Tue, 16 Jan 2007 01:07:39 +0000

WordPress 2.07 was just released. We get to update our WordPress blogs for a week as WordPress 2.1 is due on January 22nd.
Is it worth it? Yes both for the security and Feedburner fixes.

A link to the BBPress announcement as well. It is one of the forum platforms I am looking into here. I have played around with one forum plugin, that built the forum in the WordPress Database, but an a little worried about security etc.

I do intend one day to have a forum running either here, or on a closed membership site.

Tags: feedburner, wordpress, WordPress 2.07, WordPress Security, WordPress Update

WordPress 2.06 Security Update

Andy Beard — Sat, 06 Jan 2007 11:25:43 +0000

The latest stable release of WordPress, version 2.06 was released quietly yesterday.

Most of the changes are under the hood in the way of security fixes, plus there shouldn’t be a need with Mark Jaquith’s plugin for those that were having server 500 problems with WordPress 2.05.

Mark Jaquith has also provided WordPress 2.06 patch files for those that don’t want to do a complete installation. These are unofficial.

Here is a note he also posted on the wp-hackers mailing list

Whatever you do, don’t discourage
people from upgrading. 2.0.5 has multiple XSS issues and a potential
SQL injection issue.

As Mark points out, you should always make a full backup of files and database before upgrading.

I will be upgrading all of my sites over the weekend, and hopefully this will be the last upgrade before WordPress 2.1 is launched, which I suspect will be in approx 1 month.

Feedburner Patch: – If you use feedburner with 2.06, you will also need to add a small patch as detailed at Neosmart

Tags: blogging, blogging tips, feedburner, security, wordpress, WordPress Security, WordPress Upgrade