Cleaning Up WordPress
- Category: Wordpress
- Published on Friday, 23 September 2011 12:57
- Written by Super User
Here is an email I received from one of our long-time members, which I felt was pertinent to keep: what to do after your WordPress site has been attacked or hacked, or better yet, what to do before it gets hacked.
--------------------------------------------------------------------------------
2 Security tips I've not heard discussed much ...
--------------------------------------------------------------------------------
As some of you know, one of the things I do is clean up hacked websites.
As it turns out MOST of them are WordPress sites.
Here are a couple of tips for you.
Here's the first:
=================
Your website hosting company generally allows what is called "directory browsing."
So, just like your computer, your hosting account contains directories. Like your computer, a visitor can browse those files.
That is, unless there are certain files in those directories. The name (and order) of these files is set by the web server software (e.g. "Apache").
These files are typically:
* index.php
* index.html
* index.htm
* default.html
* home.default
The list, and order, is configurable.
But you don't WANT people to see the files in various directories.
For many of you ... you should be able to see what I'm talking about by going to the corresponding directory in your WordPress installation:
http://clicks.aweber.com/y/ct/?l=Kf37l&m=Iqhp1u27HLHI09&b=mRQJInEJELKNfA1hBCTOiw
(unless you've deleted the akismet plugin)
(so you'll need to put your domain name where it says "yourdomain" in the above URL, to see this):
If you are like me, you can see the files that make up the akismet plugin:
* Parent Directory
* admin.php
* akismet.css
* akismet.gif
* akismet.js
* akismet.php
* legacy.php
* readme.txt
* widget.php
In fact, you should be able to easily open the readme.txt file!
OOPS!!!
Now, for a long time you used to be able to see what plugins and themes were installed on a WordPress install by going to the "corresponding" directories ...
But, gratefully, WordPress has plugged up those holes. There is an index.php in both of the above directories in current versions of WordPress.
If you open up the file, you'll see a comment that says "silence is golden." That's because, by having that file there, you can't browse the plugins directory and the themes directory, respectively.
A SMART plugin (ahem, we wonder why WordPress founder Matt Mullenweg does NOT do this for his plugin akismet) would have this hole, er ... "plugged up."
You DO NOT just want to willy-nilly put an index.php file, like the one in the plugins directory, into the directory of each plugin. Unh-uh. This could mess up the processing of plugins.
So what do you do ?
You add a file named ".htaccess" (there is no file extension, it's not .htaccess.txt, and note the "." at the beginning of the filename) in the directory you want to protect.
(You can also do this sometimes in cPanel -- a little bit more easily.)
AHHHHH! One important point.
The fix I'm describing is ONLY going to work if your WordPress installation is on a web host that uses the Apache web server. This IS the most common web server software out there used by shared hosting providers. (The next most common is probably Microsoft's IIS.)
So ... here's how to fix it with .htaccess ...
If an .htaccess file exists in the directory you wish to protect, open it up and add this line:
Options -Indexes
If there isn't one, create a file named .htaccess with the above line.
Now, when you use a text editor, it will often try to add an extension to the file you've created, and save it as ".htaccess.txt". This is not correct, and won't work.
But, you can certainly upload the file named .htaccess.txt via ftp or via, say, the cPanel file manager, and then rename the file to .htaccess once you have it uploaded.
The .htaccess file "controls" (that is, preventing directory browsing by visitors) will affect not only the directory that you put the .htaccess file in, but all the directories underneath it (there are some exceptions, but this is generally true).
In addition ... you can put the same .htaccess file into your uploads directory ...
That is ...
http://clicks.aweber.com/y/ct/?l=Kf37l&m=Iqhp1u27HLHI09&b=LpGFCY_xjJNqiBojM_Lzng
Okay ... this explanation took a little bit longer than I expected, so I will continue this discussion tomorrow.
Or, if you have questions, I might answer anything that is unclear here for you...
So look forward to the next WordPress security problem I've discovered. This was happening to one of my clients just this past week, and it had me going. He did one thing, and his problems cleared up!
This is especially for those of you who use products like wptwin to clone your WordPress sites.
Live JoyFully!
Judy Kettenhofen
PS Need help with your WordPress site? If I can't help you, I have some very sharp colleagues who I can highly recommend ...
--------------------------------------------------------------------------------
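An audit script for the check described in the email above, added here as an example and not part of the original message: it walks a WordPress document root and reports every directory that is still browsable because it has neither a directory-index file nor an `Options -Indexes` .htaccess in place in it or above it. The index-file list and the assumption that Apache's AllowOverride permits Options in .htaccess are mine, not the author's.

```shell
#!/bin/sh
# Added audit script (not part of the original email): walk a WordPress
# document root and report every directory a visitor could browse, i.e. one
# with no directory-index file AND no "Options -Indexes" in an .htaccess in
# the directory itself or any ancestor up to the root.
# Assumptions: Apache with AllowOverride permitting Options in .htaccess, and
# the default index-file list below; adjust both to match your host.

# Return 0 if $1 or any ancestor (up to document root $2) disables indexes.
indexes_disabled() {
  dir=$1
  root=$2
  while :; do
    if [ -f "$dir/.htaccess" ] &&
       grep -Eqi '^[[:space:]]*Options[[:space:]].*-Indexes' "$dir/.htaccess"; then
      return 0
    fi
    # Stop at the document root (or the filesystem root as a safety net).
    if [ "$dir" = "$root" ] || [ "$dir" = / ] || [ "$dir" = . ]; then
      return 1
    fi
    dir=$(dirname "$dir")
  done
}

# Return 0 if $1 holds a file Apache would serve instead of a listing.
has_index_file() {
  for f in index.php index.html index.htm default.html; do
    [ -f "$1/$f" ] && return 0
  done
  return 1
}

# Print each browsable directory under document root $1, one per line.
list_browsable_dirs() {
  root=${1%/}
  find "$root" -type d | LC_ALL=C sort | while IFS= read -r d; do
    has_index_file "$d" && continue
    indexes_disabled "$d" "$root" && continue
    printf '%s\n' "$d"
  done
}

# Usage: sh audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
  list_browsable_dirs "$1"
fi
```

Run it against the document root, then drop an `Options -Indexes` .htaccess into each directory it reports (or into a parent such as wp-content/uploads) and run it again until nothing is listed.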