Comprehensive protection for your WordPress blog


I have a habit of checking many sites for the possibility of being hacked, or more precisely, for how well they are protected. I don't mean that I surf the Internet looking for vulnerable sites; rather, I analyze the ones that come to hand.

I have noticed that many of my readers seriously neglect the security of their blogs, taking no steps to protect themselves after installing or upgrading WordPress. This is widespread!

Firstly

Most crackers (especially students and schoolchildren who have just watched movies like "Hacker") break into a WordPress blog using information about its version. The version of a blog can be found in a variety of ways.

For example, using the files readme.html and license.txt located in the root of the site.
See for yourself:
SeoBlondinka.ru,
Krutikoff.com.ua,
TiamatInc.ru,
Online-delo.ru,
Trakhtenberg.info,
Dimoning.ru
etc.
I will not say more. The most surprising thing is that many of these webmasters are far from newcomers on the Internet, yet they allow such a serious mistake. Guys! Let's eliminate this vulnerability!

To do this, you just need to delete the files license.txt and readme.html from the root directory of the blog via FTP. Most likely it is the folder sitename/public_html/.

To check whether your blog is exposed to this kind of vulnerability, enter the following address in your browser: http://imya_sayta/readme.html

In addition, WordPress writes its version directly into the page source, in the HEAD section.
To remove it, add this line to your theme's functions.php:

  <?php remove_action('wp_head', 'wp_generator'); // if functions.php already opens with <?php, add only the remove_action() call ?>

Secondly

The engine's service folders can also pose a danger. An attacker can see, for example, which plugins you are using and find the "key" to your blog.

For example: Spryt.ru, Online-delo.ru, etc.

This is also easy to eliminate. Place an empty index.html or index.php file in the folders sitename/wp-admin/, sitename/wp-content/ and sitename/wp-includes/. Or do as I do and put this interesting file there instead. Cool, huh? Download it and use it.

I also recommend adding the following lines to your .htaccess file, which also lies in the root of the site:

  Options All -Indexes
  RewriteEngine On

This will prevent strangers from viewing the contents of your folders.

To check your (or someone else's) blog for this vulnerability, enter the address of one of those folders in the browser's address bar.
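The checks from the "Firstly" and "Secondly" sections can be run as one audit of your own blog. The script below is an added example, not code from the original post: it takes the response bodies you would fetch from your own site (readme.html, the front page, and a wp-content/plugins/ folder) and reports whether readme.html still prints a version, whether the HEAD section still carries the generator meta tag, and whether the folder returns an Apache "Index of" listing. It goes one step beyond the post by also flagging the ?ver= parameter WordPress appends to enqueued styles and scripts, which leaks the version the same way. The sample HTML is constructed here to make the script run offline.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses standing in for what you would fetch from your
# own blog: readme.html, the front page, and wp-content/plugins/ with and
# without an index file. None of these are real captures.
SAMPLE_README = """<html><head><title>WordPress &rsaquo; ReadMe</title></head>
<body><h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />
<br /> Version 2.7.1</h1></body></html>"""

SAMPLE_FRONT_PAGE = """<html><head><title>My blog</title>
<meta name="generator" content="WordPress 2.7.1" />
<link rel="stylesheet" href="/wp-content/themes/default/style.css?ver=2.7.1" />
</head><body>Hello</body></html>"""

SAMPLE_PLUGIN_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><pre><a href="?C=N;O=D">Name</a>
<a href="../">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="hello.php">hello.php</a>
<a href="some-old-gallery/">some-old-gallery/</a>
</pre></body></html>"""

SAMPLE_HARDENED_LISTING = ""  # what an empty index.html in the folder returns


class _PageScan(HTMLParser):
    """Collects <meta name="generator"> values, ?ver= parameters and link targets."""

    def __init__(self):
        super().__init__()
        self.generator, self.ver_params, self.hrefs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator.append(a.get("content") or "")
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        for url in (a.get("href"), a.get("src")):  # scripts, styles, images
            m = re.search(r"[?&]ver=([\w.]+)", url or "")
            if m:
                self.ver_params.append(m.group(1))


def _scan(html):
    p = _PageScan()
    p.feed(html)
    return p


def readme_version(body):
    """Version string printed by WordPress' readme.html, or None if absent."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", body)
    return m.group(1) if m else None


def version_leaks(html):
    """(where, value) pairs for every version disclosure found in a page."""
    p = _scan(html)
    return ([("meta generator", g) for g in p.generator]
            + [("?ver= parameter", v) for v in p.ver_params])


def listed_entries(html):
    """Names exposed by an Apache 'Index of' directory listing (empty if none)."""
    if not re.search(r"<title>\s*Index of", html):
        return []
    # skip the column-sort links (?C=N;O=D) and the parent-directory link
    return [h.rstrip("/") for h in _scan(html).hrefs
            if not h.startswith("?") and h != "../"]


def audit(readme_body, front_page, plugins_listing):
    """Human-readable findings for the three exposures discussed in the post."""
    findings = []
    v = readme_version(readme_body)
    if v:
        findings.append(f"readme.html is reachable and reveals version {v}")
    for where, value in version_leaks(front_page):
        findings.append(f"front page: {where} reveals {value}")
    entries = listed_entries(plugins_listing)
    if entries:
        findings.append("wp-content/plugins is listable: " + ", ".join(entries))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_README, SAMPLE_FRONT_PAGE, SAMPLE_PLUGIN_LISTING):
        print("FOUND:", line)
```

To use it against your own blog, fetch the three URLs with urllib and pass the bodies to audit(); after deleting readme.html, adding the remove_action() line and placing the index files, all three checks should come back empty. The ?ver= parameter is not removed by remove_action('wp_head', 'wp_generator'), which is why the audit reports it separately.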

I hope that after reading this post, the authors of the blogs cited above as examples have eliminated their vulnerability. To everyone else, I advise fixing your own.

Last modified: 10/08/2013 at 08:03
Published: Saturday, March 14, 2009 at 17:41

Comments: 11

  1. GPS
    March 21, 2009 at 22:02

    This is also easy to eliminate. Place an empty index.html or index.php file in the folder

    1. .htaccess

      Options All -Indexes

    As you mentioned below, it is enough.

      RewriteEngine On 

    does not apply to directory listings.

    2. Good practice is to rename the administrative folder or protect it with a password; there is less temptation that way.

    3. Cut off the typical exploits, as is done in Joomla. In .htaccess:

      RewriteEngine on
      # Block out any script trying to base64_encode crap to send via URL
      RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
      # Block out any script that includes a <script> tag in URL
      RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
      # Block out any script trying to set a PHP GLOBALS variable via URL
      RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
      # Block out any script trying to modify a _REQUEST variable via URL
      RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
      # Send all blocked request to homepage with 403 Forbidden error!
      RewriteRule ^(.*)$ index.php [F,L]

    4. Do not allow direct access to the folders containing the engine's libraries and other files that the browser does not request directly (via GET/POST). The same .htaccess in your root/include:

      <Files *.php>
      Order Deny,Allow
      Deny from all
      </Files>

    The root folder (if there is a local php.ini):

      <Files php.ini>
      # or even all of them: <Files *.ini>
      Order Deny,Allow
      Deny from all
      </Files>

    Expand the list of banned masks as needed.

    5. Disable error output in PHP. Displaying a "stumbled" SQL query can be a boon for a hacker, if the engine is not typical or has been modified:
    in the local php.ini

      display_errors = Off 

    At the same time, don't neglect logging the errors. You never know...

      error_log = /path_to_your_home/php_errors.log

    6. From the "may be useful" category: Apache allows you to restrict the permitted HTTP methods. For example, to disable the CONNECT method, in .htaccess:

      <Limit CONNECT>
      Order Deny,Allow
      Deny from all
      </Limit>

    Reply
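The query-string rules in point 3 of the comment above decide, with four regular expressions, which requests get a 403. The script below is an added example, not part of the comment or of the post: it replays those four patterns in Python over a few constructed request URLs, so you can see before deploying them which requests they stop, and also which ordinary requests they catch as well (a site search for a PHP function name, for instance). The hostname imya_sayta and all sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# The four RewriteCond patterns from the comment above, as Python regexes.
# mod_rewrite tests them against the raw, still percent-encoded query string,
# so the samples below are kept exactly as a browser would send them.
# Only the <script> rule carries [NC]; the other three are case-sensitive.
FILTERS = [
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("script tag",    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS",       re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST",      re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

# Constructed sample requests: the kinds of probes the rule comments describe,
# ordinary blog requests, and searches on a PHP-themed blog that happen to
# contain the same tokens.
SAMPLE_REQUESTS = [
    "http://imya_sayta/index.php?p=base64_encode(x)",
    "http://imya_sayta/?s=%3Cscript%3E",
    "http://imya_sayta/?GLOBALS[x]=1",
    "http://imya_sayta/?_REQUEST=1",
    "http://imya_sayta/?p=123",
    "http://imya_sayta/?s=wordpress+security",
    "http://imya_sayta/?s=base64_encode(%24data)",  # search for a PHP function
    "http://imya_sayta/?s=%24GLOBALS%5Bx%5D",       # search for "$GLOBALS[x]"
]


def matched_filters(query_string):
    """Names of the rules a raw query string trips; an empty list means it passes."""
    return [name for name, rx in FILTERS if rx.search(query_string)]


def would_block(url):
    """True if this ruleset answers the request with 403 Forbidden.

    The [F] flag makes mod_rewrite return 403 at once; the index.php
    substitution written in the RewriteRule is never applied.
    """
    return bool(matched_filters(urlsplit(url).query))


def classify(urls):
    """Map each URL to the rules it trips, for review before deploying the rules."""
    return {u: matched_filters(urlsplit(u).query) for u in urls}


if __name__ == "__main__":
    for url, hits in classify(SAMPLE_REQUESTS).items():
        print("403" if hits else "200", url, hits or "")
```

The last two sample requests are legitimate site searches that the rules reject with 403, because the patterns look at the raw query string and not at what the parameter means. On a blog that writes about PHP that is the trade-off to weigh before adding these lines; the simulation lets you run your own typical URLs through the rules first.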

  2. Kursak
    October 9, 2009 at 15:30

    Yeah, I did:

      Options All -Indexes

    And the site went down!
    Good tips, wow!

    Reply

  3. Kursak
    October 9, 2009 at 15:45

      RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
      # Block out any script that includes a <script> tag in URL
      RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
      # Block out any script trying to set a PHP GLOBALS variable via URL
      RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
      # Block out any script trying to modify a _REQUEST variable via URL
      RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
      # Send all blocked request to homepage with 403 Forbidden error!
      RewriteRule ^(.*)$ index.php [F,L]

    Did it, and the site hung again. :)
    It's ridiculous. :)

    Reply

  4. Kursakov
    October 9, 2009 at 15:47

      Order Deny,Allow
      Deny from all

    Same story with this one. :)

    Reply

  5. Catherine
    January 14, 2010 at 15:32

    Inserted the code into the functions file and it still shows the version...

    Reply

  6. Ai Pi Mani
    January 14, 2010 at 18:36

    Apparently, you are not looking in the right place. The WP version is removed from the HTML code of the page. In the admin panel the version will remain visible.

    If you did everything right but the WordPress version still persists in the page code, then most likely you have page caching enabled. In that case, wait for the cache to refresh or clear it yourself.

    Reply

  7. dd
    January 26, 2010 at 13:28

    GPS wrote a competent comment, but Kursak needs to gain experience: a site can't hang because of Options All -Indexes.

    Reply

  8. Dima
    February 28, 2010 at 08:23

    If you put a blank index.html in wp-admin, then how do you get to the admin panel? What is the solution?

    Reply

  9. Ai Pi Mani
    March 1, 2010 at 20:34

    Getting to the admin panel is not a problem:
    http://imya_sayta/wp-admin/index.php

    Reply

  10. oldvovk
    August 26, 2010 at 13:03

    Yes, and that's not all. For example, the version information is also given away by the blog feed, by the sitemap from Google and Dagon, and also by the places where the Java plugins sit. You never know where it shows up.

    Reply

  11. Paul
    December 23, 2010 at 13:32

    Thank you! Very relevant.
    It's true: "Cut off the typical exploits, as is done in Joomla" in .htaccess brought my site down too. I had to roll back.

    Reply
