Wordpress blog security! WARNING! Your blog at RISK Again!


New security leakages many people don't know about. Here is how your WordPress blog or website may be vulnerable. This guide also gives the exact steps to get these leakages covered without paying for extra plugins or expertise.

Many people don't like plugins. They add extra weight and may be another source of insecurity. That's why I show you exactly how to cover these holes simply by activating options in cPanel. No plugin required.


WARNING! Your blog at RISK Again! Did you know this?
enstinemuki.com/wordpress-blog-security/

Do you think your blog is secured? Wait until you read this. I got a mail from one of my readers pointing this issue out on my blog. As a matter of fact, as a webmaster and PHP developer, it took nothing but negligence on my part not to have gotten these leakages handled. With just a few clicks in your cPanel, these security flaws can be dealt with in a matter of minutes.

I tested over 5 blogs I read so often and none of them was safe. This is serious! How come almost everyone does not care about this, yet we talk about safety here and there? I'm sure these flaws are responsible for the thousands of hacks we have on WordPress these days.

These leakages reveal key information about your web hosting. Hackers may use this information to develop strategies to attack and bring down your blog.

NB: Read more on securing your blog from hackers.

Vulnerability 1

Copy the link below and paste it in your address bar, replacing yourdomainname.com with your real domain name:

http://yourdomainname.com/wp-includes/vars.php

What if your blog is installed in a subdirectory, like this?

http://companyname.com/blog/

Then this is what you should request:

http://companyname.com/blog/wp-includes/vars.php

Now load this in your address bar. If you see the following screenshot (a PHP error message), it means your server may be revealing critical information to the bad guys, and if security on that server is not strong enough, getting in might just be a matter of time. You see that the direct location of your files on the server is revealed. This makes the hacker's job a bit lighter.

Proposed solution

My proposed solution is to ask the server to silence all errors. In other words, don't show any errors on the screen. Let's see how to do this in cPanel.

Log on to cPanel. Locate the "Software/Services" tab and click "php.ini Quick Config". On the page that follows, carefully locate "display_errors" and turn it off as shown on the image below. Click the "Save Changes" button at the bottom of the page. You may now go back and check whether this works at http://yourdomainname.com/wp-includes/vars.php

Vulnerability 2

In this leakage, you are openly showing the listing of your files to everyone who cares to look. Let's see if your files are being revealed: paste the following link in your address bar. Of course, you have to replace the portion yourdomainname.com with your real domain name:

http://yourdomainname.com/wp-includes/

If you see a listing of your files, that means you've got work to do.

Proposed solution

1 -> Create a blank index file (name it index.php) and upload it into this folder to disable directory listing. If you go with this solution, you will have to do this for every directory you want to protect. I propose you go with solution 2 below.

2 -> Locate the "Advanced" tab on your cPanel home page and click the "Index Manager" command. NB: Your cPanel skin may be different from mine, so expect some differences in design.

On the screen that follows, select the domain or folder you wish to protect by clicking its name (not the icon). Finally, click the "No Indexing" option on the list as shown on the image below and "Save". This will make sure people do not see the files in your directory and sub-directories.

If you go back to your link to test this out, you are surely going to see "ERROR 403 – FORBIDDEN". This is not sexy at all. In one of my subsequent posts, I'll show you how to build and load your own error pages. Be sure therefore to join my list so you don't miss it.

NB: In issue 1 above, where you turned error display OFF, be sure to revert it to ON if you want to debug online.

If following these steps is an issue for you, be sure to contact me so we can work a way out. Let me hear from you in the comments below if this post has helped you in any way. Do also share this on social media so others may get to know about it.

Create Custom 403 Forbidden Error Page with no Plugin
enstinemuki.com/custom-403-forbidden-error-page/

The 403 Forbidden error page is a web page that means accessing the page or resource you were trying to reach is absolutely forbidden. In other words, this is a no-go area. For the most part, access to forbidden pages or directories on blogs or websites is attempted by visitors with evil intentions. However, genuine visitors may for some reason find themselves 403'ed. That's why we are creating a more user-friendly page to take care of this category of visitors.

Recommended reading: How to disable directory listing on your blog. Directory listing is a security weakness, so I encourage you to check out that post.

Custom 403 forbidden error page – no plugin

There are literally many ways to create and host your own custom 403 error page, from editing the default error page in cPanel, through the use of plugins, to simply following the steps discussed in this post. Personally, I don't like going with plugins. You know what I mean? Extra load on my blog, security issues, etc. So I have a pretty simple way to get a beautiful page up. No HTML or PHP coding skills needed.

The first step is to decide what goes on your custom error page. You may simply want to tell the visitor "hey, you are not allowed here", or add some more things to make it more engaging. I have even seen error pages with a subscription form. It's really up to you what to put there.

Create a page with basically anything you want

As illustrated above, you simply create a WordPress page, publish it and grab your page URL. Now you have your error page set. The next thing is to instruct the server to redirect to this page if someone tries to access any "no-go" area on your blog.

So grab the .htaccess file at the root of your blog. Generally, you will need an FTP (File Transfer Protocol) program to connect and download this file from your server. Another option is to use cPanel's online File Manager. Whichever method you choose, paste the following code at the end of the file:

ErrorDocument 403 http://yourdomain.com/access-denied

NB: replace yourdomain with your real domain name. You may also want to replace access-denied with any URL of your choice. Here below is what it looks like. Save the file and upload it to the server.

That's how simple it is. If you however still are not able to get this done, contact me so we can work a way out. Let me hear your thoughts in the comment box.
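The three fixes above (silencing PHP error output, turning off directory indexes, and the custom 403 page) are all things Apache can be told directly in the site's root .htaccess, which is what the cPanel buttons end up changing for you. The block below is an added example, not code from the two posts or from WordPress itself. It assumes PHP runs as an Apache module (mod_php) for the php_flag lines, and that the custom error page was published at the permalink /access-denied/; the log path is a placeholder. One caveat worth knowing: when ErrorDocument is given a full http:// URL, as in the post, Apache answers the blocked request with a redirect rather than serving the page, so the browser (and any uptime or security monitoring) sees a 302 instead of a 403. A local path keeps the real 403 status while still showing the friendly page.

```apache
# Added example (not from the posts): .htaccess equivalents of the cPanel steps,
# placed in the WordPress root alongside the existing "# BEGIN WordPress" rules.

# Vulnerability 2: never generate a directory listing for a folder that has no
# index file. This is the directive behind cPanel's "No Indexing" choice.
Options -Indexes

# Vulnerability 1: keep PHP error text (which includes the absolute server path
# of the script) off the screen and send it to a log file instead.
# php_flag/php_value only work when PHP is loaded as an Apache module; the
# module name differs by version (mod_php5.c, mod_php7.c, mod_php.c), so check
# "Server API" in phpinfo() and adjust. Under CGI/FastCGI/PHP-FPM, put the same
# three settings in php.ini or a .user.ini file in the document root instead.
<IfModule mod_php.c>
    php_flag display_errors Off
    php_flag log_errors On
    # placeholder path: use a directory outside the web root on your host
    php_value error_log /home/USERNAME/logs/php_errors.log
</IfModule>

# Custom 403 page: a LOCAL path, not a full URL, so the 403 status is preserved
# and Apache renders the WordPress page in place via an internal subrequest.
# /access-denied/ is the assumed permalink of the page created for this purpose.
ErrorDocument 403 /access-denied/
```

After saving, repeat the two checks from the first post: requesting /wp-includes/ should now show your custom page, and `curl -I http://yourdomain.com/wp-includes/` should report a 403 status on the first line; requesting /wp-includes/vars.php should return a blank page with no "Fatal error ... in /home/..." text. If the custom page itself ever returns 403 (for example because it lives under a folder you also blocked), Apache falls back to its plain default error page and adds a line saying an additional 403 was encountered while using the ErrorDocument, which is the sign to move the page or loosen that rule.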