In Part 2 of my WordPress Security Guide I’m going to show you how to examine your site for exploits using available free WordPress plugins. I always say – you can’t fix a problem if you don’t know it exists! Even if you’re a WordPress newbie, you might be surprised how easy it is to look for common problems if you know what to look for and are armed with a few key tools.
In case you missed the first post, visit the WordPress Security Guide home.
Examine Your Site for Exploits
There are some really good plugins that can help you to find existing problems and potential exploits with your WordPress site. Here are some WordPress security plugins that perform scanning and alerting functions:
WP Security Scan will check your blog for some essential items. Once you download and install the plugin you’re presented with the initial results, which are conveniently displayed in either green or red depending on whether they need attention:
You can see in the image above there were only 2 things that needed attention in my test blog. Here’s a list of the initial checks it performs:
1. You have the latest version of WordPress.
2. The prefix of your WordPress tables is not the default “wp_”. You can set the database table prefix to something different; leaving it at the default makes your table names predictable, which makes SQL injection attacks easier to craft.
3. Your WordPress version is hidden.
4. WordPress database errors are turned off.
5. The WordPress ID meta tag has been removed.
6. The “admin” user has been removed.
7. An .htaccess file is protecting your /wp-admin directory.
It also has a scanner function which will check the permissions of key files and folders within your WordPress installation, letting you know if you are open for attack. Green means the permissions are good, red behind any listing means they should be changed ASAP.
This plugin is a good way to automatically check some of the major items on our checklist, but while it reports the issues, it doesn’t give you the ability to make the necessary changes from your WordPress admin. It does have a section for attempting to change the prefix of your WordPress tables, but even though my test site had the proper database ALTER permissions, it still wouldn’t allow the plugin to make the changes for me. Just know that your mileage may vary on that part of the plugin. All the other items you’ll need to change on your own manually (which we will cover here shortly).
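To show what the file-level items on that checklist actually look like on disk, here is an added example (my own script, not code from the post or from WP Security Scan) that audits a WordPress root directory for the table prefix, debug output, wp-admin .htaccess and wp-config.php permissions. It assumes a standard layout (wp-config.php in the root, a wp-admin subdirectory) and approximates the “database errors” item by the WP_DEBUG constant; the sample installs it runs against are constructed inside the script.

```shell
#!/bin/sh
# Added example, not code from the original post or from WP Security Scan:
# file-level checks for the checklist items above, run against a WordPress
# root directory. The database-backed items (admin user, version meta tag)
# need wp-cli or SQL and are left out. Sample installs are constructed.

# Item 2: $table_prefix in wp-config.php is not the default "wp_".
wp_prefix_ok() {
  ! grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.;' "$1/wp-config.php"
}
# Item 4 (assumption: approximated by WP_DEBUG): debug output that would
# show database errors to visitors is not switched on.
wp_debug_off() {
  ! grep -Eq "define\([[:space:]]*'WP_DEBUG'[[:space:]]*,[[:space:]]*true" "$1/wp-config.php"
}
# Item 7: an .htaccess file is present in wp-admin.
wp_admin_htaccess_ok() { [ -f "$1/wp-admin/.htaccess" ]; }
# Scanner function: wp-config.php is not readable by "other" users
# (the 8th character of ls -l output is the other-read bit).
wp_config_perms_ok() { [ "$(ls -l "$1/wp-config.php" | cut -c8)" = "-" ]; }

# Run every check, print OK/FIX per item, return the number of failures.
wp_audit() {
  failed=0
  for check in wp_prefix_ok wp_debug_off wp_admin_htaccess_ok wp_config_perms_ok; do
    if "$check" "$1"; then echo "OK   $check"; else echo "FIX  $check"; failed=$((failed + 1)); fi
  done
  return "$failed"
}

# Constructed sample installs: "weak" fails every check, "hardened" passes.
make_sample_site() {  # $1 = dir, $2 = weak|hardened
  mkdir -p "$1/wp-admin"
  if [ "$2" = weak ]; then prefix=wp_; debug=true; mode=644
  else prefix=x7q_; debug=false; mode=600; : > "$1/wp-admin/.htaccess"; fi
  printf "<?php\n\$table_prefix = '%s';\ndefine('WP_DEBUG', %s);\n" "$prefix" "$debug" > "$1/wp-config.php"
  chmod "$mode" "$1/wp-config.php"
}

# Demo against the constructed weak install
d=$(mktemp -d)
make_sample_site "$d" weak
wp_audit "$d" || echo "$? item(s) need attention"   # prints 4 item(s)
rm -rf "$d"
```

Point `wp_audit` at a real install root to get the same OK/FIX report; a FIX line for `wp_config_perms_ok` is the one to act on first, since a world-readable wp-config.php exposes your database credentials.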
Another way to check your blog for potential exploits is to install the WordPress plugin Exploit Scanner. The plugin author is Donncha O Caoimh, author of WP Super Cache. It has but one function, which is to search your WordPress files and database to see if you have WordPress plugins with known issues, or to see if you have suspicious posts or comments. This is very important because your plugins are checked against a database list of known “suspicious plugins”, and if you already have spam posts or comments your WordPress installation might be compromised already. I ran the scan on my test blog:
As you see in the image, I didn’t have any suspicious plugins installed, and I had only one post listed to check out (which turned out to be fine). This plugin is more for making sure you haven’t already somehow been hacked. If the results indicated your WordPress blog was compromised – you need to take action (which will also be covered shortly).
After that last plugin, you’re probably wondering if there is a plugin out there that could monitor your site and alert you if it was compromised. Another WordPress security scan plugin to consider is WP Antivirus. Once installed it will automatically scan your WordPress theme files to make sure they haven’t been hacked or compromised by a virus. It doesn’t do anything else, but it DOES send the admin an email if a “virus” is found in your theme files. You can also run a manual check of your theme files if you don’t want to enable email notification:
All my files were fine in my test blog theme except for one, and there was no virus – but there was a potential problem with one section of my functions file. As you can see safe files are in green, potential problems are red. It would be nice if this plugin did the same type of database scan as WordPress Exploit Scanner as well, maybe it will in a future version.
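To make the two kinds of scan above concrete (Exploit Scanner’s pass over posts and comments, WP Antivirus’s pass over theme files), here is an added example of my own, not code from either plugin. It greps theme PHP files for common obfuscation idioms and a “post_id|content” export for hidden-markup spam; the pattern lists, the sample theme and the sample posts are all constructed for the demo, whereas the real plugins match against their own signature databases.

```shell
#!/bin/sh
# Added example, not code from Exploit Scanner or WP Antivirus: a grep pass
# over theme PHP files and an exported posts/comments list for the kinds of
# markers those plugins flag. Pattern lists and sample data are constructed
# for the demo; the real plugins match against their own signature databases.

# Obfuscation idioms typical of injected PHP (constructed, not exhaustive)
CODE_PATTERNS='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)\(|preg_replace[[:space:]]*\(.*/e.[[:space:]]*,|(\\x[0-9a-fA-F]{2}){4,}'
# Hidden-content markers typical of spam injected into posts or comments
CONTENT_PATTERNS='display:[[:space:]]*none|visibility:[[:space:]]*hidden|<iframe[^>]*(width|height)=.0'

# Print file:line:code for every suspicious line in a theme directory.
scan_theme() {
  find "$1" -name '*.php' -exec grep -nE "$CODE_PATTERNS" /dev/null {} +
}
count_theme_hits() { scan_theme "$1" | wc -l | tr -d ' '; }

# Scan a "post_id|content" export (one record per line) for hidden markup.
scan_content() { grep -nE "$CONTENT_PATTERNS" "$1"; }
count_content_hits() { scan_content "$1" | wc -l | tr -d ' '; }

# Constructed sample theme and posts export used to demonstrate the scan.
make_samples() {
  mkdir -p "$1/theme"
  cat > "$1/theme/functions.php" <<'EOF'
<?php
add_action('wp_head', 'site_head');
function site_head() { echo "<meta name='robots' content='index'>"; }
// injected-looking line, constructed for the demo (never executed here):
eval(base64_decode('Zm9v'));
EOF
  cat > "$1/posts.txt" <<'EOF'
101|<p>Welcome to the blog, first post.</p>
102|<p>Great tips.</p><div style="display:none"><a href="http://spam.example/">buy now</a></div>
103|<iframe src="http://spam.example/" width="0" height="0"></iframe>
EOF
}

# Demo run against the constructed samples
d=$(mktemp -d)
make_samples "$d"
echo "theme hits:   $(count_theme_hits "$d/theme")"       # 1
echo "content hits: $(count_content_hits "$d/posts.txt")" # 2
rm -rf "$d"
```

A hit is a reason to read the surrounding code or post by hand, not proof of compromise; legitimate themes occasionally use base64 for icons, so treat the output the way the plugins’ “check this out” lists are meant to be treated.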
Unlike some of the previous plugins that look for problems, Secure WordPress actually takes care of some of them by setting options in plugin admin in your dashboard.
As you can see in the images above, it’s as easy as clicking a checkbox to remove the version of WordPress in all areas, remove update links for non-admins, and it can even create an index file in your plugins directory to keep people from “directory browsing”. The last thing it can do is add a comment to your HTML code, which enables you to use the next tool we’ll talk about, “WP Scanner”.
WP Scanner checks your blog over the web. Before they do that, they want to ensure that you’re actually the owner (and not scanning someone else’s blog!), so a simple comment has to be added to your HTML code. They offer a free plugin that adds it automatically if you don’t want to edit your theme files, or you can add the code by checking an option in the previously mentioned plugin “Secure WordPress”.
Once you enable the plugin, you visit the WP Scanner web site to start a scan. The image above shows what the results look like from the WP Scanner web report. It assigns a risk factor to items it finds, but does not give much additional information. It did come up with results for me that the other plugins did not, like some readme files that could clue a hacker in to what version of WordPress or plugins I’m using.
I hope that you learned some valuable and free ways today to find exploits in your WordPress blog. Stay tuned, because in Part 3 of our WordPress Security Guide we’re going to learn how to limit access to your WP sites. In Part 5 we’re going to talk about how to stop spambots and hackers dead in their tracks from trying to break in through exploits.