With WordPress popularity ever increasing, security issues have never been more relevant – but other than simply keeping updated, how can a beginner or average level user stay on top of things? Would you even know if your blog has been hacked? A helpful new service from WebsiteDefender aims to solve this problem.
Is it worth the effort though? I mean, it would never happen to me, would it? Well, a vulnerability was recently discovered in timthumb.php, a thumbnail-making utility that is used in a considerable percentage of old themes and plugins (before WordPress built thumbnailing and featured images into the core system). Given that this file can be detected using automated scanners, the chances of your blog being hacked over the coming months are rather high – and you won’t even know if it has been. I’ve seen it happen a few times in the last week alone, and now they’re dealing with the fallout.
How Do You Know If Your Site Has Been Hacked?
Normally, you don’t. The most common hack I’ve seen is one where the regular site and admin panels work as normal – however, any visitors arriving from Google are hijacked and redirected to a site in Russia. Of course, since you’re unlikely to Google your own site, the hack remains undetected until either your users give you feedback, your web host shuts you down as a threat, or you get the dreaded warning from Google itself saying your website is now officially hosting malware. Bye-bye traffic!
The hacker usually also installs a complete web-based control panel on your server, giving anyone with the URL access to all your files and free rein to do as they wish. It’s quite scary stuff, and because they can alter core files, recovering from such an attack takes a lot of work and certainly isn’t something a regular user can do.
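A practical way to catch this kind of hijack yourself, added here as an example (it is not part of the original article or of the WebsiteDefender service): fetch your own front page once directly and once with a Google referer, and compare the two responses. The redirect target used in the comments is a made-up address.

```python
import sys
import urllib.error
import urllib.request

GOOGLE_REFERER = "https://www.google.com/"
UA = "Mozilla/5.0 (compatible; referer-check)"
REDIRECTS = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None):
    """Request url once; return (status, Location header or None, body bytes)."""
    headers = {"User-Agent": UA}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # a 3xx surfaces here once redirects are disabled
        return err.code, err.headers.get("Location"), err.read()


def compare(plain, referred):
    """Describe how the visit 'from Google' differs from a direct visit.

    Example (constructed): plain=(200, None, b'...'), referred=(302, 'http://redirect.example/', b'')
    yields ['redirect only for Google visitors: 302 -> http://redirect.example/'].
    """
    p_status, p_loc, p_body = plain
    r_status, r_loc, r_body = referred
    findings = []
    if r_status in REDIRECTS and p_status not in REDIRECTS:
        findings.append(f"redirect only for Google visitors: {r_status} -> {r_loc}")
    elif p_loc != r_loc:
        findings.append(f"different redirect target: {p_loc!r} vs {r_loc!r}")
    elif p_body != r_body:
        # Weak signal: dynamic pages (nonces, ads, timestamps) also vary between requests.
        findings.append("page body differs for Google visitors (possible cloaked content)")
    return findings


def check_site(url):
    """Fetch url directly and with a Google referer; return the list of findings."""
    return compare(fetch(url), fetch(url, referer=GOOGLE_REFERER))


if __name__ == "__main__":
    for finding in check_site(sys.argv[1]) or ["no referer-dependent behaviour seen"]:
        print(finding)
```

This only catches server-side redirects keyed on the Referer header; a hijack done in injected JavaScript or keyed on the browser's User-Agent would need the page body inspected as well.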
So… How Can I Protect My Blog?
Luckily, this free WebsiteDefender service can scan your site. Head on over there to sign up. However, this service is only available to WordPress bloggers running self-hosted installs. If you’re using WordPress.com, Blogger.com or another similar free hosted blog, you can’t use it. Free hosting plans also don’t work. You need to be able to upload a verification file to your server before the scan will commence, and free accounts are limited to one website.
Registration & Verification
Once you’ve verified your email address entered during registration, you’ll be sent to a page where you can download a small verification file. This needs to be uploaded to the root of your website. When you’ve done that, head back to the site and click the TEST button.
If you get an error similar to what I received, just download the zip file as instructed, then also upload the compat directory to the root of your site.
Presumably, the scanner needs some additional PHP libraries that your server doesn’t have. After uploading the folder to the same root directory as the verification file you uploaded a moment ago, hit TEST again and you should get confirmation that the scan will run soon.
In my testing, an email came after about 2 hours detailing any problems, so don’t be alarmed if it takes a while.
The warnings you receive are ranked from Critical to Low, and it turned up a few unexpected security errors in my report which I’ll need to deal with. It also rates outstanding WordPress and plugin updates as medium severity, so if you shamefully haven’t updated something yet, perhaps this will serve as a helpful reminder.
Each issue will also link to a more detailed explanation and instructions on how to solve it, which is incredibly useful for those of us who are less technical about websites and servers. Don’t worry if you’ve deleted the email – you can access a complete breakdown on the report at any time from the dashboard.
The Website Defender team also have a couple of plugins you can use to secure WordPress, though curiously the scan makes no mention of them when you run it via the website method outlined above.
The WP-Security-Scan plugin performs a basic security audit for you, covering things such as directory permissions, the database table prefix, .htaccess permissions, default usernames and WordPress version hiding.
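To show what such an audit actually looks at, here is an added example script (not the plugin’s own code) that inspects a local WordPress directory for the items above that can be read off the filesystem: the default table prefix in wp-config.php, loose permissions, listable themes and plugins directories, a version-disclosing readme.html, and any stray copy of timthumb.php (the file mentioned earlier). It assumes a POSIX host; default usernames live in the database and are out of its scope.

```python
import os
import re
import stat
import sys


def audit_wordpress(root):
    """Return (severity, message) findings for the WordPress install rooted at root."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
        if m and m.group(1) == "wp_":
            findings.append(("medium", "wp-config.php uses the default table prefix 'wp_'"))
        if stat.S_IMODE(os.stat(cfg).st_mode) & stat.S_IROTH:
            findings.append(("medium", "wp-config.php is readable by every local user"))
    if os.path.isfile(os.path.join(root, "readme.html")):
        findings.append(("low", "readme.html discloses the WordPress version; delete it"))
    # Directory listing is blocked either by a placeholder index.php or by .htaccess rules.
    for sub in ("wp-content/themes", "wp-content/plugins"):
        d = os.path.join(root, sub)
        guards = (os.path.join(d, "index.php"), os.path.join(d, ".htaccess"))
        if os.path.isdir(d) and not any(os.path.exists(g) for g in guards):
            findings.append(("low", f"{sub}/ may be listable (no index.php or .htaccess)"))
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            findings.append(("high", f"{rel}/ is world-writable"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == ".htaccess" and stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
                findings.append(("high", f"{rel}/.htaccess is world-writable"))
            # thumb.php is the name many old themes shipped TimThumb under (assumption).
            if name.lower() in ("timthumb.php", "thumb.php"):
                findings.append(("critical", f"possible copy of TimThumb at {rel}/{name}; update or remove it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_wordpress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{severity}] {message}")
```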
The Secure WordPress plugin locks down your installation by applying a number of security measures. This essentially amounts to removing all references to your WordPress version, removing the Windows Live Writer lines from your header, and preventing listing of your themes and plugins directories – amongst others.
Both plugins include signup forms for the Website Defender online service and appear to let you link to an existing account. However, during testing I was unable to link them, as my free quota of one website was already used up (despite the fact that I was trying to link the same URL anyway, it seemed to think it was a different site).
The fact that there are two plugins available, as well as the option to run the scan without a plugin via the website, is quite confusing to be honest – nor does the website-initiated scan even mention the plugins, and I can’t see the logic behind that. While each plugin is unique, it’s difficult to see why they haven’t just made a single ultimate security plugin that both hardens your WordPress and checks for issues. I also found that scanning via the website showed more security issues than using the WP-Security-Scan plugin, presumably because of restrictions on what WordPress plugins can actually do.
That’s not to say I don’t thoroughly recommend the free service – because I do think you should go sign up now and make damn sure you aren’t vulnerable to the growing number of WordPress-based exploits. In fact, I’d recommend a combination of the Secure WordPress plugin to lock it down, whilst performing the actual scan through the website method. Let me know how it turns out in the comments.