[Image: 3D render of a bank safe]

Historically, WordPress has been blamed for many security breaches. It does not have a good track record, but things have changed.

The real problem was not only that it had many flaws, but that as soon as a flaw was discovered, bots were set up to exploit it. Even if your blog was not popular, if you did not update in time you were exposed.

Now things are better and you don’t have to worry as much. But even if someone can’t take over your blog outright, an attacker can still get in with the right amount of work.

How can they do that? Brute force, flaws in individual plugins, trying and trying again. I can’t say how hard it is, but an attacker may actually find a way in if they truly want to.

Back in 2008 I did not use WordPress as a CMS. I had a separate website with good rankings in Google. I wanted a place to write articles, so I installed WordPress in a subdirectory. I didn’t pay attention. I forgot to update and a flaw was discovered. Some bots inserted hidden bad links into my articles. I didn’t notice until Google dropped my site.

At that point I started to investigate everything until I found the hidden links. It is hard to search for something while it is hidden. I was lucky because I have good “view source” skills.

Now WordPress is paying more attention to security. Moreover, there are now several plugins that can help us see what we forgot to secure before launching the blog.

I use WP Security Scan. You can download it from here.

The plugin adds a menu at the bottom of your admin panel menu, with several functions under it. The most important problems are listed in the WP Security admin tools initial scan.

You can see that it checks whether you have the latest version. This is very important: flaws may appear at any time, but they are fixed quickly. Update and don’t worry.

The table prefix: hackers may find MySQL vulnerabilities, but on their own those don’t let them do much. If they know how your tables are named they can actually do something, for example find a way to execute a PHP file that changes the content of your database. If they don’t know your table prefix, it is much harder for them to do anything.

Turn off WordPress errors. From error messages attackers can learn your directory structure, and that is very, very bad.

Admin user. Attackers know that this user is created by default, and many administrators keep using it. They can brute force the password of the admin user. Brute force means trying every password until the one that matches is found. If they don’t know the username, the chances of doing that are very, very slim. It is impossible to check every possible user with every possible password.

WP Security Scan will also check all your directories to see whether their permission settings are appropriate.
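As an added example that is not part of the original post or of WP Security Scan itself, here is a small POSIX shell audit that applies the same four checks offline to a WordPress install directory. The user-list file is an assumption: one login per line, exported from the database however you prefer.

```shell
#!/bin/sh
# Hypothetical offline audit of a WordPress install (added example, not the
# plugin's code). Each check_* function prints one line per finding and
# nothing when the install passes; audit_wordpress runs them all and returns
# the number of findings as its exit status (0 = clean).

# Default table prefix "wp_" lets an attacker guess every table name.
check_table_prefix() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "FINDING: $cfg missing"; return; }
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*[^A-Za-z0-9_]wp_[^A-Za-z0-9_]' "$cfg"; then
        echo "FINDING: default table prefix 'wp_' in wp-config.php"
    fi
}

# WP_DEBUG true displays PHP errors, which reveal the directory structure.
check_error_display() {
    if grep -Eiq 'define[[:space:]]*\([[:space:]]*.WP_DEBUG.[[:space:]]*,[[:space:]]*true' "$1/wp-config.php" 2>/dev/null; then
        echo "FINDING: WP_DEBUG is enabled; error output is visible to visitors"
    fi
}

# A login literally named "admin" is the first brute-force target.
# $2 is the assumed user-list file (one login per line).
check_admin_user() {
    if grep -qx 'admin' "$2" 2>/dev/null; then
        echo "FINDING: default user 'admin' exists"
    fi
}

# Usual WordPress recommendation: directories 755, files 644.
# wp-config.php is commonly tightened further, so it is skipped here.
check_permissions() {
    find "$1" -type d ! -perm 755 | sed 's/^/FINDING: directory not 755: /'
    find "$1" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/FINDING: file not 644: /'
}

# Usage: audit_wordpress /path/to/wordpress /path/to/users.txt
audit_wordpress() {
    findings=$( { check_table_prefix "$1"; check_error_display "$1"; check_admin_user "$1" "$2"; check_permissions "$1"; } )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    n=$(printf '%s' "$findings" | grep -c . || true)
    return "$n"
}
```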