
How To Stop An Ethical Hacker Breaking Into Your WordPress Site

In this month’s .net magazine (known as Practical Web Design in the US) there was an interesting article in which an ethical hacker showed how he would break into your site — and what you can do to stop him. In this post we’ll look past the usual “X Plugins To Save Your Blog” lists and see what steps actually stop a real-life attacker.

Hiding WordPress

One of the first things our “ethical hacker” did was find out what software the site was running on. So the first step in stopping him is to hide every indication that you’re using WordPress, which is harder than it first appears.

When I look at a site, it is usually obvious whether it’s running WordPress. Take DesignInformer’s head tag:

We’ll come to wp-content in a moment, but first the RSS feeds. The /feed/ and /comments/feed/ links are WordPress’s default feed permalinks, so as soon as I see them in the head I think WordPress. You can get around this by serving your feeds through something like Feedburner and dropping the native feed links from the head.
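The following is a worked example of the head cleanup and feed redirect described above, written for this post; it is not code from the original article or from WordPress core. It is a small must-use plugin: the Feedburner address and the User-Agent check that lets Feedburner’s own fetcher through are assumptions. It must be loaded by WordPress (drop it into wp-content/mu-plugins/, or paste the body into a theme’s functions.php), because remove_action(), add_filter() and the other calls are defined by WordPress and do not exist when the file is run on its own.

```php
<?php
/**
 * Plugin Name: Hide WordPress Fingerprints (added example)
 *
 * Added example, not from the original article. Must run inside WordPress
 * (wp-content/mu-plugins/ or a theme's functions.php); executed stand-alone
 * it fails with "Call to undefined function remove_action()".
 */

// Hypothetical Feedburner address for this site (assumption): replace it.
const HWF_FEED_URL = 'https://feeds.feedburner.com/example-site';

/**
 * Remove the <head> tags that identify WordPress: the generator meta tag,
 * the /feed/ and /comments/feed/ <link rel="alternate"> tags, and the RSD
 * and Windows Live Writer discovery links. The priorities must match the
 * ones core used when it hooked the callbacks (2, 3 and the default 10),
 * otherwise remove_action() silently does nothing.
 */
function hwf_strip_head_fingerprints() {
    remove_action( 'wp_head', 'feed_links', 2 );
    remove_action( 'wp_head', 'feed_links_extra', 3 );
    remove_action( 'wp_head', 'wp_generator' );
    remove_action( 'wp_head', 'rsd_link' );
    remove_action( 'wp_head', 'wlwmanifest_link' );
}
add_action( 'init', 'hwf_strip_head_fingerprints' );

// The generator string is also written into the feeds themselves and by
// other callers of get_the_generator(); blank it everywhere, not just in wp_head.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Send feed readers to Feedburner instead of the native /feed/ URLs.
 * Feedburner still has to fetch the native feed from this site, so its
 * fetcher is let through; matching "feedburner" in the User-Agent is an
 * assumption about that fetcher, not something WordPress guarantees.
 */
function hwf_redirect_feeds() {
    if ( ! is_feed() ) {
        return;
    }
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if ( stripos( $ua, 'feedburner' ) !== false ) {
        return;
    }
    wp_redirect( HWF_FEED_URL, 302 );
    exit;
}
add_action( 'template_redirect', 'hwf_redirect_feeds' );
```

Only the head tags go away. /wp-login.php, /wp-admin/, the wp-content paths and readme.html in the document root still answer for anyone who requests them, and a scanner checks those paths directly rather than reading the head, so treat this as removing the obvious hints and not as a substitute for keeping core, themes and plugins patched.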

Alex Denning

13 Comments
Umer
November 7, 2011 4:56 pm

What the hell. You didn’t tell us where to put these codes?

Mr Honeyfoot
November 8, 2010 11:27 am

This no longer works in new versions of WordPress.

Yields the following:

Fatal Error: Call to undefined function remove_action()

Thoughts?

jazzsequence :: arcane palette :: Keeping your website safe
May 6, 2010 5:26 am

[…] You may also want to consider hiding your site as a WordPress site. While obfuscation is not necessarily a means of securing your site — especially if that’s the only thing you’re doing — it might not hurt. A hacker who knows how to get into WordPress could be diverted if, for example, your wp-login.php page was moved to a different address. Alex Denning of WPShout has some great suggestions of ways to confound potential hackers. […]


TuniLame
April 8, 2010 9:25 pm

Hi!
Thanks for your valuable info…

But you forgot to mention removing the file “readme.html” from the root of WordPress.

BadCat
April 8, 2010 4:26 pm

Also might be worth noting: even if one had invested the time and masked all the above directories etc., it appears fairly obvious that peeking into a site’s CSS and finding something like:

/*
Template name: template
*/

could also be a giveaway.

Kevin Muldoon
April 9, 2010 1:15 am
Reply to  BadCat

Yes I agree. Image locations can give it away too.

BadCat
April 8, 2010 4:12 pm

All good points – however, how does a WP upgrade via the Admin fare after you’ve rerouted all the folders? Which directories, if any, does WP, or possibly a plugin or even a theme, assume to be in a specific location even after you’ve made functions mods etc.?
