I run some WordPress sites for myself, but I also help some of my friends host theirs. Like everybody, I care that the sites I manage don’t get hacked or defaced. For a long time my experiences with WordPress in this regard have been very good; it is a mature and secure CMS. But a few things can still be done to improve its security and make it less likely that you lose control of your site.
Last autumn I had one of my sites defaced. It was a site I didn’t really keep track of, so it was probably not updated to the latest version, which of course is a must. Luckily my hosting provider Gigahost.dk quickly shut down the site. At the time I didn’t really bother to investigate what had happened; I didn’t use the site, so I just deleted it and changed my passwords.
Today, when I was going over some website statistics for my WordPress sites, I discovered that there are quite a few hits on some of the internal WordPress files; wp-cron.php in particular seems popular. On this specific site 25% of my traffic comes from South Arabia. I doubt that my articles are that interesting to people in South Arabia, so I suspect that something fishy is going on. As is most common today, it is probably just drive-by hacking: simple scripts that traverse the internet looking for out-of-date sites that can be defaced through known vulnerabilities.
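The statistics package only shows that wp-cron.php is popular; the raw access log shows who is asking for it. The script below is an added example (not part of the original post) that walks Apache "combined" log lines, counts requests to the WordPress entry points that ordinary readers never fetch directly, ignores the server's own wp-cron loopback request and the theme CSS/JS that every browser loads, and flags client IPs that hit those files repeatedly or POST to xmlrpc.php / wp-login.php (password guessing). The log lines are constructed for the example; the IP addresses, paths and user agents are made up.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# WordPress entry points that a human reader never requests by hand.
INTERNAL_PATHS = {
    "/wp-cron.php", "/xmlrpc.php", "/wp-login.php", "/wp-trackback.php",
    "/wp-comments-post.php", "/wp-config.php", "/wp-config-sample.php",
}
INTERNAL_PREFIXES = ("/wp-admin/", "/wp-includes/",
                     "/wp-content/plugins/", "/wp-content/themes/")
# Theme/plugin assets are fetched by every browser, so they are not probes.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")
# POSTs here are how credentials get guessed (xmlrpc.php takes a login too).
AUTH_ENDPOINTS = {"/xmlrpc.php", "/wp-login.php"}

# Constructed sample log for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2012:10:01:02 +0100] "GET /2012/01/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
127.0.0.1 - - [12/Feb/2012:10:01:02 +0100] "POST /wp-cron.php?doing_wp_cron=1329037262 HTTP/1.0" 200 0 "-" "WordPress/3.3.1; http://example.com"
198.51.100.23 - - [12/Feb/2012:10:03:40 +0100] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [12/Feb/2012:10:03:41 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [12/Feb/2012:10:03:41 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [12/Feb/2012:10:03:42 +0100] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 201 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [12/Feb/2012:10:03:43 +0100] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [12/Feb/2012:10:05:00 +0100] "GET /wp-content/themes/twentyeleven/style.css HTTP/1.1" 200 9011 "http://example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_internal(path):
    """True for WordPress internals that only scripts (or WordPress itself) request."""
    if path.endswith(STATIC_EXT):
        return False
    return path in INTERNAL_PATHS or path.startswith(INTERNAL_PREFIXES)


def analyse(lines, server_ips=("127.0.0.1",), threshold=5):
    """Summarise hits on internal files.

    Returns a dict with:
      per_path   - Counter of internal paths requested by outside clients
      suspects   - {ip: {path: count}} for IPs with >= threshold internal hits
      auth_posts - Counter of IPs that POSTed to xmlrpc.php or wp-login.php
    Requests from server_ips are skipped: WordPress spawns a loopback POST
    to wp-cron.php on page loads, and that traffic is expected.
    """
    per_path = Counter()
    per_ip = defaultdict(Counter)
    auth_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in server_ips or not is_internal(rec["path"]):
            continue
        per_path[rec["path"]] += 1
        per_ip[rec["ip"]][rec["path"]] += 1
        if rec["method"] == "POST" and rec["path"] in AUTH_ENDPOINTS:
            auth_posts[rec["ip"]] += 1
    suspects = {ip: dict(c) for ip, c in per_ip.items()
                if sum(c.values()) >= threshold}
    return {"per_path": per_path, "suspects": suspects, "auth_posts": auth_posts}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for path, n in report["per_path"].most_common():
        print(f"{n:5d}  {path}")
    for ip, paths in report["suspects"].items():
        print(f"suspect {ip}: {paths}  (auth POSTs: {report['auth_posts'][ip]})")
```

On a real server feed it the log instead of SAMPLE_LOG (`analyse(open("/var/log/apache2/access.log"))`) and put your own server's public address into `server_ips` as well as 127.0.0.1, since the wp-cron loopback request arrives from whichever address WordPress resolves the site name to. The theme stylesheet in the sample deliberately does not count as a probe: that is the same reason blocking /wp-content/themes in robots.txt is a questionable idea.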
Of course I would like to avoid that happening, so I have updated my robots.txt to exclude pages that should not be of interest to the public. (robots.txt is simply placed in the root of your site and tells search engines not to index certain content. Be aware of what it is: it is advisory only, so well-behaved crawlers honour it while attack scripts ignore it, and since the file is readable by anyone it also advertises exactly which paths you would rather not have found. It keeps these files out of search results, which makes a site harder to find by searching for a vulnerable version string, but it is not access control. Note also that every Disallow path must start with a slash, otherwise many parsers ignore the rule, and that hiding /wp-includes and /wp-content/themes from search engines also hides your CSS and JavaScript from them.) My new updated robots.txt looks like this.
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
Disallow: /wp-app.php
Disallow: /wp-atom.php
Disallow: /wp-blog-header.php
Disallow: /wp-comments-post.php
Disallow: /wp-config-sample.php
Disallow: /wp-config.php
Disallow: /wp-cron.php
Disallow: /wp-feed.php
Disallow: /wp-login.php
Disallow: /wp-links-opml.php
Disallow: /wp-mail.php
Disallow: /wp-pass.php
Disallow: /wp-rdf.php
Disallow: /wp-register.php
Disallow: /wp-rss.php
Disallow: /wp-rss2.php
Disallow: /wp-settings.php
Disallow: /wp-trackback.php
Disallow: /xmlrpc.php
My old site that got defaced probably did so due to a bug in the xmlrpc.php file, because on that specific site I had that functionality enabled. Another piece of advice: don’t enable functionality or install plugins that you don’t need; it just increases your risk of getting hacked.
An even better way of avoiding unused functionality being exploited is to prevent access to it altogether. This can be done with a simple .htaccess rule (read more about that here). What I have done is prevent any access to wp-cron.php and xmlrpc.php by adding the following to my .htaccess file. Two caveats before you copy it: WordPress normally runs its scheduled tasks by making a loopback HTTP request to wp-cron.php on page loads, so denying all access to it also stops scheduled posts, update checks and plugin jobs; either allow your server’s own address (for example `allow from 127.0.0.1` after the deny line) or set `define('DISABLE_WP_CRON', true);` in wp-config.php and run `php /path/to/wp-cron.php` from the system crontab instead. Blocking xmlrpc.php also breaks anything that talks to the site over XML-RPC, such as the mobile apps, remote publishing clients and pingbacks. The syntax below is for Apache 2.2; on Apache 2.4 the two lines inside each block are replaced by `Require all denied`.
<Files wp-cron.php>
order allow,deny
deny from all
</Files>
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>