I will post this article in English because it is of international interest, and everyone should be aware of the following security issues.
Starting last week, several Romanian blogs were hacked and infected with trojans or scripts. As a web design company, the security of our websites is critical, so at the first sign of a virus we shut down all our projects and fix the vulnerabilities and security flaws first.
Last week one of our computers was infected with Trojan-Dropper.Win32.HDrop.aa after browsing some blog posts. Since we use a feed daemon, we couldn’t tell at the time which of the more than 400 blogs we follow was the culprit.
So far we have identified two blogs with different infections, neither of them carrying the virus that infected our computer. We are still looking. Here is what we have discovered so far:
- http://skykery.info – infected with Trojan.JS.Agent.awm
- http://www.grimcris.com – malicious script that tries to execute something from http://bluejakin.ru
Both infections were blocked by Kaspersky Antivirus. We cannot access the first blog, while on the second one only the script is blocked. Both links to these blogs were removed from this post to prevent accidental infection.
To prevent hackers from gaining access to your blog and infecting it with malicious scripts, follow these guidelines.
1. Configure your username
Create a new administrator with a complex username and delete the default administrator. Leaving the administrator’s username as “admin” makes cracking your login details 100% faster, since the attacker no longer has to guess the username. Go to Users -> Your profile and make sure the username, nickname and “Display name publicly as” fields are all different. DON’T let others guess your username from your public name.
2. Create a really strong password
Use a password made of lower- and upper-case letters, numbers and symbols. The password should be at least 8 characters long. It’s not necessary to use a password generator: if you put your actual password in quotes, use one capital letter and add some numbers at the end, you will have a really strong password. That’s not just a story about crackers and brute forcing… we test our own websites, and we can crack weak passwords really fast.
3. Update WordPress and all your plugins
Updates are released because vulnerabilities have been fixed. If you are running an obsolete version of the software, hackers have more known holes to use when trying to gain access to your control panel. Stay up-to-date and informed.
4. Back-up often
Even if you think you are hack-proof, you cannot be. So it is better to back up your blog weekly.
5. Know your plug-ins
Third-party plugins have significant access to your blog, so it is imperative that you trust the author of any plugin you install or upgrade. It is recommended not to use too many plugins, and to uninstall the plugins you are no longer using. Don’t just deactivate them, because a security flaw in their code will still be present on the server.
6. Install the following plugins:
- Secure WordPress – does a lot of things that secure your blog.
- Login LockDown – blocks logins after a number of failed attempts.
- WordPress Antivirus – scans for malicious scripts and exploits.
- WordPress Firewall
- AskApache Password Protect – writes .htaccess from the WP control panel. CAREFUL with this one, because some directives are not supported by all servers, and you may need to manually edit or reset the file from cPanel or through your FTP account.
- WordPress Backup
- WP DB Backup
7. Rename the prefix of MySQL tables from wp_ to smthgelse_
Like configuring AskApache PP, this step is advanced and should not be attempted by inexperienced users. In short: go to phpMyAdmin, export the database, save it to your computer, open it in a text editor, change the prefix, save, and import it back.
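As an added example (not from the original post), here is the same prefix change done directly in MySQL instead of editing the exported dump. It assumes the default wp_ prefix, the new prefix smthgelse_ from the heading above, and that you run it against the blog’s database (for instance in phpMyAdmin’s SQL tab); wp-config.php must be updated to match afterwards.

```sql
-- Added example: change the WordPress table prefix from wp_ to smthgelse_
-- directly in MySQL. Assumes the default prefix; run against the database
-- named in wp-config.php.

-- 1. Generate one RENAME TABLE statement per wp_ table. Copy the rows this
--    returns and execute them as the next step. The table list varies by
--    WordPress version and installed plugins, so it is read from
--    information_schema instead of being hard-coded.
SELECT CONCAT('RENAME TABLE `', table_name, '` TO `',
              'smthgelse_', SUBSTRING(table_name, 4), '`;') AS stmt
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE 'wp\_%';

-- 2. The prefix is also stored inside row data (wp_user_roles in options,
--    wp_capabilities and wp_user_level in usermeta). Without these updates
--    every user loses their role and can no longer log in after the rename.
UPDATE smthgelse_options
   SET option_name = CONCAT('smthgelse_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

UPDATE smthgelse_usermeta
   SET meta_key = CONCAT('smthgelse_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 3. Confirm that no table with the old prefix is left, then set
--    $table_prefix = 'smthgelse_'; in wp-config.php.
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE 'wp\_%';
```

Take the backup described above before running any of this, since a half-applied rename leaves the site unable to reach its tables.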
There are several other things you can do if you are really paranoid (like me), but if you have already done the above steps, you are already 99% hack-proof.
What other security measures do you use or have heard about? Share them with us, especially if they are easy to use (for non-geeks).
Please, can you help me too to get rid of that malware?
[...] came across it on Google, while trying to find out how to get rid of that malware; the article can be read here. [...]
@ : I managed :D and thanks for the plugins
[...] time I wrote about WordPress security best practices and I guess my post was not so popular because someone tried an SQL Injection just [...]
Indeed, Grim’s blog has a script that Norton blocked. I told him about this two days ago. He also has problems with a comments plugin. That’s what happens when some people have nothing better to do than infect blogs.
Skykery is infected again:
Trojan-Clicker.JS.Iframe.db h t t p ://szn-cz. voila. fr. commentcamarche-net. wintersaleonline. ru: 8080/google. com/google. com/xnxx. com/weather. com/vnet. cn/
I told Grim, but he hasn’t taken any measures.
I put spaces in the link above so that a clickable link is not created.
[...] out this article for links to a bunch of WP security plug-ins and also good practices to make for your WP site more [...]