I have been meaning to write this post for a long time, but could not find the time to go into the details of this major security issue. In my experience, a large share of users run WordPress, and with any shared hosting provider a certain percentage of them always run into some sort of web injection (an iframe injection, for example). This post goes into why these web injections occur and how you can protect your WordPress blog from this sort of issue.
How can you protect your WordPress blog? A couple of things. First, make sure that scripts which do not need write permission (such as the configuration file and the includes files) are set to read and execute only (555). You can do this with your file manager or an FTP client using the “Change Permissions” or “Chmod” option. Second, if you see that your WordPress blog has been injected, change your theme first and watch whether it gets injected again. If it does, the issue most likely lies in one of your plugins, which you will have to verify one by one.
Alternatives? Yes, there are four pretty important WordPress security plugins you would probably want to use. Here they are:
1. WordPress Firewall Plugin: http://wordpress.org/extend/plugins/wordpress-firewall/
2. WordPress Antivirus Plugin: http://wordpress.org/extend/plugins/antivirus/
3. Secure WordPress Plugin: http://wordpress.org/extend/plugins/secure-wordpress/
4. Wp-Malwatch Plugin: http://wordpress.org/extend/plugins/wp-malwatch/
All of them work well and are the easiest way for a shared hosting user to detect and protect their WordPress blog from web injections automatically. What they do is protect your files from being written to, or watch how they are being edited. They do very much what I suggested above, but in real time. I would particularly recommend the WordPress Firewall plugin, as you can configure it to load before all your other plugins, which helps you test whether one of your plugins is vulnerable.
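The two manual steps above (taking the write bit off files that never need it, and spotting when theme or plugin files get edited or injected) as a small shell script. This is an added example, not code from the post or from any of the plugins listed; it assumes a standard WordPress root containing wp-config.php and wp-includes/, and GNU sha256sum.

```shell
#!/bin/sh
# Added example (not from the post): harden permissions, record a hash baseline
# of the PHP files, and later report edits, new files or injected <iframe> tags.
# Assumed layout: a WordPress root with wp-config.php and wp-includes/.

# Step one from the post: configuration and include files get read+execute (555).
harden_perms() {
    [ -f "$1/wp-config.php" ] && chmod 555 "$1/wp-config.php"
    [ -d "$1/wp-includes" ] && find "$1/wp-includes" -type f -name '*.php' -exec chmod 555 {} +
    return 0
}

# How many PHP files under a directory still carry the owner write bit.
writable_count() {
    find "$1" -type f -name '*.php' -perm -200 | wc -l | tr -d ' '
}

# Write one SHA-256 line per PHP file, sorted so that two runs can be diffed.
baseline() {
    find "$1" -type f -name '*.php' | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Compare the tree with a saved baseline (catches edited, added and removed
# files) and grep the PHP files for an <iframe> tag, the injection the post
# describes. Prints the findings; returns 1 if anything was found, 0 if clean.
check_changes() {
    root="$1"; base="$2"; status=0
    now="${TMPDIR:-/tmp}/wp_hashes.$$"
    baseline "$root" "$now"
    if ! diff "$base" "$now" >/dev/null; then
        echo "PHP files differ from baseline:"
        diff "$base" "$now" | grep '^[<>]'
        status=1
    fi
    rm -f "$now"
    # grep exits 1 on files without a match, so do not let that status escape
    hits=$(find "$root" -type f -name '*.php' -exec grep -li '<iframe' {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "iframe tag found in:"; echo "$hits"
        status=1
    fi
    return $status
}
```

Run `baseline` right after a clean install or update and `check_changes` from a cron job; a non-zero exit is your cue to compare the theme and plugins as the post suggests.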
Now, my readers will surely ask why I didn't simply tell them about those plugins, which would protect their blogs from web injection in the easiest and fastest way. My answer is that I wanted you to understand how this happens and what basic steps you can take to prevent it. Merely using a plugin may not solve the issue; that is rare, but not impossible 🙂
Just a quick reminder: we at Mellowhost maintain the best protective security for your blog. But everything has its limits, and these sorts of injections are one of them. It is pretty hard to read a developer’s mind and apply a patch at the server level to protect against his mistakes. This is why you are advised to take every precautionary measure within your reach. You should have no worries about the server as long as you are hosted with Mellowhost 🙂
10 thoughts on “How to protect your WordPress blog from web injection”
Wondering if those security plugins you mention won’t kill the shared hosting. But I will give them a try 🙂 Great read!
They won’t! These plugins are pretty lightweight!
Thanks for the post, I recently had this happen to me.
I was wondering, with web injections like this, can the hacker gain access to personal information, or are they limited to replacing pages/code?
It depends on what sort of access they are getting. If it is a SQL injection, then yes, it is possible to change the personal information.
Thank you for your useful information.
I have a question. My blog was defaced yesterday (index.php and header.php of the theme were changed). I found a script (Locus7s) in the theme root directory; it is like a file browser. I think the hacker changed my files using this script. But the permission of my files is 644 and I am using cPanel. I thought with 644 only my cPanel user has write permission, but I don’t know how the hacker changed the file content by running that PHP script.
I only do have Secure WordPress Plugin. I will try the other 3. But could you please fix my hacked website? The domain is http://www.dentistrynewstoday.com .
I have been using the WordPress Firewall 2 in order to protect my blog from hackers for quite some time. I installed it out of caution and forgot about it. Only when there was an update did I remember it was installed. Does it work? Last night I got an email on my phone stating that someone tried to hack into my site… the IP was blocked and my site is untouched. If you have a blog on a shared host, use Dave’s advice.
Nice information, but can you vouch for the above-mentioned plugins? I am a victim of JavaScript injection. How can we be sure a plugin or theme is secure? Kindly guide me, as I am a newbie to WordPress.
Can you suggest some up to date plugins?
I explored a lot of websites and this was the best.