Securing your WordPress Blog from Intruders…

22 Jul

I use StatPress on my blog for statistics management. According to the plugin's page on WordPress, StatPress is "the real-time plugin dedicated to the management of statistics about blog visits. It collects information about visitors, spiders, search keywords, feeds, browsers etc."

It also has a nifty view called Spy which lets you see which country each visitor came from and the link they hit. A couple of days back I was quite surprised to find that someone had tried to SQL inject my blog; the following URL string showed up as a request:

?cat=999+UNION+SELECT+null, CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/*

Quite frankly, I was paranoid. Though I had taken the necessary precautions, such as replacing the default wp_ prefix of the WordPress database tables with something random, this was something that was new to me. I was desperately looking for a plugin that would secure my WordPress blog from such attempts in the future, and after a lot of trial and error I settled on WPIDS. It is based on the PHPIDS (PHP Intrusion Detection System) library and works on a set of regularly updated filter rules to check for potential intrusion attempts.

From the PHPIDS page:

“PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.”
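The quote above describes the idea rather than the mechanics, so here is a small Python sketch of how a rule set with numeric impact ratings turns into a reaction. This is an added example written for this post; it is not PHPIDS's own code, WPIDS's code, or anything the blog author wrote. The rule regexes, their weights and the reaction thresholds are all constructed for the illustration (the real PHPIDS ships a much larger filter file and also normalizes many encodings before matching, which this sketch does not). The sample input is the request string reported above, plus two ordinary requests constructed to show that a category view and a search containing SQL-looking words score zero. Note also that the reported attack hardcodes the table name wp_users: renaming the table prefix breaks that particular query, but the injection itself is still present, which is why the rule below keys on the users suffix rather than on the prefix.

```python
import re
import urllib.parse

# Constructed, PHPIDS-style rule set: (rule name, pattern, impact weight).
# These are illustrative rules written for this example, not PHPIDS's own
# filter file, and the weights are made up.
RULES = [
    ("sql_union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I), 5),
    ("sql_from_users_table", re.compile(r"\bfrom\s+\w*users\b", re.I), 4),
    ("sql_char_encoding", re.compile(r"\bchar\s*\(\s*\d+", re.I), 3),
    ("sql_concat", re.compile(r"\bconcat\s*\(", re.I), 2),
    ("sql_comment_terminator", re.compile(r"/\*|--\s"), 2),
]

# Impact thresholds mapped to the kinds of reaction the PHPIDS description
# lists (log, alert the team, block). Values are constructed for this example.
REACTIONS = [(12, "block_and_alert"), (6, "alert"), (1, "log")]

# The request string the blog post reports, used here as sample input.
ATTACK_QUERY = (
    "?cat=999+UNION+SELECT+null, CONCAT(666,CHAR(58),user_pass,"
    "CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/*"
)


def decode_query(query: str) -> dict:
    """Split a raw query string into parameters the way the application
    would see them: '+' becomes a space and %xx escapes are decoded."""
    return urllib.parse.parse_qs(query.lstrip("?"), keep_blank_values=True)


def score_request(query: str) -> dict:
    """Apply every rule to every parameter value and sum the impact.
    Returns the total, the (parameter, rule) pairs that fired and the
    reaction chosen from REACTIONS (highest threshold reached wins)."""
    matched = []
    impact = 0
    for name, values in decode_query(query).items():
        for value in values:
            for rule, pattern, weight in RULES:
                if pattern.search(value):
                    matched.append((name, rule))
                    impact += weight
    reaction = "none"
    for threshold, action in REACTIONS:
        if impact >= threshold:
            reaction = action
            break
    return {"impact": impact, "matched": matched, "reaction": reaction}


if __name__ == "__main__":
    # Constructed sample requests: the reported attack, an ordinary
    # category view and a search whose words overlap with SQL keywords.
    for q in (ATTACK_QUERY, "?cat=999", "?s=how+to+select+a+union+of+sets"):
        print(q[:40], "->", score_request(q))
```

Scoring by summed impact rather than by a single yes/no match is what lets the reaction be graded: one weak hit on its own only gets logged, while the reported request trips five rules at once and lands in the block range. The benign search string shows why the rules require keyword combinations (union followed by select) instead of single words, which keeps false positives on ordinary content low.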

I tried it out with the same query string as the attack attempt and it successfully blocked it.

Screenshot: Blocked Request

I did a couple of other tests as well and it blocked them with ease with its robust set of filter rules 🙂 I strongly suggest that you use it if you are as paranoid about your blog as I am.

Matt Cutts of Google gives 3 simple tips to secure WordPress on his blog, which is quite a good read.

A couple of other security plugins that I also use are:

  • http:BL WordPress Plugin: Provides great protection against comment spammers and email harvesters. I recommend setting up a honeypot.
  • Login Lockdown: Locks out a system after a configurable number of failed login attempts to your blog, for a configurable amount of time.
  • WP Security Scan: Scans a WordPress install for vulnerabilities.
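The Login Lockdown entry describes a lockout policy in one sentence; the following Python class is an added example of the bookkeeping such a policy needs, written for this post and not taken from the Login Lockdown plugin (whose internals the post does not show). The parameters (five failures within five minutes locks the source out for an hour) and the sequence of attempts are constructed, and the key used to track attempts is left generic so it can be an address, a username or both.

```python
from collections import defaultdict, deque


class LoginLockdown:
    """Lock a source out after `max_attempts` failed logins within a sliding
    `window` of seconds, for `lockout` seconds. Constructed example, not the
    plugin's implementation."""

    def __init__(self, max_attempts=5, window=300, lockout=3600):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, key, now):
        """True while a lock is active; an expired lock is cleared on the way."""
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed attempt; returns True if it triggered a lockout."""
        if self.is_locked(key, now):
            return True
        recent = self.failures[key]
        recent.append(now)
        # Drop failures that fell out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """A successful login resets the failure history for the key."""
        self.failures[key].clear()

    def attempt(self, key, password_ok, now):
        """Outcome of one login attempt: 'locked', 'ok' or 'failed'.
        A correct password is refused while the lock is active, which is
        the point of the lockout: guessing stops paying off."""
        if self.is_locked(key, now):
            return "locked"
        if password_ok:
            self.record_success(key)
            return "ok"
        return "locked" if self.record_failure(key, now) else "failed"


if __name__ == "__main__":
    # Constructed scenario: three quick failures from one source, then the
    # right password during the lock, then the right password after it expires.
    ld = LoginLockdown(max_attempts=3, window=60, lockout=600)
    for t, ok in ((0, False), (10, False), (20, False), (30, True), (700, True)):
        print(t, ld.attempt("203.0.113.7", ok, t))
```

Two design points worth noticing: the window is sliding, so three failures spread across a day never lock anyone out, only a burst does; and a correct password is refused during the lock, since the whole value of the control comes from denying the attacker the feedback of an eventual success. The time is passed in explicitly so the policy can be exercised deterministically, as the test below does.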

I am not a security expert, just a paranoid blogger, so look around, evaluate what is good for you and then choose your poison… err… plugin.