Comments on: Three tips to protect your WordPress installation

By: Kat Young

Kat Young — Mon, 05 Oct 2009 02:55:24 +0000

I have had my blog hacked over and over. I will try to edit my .htaccess file thanks =)

By: Russell

Russell — Tue, 01 Sep 2009 13:43:28 +0000

Hi Matt
Hope you doing great!
Our blog has been hacked. Im getting all these wierd backlinks to my blog on other blogs but they hidden. My blog developer says “What the script does, apparently, is create those URL’s on their site (that are linking back to you).”

Thought it would interest you. We are working with Godaddy to fix the problem..

Best

By: doruman

doruman — Sat, 29 Aug 2009 17:26:27 +0000

Even if this post has more than a year old, here are very useful informations for any WP blogger. Thank you very much Matt for all that you offer as free informations, not only as Google employer.

Kind regards,
Doru

By: Redbrickstock

Redbrickstock — Fri, 21 Aug 2009 00:37:49 +0000

Will the .htaccess thing work for a class B address. eg. allow from 64.233.169. ?

By: Rory Siems

Rory Siems — Fri, 24 Jul 2009 02:45:47 +0000

Hi Matt,

we just spent the day fixing my friend’s wordpress site that apparently had some passthru exploit from a site on a Chinese domain routed through a Russian IP.

We upgraded Wordpress to the latest version, we upgraded all of the plugins to the latest version. The web developer who set up the website claimed that the malicious code installed on the site was not from a Wordpress vulnerability, but rather from a brute force attack on the web host.

I still am not 100% sure that a dictionary attack or brute force attack guessed the password as it was pretty obscure. To be safe I did subscribe to the wordpress development feed. I like the idea of obscuring plugins from snoops too.

By: ByREV

ByREV — Sat, 13 Jun 2009 23:20:26 +0000

i use mysql random passwd, only localhost in mysal connect, strong admin passwd with 14+ chars/numbers, 777 perm only for cache and uploads folder

btw, for mysql injection search in your site with google this words: wellbutrin, adipex, adderall, xanax, carisoprodol … ex: site:http ://your.site.com xanax

more words here: http://www.mattcutts.com/blog/helping-hacked-sites/ after line “The following is some example hidden text we found at”

By: Richard Vanderhurst

Richard Vanderhurst — Tue, 19 May 2009 10:48:03 +0000

A big thanks to this post… I just applied this on my wordpress blogs. Thanks again!

By: Abhimanyu

Abhimanyu — Sat, 02 May 2009 17:49:23 +0000

Hi, the problem #2 is fixed now in wordpress as it do not show plugins listing. If you are on a dynamic IP, its good not to do #1 step. Although you can use Country IP range.

Abhimanyu
http://mwolk.com

By: Connie

Connie — Sat, 21 Mar 2009 11:14:24 +0000

Two Questions:
If you exclude IP addresses, how can you write to your blog when you are on the road?

What about the way that IP addresses change, as with some ISPs?

Thanks.

By: David Kierznowski

David Kierznowski — Fri, 06 Feb 2009 22:26:54 +0000

Its great to hear a few guys mentioning our tools over at http://blogsecurity.net.

Check out our free online WordPress vulnerability scanner if you get a chance… a new version has just been released, although, it still needs a lot of work.

Cheers