Comments on: Three tips to protect your WordPress installation http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/ neat fun stuff Thu, 18 Mar 2010 06:22:18 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Jon http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-483611 Jon Tue, 02 Mar 2010 00:55:29 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-483611 Hi, me again. I use Wordpress a lot, but am not a techy at all. I am very paranoid about things going wrong. I see that you keep the "meta" widget on your sidebar. Now, I try to remove every sign that my site is running on Wordpress for fear of those pesky hackers doing naughty things, like killing my site and business! I am guess that as wordpress blogs go, yours must be one of the most popular in terms of traffic, and also get a lot of unwanted attention. Do you ever have any problems with people trying to hack it? Is it much more secure than it used to be? Do you have any other little security tips that you have not had time to publish yet? Hi, me again. I use Wordpress a lot, but am not a techy at all. I am very paranoid about things going wrong. I see that you keep the “meta” widget on your sidebar. Now, I try to remove every sign that my site is running on Wordpress for fear of those pesky hackers doing naughty things, like killing my site and business! I am guess that as wordpress blogs go, yours must be one of the most popular in terms of traffic, and also get a lot of unwanted attention. Do you ever have any problems with people trying to hack it? Is it much more secure than it used to be? Do you have any other little security tips that you have not had time to publish yet?

]]> By: Jon http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-468769 Jon Sun, 14 Feb 2010 02:24:17 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-468769 There's a couple of pretty handy plugins that help protect WP: Secure Wordpress - http://wordpress.org/extend/plugins/secure-wordpress/ Wordpress firewall - http://www.seoegghead.com/software/wordpress-firewall.seo I use them both. The firewall throws out some "false positives" sometimes (I had problems with Google Ad Manager, but you can whitelist stuff). There’s a couple of pretty handy plugins that help protect WP:
Secure Wordpress – http://wordpress.org/extend/plugins/secure-wordpress/
Wordpress firewall – http://www.seoegghead.com/software/wordpress-firewall.seo

I use them both. The firewall throws out some “false positives” sometimes (I had problems with Google Ad Manager, but you can whitelist stuff).

]]> By: iglow http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-455261 iglow Tue, 19 Jan 2010 13:22:51 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-455261 yeah this days a lot of blogs gets hacked, using chmod properly can help much also yeah this days a lot of blogs gets hacked, using chmod properly can help much also

]]> By: RAY http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-430587 RAY Wed, 02 Dec 2009 08:27:57 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-430587 Q about feedburner feeds that do not validate? hmmm. wondering why feedburner shows the wp version in its coding if it's such a security risk and now considered a no-no? from the feedburner feed code --> http://wordpress.org/?v=abc but also mainly wondering why feedburner feeds don't validate (using http://feedvalidator.org/check.cgi?url=hxxp://domain-name.com ) .... it shows lots of yellow highlighted errors such as: language must be an ISO-639 language code: ... Ensure description precedes content:encoded Unregistered link relationship: hub Non-html tag: hs .... <img src="http://feeds.feedburner.com/~r .... Column 0: Invalid HTML: malformed start tag, column 0: style attribute contains potentially dangerous content: word-wrap ..... As a newbie i would have thought feedburner had all the formatting protocols taken care of for validation since it refers one to validate a feed there at that site if FB cannot find the feed? I'm confused about this. Really appreciate any clarification and feedback or solutions on how to fix / validate feedburner feeds properly since I am working on setting up a WP-based site w/ a friend and it's really like a new language -- on alot of this but trying to learn for sure. thank.s Q about feedburner feeds that do not validate?

hmmm. wondering why feedburner shows the wp version in its coding if it’s such a security risk and now considered a no-no?

from the feedburner feed code –> http://wordpress.org/?v=abc

but also mainly wondering why feedburner feeds don’t validate (using http://feedvalidator.org/check.cgi?url=hxxp://domain-name.com ) …. it shows lots of yellow highlighted errors such as:

language must be an ISO-639 language code: …
Ensure description precedes content:encoded
Unregistered link relationship: hub
Non-html tag: hs …. <img src="http://feeds.feedburner.com/~r ….
Column 0: Invalid HTML: malformed start tag,
column 0: style attribute contains potentially dangerous content: word-wrap …..

As a newbie i would have thought feedburner had all the formatting protocols taken care of for validation since it refers one to validate a feed there at that site if FB cannot find the feed?

I’m confused about this. Really appreciate any clarification and feedback or solutions on how to fix / validate feedburner feeds properly since I am working on setting up a WP-based site w/ a friend and it’s really like a new language — on alot of this but trying to learn for sure.
thank.s

]]> By: Robert Bury http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-425377 Robert Bury Tue, 24 Nov 2009 04:41:36 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-425377 Thanks for the great resource!!! To possibly help others... Step 1) I could only use: order deny,allow deny from all # whitelist home IP address allow from 64.233.169.99 (anything else crashed and I couldn't access anything) Step 2) I already had a file (maybe an update) and it said: Bonus Step) I really had to search for it and ultimately found it in the wp-includes\general-template.php file. Thanks so much Matt!!! ~ Robert Bury Thanks for the great resource!!!
To possibly help others…

Step 1) I could only use:
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
(anything else crashed and I couldn’t access anything)

Step 2)
I already had a file (maybe an update) and it said:

Bonus Step)
I really had to search for it and ultimately found it in the wp-includes\general-template.php
file.

Thanks so much Matt!!!
~ Robert Bury

]]> By: Kat Young http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-399885 Kat Young Mon, 05 Oct 2009 02:55:24 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-399885 I have had my blog hacked over and over. I will try to edit my .htaccess file thanks =) I have had my blog hacked over and over. I will try to edit my .htaccess file thanks =)

]]> By: Russell http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-385971 Russell Tue, 01 Sep 2009 13:43:28 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-385971 Hi Matt Hope you doing great! Our blog has been hacked. Im getting all these wierd backlinks to my blog on other blogs but they hidden. My blog developer says "What the script does, apparently, is create those URL's on their site (that are linking back to you)." Thought it would interest you. We are working with Godaddy to fix the problem.. Best Hi Matt
Hope you doing great!
Our blog has been hacked. Im getting all these wierd backlinks to my blog on other blogs but they hidden. My blog developer says “What the script does, apparently, is create those URL’s on their site (that are linking back to you).”

Thought it would interest you. We are working with Godaddy to fix the problem..

Best

]]> By: doruman http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-384361 doruman Sat, 29 Aug 2009 17:26:27 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-384361 Even if this post has more than a year old, here are very useful informations for any WP blogger. Thank you very much Matt for all that you offer as free informations, not only as Google employer. Kind regards, Doru Even if this post has more than a year old, here are very useful informations for any WP blogger. Thank you very much Matt for all that you offer as free informations, not only as Google employer.

Kind regards,
Doru

]]> By: Redbrickstock http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-379343 Redbrickstock Fri, 21 Aug 2009 00:37:49 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-379343 Will the .htaccess thing work for a class B address. eg. allow from 64.233.169. ? Will the .htaccess thing work for a class B address. eg. allow from 64.233.169. ?

]]> By: Rory Siems http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-364971 Rory Siems Fri, 24 Jul 2009 02:45:47 +0000 http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/#comment-364971 Hi Matt, we just spent the day fixing my friend's wordpress site that apparently had some passthru exploit from a site on a Chinese domain routed through a Russian IP. We upgraded Wordpress to the latest version, we upgraded all of the plugins to the latest version. The web developer who set up the website claimed that the malicious code installed on the site was not from a Wordpress vulnerability, but rather from a brute force attack on the web host. I still am not 100% sure that a dictionary attack or brute force attack guessed the password as it was pretty obscure. To be safe I did subscribe to the wordpress development feed. I like the idea of obscuring plugins from snoops too. Hi Matt,

we just spent the day fixing my friend’s wordpress site that apparently had some passthru exploit from a site on a Chinese domain routed through a Russian IP.

We upgraded Wordpress to the latest version, we upgraded all of the plugins to the latest version. The web developer who set up the website claimed that the malicious code installed on the site was not from a Wordpress vulnerability, but rather from a brute force attack on the web host.

I still am not 100% sure that a dictionary attack or brute force attack guessed the password as it was pretty obscure. To be safe I did subscribe to the wordpress development feed. I like the idea of obscuring plugins from snoops too.

]]>