Tips & Tricks
WordPress Security Hacks
Hi guys this is my first post on wpcult the great site Austin built. Hope you guys find it usefull.
If you run a blog using the wordpress software then your blog is a target to hackers. Below I will list some hacks and just how they can help you keep your business/site safe.
The following is code to Block Bad Queries and protect your blog from malicious URL Requests.
Place the following code into a text file and name it what ever you like for example blockbadqueries.php upload it to your plugin folder and activate it in your wordpress admin just as you would any other Plugin
<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
global $user_ID; if($user_ID) {
if(!current_user_can(‘level_10’)) {
if (strlen($_SERVER[‘REQUEST_URI’]) > 255 ||
strpos($_SERVER[‘REQUEST_URI’], “eval(“) ||
strpos($_SERVER[‘REQUEST_URI’], “CONCAT”) ||
strpos($_SERVER[‘REQUEST_URI’], “UNION+SELECT”) ||
strpos($_SERVER[‘REQUEST_URI’], “base64”)) {
@header(“HTTP/1.1 414 Request-URI Too Long”);
@header(“Status: 414 Request-URI Too Long”);
@header(“Connection: Close”);
@exit;
}
}
}
?>
This Great plugin was made by Jeff Starr of Digging into WordPress
Protecting your blog with .htaccess
.htaccess files have lots of possibilities. below is some code that will help protect your wordpress from modification of _REQUEST and/or GLOBALS and scripts injection.
This is real simple just paste the following code into your .htaccess file. Always make a backup of your .htaccess before editing, better to be safe.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Thanks to Oussama for this great hack
Tips & Tricks
How to: Create a fbshare.me shortcode
Social networks are everywhere. I am sure you’re on facebook. Well why not at a facebook share script to your site?
Don’t know PHP that well?
Well here is a simple way to add a share script like fbshare.me to your site, via shortcodes.
Paste the following code in your functions.php file in order to create your shortcode:
function fbshare_script() {
return '<div class="fbshare"><script src="http://widgets.fbshare.me/files/fbshare.js"></script></div>';
}
add_shortcode( 'fbshare', 'fbshare_script' );
Once done, you can display the facebook share button anywhere on your posts. In WordPress editor, make sure you are in HTML mode and insert the following: [fbshare].
When your post will be published, the shortcode will be replaced by the fbshare.me button.
Last week I wrote how to “Use WordPress to print a RSS feed for Eventbrite attendees“. It was pretty popular, but then I found myself in a place that was more annoying. Trying to incorporate that into a blog post or page.
Without having to download a plugin that will allow PHP to be executed inside a post, I would have to create a template file and use that. Which is what I did, and it works just fine. But for some reason I forgot all about shortcodes! With a shortcode, I could generate all the PHP in the functions file and then just call the shortcode when/where I want.
Okay, so lets show the completed PHP code:
function attendee_feed_print_2009() {
global $wpdb;
include_once( ABSPATH . WPINC . '/rss.php' );
$rss = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
$items = array_slice( $rss->items, 0 );
if ( empty( $items ) ) echo '<ul style="list-style-type: none; list-style-image: none; list-style-position: outside;"><li>No items</li></ul>';
else
foreach ( $items as $item ) : ?>
<ul style="list-style-type:none; list-style-image:none; list-style-position:outside; margin-bottom: 0px">
<li><!--<strong><?php echo $item[ 'title' ]; //User name ?></strong><br />-->
<?php echo $item[ 'content' ][ 'encoded' ]; ?>
<hr style="border: 1px solid #ddd; margin-bottom: 8px" />
</li>
</ul>
<?php endforeach;
}
Now, this code has to be changed for it to work as a shortcode. We’ll have to return the function and not print/echo it.
I also wanted to be able to use multiple instances of the code with different feeds. To do so I had to create a argument to extract from the completed short code. I found a demo at: Alex Mansfield’s post.
Remember this:
function attendee_feed_print_2009() {
global $wpdb;
include_once( ABSPATH . WPINC . '/rss.php' );
$rss = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
We are going to update it to read as follows ( changes in bold ) :
function attendee_feed_print_2009( $rss_nbr ) {
global $wpdb;
extract( shortcode_atts( array( 'rss' => ''), $rss_nbr ) );
include_once( ABSPATH . WPINC . '/rss.php' );
$rss = fetch_rss( $rss );
And the final code with the fields updated to return the arguments ( put into your functions.php file ( in between <?php ?> ) ) :
function attendee_feed_print_2009( $rss_nbr ) {
global $wpdb;
extract( shortcode_atts( array( 'rss' => ''), $rss_nbr ) );
include_once( ABSPATH . WPINC . '/rss.php' );
$rss = fetch_rss( $rss );
$items = array_slice( $rss->items, 0 );
$rss_html = '<div id="eventbrite-attendee-list" style="clear:both;">';
if ( empty( $items ) ) $rss_html .= '<ul style="list-style:none;"><li>No attendees, yet.</li></ul>';
else
foreach ( $items as $item ) :
$rss_html .= '<ul style="background:none; list-style:none; margin:0px">';
$rss_html .= '<li style="background:none; list-style:none;">';
$rss_html .= $item[ 'content' ][ 'encoded' ];
$rss_html .= '<hr style="border: 1px solid #ddd; margin-bottom: 10px" />';
$rss_html .= '</li>';
$rss_html .= '</ul>';
endforeach;
$rss_html .= '</div>';
return $rss_html;
}
And lets not forget to add the shortcode function!
add_shortcode( 'eventbrite-attendees', 'attendee_feed_print_2009' );
Final outcome with look like this `[eventbrite-attendees rss="http://your-rss-feed.com/"]`
I’ve created this into a plugin!
Download the plugin: http://wordpress.org/extend/plugins/eventbrite-attendees-shortcode/
Today I was working on the WordCamp.LA site. I was trying to show the “attendee list” on the attendees page with out having to update the page every day.
Since I am using EventBrite to promote and sell ticket to the event I can collect info from there list. Evey one who purchases a ticket gets put into the ticketed database which you can view with either RSS or OPML.
I chose to use RSS and the WordPress core file rss.php.
In the functions.php file I’ve added this function:
function attendee_feed_print_2009() {
global $wpdb;
include_once( ABSPATH . WPINC . '/rss.php' );
$rss = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
$items = array_slice( $rss->items, 0 );
Where I’ve named my function, and included the core RSS file from WordPress. I also told it to fetch the feed from the address (alternatively you can use any feed link you like).
if ( empty( $items ) ) echo '<ul style="list-style-type: none; list-style-image: none; list-style-position: outside;"><li>No items</li></ul>'; else foreach ( $items as $item ) : ?> <ul style="list-style-type:none; list-style-image:none; list-style-position:outside; margin-bottom: 0px"> <li><!--<strong><?php echo $item[ 'title' ]; //User name ?></strong><br />--> <?php echo $item[ 'content' ][ 'encoded' ]; ?> <hr style="border: 1px solid #ddd; margin-bottom: 8px" /> </li> </ul> <?php endforeach;
I then added the core style to fit this current feed.
And the final out come looks like this:
function attendee_feed_print_2009() {
global $wpdb;
include_once( ABSPATH . WPINC . '/rss.php' );
$rss = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
$items = array_slice( $rss->items, 0 );
if ( empty( $items ) ) echo '<ul style="list-style-type: none; list-style-image: none; list-style-position: outside;"><li>No items</li></ul>';
else
foreach ( $items as $item ) : ?>
<ul style="list-style-type:none; list-style-image:none; list-style-position:outside; margin-bottom: 0px">
<li><!--<strong><?php echo $item[ 'title' ]; //User name ?></strong><br />-->
<?php echo $item[ 'content' ][ 'encoded' ]; ?>
<hr style="border: 1px solid #ddd; margin-bottom: 8px" />
</li>
</ul>
<?php endforeach;
}
Don’t forget to wrap the code in <?php ?>
I want to thank John Kolbert for helping me with printing the content:encoded portion. http://pastebin.com/m1588fb30
See it in action: http://wordcamp.la/attendees/
Lost? Since You Can’t Trust Apple Maps, Check Out These 3 Apps Instead
Maybe you have the new software on your Apple device that has made headlines as not being reliable, or perhaps...
An Overview Of Business Models
Knowing Where To Start There are a number of conceptual business models that are used throughout the professional world in...
Google’s New Tool For Bad Links
Google recently announced it has launched its Disavow Tool which allows webmasters to alert Google of any backlinks they think...
5 Reasons Why You Should Or Should Not Use WordPress Plugins
Depending on your needs, WordPress plugins are the best and worst aspects of WordPress. The whole purpose of plugins should...
Cynthia Frelund Net Worth: How Rich is Cynthia Frelund Actually?
Cynthia Frelund is Data Analyst Expert for the NFL Media Network where she focuses on breaking down all the numbers on the show Numbers Game. Moreover, from the perspective of the fans, she is a key influencer in their fantasy football predictions. As of 2019, Cynthia Frelund net worth is estimated to be $1 million. […]
Ron Rivera Net Worth: How Rich is the former Panthers Coach?
Ron Rivera is a retired football player and a former coach who managed Carolina Panthers in the National Football League. As of 2019, Ron Rivera net worth is estimated to be $5 million. Rivera was born on January 7, 1962, in Fort Ord, California. His father Eugenio Rivera was a military man. Due to his […]
Bianca Del Rio Net Worth: How Rich is the Drag Queen Actually?
Roy Haylock professionally known by the stage name Bianca Del Rio, is an American drag queen, comedian, actor, and costume designer. She is best known for winning the 6th season of RuPaul’s Drag Race. As of 2019, Bianca Del Rio net worth is estimated to be $2 million. Haylock was born on June 27, 1975, in Gretna, Louisiana. He […]
Tucker Roberts Net Worth: How Rich is Olivia Munn’s Boyfriend?
Tucker Roberts is an American businessman who recently came in the spotlight after his relationship with Hollywood actress Olivia Munn. As of 2019, Tucker Roberts net worth is estimated to be $10 million. Tucker was born in Philadelphia, Pennsylvania to parents Brian Roberts and Aileen Kennedy Roberts. His father is the CEO of Comcast, an […]
-
Pages3 months agoWrite For Us – Guest Post
-
Showcase3 months ago
StylizedWeb.com
-
News3 months ago
How to: Show/Hide any div box with jQuery in WordPress
-
Tips & Tricks2 months ago
Remove the title attribute using jQuery
-
Tips & Tricks5 months ago
How to: show/hide a widget in WordPress with jQuery
-
Plugins4 months agoTop Membership plugins
-
Tips & Tricks3 months ago
Limit the characters that display on the_title
-
Tips & Tricks1 month ago
Remove spaces when echoing the_title
Pingback: Wordpress Belarus » Blog Archive » WordPress Security Hacks
Pingback: WordPress Security Hacks | WordPressPlanet.com
Andrew@BloggingGuide
March 10, 2010 at 2:18 am
Congratulations on your first post. It’s a really useful article. I run my blogs on wordpress and I know that it really means a lot for it to be protected. Will be trying your suggestions here. I am looking forward to your future posts. More Power!
Markus Thies
May 5, 2010 at 4:48 pm
Indeed, can just say the same as andrew. Very good start. Every active user of wp will like this article. I look forward for your ideas at wp 3 if its out 🙂
greez Markus
Pingback: Getting Your Wordpress Blog Optimized for the Search Engines … | Search Result Secrets
Steve
March 11, 2010 at 1:03 am
Thanks for this nice information Miguel. I have just started a new wordpress blog and I was looking for such tips to protect my blog from hackers.
Heru Kurniawan
March 11, 2010 at 8:40 pm
Yes, I think protecting our blog is very important..It can help keep my business/site safe.
miguel
March 11, 2010 at 11:59 pm
Thanks for the comments guys by the way Andrew got a interesting site there
Timmy
March 16, 2010 at 5:31 am
The best defense WordPress it’s protecting with .htaccess. Also, use the IP security.
dannydamnboy
March 27, 2010 at 7:37 am
this is a good start!
Gino @ Bioenergiser
March 28, 2010 at 11:52 pm
As the WordPress blog installation and maintenance is pretty easy people are widely using the WordPress. If it is easy to hack any WordPress it will affect many people badly so I found your post is very useful and could give warning to blog owners. Thanks for the excellent post.
AngelPixel25
March 29, 2010 at 12:10 am
A hacker does for love what others would not do for money
getjobfor
March 30, 2010 at 9:28 am
thanks for this tips!
THis help me much to get remove some annoying spam control and injection for some of my blogs 🙁
Car Loan 4u
March 31, 2010 at 8:13 am
So is it safe using wordpress anymore. We have already 2 website are currently with wordpress templates.
discount golf clubs for sale
March 31, 2010 at 8:37 pm
This is real simple just paste the following code into your .htaccess file. Always make a backup of your .htaccess before editing, better to be safe.
Read more: http://wpcult.com/wordpress-security-hacks/comment-page-1/#comment-4617#ixzz0jofgCq97
güzel oyunlar
April 3, 2010 at 3:30 am
I really liked. I wish you good work
Parissportifs
April 4, 2010 at 5:39 am
Thank you for this article.
Nice informations 😉
lodging sonoma
April 4, 2010 at 11:17 am
With the ever increasing popularity of blogging and wordpress in particular, it is to be expected that this will attract hackers on a large scale. The continual upgrades to the wp is a real but necessary pain. Thanks for publishing some of your solutions to these problems.
Wordpress
December 8, 2010 at 1:07 am
So is it safe using wordpress anymore. We have already 4 website are currently with wordpress templates. All it work good. That tips is good.
Bogdan
April 6, 2010 at 1:01 pm
a nice security plugin is WP Security Scan – http://wordpress.org/extend/plugins/wp-security-scan/ – it will help you finding some open doors
Pat
April 7, 2010 at 3:10 pm
Thanks for the tips, we just recently started our WordPress blog in January and I have been overwhelmed with the number of spam comments and have numerous security concerns. Looking forward to future posts!
Joe
April 8, 2010 at 7:49 pm
Thanks for that.
Wanted to say, people nowadays who are using scripts that are bought or available for free, completely ignore the fact that these scripts might actually be vulnerable, and think they are not because some company makes them.
A successful webmaster should always put security on the top of his priorities, update his software and check it for vulnerabilities regularly.
Artist Website
April 9, 2010 at 12:50 am
Thanks for that! I always appreciate not having to upload another plugin : )
Lead Solutions
April 10, 2010 at 2:54 pm
Thanks been looking for some more protection for our blog – always hard to keep up with this sort of thing. Will it work for V3?
Praveen
April 12, 2010 at 6:55 am
Wow!!! Nice Stuff buddy…..
Recently there is a attack over WordPress Blogs by Hackers.The saddest part is exploited security Hole not yet Identified,
Dirty Attack Over Hundreds Of WordPress Blogs
http://www.techpraveen.com/2010/04/dirty-attack-over-hundreds-of-wordpress.html
ip adresim
April 14, 2010 at 1:52 am
is it really works?
on hold messages
April 14, 2010 at 9:51 pm
Great article with some very useful information. I will be implementing much of it as soon as I am done commenting.
Guy
April 14, 2010 at 11:22 pm
Thanks for the post~ keep posting…
Bud
April 15, 2010 at 11:05 pm
How to install stats counters, widgets, customisation of blog theme etc.
Jon
April 16, 2010 at 8:20 am
I never had any problems until I started using WP. Don’t get me wrong I still really like it as a platform for blogging, but so far no hacking issues, just some other stuff.
Marco
April 16, 2010 at 6:04 pm
thanks! his article is very useful. I’ve seen pages where hackers have hacked in and promote other sites or business, your tips should help people stay secure with wordpress
providenz
April 18, 2010 at 6:00 am
Thanks, I didn’t know this trick
Malibu Rum
April 19, 2010 at 6:42 am
Thanks for the information, some quite awesome words in this post.
chat
April 19, 2010 at 8:33 am
Yes, I think protecting our blog is very important..
Read more: http://wpcult.com/wordpress-security-hacks/#ixzz0lYplN0o5
janice
April 21, 2010 at 5:55 am
This is a nice post 🙂
I could not believe that this hacking thing is really happenning…
Great job!
-janice @ small business SEO
Haftpflichversicherung Pferd
April 21, 2010 at 10:43 am
Didn’t know about the security issues with WordPress. Will upload your code right now. Cool that I can just upload some php script and activate it like a plugin.
Yeah congratz on your first post here I am sure you will do a great job too.
Meditation Ebooks
April 26, 2010 at 1:13 am
These are pretty good hack for the security of wordpress blogs. I will try it in my blog. Thanks for sharing
Matt
April 28, 2010 at 8:49 am
Congratulations on your first post, what a great article to start with, most useful for wannbe bloggers so thanks for sharing.
Rich
April 28, 2010 at 3:07 pm
I’ve been using WordPress for my blogs and knowing that there are possibilities that it could be hack by someone. Then, your post is such a big help for me to do some security with my blogs. I should be thankful for your useful information. 😉
Vehicle Transport
April 29, 2010 at 1:56 pm
Great advice, Miguel. I recently transferred from Blogger to WordPress because of the hacker and spamming problems that I was having.
Jason Acidre
May 6, 2010 at 12:52 am
Hey there Miguel, just want to ask if these codes will also work on joomla 1.5 platform, since it’s in php? Congratulations on your first post here by the way.
PHP programmer
May 6, 2010 at 3:52 am
i always appreciate it….
very good…..
delensof
May 6, 2010 at 5:58 am
totally agree with you.
mixed martial arts equipment
May 9, 2010 at 11:50 pm
hi
Excellent one.
Very useful information.
Thanks for sharing.
Towing New York
May 10, 2010 at 5:09 pm
the hack is fixed,
I even got an email from Godaddy telling me to upgrade my WP.
Net Age | Web Design
May 11, 2010 at 1:07 am
Welcome Miguel! Your first post is a goodie, and what better subject to look at than security. If you leave the back door open you may turn around to find the pantry empty! Nobody deserves that, and paying attention to your security at home as well as on your website is a must to prevent unauthorized access and subsequent damages or losses.
I’ll keep my eyes open for future posts from you. Enjoy, and good luck with your blogging. Writing is inspiring and sharing your knowledge with others is very gratifying.
Thomas
May 12, 2010 at 6:23 am
Hi!
My Blog was hacked a few months ago. This deleted my footer.php and instead I got a footer.php with only invisible Spamlinks in it.
I don’t know how long this file has been on my blog because it didn’t attract any attention from me. Who takes daily care about his page footer?
So my question: are the above mentioned queries the only one which can cause problems?
porno
May 14, 2010 at 10:05 am
Thank you for this information was good
Werbeagentur
May 17, 2010 at 2:17 pm
Thanks been looking for some more protection for our blog – always hard to keep up with this sort of thing. Will it work for V3?
Trailers for Sale
May 18, 2010 at 3:37 am
Place the following code into a text file and name it what ever you like for example blockbadqueries.php upload it to your plugin folder and activate it in your wordpress admin just as you would any other Plugin
Karen
May 18, 2010 at 11:36 pm
Great post and I found it very useful. I also run my blog on wordpress and I’ll take your suggestions to use.
Atish
May 21, 2010 at 1:59 am
Wow!!!
It’s a good lesson about hackings.great!!!
how to hackers have hacked other business sites and other…….