Tips & Tricks

WordPress Security Hacks

Hi guys, this is my first post on wpcult, the great site Austin built. Hope you guys find it useful.

If you run a blog using the WordPress software, then your blog is a target for hackers. Below I will list some hacks and show how they can help you keep your business/site safe.

The following code blocks bad queries and protects your blog from malicious URL requests.

Place the following code into a text file and name it whatever you like, for example blockbadqueries.php. Upload it to your plugin folder and activate it in your WordPress admin just as you would any other plugin.

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
// The check below runs only for logged-in users who are not administrators.
global $user_ID; if($user_ID) {
  if(!current_user_can('level_10')) {
    // Reject over-long URIs and URIs containing any of the listed strings.
    // strpos() is compared with false explicitly because a match at offset 0 returns 0.
    if (strlen($_SERVER['REQUEST_URI']) > 255 ||
      strpos($_SERVER['REQUEST_URI'], "eval(") !== false ||
      strpos($_SERVER['REQUEST_URI'], "CONCAT") !== false ||
      strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") !== false ||
      strpos($_SERVER['REQUEST_URI'], "base64") !== false) {
        // Answer with 414 and stop before WordPress processes the request.
        @header("HTTP/1.1 414 Request-URI Too Long");
        @header("Status: 414 Request-URI Too Long");
        @header("Connection: Close");
        @exit;
    }
  }
}
?>

This great plugin was made by Jeff Starr of Digging into WordPress.
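A variant of the plugin's check written as a testable function, as an added example (not Perishable Press code): it decodes the URI once and matches case-insensitively, so differently cased or percent-encoded forms of the same four strings are treated alike. The function name bbq_should_block() and the sample URIs are assumptions made for illustration.

```php
<?php
// Added example, not part of the Block Bad Queries plugin.
// bbq_should_block() is a hypothetical name chosen for this sketch.

/**
 * Decide whether a request URI matches the plugin's block list.
 * Returns the matched reason as a string, or null when the request is allowed.
 */
function bbq_should_block(string $request_uri, int $max_len = 255): ?string
{
    // Same length limit as the plugin, applied to the raw URI.
    if (strlen($request_uri) > $max_len) {
        return 'length';
    }

    // Decode once so "%28" and "(" compare equal; urldecode() also turns "+"
    // into a space, the same way PHP decodes query strings.
    $decoded = urldecode($request_uri);

    // Collapse whitespace runs so repeated spaces do not hide a two-word match.
    $decoded = preg_replace('/\s+/', ' ', $decoded);

    // The plugin's four strings, lower-cased; "UNION+SELECT" becomes
    // "union select" because the "+" has been decoded to a space.
    $needles = array('eval(', 'concat', 'union select', 'base64');

    foreach ($needles as $needle) {
        // stripos() is case-insensitive; compare with false because a match
        // at offset 0 returns 0.
        if (stripos($decoded, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

// Constructed sample request URIs (not taken from real traffic).
$samples = array(
    '/?p=42',
    '/?s=wordpress+security',
    '/index.php?id=1+UNION+SELECT+1',
    '/index.php?id=1%20union%20select%201',
    '/?x=Base64_decode',
    '/?cb=EVAL%28x%29',
    '/?q=' . str_repeat('a', 300),
);

foreach ($samples as $uri) {
    $reason = bbq_should_block($uri);
    printf("%-42s %s\n", substr($uri, 0, 40), $reason === null ? 'allow' : "block ($reason)");
}
```

Substring matching of this kind also blocks legitimate requests that happen to contain one of the strings, so review what it rejects on a test site before relying on it.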

 

 

Protecting your blog with .htaccess

.htaccess files have lots of possibilities. Below is some code that will help protect your WordPress site from modification of _REQUEST and/or GLOBALS and from script injection.

This is really simple: just paste the following code into your .htaccess file. Always make a backup of your .htaccess before editing; better to be safe.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

 

Thanks to Oussama for this great hack.
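To see what these rules will and will not reject before they go live, the three RewriteCond patterns can be run over sample query strings. This is an added example, not part of the original post; the function name htaccess_rule_hit() and the sample query strings are assumptions made for illustration.

```php
<?php
// Added example: the three RewriteCond patterns from the .htaccess block,
// written as PCRE so they can be exercised offline.
// Apache matches %{QUERY_STRING} in its raw, still percent-encoded form,
// which is why the first rule lists both "<" and "%3C".
$rules = array(
    'script tag' => '~(\<|%3C).*script.*(\>|%3E)~i',   // [NC]: case-insensitive
    'GLOBALS'    => '~GLOBALS(=|\[|\%[0-9A-Z]{0,2})~',  // no [NC]: case-sensitive
    '_REQUEST'   => '~_REQUEST(=|\[|\%[0-9A-Z]{0,2})~', // no [NC]: case-sensitive
);

/**
 * Return the name of the first rule that matches the query string
 * (the request would be answered with 403 by the [F] flag), or null.
 */
function htaccess_rule_hit(string $query_string, array $rules): ?string
{
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $query_string) === 1) {
            return $name;
        }
    }
    return null;
}

// Constructed query strings (everything after the "?" in a URL).
$samples = array(
    's=hello+world',                   // ordinary search
    'p=12&preview=true',               // ordinary post preview
    'q=%3CSCRIPT%3Ex%3C%2FSCRIPT%3E',  // encoded, upper-case script element
    'GLOBALS[foo]=1',                  // attempt to set the GLOBALS array
    '_REQUEST%5Bfoo%5D=1',             // same idea with an encoded "["
    'globals=1',                       // lower-case name: not the PHP superglobal
    's=%3Cjavascript+tutorial%3E',     // harmless search containing "<", "script", ">"
);

foreach ($samples as $qs) {
    $hit = htaccess_rule_hit($qs, $rules);
    printf("%-34s %s\n", $qs, $hit === null ? 'pass' : "403 ($hit)");
}
```

The last sample is worth watching in your own logs: any query string that contains an angle bracket pair around the word "script" is refused, including legitimate searches.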

243 Comments

  1. Pink Magic

    February 2, 2011 at 3:02 pm

    Internet security in general is often overlooked, especially with WordPress. I’ve been the victim of two WordPress hacks through various security holes!

  2. Henri Labelle

    February 3, 2011 at 6:32 pm

    Thanks for this tip, I’ll use it right now!!

  3. Symptoms of Depression

    February 7, 2011 at 8:43 pm

    Yea, I know a number of people who have had their wp sites hacked. That is why I try to get everything set up properly from the very beginning to avoid any nasty surprises. I find that a couple of plugins work well, wp-security scan and wp malwatch. If you are running wp you should definitely install those.

  4. Milwaukee SEO

    February 10, 2011 at 10:02 pm

    Great roundup of potential issues with WP security. Posts like these make it easy for us to identify loopholes and fix them up before our sites get hacked.

  5. Wordpress Developer

    February 15, 2011 at 3:56 am

    Nice post, and it is very helpful for me; I have resolved many of my problems regarding WordPress security.

    thank you very much

  6. pond filters and pumps

    February 26, 2011 at 5:14 am

    Hi Miguel, thanks for your tips. Surely I’ll implement your tips. Last year I had 1 blog attacked by a hacker. He deleted my posts and took over my blog. Lastly I had to delete everything and install everything again. I really hate hackers. – zack

  7. Brand Developers

    February 27, 2011 at 5:19 pm

    Thank you for the help. It is always rather frightening to think that your blog could be compromised by a malicious hacker.

    Thanks,

    Katherine

  8. Air Zimbabwe

    March 5, 2011 at 3:55 am

    Nice job , really appreciate your work and thanks for this vital piece of information
    Keep up the good work !!!

  9. xclmedia

    March 6, 2011 at 3:38 pm

    Ok, thanks for the information! I’ll secure my blog.

  10. Kevin Rutter - Charity Auctioneer

    March 6, 2011 at 5:23 pm

    It seems WordPress blogs/websites are the most hacked out there. I use WordPress and seem to always get hit by these lurkers.

  11. Ross

    March 7, 2011 at 12:15 am

    It’s sad to think that someone will go out of their way to hack into and mess up a website! I see this post is a year old; can I presume this is still a good and valuable way to keep people out? I guess there’s no reason why the code needs to be updated…. Cheers Ross

  12. duka

    March 10, 2011 at 9:52 am

    Join our newest gaming community and you can find or make tutorials for every game:
    thextop.org Soon maybe we will be the best gaming tutorial community!!!

  13. Fabrizio T.

    March 15, 2011 at 9:24 am

    Hello, very nice post with useful tricks.
    I’d have a question: do you think that could be useful to use .htaccess to block hotlinking of images? I noticed on my blog that there is a lot of traffic on some images (car models) and I suspect that someone is linking those images… do you think it is possible using .htaccess?

  14. HCG

    March 17, 2011 at 8:45 am

    I think you have done a great job stepping in and taking over where the other previous owner had left off. Good Job.

  15. Toulouse webdesigner

    March 18, 2011 at 7:54 am

    Very useful tut, security is essential for WordPress !

  16. jacob @ seo services

    March 25, 2011 at 3:40 am

    I really need this, good information about WordPress plug-ins.
    Thanks for sharing this article.

    keep it up
    cheers!

  17. Kev

    March 27, 2011 at 3:24 am

    hi
    Great post ,thanks for sharing

  18. Arbetskläder

    March 27, 2011 at 11:21 am

    Many thanks for the .htaccess tips, I just implemented it. Thanks!

  19. top 10 credit cards

    March 28, 2011 at 7:39 am

    Security, protecting our personal information is very important. It’s so accessible nowadays, We never know how and by whom it can be used. Thanks for the code.

  20. Geodesic Dome GreenHouse

    March 30, 2011 at 2:01 pm

    For a first time posting an article this is more than good! In fact I think this is great. Supplied me with some very useful information that I am going to use and that I never knew about until now! I’ve never had any of my WordPress blogs hacked before, thank god, but I have heard about many people who have had theirs hacked and now that is something I don’t have to worry about anymore. I’m gonna apply this to all of my WordPress blogs from here on out!

    Thank you

    P.S. Will this work on other blogs or only on WordPress blogs?

  21. Katie

    April 2, 2011 at 6:55 am

    I have no idea what a ‘malicious URL request’ is either, however I have had a wordpress blog hacked before and it was a real hassle getting it back up and running again (luckily I had recent backups). So I am installing the plugin and hoping it can stop anything like that happening in future!

    I’m not confident about editing the .htaccess file, but I’ll use the plugin.

    K.

  22. Tigara electronica

    April 4, 2011 at 7:21 am

    Internet is not secure, if hackers managed to break into CIA and nasa accounts, be sure they can hack your blog, anyway you protect it!

  23. chat

    April 7, 2011 at 7:07 pm

    thxadmins..

  24. meter data

    April 10, 2011 at 2:55 am

    The problem with the best hackers is they try to frame others

  25. Steve

    April 12, 2011 at 1:49 am

    Thanks for the tips above. I really had no idea that a wp blog can be hacked this way. I am going to secure my blogs.

    thanks 🙂
    Steve

  26. Rosana

    April 14, 2011 at 2:44 pm

    Thanks for sharing this post, but I don’t agree with you.

  27. Franz V. Hurtado

    April 19, 2011 at 9:45 am

    Nice article! You can get more information about a successful poet by reading about Franz V. Hurtado. He is a great poet. He knows new technology about poetry.

  28. Mark

    April 19, 2011 at 8:58 pm

    Great post and excellent advice for every blogger on security topics. Security is the key!

    Thanks a lot from Argentina

  29. Sheila D. Miles

    April 21, 2011 at 7:58 am

    I was hacked twice, and had a hard time putting pieces back together, being a non-techie added on the grief. Very nice Info, I will definitely use the code you posted.

  30. Justin King

    April 27, 2011 at 7:57 am

    I think this is very helpful article which shows from top to bottom of hacking for wordpress blogs. Very informative and useful to beginners.

  31. Dan W

    April 30, 2011 at 9:38 pm

    I’m not sure I understand all of this but I will follow your instructions to get some protection. Thanks much.

  32. jim

    May 3, 2011 at 9:10 am

    Thank you for this! Recently came under attack and it was not fun, had to get my host involved over a simple WordPress security flaw.

  33. DrawBloodPoker

    May 5, 2011 at 12:35 am

    Guys like you are smart, how come WordPress does not listen to you?

  34. buat situs gratis

    May 6, 2011 at 5:10 pm

    I found this information useful, especially for my blog. Thanks

  35. Ashley Morrison

    May 18, 2011 at 12:11 pm

    I’m having no end of problems with my WordPress blog. I think it may have been something I’d done rather than a virus or hack. Will play with it and will let you know if I fix it

  36. akash rana

    May 20, 2011 at 6:27 pm

    nice work, you work a lot on your posts!

  37. akash rana

    May 20, 2011 at 6:31 pm

    nice work, you work a lot on your posts!. carry on

  38. akash rana

    May 20, 2011 at 6:36 pm

    nice work, you work a lot on your posts! i hope want to more good in future

  39. Mike Strong

    May 23, 2011 at 12:33 pm

    I see this post is old so not sure if this is gonna save. Quick question: was the first script a plugin? Should I follow that link and get a plugin there? And the 2nd, the .htaccess; is that an alternative – just choose one or the other?

    And if I use the .htaccess, does it matter where it is in that file; does it need to be first?

    Thanks in advance.

  40. portland acupuncture

    May 23, 2011 at 3:56 pm

    Thanks. I never thought of using the .htaccess in that way. That’s extremely helpful!

  41. Gesund Abnehmen

    May 25, 2011 at 1:45 am

    Thanks for sharing. Nice job

  42. Evenimente

    May 26, 2011 at 1:25 am

    Great first post! Congrats!

  43. Kang Yahya

    May 27, 2011 at 7:26 am

    Nice tips and trick.
    I like this blog.

  44. Statecollege Computer Repair

    May 28, 2011 at 6:44 am

    Welcome to the site. And you are right about hacking. Nowadays hacking is becoming more and more common.

  45. frank

    May 31, 2011 at 9:35 am

    Thanks for the wordpress tips. I will use these for sure!

  46. Limo Steves

    June 7, 2011 at 2:32 am

    I was looking for such information for a long time and I am glad that I finally came here! Thanks for sharing the such information with us.

  47. WordPress

    June 10, 2011 at 7:57 am

    It seems that I’ve already installed that plugin. By the way thanks for the info. Looking for more related posts.

  48. Ganar Dinero

    June 10, 2011 at 1:36 pm

    I’ve ever commented here, but have been reading and following your posts for almost one year.

    Thanks for all the valuable information you spread through your posts and hope you continue to do the great job.

  49. Peter

    June 14, 2011 at 11:31 am

    Hi,
    Excellent blog, congratulations.
    Regards
    Peter

  50. Ralph T. Burlingame

    June 19, 2011 at 11:36 am

    I was hacked twice, and had a hard time putting pieces back together, being a non-techie added on the grief. Very nice Info, I will definitely use the code you posted.

Tips & Tricks

Can't add pagination on WooThemes Thick Theme

Everything I have tried has led to nothing. And I have tried six ways from Sunday to get my main posts to paginate.

example one:

<?php $paged = (get_query_var('paged')) ? get_query_var('paged') : 1; 
query_posts('offset=1&showposts=' . get_option('woo_other_entries') . '&cat=-' . $GLOBALS['ex_asides'] . '&paged=$paged' ); ?>

example two:

<?php 
global $myOffset; 
global $wp_query;
$myOffset = 1;
$paged = intval(get_query_var('paged')) ? get_query_var('paged') : 1;
$temp = $wp_query;
$wp_query= null;
$wp_query = new WP_Query();
$wp_query->query(array(
	'offset' => $myOffset,
	'category__not_in' => array($GLOBALS['ex_asides'],7,84),
	'paged' => $paged,
	'showposts' => get_option('woo_other_entries'),
	)); ?>

example three:

<?php 
global $myOffset;
$myOffset = 1;
$wp_query = new WP_Query();
$wp_query->query(array(
	'offset' => $myOffset,
	'category__not_in' => array($GLOBALS['ex_asides'],7,84),
	'paged' => $paged,
	'showposts' => get_option('woo_other_entries'),
	)); ?>

And after those tries, I just can’t get more pages beyond the options that I choose, and can only pull an archive via the browse more link.

Any suggestions or anything?

Tips & Tricks

Pulling custom fields from outside the loop

In the last post, “Creating a custom widget”, I showed you how to create a custom widget. In this post I will show you how I used my custom widget to display all posts with a certain custom field from outside the WordPress loop.

In the last post I used this tag:

<?php include(TEMPLATEPATH . '/includes/showcase.php'); ?>

Now I will show you what the file showcase.php has:

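<ul>
<?php
// $post must be the global so that template tags such as the_title_attribute()
// see the row currently being rendered, even when this file is included from a function.
global $wpdb, $post;

// Latest 8 published posts that have a 'gallery-url' custom field.
$sql = "SELECT wposts.*
	FROM $wpdb->posts wposts, $wpdb->postmeta wpostmeta
	WHERE wposts.ID = wpostmeta.post_id
	AND wpostmeta.meta_key = 'gallery-url'
	AND wposts.post_status = 'publish'
	AND wposts.post_type = 'post'
	ORDER BY wposts.post_date DESC LIMIT 8";

$pageposts = $wpdb->get_results($sql, OBJECT);

foreach ($pageposts as $post) : setup_postdata($post);
	// Custom field values are author-supplied, so escape them before output. ?>

<li><a href="<?php echo esc_url(get_post_meta($post->ID, 'gallery-url', true)); ?>" title="Link to <?php the_title_attribute(); ?>">
<img src="<?php echo esc_url(get_post_meta($post->ID, 'image', true)); ?>" alt="<?php the_title_attribute(); ?>" /></a></li>

<?php endforeach;
// Restore the main query's post data for the rest of the page.
wp_reset_postdata(); ?>

</ul>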

That’s it! The most important item you may want to change for your own custom field is the line AND wpostmeta.meta_key = 'gallery-url', where you would change gallery-url to match your own custom field value.

Update:

Check out the comment below from Austin of PressedWords.

With his great advice I was able to figure out why all my attempts to use query_posts weren’t working. It came down to this line of code: <?php echo get_post_meta($post->ID, "gallery-url", $single = true); ?>. That was what I had in my code, and the $post->ID is the reason my code would not echo or print the custom field’s value. Solution? Replace $post->ID with get_the_ID(). HA, so simple.
Tips & Tricks

Creating a custom widget

Today let’s learn a simple quick trick on how to create a custom widget. For my example I will show you how I created my Showcase widget located in the middle, to the right of the posts.

First under your functions.php file type in the following:

<?php // Custom Widget
function MyCustomWidget() { ?>
<li class="widget">
    <h2 class="heading">Latest Showcase</h2>
        <ul>
        	<?php include(TEMPLATEPATH . '/includes/showcase.php'); ?>
        </ul>
</li>

<?php }

register_sidebar_widget('The Custom Widget for Showcase', 'MyCustomWidget'); ?>

  • Always make sure your code is between <?php and ?> for it to work.
  • Once we call the function, the rest is HTML code that you may or may not need.
  • For instance, you may just put in a picture and call it a day. But my code starts with <li> because my sidebars start and end with <ul>.
  • Anyway, once you’re done, just set the final register_sidebar_widget('the widget title', 'the name of the function');

That’s it! Now you have a custom widget with whatever you want!
