
WordPress: Security Measures

June 25th, 2009

If you haven't realized it yet, I am a bit of a WordPress fan. I am also a huge fan of open source and the amazing community that comes with it. One of the problems that comes with the open source nature of software, though, is that it doesn't take long for someone to figure out how to push the right buttons to exploit that software, or at least to drain your bandwidth trying. You do, however, have the power to enhance your open source installation and harden it appropriately so that it is much more difficult for maliciously minded people to disturb your site. Since there are many schools of thought on best practices and most effective methods, I am simply going to offer up some suggestions that are, in my opinion, a good place to start.

When you install WordPress, the default administrative username is "admin", as I am sure we all know already. With this, anyone trying to get into your site already knows half of the equation and can devote all their time to password guessing. There is a way around this, actually a few ways around this, but I am going to illustrate the method for fresh installs here. When you download the WordPress files and are ready to begin the installation, we just need to alter one file before you are all set. Within the 'wp-admin' folder you want to locate the 'install.php' file. In this file we are going to change two lines of code so that the installation knows to use the administrative username that we choose instead of the default.

In WordPress version 2.7.1 these two lines can be found here:

Line 104:  $wpdb->show_errors();
Line 105:  $result = wp_install($weblog_title, 'admin', $admin_email, $public);
Line 106:  extract($result, EXTR_SKIP);
...
Line 114:  <tr>
Line 115:    <th><?php _e('Username'); ?></th>
Line 116:    <td><code>admin</code></td>
Line 117:  </tr>

In WordPress version 2.8 these two lines can be found here:

Line 118:  $wpdb->show_errors();
Line 119:  $result = wp_install($weblog_title, 'admin', $admin_email, $public);
Line 120:  extract($result, EXTR_SKIP);
...
Line 128:  <tr>
Line 129:    <th><?php _e('Username'); ?></th>
Line 130:    <td><code>admin</code></td>
Line 131:  </tr>

In WordPress version 2.9.1 these two lines can be found here:

Line 141:  $wpdb->show_errors();
Line 142:  $result = wp_install($weblog_title, 'admin', $admin_email, $public);
Line 143:  extract($result, EXTR_SKIP);
...
Line 151:  <tr>
Line 152:    <th><?php _e('Username'); ?></th>
Line 153:    <td><code>admin</code></td>
Line 154:  </tr>

In the listings above, the value to change is the 'admin' argument passed to wp_install(): line 105 for 2.7.1 users, line 119 for 2.8 users, and line 142 for 2.9.1 users. It is here that we can enter whatever username we want to use in place of the default 'admin' value. Of course, keep in mind that you want to avoid spaces and stick to safe characters; you don't want to get too crazy with it! Also make sure you preserve the apostrophes (single quotes) around the username value. Removing one, or both, of these will break the installation process. Line 116 for 2.7.1 users, line 130 for 2.8 users, and line 153 for 2.9.1 users is simply what is displayed to you during the installation so you know which username is being used. It is strongly recommended that you change this to the same value you entered in the wp_install() call, just so you don't get confused and everything remains consistent.

Once you have changed these lines in your respective version's 'install.php' file, you are ready to upload everything to your server and begin the installation. You will now be pleasantly surprised to find that there is no 'admin' user in your WordPress installation, and instead the lovely custom username you created.

If you want to do this with an installation of WordPress that is already in place, I suggest you hunt around on Google for a suitable walk-through. I know one exists, but I personally prefer to avoid executing SQL queries against live databases that will result in changing user accounts.

One other really neat trick I came across was to disable the WordPress 'Generator' meta tag. Let me first explain a little bit about what this is exactly. When you visit a WordPress site, certain meta tags are generated and placed in the 'head' section of the page source. These tags identify certain information about your website, such as the keywords associated with the content or the language and locale it is written for. The 'Generator' tag, though, actually exposes which version of WordPress you are using. Why is this bad, you ask? Well, it won't bring down your site, but it does tell the maliciously minded exactly which version you are running, which may point them at known security flaws that have since been fixed in newer releases. Disabling it is relatively simple: a few lines of code remove the WordPress action responsible for printing the Generator tag. To make things nice and simple, you can download the plugin I made for this from the Playground.
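As an added example (my own code here, not the author's Playground plugin), a minimal plugin that does what the paragraph describes: it unhooks wp_generator from wp_head so the meta tag is never printed, and it also blanks the the_generator filter so the RSS and Atom feeds, which print their own generator element through the same function, stop leaking the version too. The plugin name and the function name are my own choices.

```php
<?php
/*
Plugin Name: Hide WordPress Generator (example)
Description: Added example for this post, not the author's plugin. Removes the
             version-revealing generator output from the page head and the feeds.
*/

// Core hooks wp_generator() to wp_head at the default priority (10). It prints
// <meta name="generator" content="WordPress x.y" />, so unhook it.
remove_action( 'wp_head', 'wp_generator' );

// The feed templates (RSS 2.0, Atom, RDF) print their own <generator> element via
// the_generator(), whose output passes through the 'the_generator' filter.
// Returning an empty string here blanks that output for every feed type as well.
function example_blank_generator( $output, $type ) {
    return '';
}
add_filter( 'the_generator', 'example_blank_generator', 10, 2 );
```

Drop the file into wp-content/plugins and activate it, then confirm by viewing the page source and the feed output: neither should contain a generator line any more. This hides only one clue; actually keeping WordPress updated is what closes the flaws the version number hints at.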

There are also a few other neat tricks you can use to make your WordPress installation differ from the typical folder structure of a default install. I personally went through and changed the directory names associated with my administration folder (wp-admin) and my content folder (wp-content). This process does require a bit more working knowledge of WordPress and a certain comfort level with a modification of this size. Since an extremely large number of core files refer to these folders by name, after you change the directory name for either one you need to update the reference in each of those core files. The easiest way to do this is to use software such as Adobe's Dreamweaver, where you can set up the site in a local directory and issue a 'Find & Replace' across every file contained within your site directory. With this, you can change 'wp-admin' to something like 'administration' (don't really use this, it is pretty easy to guess), making it more difficult for the malicious to locate this directory. One thing to keep in mind, though, is that there is a pretty good chance that any plug-ins you install will also use the default directory reference, so you will need to issue a 'Find & Replace' on those files as well. Also note that this modification requires you to modify core files, which disturbs your ability to automatically update to newer versions of WordPress and somewhat contradicts my previous post, WordPress: Hacks vs. Plug-Ins.

Alternatively, you can also investigate certain '.htaccess' methods which supposedly allow you to block any direct request for 'wp-admin' or 'wp-content' and instead give them virtual names which, when called, direct to the original default folder. I haven't personally spent much time with this method, so I am not entirely sure what effects it has on your installation nor how secure it actually is. I will leave that up to people much more creative than I with measures such as these. At any rate, hopefully this gives you a few ideas for what you can do to protect yourself a little bit.

As an added bonus, I wanted to include a link to the SEM Labs Journal so you can get an idea of some of the more advanced methods I lightly referenced above, as well as a different perspective on some of the methods I did touch on.

SEM Labs: How to Stop Your WordPress Blog from Getting Hacked

  1. David Hopkins
     July 8th, 2009 at 11:22

     Thanks for your comment. Had not thought of the issue with the admin username. Certainly not good practice. They should ideally be asking you to change that during the install.

  2. Mike's Money
     June 30th, 2009 at 20:12

     Cool post, just subscribed.
