I haven’t finished reading the whole thing but I’ve already learned many things and gained more knowledge about securing WordPress installations. When I find the time, I’ll try to apply some of the things I’ve learned. One thing I’m really interested in trying out is the WPIDS plugin that detects intrusions. This is just an initial release so some aspects and topics were missed or weren’t fully covered. Expect additional topics and improvements in the next release or versions of this whitepaper.

Here’s what you’ll find inside version 1.0:

• Table of Contents
• Introduction
• Installing WordPress
• Accessing your WordPress tables
• Changing your WordPress Table Prefix
• Before Installation
• Manually Change
• Through WP Prefix Table Changer
• Preparing the Blog
• Changing your Admin Username
• Create a new limited access user
• Hardening your WP Install
• Restricting wp-content & wp-includes
• Restricting wp-admin
• Block all except your IP
• Password Required – .htpasswd
• The .htaccess file
• The .htpasswd file
• MUSTHAVE Plugins
• WPIDS – Detect Intrusions
• WordPress Plugin Tracker – Are you updated?
• WordPress Online Security Scanner

Anyone else read the “How To Secure WordPress” whitepaper? What topics or additional information should the authors add in the next version? Share your thoughts!

Download the “Hot To Secure WordPress” PDF.

BlogSecurity an organization that deals with web blog security recently posted a list of the top 10 WordPress themes that are vulnerable to Cross-Site Scripting due to template flaws.

1. field-of-dreams
2. tarski
3. mandigo-14,1.22
4. connections
5. default
6. freshy
7. redoable
8. k2
9. vistered-little-1.6a
10. wp-multiflex-3

Some of the themes on the list are popular WordPress themes, like freshy, k2 and redoable. I hope that the theme authors would look into this and make the necessary changes and fix the template flaws.

If you want to perform the same test for your blog or WordPress themes that you’ve created, you can use the same method used by BlogSecurity team. All you need to do is follow the installation instructions:

• Download the wp-scanner activator plugin.
• Upload the plugin file to your wp-contents/plugin folder.
• Activate the plugin from the admin panel.
• Launch the wp-scanner and perform the test.
• As soon as you’re done, de-activate the plugin so other people can’t to scan your blog.

Btw, I performed the test for JaypeeOnline and I’m happy with the result:

I strongly recommend that you also perform this test so you can find out if the WordPress theme you’re using is vulnerable or not. It would only take a few minutes of your time. If you’ve also performed the test, please share your test results or your thoughts regarding this matter. Thank you!

Oh yeah, I almost forgot. Make it a habit to download WordPress themes or plugins from reliable sources or directly from the author’s site. Better safe than sorry!

Have a good weekend everyone! :)