WordPress does an excellent job at providing incredible content management features, while also keeping its CMS as secure as possible. However, there are still some things you can do to make it even more secure, even from Google (I’ll explain that in a minute.)
After you install WordPress, there’s still information that crude hackers can gain access to and exploit. The main items include:
- Error-Messages via the Login form
- WordPress version provided by the header and Readme file
- Plugins folder returning public information
- Really Simple Discovery designated in the header
- Windows Live Writer enabled
- Core Update messages enabled for non admins
- Plugin Update messages enabled for non admins
- Theme Update messages enabled for non admins
Many of these items may seem benign, but they aren’t. If an exploit was found by unethical hackers that affected a particular version of WordPress, they could easily set up bots to discover WordPress blogs with that version and execute the exploit. If you think that couldn’t happen, you’re wrong. In fact, a wide-scale security hole happened last year that affected versions of WordPress that came before 2.3.3. The hackers inserted tons of hidden spammy links into the sites, and many site owners had their blogs penalized by Google in the SERPs because of it.
So you might be thinking, “oh, that’s what you meant by securing from Google.” Nope! I have one more example to give you as to why you should plug these holes. The plugins folder, if not properly secured, can provide information not only to hackers, but to Google. Google of course isn’t in the business of hacking WordPress blogs, but they are in the business of sniffing out paid links.
There are now services like InLinks that provide WordPress plugins that manage automated link brokerage. While InLinks has tweaked their plugin to be undetectable (they require the user to give the plugin file a custom name), there are many plugins that assist in link brokerage, cloaking and affiliate marketing that can be detected if a folder and/or file name is not changed by the user.
If you don’t think this is a vulnerability, then try out this link on your WordPress blog: http://yourdomain.com/wp-content/plugins/akismet/akismet.gif (obviously, change to your domain and enter the correct path to your WordPress installation.) If you’re like most people with a typical installation, you’ll see an image. Doh! Now wasn’t that easy?! I now know that you have the Akismet plugin.
How to Fix WordPress Vulnerabilities
Fixing these vulnerabilities is actually quite easy. Frank Bültge has created a plugin called Secure WordPress. When you activate and setup the plugin, it will take care of most of the security vulnerabilities. In order to really lock it down, you can then visit BlogSecurity’s WPSCAN. It’s a free WordPress scanner that works in conjunction with the Secure WordPress plugin. Finally, if you install plugins that might be considered risky to search engines, be diligent on renaming the folders and files related to those plugins.