Always keep a backup copy of the latest version of WordPress, your WordPress Theme, a full backup of your WordPress database, WordPress Plugins, and copies of all the images and files on your host server. If something does happen, you may need these backups to restore your blog.
To keep your WordPress blog safe:
- Update WordPress.
- Update your WordPress Theme.
- Update WordPress Plugins.
- Monitor WordPress news sources for alerts about security vulnerabilities and upgrades, such as WordPress Wednesday news on the Blog Herald, WordPress Planet (official WordPress aggregator), the WordPress Development Blog, and Weblog Tools Collection.
To check your blog now for unwanted links and hacking attempts:
- Install and run the WP Scanner WordPress Plugin from Blog Security.
- In Firefox, go to Tools > Page Info > Links (not available in Firefox 3 Beta) and check each link to ensure you put it there and it goes to sources you trust. Manually view the page source code of your blog (View > Page Source) and check to ensure each link is trustworthy. Is each link a link you want on your blog?
- Examine your WordPress Theme template files, especially the `header.php` and `footer.php`, for unwanted content and links. If you didn’t put it there, who did? Do you want it there?
- Check random posts on your blog for unwanted content and links. Edit these through the Administration Panels to remove the unwanted content from the database.
- Search your template files, stylesheets, and database for `display:none` and/or `height:0` as these are common styles used to hide unwanted content and links. Remove them from the posts or files accordingly. I recommend Silpstream’s WP-phpMyAdmin WordPress Plugin for searching the database directly from your WordPress blog.
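The template and stylesheet search from the list above can be scripted. The following Python sketch is an added example, not code from the original post: it flags every line in a theme directory that uses `display:none` or `height:0` and lists the links found near it for manual review. The sample theme, its contents and the domain `unwanted.example` are constructed for illustration, and the database is not covered.

```python
import re
import tempfile
from pathlib import Path

# Styles the article names as commonly used to hide unwanted content and links.
HIDING_STYLE = re.compile(r"display\s*:\s*none|height\s*:\s*0(?![.\d])", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
EXTENSIONS = {".php", ".css", ".html", ".htm"}

def scan_theme(theme_dir, context=2):
    """Return one finding per line that matches a hiding style, with the links
    found within `context` lines of it, so a reviewer can judge each hit."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for i, line in enumerate(lines):
            m = HIDING_STYLE.search(line)
            if not m:
                continue
            nearby = "\n".join(lines[max(0, i - context): i + context + 1])
            findings.append({
                "file": path.name,
                "line": i + 1,
                "style": re.sub(r"\s+", "", m.group(0).lower()),
                "links": HREF.findall(nearby),
            })
    return findings

def build_sample_theme(root):
    """Constructed sample: clean header, footer with a hidden link block."""
    root = Path(root)
    (root / "header.php").write_text('<a href="/">Home</a>\n')
    (root / "footer.php").write_text(
        '<p>Powered by WordPress</p>\n'
        '<div style="display: none">\n'
        '<a href="http://unwanted.example/pills">cheap pills</a>\n'
        '</div>\n')
    (root / "style.css").write_text(".skip { height:0 }\n.box { height:0.5em }\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in scan_theme(build_sample_theme(tmp)):
            print(f"{f['file']}:{f['line']} {f['style']} links={f['links']}")
```

A hit is only a prompt for review: themes legitimately use both styles (for skip links or collapsed menus, for example), so the question for each finding remains whether you put it there.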
If you are not using the latest version of WordPress, your blog may be at risk. Currently, WordPress 1x is no longer supported. The WordPress 2.0x branch has been upgraded to 2.1.3 and 2.0.11. See the WordPress Release Archive for past versions of WordPress.
Blog Security recently updated its popular WordPress Whitepaper which reports on security issues and problems with WordPress. It includes tips and step-by-step procedures to improve the security of your WordPress blog, beyond the scope of this article. Also, consider using the WPIDS - WordPress Intruder Detection System Plugin to help you monitor your blog for intruders and attacks.