A couple of weeks ago my other site, the Bible Archive, was flagged by Google for containing badware. I think it's still listed as flagged; I'm just waiting for them to review it again to show that there's no badware on it. I had a cache on my site that allowed quicker rendering of the site, but what wound up happening was that a hacker injected SQL code so that my site would render a 1 x 1 iframe with a certain w*p*s*t*a*t-s dot i*n*f*0. As it was, I had to spend several hours (up till 3 AM) finding this code and then removing it. Well, it's gone now, but here are a few steps for people to learn from my experience and take precautions up front.
- Update your WordPress. Each time a new version comes out, security holes are patched. Each time you don't upgrade, everybody knows about the security holes you still have.
- Get rid of plugins you don't use. If you have a plugin you haven't used, get rid of it. Each plugin is a potential open window onto the internet, inviting every nefarious hacker inside your virtual home.
- Change your admin username. Don't simply use the default username for WordPress. Sure, you create your own password, but that's not enough. That's like changing the keys to your house while everyone knows what model of lock you have.
- Change your admin password to something devilish. That means words, letters, numbers and symbols, people. Instead of using mcfspassword use MC3Fzp@$sw0(r)D. Now that is tight.
- Use a different password for your database. People, being forgetful, like to use the same password for everything. Don’t.
- Protect your admin directory. That means adding an .htaccess file that points to an .htpasswd file, or using the protect-directory command in your web server's control panel. Give it its own username and password, different from your WordPress login.
- Protect your FTP account. Personally, I create multiple FTP accounts. My main FTP account is the one given to me by my hosting company. The sub-account is one I create that only has access to the one folder. That's the one I'll use. Always.
- Protect your content and plugin directory. This one's a bit more convoluted, but you can set up the .htaccess so that it blocks any odd requests and only lets the directory serve pictures and the like. This isn't a detailed post, but others do have the necessary steps.
- Rename your WordPress database table prefix. You don't want people attacking your site just because they know you have the default setup installed. This site here has the best instructions yet if you can't get it changed automatically.
- Install a plugin to block information calls. You don't want people to know your version number or which plugins you have installed, so block that from the public. Blogsecurity has some great help on this.
- Install a plugin that stops certain attacks. The three that you need are here.
- Backup. Back up your blog. Back up your database. Save them by date. Back them up again.
- Go through the white papers. There is a checklist to make sure you're hitting what needs to be done, and that's right over here.
- In fact, subscribe to Blogsecurity's feed. They constantly have updates on plugins with security holes.
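The injected 1 x 1 iframe described at the top of the post is the kind of thing you can sweep for before Google does. The script below is an added example, not part of the original post: it greps a directory of rendered HTML (a page cache, or a wget mirror of the site) for iframes that are one pixel wide or hidden by style, and lists every host used as an iframe source so anything other than your own domain stands out. The sample page, the host names (`www.example.com`, `example.invalid`) and the cache path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: sweep a page cache (or any directory of
# rendered HTML) for an injected frame: a 1x1 or hidden <iframe>, plus any
# iframe source host that is not the site's own.
# The sample page and host names are constructed; the cache path is a placeholder.

# POSIX ERE: an iframe tag whose attributes include a one-pixel dimension
# or a "hide me" style.
HIDDEN_IFRAME_RE='<iframe[^>]*(width=.?1[^0-9]|height=.?1[^0-9]|display *: *none|visibility *: *hidden)'
# A src attribute with an absolute http(s) URL, matched up to the end of the host.
SRC_RE="src=[\"']?https?://[^/\"' >]+"

# find_hidden_iframes DIR -> file:line:match for every hit (exit status 1 if none)
find_hidden_iframes() {
    grep -rniE "$HIDDEN_IFRAME_RE" "$1"
}

# list_iframe_hosts DIR -> unique, lower-cased hosts used as iframe sources
list_iframe_hosts() {
    grep -rhoiE "<iframe[^>]*$SRC_RE" "$1" \
        | grep -oiE "$SRC_RE" \
        | tr 'A-Z' 'a-z' \
        | sed -E "s#^src=[\"']?https?://##" \
        | sort -u
}

# unexpected_iframe_hosts DIR OWN_HOST -> every iframe host except OWN_HOST
unexpected_iframe_hosts() {
    list_iframe_hosts "$1" | grep -vxF "$2"
}

# write_sample_cache DIR: a constructed cached page with one legitimate embed
# from the site itself and one injected hidden frame pointing at a made-up host.
write_sample_cache() {
    mkdir -p "$1"
    cat > "$1/index.html" <<'EOF'
<html><body>
<p>Welcome to the archive.</p>
<iframe src="http://www.example.com/embed/reader" width="400" height="300"></iframe>
<iframe src="http://example.invalid/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>
EOF
}

# Demo on a scratch directory; real use is e.g.
#   find_hidden_iframes /var/www/html/wp-content/cache   (placeholder path)
demo=$(mktemp -d)
write_sample_cache "$demo"
find_hidden_iframes "$demo"
echo "iframe hosts other than www.example.com:"
unexpected_iframe_hosts "$demo" www.example.com
rm -rf "$demo"
```

A hit in the cache is a pointer, not the root cause: the cached copy is only the rendered output, so after deleting it, find where the markup came from (a post or option row in the database, or a modified theme or plugin file) and clean that, or the cache will simply be regenerated with the frame in it.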
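For the "protect your admin directory" and "protect your content and plugin directory" items, here is what the .htaccess files can actually look like. This is an added example, not code from the post or from WordPress; it assumes Apache 2.4 with `AllowOverride All` for the site and the `mod_auth_basic` and `mod_authn_file` modules loaded. The web root, the user name, the password and the `.htpasswd` location are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: write the Apache per-directory files that
# password-protect wp-admin/ and stop scripts from running out of the uploads
# tree. Assumes Apache 2.4, AllowOverride All, mod_auth_basic + mod_authn_file.
# Paths, user name and password below are placeholders.

# htpasswd_hash PASSWORD -> Apache apr1 (MD5) hash in the format .htpasswd expects.
# Note the password is passed on the command line, so run this from a script,
# not an interactive shell that keeps history.
htpasswd_hash() {
    openssl passwd -apr1 "$1"
}

# protect_admin_dir WP_ROOT HTPASSWD_FILE USER HASH
#   HTTP Basic auth on wp-admin/. Keep HTPASSWD_FILE outside the document root
#   so it can never be served. admin-ajax.php stays reachable because themes
#   and plugins call it from the public pages.
protect_admin_dir() {
    wp_root="$1"; htpasswd="$2"; user="$3"; hash="$4"
    printf '%s:%s\n' "$user" "$hash" >> "$htpasswd"
    chmod 640 "$htpasswd"
    mkdir -p "$wp_root/wp-admin"
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $htpasswd
Require valid-user
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# block_php_in_uploads WP_ROOT
#   The uploads tree should only ever serve images and documents: refuse any
#   script-looking file name and switch off directory listings.
block_php_in_uploads() {
    mkdir -p "$1/wp-content/uploads"
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
Options -Indexes -ExecCGI
<FilesMatch "\.(php|php[0-9]|phtml|phar|pl|py|cgi)$">
    Require all denied
</FilesMatch>
EOF
}

# Demo against a scratch copy of the tree (the real root is e.g. /var/www/html).
demo_root=$(mktemp -d)
hash=$(htpasswd_hash 'change-me' 2>/dev/null || echo 'PLACEHOLDER-HASH')
protect_admin_dir "$demo_root" "$demo_root/.htpasswd" rey "$hash"
block_php_in_uploads "$demo_root"
cat "$demo_root/wp-admin/.htaccess" "$demo_root/wp-content/uploads/.htaccess"
rm -rf "$demo_root"
```

Check the result with a browser before walking away: `/wp-admin/` should prompt for the extra password, a request for any `.php` file under `/wp-content/uploads/` should return 403, and the front end should still work (if it does not, a plugin is probably calling something in wp-admin other than admin-ajax.php, and that file needs the same `<Files>` exception).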
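Renaming the table prefix is more than a set of `RENAME TABLE` statements: WordPress also stores the prefix inside two rows of data, the role list in the options table (`wp_user_roles`) and the per-user capability keys in usermeta (`wp_capabilities`, `wp_user_level` and friends), and if those are left behind every account loses its permissions. The script below is an added example, not from the post or from the site it links to: it prints the SQL for the whole move so you can review it, then pipe it into `mysql`. It assumes MySQL or MariaDB with the default backslash escape in `LIKE`, and the core table names of WordPress 2.3 and later; the prefixes in the demo are made up.

```shell
#!/bin/sh
# Added example, not from the post: print the SQL that moves a WordPress
# install from one table prefix to another. Assumes MySQL/MariaDB and the
# core table list of WordPress 2.3+; the demo prefixes are made up.
# After running the output, set $table_prefix in wp-config.php to the new value.

# Core tables that carry the prefix. Plugins add their own; list the real set with
#   SHOW TABLES LIKE 'wp\_%';
WP_CORE_TABLES="comments links options postmeta posts term_relationships term_taxonomy terms usermeta users"

# like_escape STRING -> STRING safe for use inside a LIKE pattern. In SQL '_'
# is a one-character wildcard, so an unescaped 'wp_%' would also match keys
# such as 'wpxfoo' and rewrite rows that never belonged to WordPress.
like_escape() {
    printf '%s' "$1" | sed 's/[\\%_]/\\&/g'
}

# prefix_rename_sql OLD NEW [table_suffix ...]
#   Emits one RENAME TABLE per table, then the two UPDATEs that fix prefixed
#   data: the role list in options and the per-user capability keys in usermeta.
#   With no suffixes given, the core table list above is used.
prefix_rename_sql() {
    old="$1"; new="$2"; shift 2
    tables="${*:-$WP_CORE_TABLES}"
    for t in $tables; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # SUBSTRING from just past the old prefix, rather than REPLACE, so a key
    # that happens to contain the prefix twice is not mangled.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "$(like_escape "$old")"
}

# Demo: review the statements, then, with a fresh backup in hand,
#   prefix_rename_sql wp_ q9r_ | mysql wordpress
prefix_rename_sql wp_ q9r_
```

Run the dump-and-restore test from the "Backup" item before this, not after: a half-applied rename (tables moved, usermeta not) locks you out of the dashboard, and the quickest way back is a restore.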
2 responses to “Protect Your Neck: Securing Your WordPress Blog”
Hi Rey
Thanks for the info. Security is usually overlooked until we get hit.
You have great points here that will definitely make a huge difference when applied to any WordPress blog.
Dude, thanks for YOUR info. You really helped out with that whole table renaming bit.