
WARNING! Your blog at RISK Again! Did you know this?

Do you think your blog is secured? Wait until you read this.

I got a mail from one of my readers pointing this issue out on my blog. As a matter of fact, as a webmaster and PHP developer, it was plain negligence on my part not to have had these leaks handled. With just a few clicks in your cPanel, these security flaws can be dealt with in a matter of minutes.

I tested over 5 blogs I read often and none of them was safe. This is serious! How is it that almost nobody takes care of this, even though we talk about safety here and there?

I’m sure these flaws are responsible for the thousands of hacks we see on WordPress these days. These leaks reveal key information about your web hosting, and hackers may use this information to develop strategies to attack and bring down your blog.

NB: Read more on securing your blog from hackers

Vulnerability 1

Copy the link below and paste it in your address bar, replacing http://yourdomainname.com with your real domain name:

http://yourdomainname.com/wp-includes/vars.php

What if your blog is installed in a sub-directory (a folder under your domain), like this:

http://companyname.com/blog/

Then this is what you should do:

http://companyname.com/blog/wp-includes/vars.php

Now load this in your address bar. If you see something like the following screenshot, it means your server may be revealing critical information to the bad guys, and if security on that server is not strong enough, getting in might just be a matter of time.

[Screenshot: PHP error message displayed by vars.php]

You see that the direct location of your files on the server is revealed: the PHP error message prints the full path to the file on disk. This makes the hacker’s job a bit lighter.

Proposed solution

My proposed solution is to ask the server to silence all errors. In other words, don’t show any errors on the screen. Let’s see how to do this in cPanel.

Log on to cPanel. Locate the “Software/Services” tab and click “php.ini Quick Config”.

On the page that follows, carefully locate “display_errors” and turn it off as shown on the image below:

Click “Save Changes” button at the bottom of the page.

You may now go back to check whether this works at http://yourdomainname.com/wp-includes/vars.php.

Vulnerability 2

In this leakage, you are openly showing the listing of your files to everyone who cares to look. Let’s see if your files are being revealed:

Paste the following link in your address bar. Of course, you have to replace the portion yourdomainname.com with your real domain name.

http://yourdomainname.com/wp-includes/

If you see a listing of your files, that means you’ve got work to do.

[Screenshot: directory listing of wp-includes]
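The two checks above (vulnerability 1 and vulnerability 2) can be automated. The following POSIX shell script is an added example, not part of the original post: it classifies an HTTP response as one of the two leaks or as protected, and the `scan_site` function fetches the two URLs from the post with `curl` for a base URL you give it. The sample response bodies at the bottom are constructed for the demo, not captured from any real site; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: classify a saved HTTP response
# for the two leaks described above. The sample bodies at the bottom are
# constructed, not captured from any real site.

# Drop HTML tags so PHP's HTML-formatted error output can be pattern-matched.
strip_tags() {
    printf '%s\n' "$1" | sed 's/<[^>]*>//g'
}

# Vulnerability 1: a PHP error/warning that embeds an absolute server path,
# e.g. "Fatal error: ... in /home/example/public_html/wp-includes/vars.php on line 25".
has_path_disclosure() {
    strip_tags "$1" | grep -Eiq '(warning|notice|fatal error|parse error).* in /[^ ]+\.php on line [0-9]+'
}

# Vulnerability 2: an auto-generated directory index page.
has_directory_listing() {
    printf '%s\n' "$1" | grep -Eiq '<title>Index of /|Parent Directory'
}

# classify STATUS BODY -> prints one verdict string.
classify() {
    c_status=$1
    c_body=$2
    if [ "$c_status" = "403" ]; then
        echo "protected:forbidden"          # what "No Indexing" in cPanel produces
    elif has_path_disclosure "$c_body"; then
        echo "leak:server-path"             # display_errors is still on
    elif has_directory_listing "$c_body"; then
        echo "leak:directory-listing"       # indexing still allowed
    elif [ -z "$(printf '%s' "$c_body" | tr -d '[:space:]')" ]; then
        echo "protected:blank"              # blank index.php, or errors hidden
    else
        echo "unknown"
    fi
}

# Live check (needs network; not exercised in the demo below), e.g.
#   scan_site https://yourdomainname.com      or   scan_site https://companyname.com/blog
scan_site() {
    base=${1%/}
    tmp=$(mktemp)
    for path in /wp-includes/vars.php /wp-includes/; do
        code=$(curl -s -o "$tmp" -w '%{http_code}' "$base$path")
        echo "$base$path -> $(classify "$code" "$(cat "$tmp")")"
    done
    rm -f "$tmp"
}

# Constructed sample responses (the line number is made up).
SAMPLE_ERROR='<br />
<b>Fatal error</b>:  Call to undefined function is_admin() in <b>/home/example/public_html/wp-includes/vars.php</b> on line <b>25</b><br />'
SAMPLE_LISTING='<html><head><title>Index of /wp-includes</title></head>
<body><h1>Index of /wp-includes</h1><a href="/">Parent Directory</a></body></html>'
SAMPLE_BLANK=''

if [ "${1:-}" = "demo" ]; then
    classify 200 "$SAMPLE_ERROR"       # leak:server-path
    classify 200 "$SAMPLE_LISTING"     # leak:directory-listing
    classify 200 "$SAMPLE_BLANK"       # protected:blank
    classify 403 '<h1>Forbidden</h1>'  # protected:forbidden
fi
```

Run it as `sh check_leaks.sh demo` to see the verdicts on the constructed samples, or source it and call `scan_site` against your own blog. A `protected:blank` verdict on `vars.php` means the script ran and its error was hidden, which is exactly the display_errors fix; a 403 on `wp-includes/` is the “No Indexing” result described below.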

Proposed solution

1 -> Create a blank index file (name it index.php) and upload it into this folder to disable directory listing. If you go by this solution, you will have to do this for every directory you want to protect. I propose you go by solution 2 below.

2 -> Locate the “Advanced” tab in your cPanel home page and click the “Index Manager” command:

[Screenshot: cPanel “Advanced” tab with the Index Manager command]

NB: Your cPanel skin may be different from mine. So expect some differences in design.

On the screen that follows, select the domain or folder you wish to protect by clicking the name (not the icon).

Finally, click the “No Indexing” option on the list as shown on the image below and click “Save”. This will make sure people do not see the files in your directory and sub-directories.

[Screenshot: Index Manager with “No Indexing” selected]

If you go back to your link to test this out, you are surely going to see “ERROR 403 – FORBIDDEN”. This is not sexy at all. In one of my subsequent posts, I’ll show you how to build and load your own error pages. Be sure therefore to join my list so you don’t miss it.

NB: In issue 1 above where you turned error displays to OFF, be sure to revert to ON if you want to debug online (and turn it back OFF as soon as you are done).

If following these steps is an issue to you, be sure to contact me so we can work a way out.
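Both cPanel fixes above end up as lines in a configuration file, so they can also be applied by hand on hosts that lack the Index Manager or the php.ini Quick Config page. The shell script below is an added example, not the post’s own procedure: it appends the `Options -Indexes` directive that “No Indexing” writes to `.htaccess`, and, only when you tell it PHP runs as an Apache module, the `php_flag` lines that match the display_errors change. On CGI/FastCGI hosts a `php_flag` line makes Apache answer every request with a 500 error, so those hosts get a `.user.ini` instead. File paths and function names are my own assumptions.

```sh
#!/bin/sh
# Added example, not the post's own procedure: apply the two fixes by editing
# configuration files directly. Each directive is appended only if not already
# present, so running the script twice is safe.
#
#   Options -Indexes             what cPanel's "No Indexing" writes (vulnerability 2)
#   php_flag display_errors Off  same effect as the php.ini change (vulnerability 1),
#                                valid ONLY when PHP runs as an Apache module (mod_php);
#                                on CGI/FastCGI hosts Apache rejects it with a 500 error,
#                                so those hosts use .user.ini instead (write_user_ini).

# append_once FILE LINE: add LINE to FILE unless an identical line exists.
append_once() {
    [ -f "$1" ] || : > "$1"
    grep -Fxq "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# harden_htaccess FILE [mod_php]: disable directory listing; with the second
# argument "mod_php", also hide errors on screen and keep them in the error log.
harden_htaccess() {
    append_once "$1" 'Options -Indexes'
    if [ "${2:-}" = "mod_php" ]; then
        append_once "$1" 'php_flag display_errors Off'
        append_once "$1" 'php_flag log_errors On'
    fi
}

# write_user_ini FILE: per-directory PHP settings honoured by CGI/FastCGI PHP
# (PHP 5.3 and later); place the file as .user.ini in the WordPress root.
write_user_ini() {
    append_once "$1" 'display_errors = Off'
    append_once "$1" 'log_errors = On'
}

# Checks to run after editing (exit status 0 = setting present).
indexing_disabled() {
    grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}
display_errors_off() {
    grep -Eiq '^[[:space:]]*(php_flag[[:space:]]+display_errors[[:space:]]+off|display_errors[[:space:]]*=[[:space:]]*off)' "$1"
}

# Usage: work on a copy, compare, then move it into place.
#   cp public_html/.htaccess /tmp/htaccess.new
#   harden_htaccess /tmp/htaccess.new mod_php
#   diff public_html/.htaccess /tmp/htaccess.new
```

Two caveats worth knowing: `Options -Indexes` only takes effect if the host’s Apache configuration has `AllowOverride Options` (otherwise the site returns a 500 until the line is removed), and `log_errors On` is what keeps the error messages available for debugging in the server log after you have hidden them from the screen.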

Let me hear from you in the comment below if this post has helped you in any way. Do also share this on social media so others may get to know about it 😉

Mark - April 22, 2014

Bravo Enstine!

Thank goodness there are coaches and mentors out here (such as yourself!) that care enough to share this truly eye opening type of content so freely!

And alerting the unsuspecting such as myself, why you definitely have to remain a full time student! Or else your business and livelihood could most certainly be harmed! Thank you so much for sharing this extremely valuable content! And will most certainly pass it on!
Mark recently posted… Blogging For Money: Three Things You’d Better Consider First!

Reply
tony greene - February 14, 2014

I checked my own site with both vulnerabilities active and inactive. Nothing seemed to happen. So, I think the htaccess and other steps I’ve taken from my host have helped me quite a bit.

Thanks for making me aware of this.

Reply
11 ways to secure a website from hackers - Blog and SEO Consultant - February 4, 2014

[…] to Enstine Muki for sharing these important website security tips; According to Enstine on how to secure a website, he shared two important factors that your server […]

Reply
Kharim Tomlinson - February 4, 2014

Hey Enstine,

Thanks for the fix pal. Did those 2 steps on my blog.
Kharim Tomlinson recently posted… Should You Through Guest Blogging Out The Door?

Reply
Kingsley - February 1, 2014

Thanks for this great post, however I can’t find the php.ini file in my cPanel, and for the second one I am being redirected to a 404 error page.
Kingsley recently posted… 10 Tips For Finding Instant Chronic Back Pain Relief

Reply
Steve West - January 31, 2014

Wow, I’m so glad I read this, didn’t realise I was so exposed!

Thanks for sharing Enstine, this post will no doubt be saving many bloggers a lot of hassle with hackers!

Yep will defo be sharing this post on social media, all bloggers need to read this!

Have a great weekend Enstine!

Reply
    Enstine Muki - January 31, 2014

    Wow Steve, I’m so excited and thankful to you and so many others that have helped in spreading the word. Thanks and thanks for sharing 😉
    Enstine Muki recently posted… How To Make Money With Google HelpOuts

    Reply
      Steve West - January 31, 2014

      Well the thanks is really to you, a post like this really helps everyone out!

      You’re doing so well with your blog too, so many people commenting and interacting here… You are an inspiration Enstine!

      Best, Steve

      Reply
Steven J Wilson - January 31, 2014

Wow Enstine,

These are new to me. I will do these myself sooner than later. It’s unfortunate that with all the software etc that we use that a simple addition to our URL can show potential weaknesses.

I have to share this and have a post on a similar subject coming up and will have to mention this on it.

Awesome post! Extremely helpful and clear to understand! Take care Enstine

Reply
Efoghor Joseph Ezie - January 30, 2014

Enstine, thanks for posting this at a time when several WordPress blogs are being hacked daily.

I took time to go through my sites and discovered that almost all of them were actually vulnerable in this regard. I have fixed the problems following your guide and hope I won’t be facing many security threats for now.

Our duty is to remain alert and whenever there are new threats, we get them fixed immediately to keep our sites healthy and safe for us and our visitors.

Thanks once again for this post. Do have a pleasant day.
Efoghor Joseph Ezie recently posted… Blog Commenting – Misconception About Driving Massive Traffic

Reply
Larry Rivera - January 29, 2014

This post hits close to home. I recently had my server hacked and all my wordpress installations were compromised.

We recently did a post showing step-by-step how we secured our WordPress installations. Thanks for sharing, this post was very helpful.

Reply
Jeevan John - January 29, 2014

Awesome tips, Enstine 🙂

I can’t perform the first solution since I don’t have PHP.ini quick config option (there is a configuration page, but that’s only for reference. They are saying that only server admin can change the options).

As for the second option, well I am working on that (I see that your latest post is about customizing the 403 page – I can do both of these right now :D).

Thank you for these tips, Enstine! I do appreciate the help 🙂

Reply
James - January 29, 2014

Hi Enstine,

Thanks for this info. You are a great asset to the community.

I’m hosting with synthesis, though expensive at close to 30usd per month; but their security features are tight, I don’t have such issues.

Do have a pleasant day.
James recently posted… 7 tips and free tools on how to check for duplicate content

Reply
Stuart Davidson - January 28, 2014

Wow thanks – I had no idea about these leaks. After checking my hosting, I fixed #1 but #2 was already set to forbidden.

Thanks for the tips!

Reply
Manivannan - January 28, 2014

Hi Enstine,

Thanks for the tips, It really helped me. Great Post 🙂

Reply
Kharim Tomlinson - January 28, 2014

Hey Enstine
The good news is that my blog is not showing any critical information. I checked it by following the link which you mentioned above, changing the link to my blog domain.
Thanks for sharing this info with us. 😀

Reply
Dk Patel - January 28, 2014

Nice post Muki, and I have also applied it on my website, but it is showing ERROR 403 – Forbidden. How do I deal with it? Will it affect my site in any way?

Reply
Dk Patrl - January 28, 2014

Thanks for this nice post. Since my site has been subject to too many hacking attempts, your article is the best described, but I don’t know how to do it on a GoDaddy server.

Reply
Tchouken - January 27, 2014

Nice!
I checked it and I was surprised to have been so vulnerable and not to be aware of it. Furthermore I checked it on popular blogs on the web, and didn’t notice the vulnerability. I sometimes wonder why they are leaving all these set to make web pages more vulnerable, when they can make it a bit more safe at no cost.
Thanks for the post.

Reply
Sunday - January 27, 2014

Hi Enstine,
Thanks for sharing these tips. I discovered that my blog is at risk from vulnerability 2. I have followed your guide and obtained the expected results. However, one needs to take time to study this PHP indexing well so as to increase the safety measures on a post.

I have shared the above comment in the content syndication, aggregation, and social bookmarking website – kingged.com – where this post was found.

Sunday – kingged.com contributor

http://kingged.com/warning-your-blog-at-risk-again-did-you-know-this/

Reply
The Funster - January 27, 2014

Enstine,
Thanks so much. I implemented your suggestions and everything worked as you said it would. If I encounter any issues with my website, I will let you know. Thanks again for the great security tip.
On a separate note, is there a way to lock down the wp-admin login dialog box? this would be helpful as well.
Thanks again
The Funster recently posted… Angry Birds Air Swimmers Review!

Reply
Adrienne - January 27, 2014

These are great tips Enstine, but wouldn’t it just be best to change the names of the tables and then they wouldn’t be able to access them at all? I know that might be a little more confusing to do, but hackers will assume everything starts with wp_, which it does, so just change that name and you’re good to go.

I would love to learn how to create a nicer looking 403 error page because you’re right, that one is just ugly.

Thanks for this great information, I learned something new today. Didn’t know you could do that.

~Adrienne
Adrienne recently posted… How Bloggers Help Bloggers Increase Their Incomes

Reply
    Enstine Muki - January 27, 2014

    Hey Adrienne,
    I think real security has to go with securing the files and the database. I use Better WP Security, which is quite strong and helps me change the table prefix and even rename some key directories.

    However, we have to be careful not to let hackers know exactly where which files are found and what the root directory of our blog is. They may use this to re-orientate their attacks.

    Yes, I’m working on another post to clearly show us how to customize those error pages. You surely will be informed as soon as that one is published.

    Do have a wonderful week and thanks for making it a date with us today here at EnstineMuki.com
    Enstine Muki recently posted… How to use Facebook Post Boost for dead cheap targeted traffic

    Reply
Maricel Rivera - January 27, 2014

My second attempt to comment today, Enstine. Hope this pushes through now. 🙂

I was trying to say that if it were not for the likes of you alerting people on the possible vulnerabilities of their sites, a lot of us wouldn’t have probably known. So thanks for this wonderful post.

Cheers,
Maricel
Maricel Rivera recently posted… Mentoring Session with Sophie Lizard, the Force behind BAFB

Reply
    Enstine Muki - January 27, 2014

    Hey Maricel,
    Yess it went through this time! Some weird issues at times 😉

    Thanks for making an encouraging point in this comment. BTW, I have been seeing you around facebook these days
    Hope all is well
    Enstine Muki recently posted… Make money commenting on Kingged.com

    Reply
      Maricel Rivera - January 27, 2014

      Hello, Enstine,

      Haven’t had the time to do FB much these days, but I visit for a few minutes or so every now and then. There aren’t any issues whatsoever, just that some things have to be done.

      By the way, I was on incognito when I first tried commenting. I realized that when you told me to clear my cache. 😉

      Reply
Qasim - January 27, 2014

Hi Enstine,

I just checked and found my web host is not allowing access to those files, so they have already taken care of this. Thank you so much for sharing about it and creating awareness. Appreciate it.
Qasim recently posted… The Ultimate Guide to get more blog traffic (29 Tips inside)

Reply
Vernessa Taylor - January 27, 2014

Hi Enstine! There are so many things to do to keep a WordPress install safe. Happy to say on your #1, my site returns a blank page, not exposing server info. I don’t use cPanel but did this at the server level when I set up my VPS.

On #2, for many directories I have an index.php file, but not for this particular one you pointed out. Thank you! I thought WP shipped with blank index files for the directories that needed it. Time to audit the installs and correct this. Good looking out!

[Arrived at this post from Kingged.com, the blog sharing community.]

Reply
    Enstine Muki - January 27, 2014

    Hey Vernessa,
    Good to see you here and thanks for linking up from kingged 😉

    Good to know you are safe at point #1

    For point #2, you may not be able to have that blank index page in all the directories on your blog. Applying no indexing on the root directory will auto protect the subs. I’m sure you can figure that out 😉

    Do have a wonderful week and hope to see you again here, on kingged or on your blog for more engagement 😉
    Enstine Muki recently posted… How to use Facebook Post Boost for dead cheap targeted traffic

    Reply
Phillip Dews - January 27, 2014

That was brilliant Enstine, thanks for the heads up buddy!
Although not for the faint-hearted, this is a quick and easy fix! Took me 2 mins, so thanks dude, I have closed all my open doors now!

Keep up the great work dude!
-Phillip

Reply
    Enstine Muki - January 27, 2014

    Hey Phillip,
    Thanks for the engagement on BlogEngage and for the comment here. It’s really encouraging to see that you are helping others grow. What a great thing to have you as a friend.

    I’m sure to come up with many more helpful tips. Be sure to be on my list so you don’t miss a thing.
    Enstine Muki recently posted… How To Make Money With Google HelpOuts

    Reply
Ankit Kumar Singla - January 27, 2014

Hello Sir,

Your post title forced me to read this post.
When I checked, I found Vulnerability 1 in my blog and now I have fixed that.

Thank you so much for providing the solution.
Ankit Kumar Singla recently posted… Appendipity Themes Review: Premium WordPress Genesis Child Themes

Reply
latarani - January 27, 2014

Really awesome article, sir. One of my blogs would not open; Google Chrome said it contained malware. Some of the worst and well-known hackers put malware in your blog so it harms your computer. I was shocked. A short while ago Google took action on hacking: it gives 17 crore rupees to hackers who hack Chrome OS. Right now this is the right article.

Reply
Sunil Pandey - January 27, 2014

Hi ,

Thanks for the great share !. But I have hosted my site on Blogger.com. Is there any suggestion for security for blogger.com hosted site??

Let me suggest please.

Thanks !!!

Reply
    Enstine Muki - January 27, 2014

    Hi Sunil,

    While I have never blogged on that platform before, I think security is less of an issue there. However, it will be a good thing to Google for known security points and be sure to get them sorted out at your level.

    Do have a nice week and thanks for stopping by
    Enstine Muki recently posted… January $150 Paypal Cash Giveaway!

    Reply
Robert Singh - January 27, 2014

Wonderful post,

I really don’t know about this. I think I’m gonna need to check this out for my blog. Hope to follow the instructions as mentioned.

Thanks

Reply
Cararta - January 27, 2014

Hi Ernstine,

Thanks for the warning and the useful checker!

My blog was O.K., but another site I have was not.

The difference? On the good one I have Bullet Proof Security installed… a free WordPress plugin that I think even works with GoDaddy… and I also combine it with a paid plugin I use.

To me Bullet Proof has a learning curve and you could end up with some great articles explaining its ins and outs! They do have a tutorial and instructions for setting up, but you must do the set up or it won’t work. They have a paid version, but I still use the free…which they support.

If anyone wants a link to the paid plugin I use, they can contact me on Facebook at my InternetMoneyStore…will post the link there so I don’t spam anyone here! Since I also use WP Super Cache it is sometimes hard to find plugins that will live in harmony with it.
Saved your “testers” which are very handy indeed. Thank you for the share.
C.
Cararta recently posted… Copy Writing Skills

Reply
shiwangi shrivastava - January 27, 2014

Hi Einstine,

Before your knowledge provider post I was unaware of these vulnerabilities. I awe the solution of these vulnerable attacks on the sites. Soon I will try to rectify.

Thanks for your valuable sharing.
shiwangi shrivastava recently posted… 5 Tips of income your self-esteem through writing

Reply
Aahna - January 27, 2014

Hi Enstine,

I’m sure not many bloggers would be aware of these security issues, I have few WordPress blogs and certainly going to look out these issues there and will correct them quickly. Thanks a lot for revealing these security holes.

Reply
Akaahan Terungwa - January 27, 2014

Hello Enstine,

Thanks a million for these two tips. While I have secured my site via other several means, I feel that there is nothing like ‘too much security’. I shall implement the changes and get back to leave a feedback.

Always,
Terungwa

Reply
David - January 27, 2014

Hi Enstine Muki,
I would like to thank you for sharing this information. I am a new blogger and I have heard this kind of news, so I was pretty much worried about my blogs. This information helps me.

Reply
Erik Emanuelli - January 27, 2014

Hi Enstine,
really really useful!
Thank you so much!

I had both security issues on my sites, so I have followed your instructions and it worked.
Now I guess I made one step forward to better secure my blogs.

I have subscribed to not miss next posts! 😉
Also, shared on Twitter.

Thanks for the tips, Enstine.
Have a fantastic week. 🙂
Erik Emanuelli recently posted… Dofollow Forums List To Increase Backlinks And Traffic

Reply
suklambar - January 27, 2014

Hi Enstine, thanks for giving knowledge of these security tips. I can make my blog safer using that. Keep sharing . . .
suklambar recently posted… Benefits of using Social media for Business

Reply
Adithya Shetty - January 27, 2014

Hi Enstine,
Very informative post on WordPress security!
Many people think having a strong password is enough to secure their blog, but no!
I checked for both Vulnerabilities; luckily it’s protected!
I think Bulletproof Security plugin is best to protect our blog from these types of Vulnerabilities!
Thanks for sharing!

Reply
Nwosu Desmond - January 27, 2014

I am glad to find out I had secured my blog from these vulnerabilities even before I read this article. There are so many ways a blog can be vulnerable to hackers, and the one that seems most dangerous is directory browsing, because an outsider can take advantage of this to hack your site. I actually protected against directory browsing from my .htaccess file placed on every directory level.
Nwosu Desmond recently posted… Private Search Engines that respect your Privacy

Reply
metz - January 27, 2014

The other day, I have read on one blog that your blog will be at risk if you are sharing a post created by others without asking their permission. They have the power to report you to Google and pretty sure no one wants to be in that situation.

Anyway, nice post Enstine!

I found this post shared on Kingged.com, the Internet marketing social networking site, and I “kingged” it and left this comment.

Reply
Naveen - January 27, 2014

Most of us don’t care about the back end of blogging; you’ve explained the vulnerabilities and how to solve them in a step-by-step post. Thanks, will check and rectify it.
Naveen recently posted… Top 20 Bootstrap Responsive WordPress Themes 2014

Reply
Harleena Singh - January 27, 2014

Hi Enstine,

Thanks so much for the heads up and for providing the solutions that made my blog safer! I’d have never known this if you hadn’t had this post.

I had both the vulnerabilities that you mentioned, and I followed the steps that you suggested. It was easy and I guess my blog is more secure now. These might appear to be little or insignificant problems, but I understand that those who’re bent on evil doing can leverage such information and create ruckus.

However, I do have a question about the “no indexing” option for the vulnerability 2. I had read somewhere that you can put a code in the .htaccess file that can automatically create a blank index file for all the directories or folders. I have this code and I wonder why the files still showed when I tested for the vulnerability 2?

Thanks so much for this crucial information and I’m sure almost everybody needs to work on it.

Do have a great week ahead! 🙂
Harleena Singh recently posted… Get Online Help for Your Problems at Aha!NOW

Reply
    Enstine Muki - January 27, 2014

    Hi Harleena,

    I’m glad this short tut was helpful 😉

    As a matter of fact, I have read that adding the line “Options -Indexes” without quotes, to your .htaccess file should do the job. That’s exactly what I find on mine after going the cPanel way. I’m sure the cPanel procedure is to modify the .htaccess file.

    Why you didn’t get it to work initially is what I don’t know – Maybe you got a different piece of code we may want to see here.

    However, I can see that you got it working. Watch out for my next post on how to deal with the ERROR 403 – FORBIDDEN and other error codes.

    Do have a wonderful week ahead
    Enstine Muki recently posted… How To Make Money With Google HelpOuts

    Reply
Perambur Kumar - January 27, 2014

Hi Enstine,
Wonderful post. But I tried the first option.
I also unchecked that display_errors – set it to “off” – but it is still showing. I also clicked “Save Changes”. I don’t know what to do now. Can you suggest another option for this?
http://yourdomainname.com/wp-includes/vars.php
Perambur Kumar recently posted… How to Select the Best WordPress Themes

Reply
Chitraparna Sinha - January 27, 2014

Hi Enstine,

Thanks for this post. I didn’t know about these vulnerabilities. I checked a few of my blogs and some did have this error, especially the second one, and I made the changes to secure them.

For some, I am using GoDaddy hosting and I am not able to locate the php.ini file. I searched online and it said GoDaddy doesn’t allow access. I don’t know for sure. Do you have any idea?

Reply
