This morning, while I was sipping my morning coffee, my WordPress-based website was subjected to a SQL-injection attack attempt. For those of you who are saying, “Huh?” WordPress uses a MySQL database to store the actual data that makes up your WordPress blog or site, including the contents of posts and pages, user names and passwords, configuration settings, and so on.
One of the ways that hackers try to compromise your WordPress installation is to visit your website with special code (fragments of SQL) appended to the end of the URL, usually inside a query-string parameter, to see whether that code gets passed through to the database so they can add, update or retrieve data. This is known as a SQL-injection attack, and it is one of the hazards of life on the web.
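To show why code appended to a URL can end up running against the database, here is an added example (not code from the original post or from WordPress itself) that builds the same lookup two ways: once by pasting the user-supplied value into the SQL text, and once with a parameterized query. The table, the rows and the hash strings are constructed stand-ins, and sqlite3 is used in place of MySQL so the example runs offline.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a WordPress users table (sample rows, not real hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)",
        [("editor", "$P$constructed_hash_1"), ("admin", "$P$constructed_hash_2")],
    )
    return conn


def lookup_vulnerable(conn, user_login):
    """Builds the SQL by string concatenation, so whatever arrives in the URL
    becomes part of the query text and can change what the query means."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = '" + user_login + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_login):
    """Parameterized query: the value is bound as data by the driver and is
    compared literally, quotes and all, so it can never alter the SQL."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = ?"
    return [row[0] for row in conn.execute(sql, (user_login,))]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # the classic textbook input: a quote plus an always-true clause
    print("vulnerable:", lookup_vulnerable(db, crafted))  # returns every row
    print("safe:      ", lookup_safe(db, crafted))        # returns nothing: no such login
```

In WordPress plugin or theme code the equivalent of the second form is `$wpdb->prepare()`, which binds values the same way; the hardening steps below reduce the damage when some plugin has used the first form.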
In this particular case, this hacker was trying to access my admin password (I’ll get to how I know this in a bit), presumably so that they could then log in and wreak havoc with my content, or modify the code in my site files and compromise the security of my site visitors.
Fortunately, because I had set up security precautions with my site, the attack was not successful, and I thought I should share the reasons why so that others who use WordPress can likewise protect themselves. These tips are in no particular order.
- When I set up my WordPress installation, I chose a non-default prefix for my database table names instead of the standard wp_ prefix. So, when the hacker tried to access the table wp_users, he (or she!) didn’t succeed, because a table with that name doesn’t exist in my database.
- I moved my configuration file above the web root of my server. WP will still work if you move your wp-config.php file one level up from the directory where you’re running WordPress. So, you can only move it above the web root, and away from public access, if you’re running WordPress in the root directory of your site (instead of in a domain.com/blog subfolder, for instance). Depending on your setup, you may need to ask your host to assist you with doing this.
- I deleted the default admin user account.
- I password-protected my admin folder at the .htaccess level, with a different username and password from the one I use to access the dashboard. Each password is unique and strong, consisting of a mix of upper- and lower-case letters, numbers and symbols.
- I use the Secure WordPress plugin.
- I use the WordPress FireWall plugin. This is how I know there was an attack on my site, and how I know what the nature of the attack was. Thanks to this plugin, I received several email notifications this morning advising me of the attack, enabling me to immediately check my database and files to verify that no changes had been made to either.
- I update WordPress and my plugins regularly. Updating is now so easy, there’s no reason not to do it!
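The firewall plugin mentioned above alerted on the attempt by inspecting incoming requests. As an added example, not code from the original post or from any of the plugins it names, the following script applies the same idea to a web server access log after the fact: it decodes each request's query string, flags SQL keywords that have no business in a URL, and, when the site uses a non-default table prefix, also flags any request that names a default wp_ table (such requests can only be probes, since no such table exists). The log lines, addresses and request paths are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache combined-log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:08:12:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2011:08:12:03 +0000] "GET /?p=12%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2011:08:13:10 +0000] "GET /about/ HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2011:08:13:44 +0000] "GET /index.php?cat=1%20OR%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic: constructs that are characteristic of injection and rare in legitimate query strings.
SQLI_RE = re.compile(
    r"(\bunion\s+(all\s+)?select\b|\bor\s+\d+\s*=\s*\d+|'\s*or\s*'|\bselect\b.*?\bfrom\b)",
    re.IGNORECASE,
)
# Default-prefix WordPress tables; only meaningful to flag if the site uses another prefix.
DEFAULT_TABLE_RE = re.compile(r"\bwp_(users|usermeta|options|posts)\b", re.IGNORECASE)


def scan_log(text, table_prefix="wp_"):
    """Return one alert dict per suspicious request: who, when, the decoded query and why."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Attackers URL-encode payloads; decode before matching so %27 / %20 don't hide them.
        query = unquote_plus(urlsplit(m["url"]).query)
        reasons = []
        if SQLI_RE.search(query):
            reasons.append("sql keywords in query string")
        if table_prefix != "wp_" and DEFAULT_TABLE_RE.search(query):
            reasons.append("references default wp_ table name")
        if reasons:
            alerts.append({"ip": m["ip"], "time": m["time"], "query": query, "reasons": reasons})
    return alerts


def attempts_per_ip(alerts):
    """Count flagged requests per source address, the figure you'd want in a notification."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, table_prefix="mysite_")  # "mysite_" is an assumed custom prefix
    for a in found:
        print(a["time"], a["ip"], a["query"], "->", "; ".join(a["reasons"]))
    print(attempts_per_ip(found))
```

The table-prefix check is the log-side counterpart of the first tip above: once the prefix is not wp_, any request mentioning wp_users is by definition not a legitimate visitor, which makes it a high-confidence signal worth an alert rather than a pattern match you have to tune.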