If your website has been hacked, how was it chosen?
The first thing that happens is that a security flaw is found in WordPress. WordPress releases updates throughout the year as security holes are found, so it is important to keep your WordPress installation up to date with the latest release.
Once a flaw is found, a script is written to take advantage of the flaw.
Next a search is done to compile a list of sites running the software. For instance, if you use ‘Acme photo content management’ and a flaw is found in the file acme.php, then a search is done for acme.php. The site list is compiled by a bot and all the sites are attacked over a very short time. Or a Perl script is run across many websites looking for vulnerable programs. (See RFI vulnerability scanner)
One way to help keep your site off the list is to keep those files out of Google and the other search engines. Use your robots.txt file and disallow all directories the public does not see. For WordPress, disallow /wp-admin and /wp-content/plugins. Go through your website and disallow in robots.txt every directory that is not meant for public viewing.
For WordPress I disallow:
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
Disallow: /wp-app.php
Disallow: /wp-atom.php
Disallow: /wp-blog-header.php
Disallow: /wp-comments-post.php
Disallow: /wp-config-sample.php
Disallow: /wp-config.php
Disallow: /wp-cron.php
Disallow: /wp-feed.php
Disallow: /wp-login.php
Disallow: /wp-links-opml.php
Disallow: /wp-mail.php
Disallow: /wp-pass.php
Disallow: /wp-rdf.php
Disallow: /wp-register.php
Disallow: /wp-rss.php
Disallow: /wp-rss2.php
Disallow: /wp-settings.php
Disallow: /wp-trackback.php
Disallow: /xmlrpc.php
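Two things are worth checking before relying on a robots.txt like the one above. First, every Disallow path has to start with a "/": a line such as "Disallow: wp-login.php" never matches "/wp-login.php", so the file you think is hidden stays crawlable. Second, robots.txt is advisory, not an access control: well-behaved crawlers honour it, a vulnerability scanner does not, and the file itself is public. (Hiding /wp-includes and /wp-content/themes can also keep Google from fetching the CSS and JavaScript it uses to render your pages.) The script below is an added example, not code from this post; it uses Python's standard urllib.robotparser on a constructed copy of the rules, with example.com as a placeholder host, to confirm that the private paths are blocked and the public ones are not.

```python
from urllib import robotparser

# Constructed copy of the rules from this post (with the leading "/" each
# path needs). example.com is a placeholder host, not a real site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
Disallow: /wp-login.php
Disallow: /wp-config.php
Disallow: /xmlrpc.php
"""

# The same idea written the wrong way round: no leading slash on the path.
ROBOTS_TXT_NO_SLASH = """\
User-agent: *
Disallow: wp-login.php
"""


def build_parser(text: str) -> robotparser.RobotFileParser:
    """Parse robots.txt text in memory; nothing is fetched over the network."""
    rp = robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def is_allowed(text: str, path: str, agent: str = "*") -> bool:
    """True if a crawler identifying as `agent` may fetch `path` under these rules."""
    return build_parser(text).can_fetch(agent, "https://example.com" + path)


def audit(text: str, must_block, must_allow):
    """Return two lists: private paths that are still crawlable, and public
    paths that the rules hide by mistake. Both empty means the file matches intent."""
    leaks = [p for p in must_block if is_allowed(text, p)]
    overblocked = [p for p in must_allow if not is_allowed(text, p)]
    return leaks, overblocked


if __name__ == "__main__":
    leaks, over = audit(
        ROBOTS_TXT,
        must_block=["/wp-admin/", "/wp-login.php", "/xmlrpc.php",
                    "/wp-content/plugins/acme/acme.php"],
        must_allow=["/", "/2011/05/hello-world/", "/wp-content/uploads/photo.jpg"],
    )
    print("private paths still crawlable:", leaks)
    print("public paths hidden by mistake:", over)
    # Without the slash the rule never matches, so the login page stays crawlable.
    print("slashless rule blocks /wp-login.php?",
          not is_allowed(ROBOTS_TXT_NO_SLASH, "/wp-login.php"))
```

Run it after each robots.txt change and extend must_block with any directory you add; an empty pair of lists means the file says what you meant.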
Go through your logs, and if you see robots crawling your site that you don't recognize, find out who they are. If you still can't identify them, ban them using your .htaccess file.
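The log review above is easier with a small script than by eye. The one below is an added example, not code from this post: it parses constructed Apache "combined" log lines (addresses from the RFC 5737 documentation ranges, made-up user agents), groups requests by client address and user agent, and flags agents that either announce themselves as a bot, crawler or spider without being in a list of crawlers you recognize, or that behave like a flaw scanner, hitting files that do not exist and collecting mostly 404s while hiding behind a browser user agent. For the flagged addresses it prints a block in Apache 2.4 "Require" syntax to paste into .htaccess; that syntax, the KNOWN_CRAWLERS list and the thresholds are assumptions to adjust for your own site, and a crawler claiming to be Googlebot should be confirmed by reverse DNS before you trust the name.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format. 192.0.2.x, 198.51.100.x and
# 203.0.113.x are RFC 5737 documentation addresses; the agents are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2011:08:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [10/May/2011:08:01:05 +0000] "GET /2011/05/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [10/May/2011:08:03:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
203.0.113.5 - - [10/May/2011:08:03:52 +0000] "GET /2011/05/hello-world/ HTTP/1.1" 200 8120 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
198.51.100.7 - - [10/May/2011:08:02:11 +0000] "GET /acme.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [10/May/2011:08:02:12 +0000] "GET /wp-content/plugins/acme/acme.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [10/May/2011:08:02:12 +0000] "GET /cgi-bin/acme.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [10/May/2011:08:02:13 +0000] "GET /wp-login.php HTTP/1.1" 200 1890 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.44 - - [10/May/2011:08:05:01 +0000] "GET /robots.txt HTTP/1.1" 200 400 "-" "AcmeCrawler/1.0 (+http://crawler.example/info)"
203.0.113.44 - - [10/May/2011:08:05:02 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 300 "-" "AcmeCrawler/1.0 (+http://crawler.example/info)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumption: crawlers this site owner recognizes (substring match on the agent).
KNOWN_CRAWLERS = ("Googlebot", "bingbot", "Slurp")
# Assumption: tokens that mark an agent as self-declared automation.
BOT_TOKENS = ("bot", "crawler", "spider", "scan", "libwww", "curl", "python")


def parse_log(text):
    """Return one dict per well-formed combined-format line."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def summarize_agents(hits):
    """Group by (client IP, user agent): request count and how many were 404s."""
    summary = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set()})
    for h in hits:
        s = summary[(h["ip"], h["ua"])]
        s["requests"] += 1
        s["not_found"] += h["status"] == "404"
        s["paths"].add(h["path"])
    return summary


def looks_automated(ua):
    ua_l = ua.lower()
    return any(tok in ua_l for tok in BOT_TOKENS)


def unknown_robots(hits, min_requests=3):
    """[(ip, ua, requests)] for agents you did not recognize: self-declared bots
    not in KNOWN_CRAWLERS, or clients whose requests are at least half 404s
    (probing for files that are not there, as a flaw scanner does)."""
    flagged = []
    for (ip, ua), s in summarize_agents(hits).items():
        if any(name in ua for name in KNOWN_CRAWLERS):
            continue
        probing = s["requests"] >= min_requests and 2 * s["not_found"] >= s["requests"]
        if looks_automated(ua) or probing:
            flagged.append((ip, ua, s["requests"]))
    return sorted(flagged)


def htaccess_block(ips):
    """Apache 2.4 'Require' syntax (assumed; 2.2 hosts use Order/Deny instead)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(set(ips))]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = unknown_robots(parse_log(SAMPLE_LOG))
    for ip, ua, n in flagged:
        print(f"{ip:15} {n:3} requests  {ua}")
    print(htaccess_block(ip for ip, _, _ in flagged))
```

The 404-ratio rule is what catches the scanner in the sample: it sends a browser user agent, so no name-based check would notice it, but three of its four requests are for files the site never had.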
Next you want to check each directory on your website. If a directory does not have an index.html file, then when someone enters that directory's URL in a browser, the web server lists all the files in that directory.
You can prevent this by creating an index.html file and placing it in every directory that does not already have one. You can have it say ‘You should not be here’. Yours could include a link back to the home page of the site or anything else you'd like. This keeps prying eyes out of places they should not be.
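On a site with dozens of upload and plugin directories, walking them by hand misses some, so here is an added example (not code from this post) that does the check and the fix from the two paragraphs above: it lists every directory under a web root that has no index file and drops the placeholder page into each one, never overwriting anything. The set of file names that count as an index (index.html, index.htm, index.php) is an assumption matching a typical Apache DirectoryIndex; WordPress already ships an index.php in some of its own directories, which the walker respects. The demo builds a constructed WordPress-like tree in a temporary directory so it runs anywhere. The server-level alternative, Options -Indexes in an Apache .htaccess, switches listings off for the whole tree at once; the placeholder files are still useful on hosts that do not let you set it.

```python
import os
import tempfile

# Assumption: any of these stops a listing (typical Apache DirectoryIndex).
INDEX_NAMES = ("index.html", "index.htm", "index.php")

# The placeholder page from the post, with a link back to the home page.
PLACEHOLDER = ('<!DOCTYPE html><html><body><p>You should not be here. '
               '<a href="/">Home</a></p></body></html>\n')


def find_unprotected_dirs(root):
    """Relative paths (with '/' separators) of every directory under root
    that contains none of INDEX_NAMES."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        if not any(name in filenames for name in INDEX_NAMES):
            missing.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return sorted(missing)


def add_placeholder_indexes(root, body=PLACEHOLDER):
    """Write index.html into each unprotected directory; returns what was created."""
    created = []
    for rel in find_unprotected_dirs(root):
        target = os.path.join(root, *rel.split("/"), "index.html")
        with open(target, "x", encoding="utf-8") as fh:  # 'x': never overwrite
            fh.write(body)
        created.append(rel)
    return created


def demo():
    """Constructed WordPress-like tree: returns (missing before, created, missing after)."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "index.php": "<?php // front controller\n",
            "wp-content/uploads/2011/05/photo.jpg": "",
            "wp-content/plugins/acme/acme.php": "<?php\n",
            "wp-content/plugins/index.php": "<?php // Silence is golden.\n",
            "wp-content/themes/twentyten/style.css": "",
        }
        for rel, content in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        before = find_unprotected_dirs(root)
        created = add_placeholder_indexes(root)
        after = find_unprotected_dirs(root)
        return before, created, after


if __name__ == "__main__":
    before, created, after = demo()
    print("unprotected before:", before)
    print("placeholders written:", created)
    print("unprotected after:", after)
```

To use it on a real site, call find_unprotected_dirs on the document root first and read the list; then run add_placeholder_indexes once you are happy that none of those directories is meant to be browsable.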

