We’ve recently been plagued with a number of hacking and spamming events caused by WordPress installations. Or, more accurately, out-of-date WordPress installations.
As great a piece of software as WordPress is, if it’s not kept up-to-date with the latest releases and security patches then it becomes a magnet for even the most amateur hacker. Scripts such as xmlrpc.php can be easily manipulated to send out large amounts of spam. You may not think this is an issue for you personally but if just one of those spam messages hits a spam trap, then the server’s IP address is blacklisted and other users will find they’re unable to send mail.
We’re not having a go at WordPress here. It’s a great piece of software and there’s a reason it’s the world’s most popular blogging platform. However, you cannot simply install it and forget about it. It MUST be kept up-to-date. This issue is not restricted to WordPress, of course – it affects any PHP software running on your server – WordPress is just more of a target due to the volume of installations out there.
There are many tools freely available that can ‘lock down’ your WordPress installation – one we’ve played with ourselves is:
It’s a WordPress plugin that’s available free, very easy to install, and provides a run-down of the things you should do once you’ve installed WordPress (such as disabling the dreaded xmlrpc.php!).
There are server-wide settings we can employ that will help stop some of these attacks; however, they also restrict genuine functionality, which then causes more issues.
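Before reaching for a server-wide block on xmlrpc.php (which also cuts off legitimate clients such as the WordPress mobile apps), it helps to know which site and which caller are actually generating the traffic. The script below is an added example written for this post, not code from WordPress or from any plugin: it reads combined-format access log lines (the sample lines are constructed, not real traffic) and counts successful POSTs to xmlrpc.php per client IP and per site path, so the offending installation can be updated or locked down individually.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format, e.g.:
# 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines so the script runs stand-alone (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 371 "-" "wp-android/21"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "POST /shop/xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""


def xmlrpc_posts_by_ip(log_text):
    """Count successful (2xx) POSTs to any site's xmlrpc.php, keyed by (client IP, path).

    Blocked requests (403 etc.) are ignored: they did not reach WordPress.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if (m["method"] == "POST"
                and m["path"].endswith("/xmlrpc.php")
                and m["status"].startswith("2")):
            counts[(m["ip"], m["path"])] += 1
    return counts


def flag_abusers(counts, threshold=3):
    """Return (ip, path, count) tuples at or above threshold, busiest first."""
    hits = [(ip, path, n) for (ip, path), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for ip, path, n in flag_abusers(xmlrpc_posts_by_ip(SAMPLE_LOG)):
        print(f"{ip} -> {path}: {n} POSTs; check that site's WordPress version and plugins")
```

Run it against the real log with `xmlrpc_posts_by_ip(open("/var/log/apache2/access.log").read())`; the path tells you which installation to update, and the threshold should be tuned to what normal client traffic on the server looks like.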