Delete unused themes and plugins from your WordPress website, particularly those that are automatically installed by WordPress.
Do you have a WordPress website? If so, open your web browser and enter this URL (replace 'yourdomain.com' with your actual domain name):
Chances are you will get an error message that begins with:
PHP Fatal error: Call to undefined function get_header() in ...
The '...' will be the full filesystem path to a file on your website. This is a security issue known as Full Path Disclosure (FPD). On its own it does not let anyone in, but an attacker can use the path to:
- Combine it with other vulnerabilities (for example, a file-inclusion or arbitrary-file-read bug that needs an absolute path) to steal configuration files such as wp-config.php.
- Learn the hosting account or home-directory name embedded in the path and use it in a brute-force attack on your web hosting control panel.
This is not just a theoretical vulnerability!
The easy fix is simply to delete unused themes and plugins. For example, WordPress normally installs one or more default themes into the theme directory ('Twenty Eleven', 'Twenty Twelve', etc.). If you are not using those themes, delete them. Note that this only removes these particular files: any other PHP file that can be requested directly will produce the same kind of message as long as PHP's display_errors setting is on, so also make sure it is turned off on your server.
For those clients paying us on a monthly or annual basis to manage their websites or blogs, we take a different approach: We create a honeypot.
We leave the unused theme folders in place ('twentyeleven', 'twentytwelve', etc.) and replace each one's existing index.php with a new file that notifies us by email of the access attempt and reports the attacker's IP address. It looks like this:
<?php
// Runs only when someone requests this file directly.
// $_SERVER['REMOTE_ADDR'] is the client IP as seen by the web server.
$culprit = "An FPD attack was initiated from " . $_SERVER['REMOTE_ADDR'];
// mail($to, $subject, $message, $headers); replace the placeholder addresses with your own.
mail('youremail@example.com', 'FPD ATTACK ATTEMPT', $culprit, 'From: email@example.com');
As a result we often receive these notifications, and the attacker's IP address is usually somewhere in eastern Europe.
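The two-line honeypot above does its job, but a file that is deliberately left reachable by attackers should also avoid leaking anything itself, should not flood the inbox when a scanner hammers it, and should record enough context to be useful. The following is an added example of a fuller honeypot index.php for an unused theme folder; it is not the post's own code. The log path, the notification address and the 10-minute per-IP limit are placeholder assumptions to adjust.

```php
<?php
// Added example honeypot index.php for an unused theme folder (not the post's code).
// Assumptions: $logFile is outside the web root and writable by the PHP user,
// $notifyTo is a placeholder address, $minInterval is an arbitrary 10 minutes.

// Never show PHP error text from this file, so it cannot leak a path itself.
@ini_set('display_errors', '0');

// If WordPress loaded this file as a template (theme accidentally activated),
// stay silent rather than treating a normal visitor as an attacker.
if (defined('ABSPATH')) {
    return;
}

$logFile     = '/var/log/fpd-honeypot.log'; // assumption: outside the web root, writable
$notifyTo    = 'security@example.com';      // assumption: placeholder address
$minInterval = 600;                          // seconds between emails per IP

// Build one log line from the request. REMOTE_ADDR comes from the TCP
// connection; X-Forwarded-For is client-supplied and only recorded for context.
function fpd_honeypot_line(array $server): string
{
    $clean = static function ($value): string {
        // Cap length and strip CR/LF so a crafted header cannot forge extra
        // log lines or inject additional mail headers.
        return preg_replace('/[\r\n]+/', ' ', substr((string) $value, 0, 512));
    };
    return sprintf(
        '%s ip=%s xff=%s uri=%s ua=%s',
        gmdate('c'),
        $clean($server['REMOTE_ADDR'] ?? 'unknown'),
        $clean($server['HTTP_X_FORWARDED_FOR'] ?? '-'),
        $clean($server['REQUEST_URI'] ?? '-'),
        $clean($server['HTTP_USER_AGENT'] ?? '-')
    );
}

// Rate-limit notifications: one email per IP per $minInterval seconds, tracked
// by the modification time of a marker file in the system temp directory.
function fpd_honeypot_should_notify(string $ip, int $minInterval): bool
{
    $marker = sys_get_temp_dir() . '/fpd-' . hash('sha256', $ip);
    $last   = @filemtime($marker);
    if ($last !== false && (time() - $last) < $minInterval) {
        return false;
    }
    @touch($marker);
    return true;
}

$line = fpd_honeypot_line($_SERVER);
@file_put_contents($logFile, $line . "\n", FILE_APPEND | LOCK_EX);

if (fpd_honeypot_should_notify($_SERVER['REMOTE_ADDR'] ?? 'unknown', $minInterval)) {
    // Fixed subject: nothing client-controlled goes into the mail headers.
    @mail($notifyTo, 'FPD probe attempt', $line, 'From: ' . $notifyTo);
}

// Answer like any other missing page: no stack trace, no path, nothing to learn.
http_response_code(404);
header('Content-Type: text/plain; charset=utf-8');
echo "Not Found\n";
```

Drop this in as index.php in each unused theme folder. Because the theme's real index.php is gone, that theme must never be activated; the ABSPATH check only keeps an accidental activation from spamming you, it does not make the theme work. Every probe is still written to the log even when the email is suppressed, so the log, not the inbox, is the complete record.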