A Common-Sense WordPress Security Primer

This is a real-life burglar... still easier to identify than a hacker, sadly.  Creative Commons Share-Alike Attribution Picture by Jofus.

There’s been a big fuss lately over the latest WordPress hacks that have targeted older versions of WordPress.

And in my view, they show the less pretty side of WordPress and some people in the community… but not all of them.  The attitude has been a straight “upgrade your blog and you’ll be secure.”

Well, I have news for you.  They’re wrong.

You’re Never Secure

Even if you have the very latest version of everything, there are, out there, what are known as zero-day exploits.  These are vulnerabilities which are kept secret by the hackers who have found them.  They cease to be secret if they become widely used in a large scale attack.  Like the current one against WordPress.

Now, if there are vulnerabilities out there that nobody knows about then your high profile WordPress site or blog could be targeted in a way that you, I, or the (great and lovely) WordPress developers out there don’t know about.

Not Everyone Can Upgrade Immediately

Quite frankly, I find the glib assertion that staying up to date is all you need to be secure to be… terrifying.  It’s bad advice because it leaves people with the feeling that all they need to do is to stay up to date and all is well.  Not only that, but it sidesteps the whole issue that WordPress should really consider running security updates on older versions of WordPress – not all sites can quickly change from one version to another.  When WordPress 2.8 came out it broke multi-use widgets – you could recode them, but then settings could be lost.  There are sites out there that run hundreds of widgets, and re-configuring them will be a big job.  If a new vulnerability comes out in WordPress it may not even be relevant to some sites because they may be doing everything else correctly.

In fact, in a critical environment you absolutely do not update your software without running a full suite of tests to make sure the updates won’t bring down your site.  This is a major problem for sites which, in some cases, are turning over tens of thousands of pounds a month.  Yes, they can throw money at the problem, but it still takes time – and when there’s a vulnerability the one thing you don’t have is a lot of time.  So a site needs to rely on more than just WordPress for security.

How Does That Work Then?

One of the key things about security is to think about what happens when the first line of defence is breached.  In the real physical world, we tend to take multi-part approaches – often based on the risk.  My house has locks on the doors and windows – that’s the first level of security.  But hey, everyone has that, so to make double sure I have an alarm system so that if anyone gets in, an alarm goes off – alerting me if I’m here, or letting neighbours know.

My next level of protection is that of not having much you’d want to steal.  I even used to have a car like that – I didn’t lock it, even, in the hope that somebody would take it out of my life for ever.

But, back to the subject matter… WordPress security is, frankly, just like a front door lock and nothing else.  That’s OK, but you’re not really protecting yourself properly – if someone gets past WordPress then you may have some serious problems.

I’m not going to aim this guide at experts – I’m trying to pitch this to help people who aren’t experts to understand how their WordPress blog can be hacked, and how it can be secured even if a hacker gets through the first layer of protection.

Let’s go through them:

  1. Editing of Themes and Plugins Through the Admin Interface

    We’re going to do a test.  I want you to log in to your installation, and go to Appearance, then Editor.  Generally, you should see the stylesheet first, with comments at the top.  At the bottom of the box you should see this:

    You need to make this file writable before you can save your changes. See the Codex for more information.

    If you don’t, and if you can indeed edit this file, then you have a major security flaw right from the start.  A cross site scripting error (XSS) could easily start to make changes to your theme and plugin files.  Once your theme and plugins can be modified, the hacker has complete, 100% control of your server and its database.

  2. Poor Passwords

    This is really before you even think about WordPress security.  Simply put, do not use a word that can be found on your blog, or in a dictionary.  Learn to use PasswordMaker and its Firefox plugin or similar.  It will make security on various sites much stronger, much more quickly.  If you or any of your users are using dictionary words, then the chances of getting in are far higher.

  3. Poor MySQL Server Security

    Your MySQL database should be reasonably secure.  But many times I’ve found that you can connect to a database remotely.  For this, try using something like MySQL Administrator and connect to your database using the same logon ID and password that WordPress uses.  If you can easily reach your DB from any internet connection then again, you have a potential security hole.  All access of this type should either be IP limited, or over an SSH tunnel.  Setting this up is beyond the scope of this feature but your hosts could help, or we can.
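    Two checks you can run from a shell to answer the question above without a GUI client, as an added example (not code from the original post): the first reads the account list a MySQL server prints for `mysql -e "SELECT user, host FROM mysql.user"` and flags accounts allowed to log in from anywhere (`%`) or from remote hosts; the second reads a my.cnf and reports whether the server listens on the network at all. The account list and the two config fragments are constructed samples; `mysql.user`, `bind-address` and `skip-networking` are real MySQL names.

```shell
#!/bin/sh
# Added example for "Poor MySQL Server Security": audit who may connect
# remotely and whether the server is exposed on the network. Sample data
# below is constructed; in real use pipe the live output of
#   mysql -e "SELECT user, host FROM mysql.user"
# into remote_accounts / anywhere_accounts and point check_bind_address
# at your real my.cnf.

# Constructed sample of the mysql client's tab-separated output (-e mode).
sample_user_list() {
    printf 'user\thost\n'
    printf 'root\tlocalhost\n'
    printf 'wordpress\t%%\n'          # "%" = may connect from any host
    printf 'wordpress\tlocalhost\n'
    printf 'backup\t10.0.0.%%\n'       # IP-limited: the acceptable remote form
}

# remote_accounts < LIST -> "user@host" for every account not limited to this machine
remote_accounts() {
    awk -F '\t' 'NR > 1 && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { print $1 "@" $2 }'
}

# anywhere_accounts < LIST -> only accounts with host "%": reachable from any IP
anywhere_accounts() {
    awk -F '\t' 'NR > 1 && $2 == "%" { print $1 "@" $2 }'
}

# check_bind_address FILE -> "local only" when my.cnf has skip-networking or binds
# to a loopback address; otherwise "network reachable" (then IP limits or an SSH
# tunnel are what stands between the database and the internet)
check_bind_address() {
    if grep -Eq '^[[:space:]]*skip[-_]networking' "$1" ||
       grep -Eq '^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|::1|localhost)[[:space:]]*$' "$1"; then
        echo "local only"
    else
        echo "network reachable"
    fi
}

# Constructed my.cnf fragments: the weak setting and the corrected one.
weak_cnf()  { printf '[mysqld]\nbind-address = 0.0.0.0\n'; }
fixed_cnf() { printf '[mysqld]\nbind-address = 127.0.0.1\n'; }

# Demo report
echo "Accounts reachable from any host:"
sample_user_list | anywhere_accounts
echo "Accounts not limited to the local machine:"
sample_user_list | remote_accounts
cnf=$(mktemp)
weak_cnf  > "$cnf"; echo "weak my.cnf  : $(check_bind_address "$cnf")"
fixed_cnf > "$cnf"; echo "fixed my.cnf : $(check_bind_address "$cnf")"
rm -f "$cnf"
# The fix for a wide-open account is to recreate it limited to localhost, e.g.
#   DROP USER 'wordpress'@'%';
#   CREATE USER 'wordpress'@'localhost' IDENTIFIED BY '<strong password>';
```

    With the sample data the report names `wordpress@%` as reachable from anywhere, and lists `backup@10.0.0.%` as remote but IP-limited, which is the form the paragraph above allows.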

  4. Use of FTP Isn’t Terrible, But…

    Now, I make no secret that using FTP isn’t generally that bad, but if you have a site that’s likely to be targeted then you shouldn’t have any form of FTP access.  You should be using SSH and SCP.  At the very least, use SFTP if you can sort out certificates – they don’t have to be paid for, expensive certificates, but can be generated.  Again, getting this working is beyond the scope of this, but hosts and good WordPress consultants can help you with making this happen.

  5. Allowing User Registration

    Sometimes you need or want this – in which case, make damn sure you can keep bang up to date on your WP installs.  But if there isn’t a strong business case for having user registration (and I personally don’t believe there is in 95% of cases) then don’t bother.  If you do have it switched on you’ll notice lots of registrations from around the world.

  6. XMLRPC Support

    A high proportion of attacks on WordPress have come through or made use of the XMLRPC protocol – this is used by many exploits as it helps to automate the process of posting content to a website.  Mostly the protocol is used for pingbacks and remote publishing to a site.  If you don’t need or want those two features then you can safely remove the file xmlrpc.php from your WordPress’s root folder.  Pingbacks are less useful than they used to be, so it’s not an eccentric thing to get rid of.

  7. Firewalls

    Putting your server behind an appropriate firewall can help with certain types of attack.  This is something to talk about with your hosts.  And they do cost money.  A lot of things I’m talking about can be done more cheaply, but for a high profile site a firewall is an absolute must.

  8. Server Permissions

    Apache and the user used to upload files to the server should be kept in separate groups.  This really helps to protect against attacks that get through various layers of protection.  Something could attack your Apache web server and still fail to make updates because it doesn’t have rights.
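    The checks in items 1, 6 and 8 can all be made from a shell on the server, so here is one audit script covering them, as an added example (not code from the original post or from WordPress): it reports whether wp-config.php sets `DISALLOW_FILE_EDIT` (the real WordPress constant that makes Appearance > Editor refuse to save), how many theme and plugin files the web-server account could rewrite, and whether xmlrpc.php is still present. The site tree it builds is a constructed sample and the web-server user name is an assumption you pass in (www-data on Debian-style hosts, for instance).

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the admin editor (item 1),
# xmlrpc.php (item 6) and file ownership/permissions (item 8).
# Usage against a real install:  sh wp_audit.sh /var/www/site www-data
# With no arguments it builds a deliberately weak sample tree (constructed),
# audits it, applies the three fixes and audits again.

# check_file_edit DIR -> "ok" when wp-config.php sets DISALLOW_FILE_EDIT to true,
# otherwise "editor enabled"
check_file_edit() {
    cfg="$1/wp-config.php"
    if [ -f "$cfg" ] && grep -Eq \
        "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "ok"
    else
        echo "editor enabled"
    fi
}

# writable_by_web DIR WEBUSER -> number of PHP/CSS files under wp-content the
# web-server account could change: owned by it with the owner-write bit set, or
# group- or world-writable. Anything above zero means a compromised PHP process
# can rewrite themes or plugins, and code is not owned by a separate upload user.
writable_by_web() {
    find "$1/wp-content" -type f \( -name '*.php' -o -name '*.css' \) \
        \( \( -user "$2" -perm -200 \) -o -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# check_xmlrpc DIR -> "present" or "absent"
check_xmlrpc() {
    if [ -e "$1/xmlrpc.php" ]; then echo "present"; else echo "absent"; fi
}

# audit DIR WEBUSER -> one line per check
audit() {
    echo "file editor : $(check_file_edit "$1")"
    echo "writable    : $(writable_by_web "$1" "$2") code file(s) the web user could modify"
    echo "xmlrpc.php  : $(check_xmlrpc "$1")"
}

# make_sample_site -> path of a constructed, deliberately weak sample tree
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/sample-theme" "$d/wp-content/plugins/sample-plugin"
    printf '%s\n' '<?php' "define('DB_NAME', 'sample');" > "$d/wp-config.php"
    printf '%s\n' '/* sample stylesheet */' > "$d/wp-content/themes/sample-theme/style.css"
    printf '%s\n' '<?php // sample plugin' > "$d/wp-content/plugins/sample-plugin/plugin.php"
    : > "$d/xmlrpc.php"
    chmod 664 "$d/wp-content/themes/sample-theme/style.css"     # group-writable
    chmod 644 "$d/wp-content/plugins/sample-plugin/plugin.php"  # owner-writable
    echo "$d"
}

# harden_sample_site DIR -> apply the three fixes to the sample tree
harden_sample_site() {
    printf '%s\n' "define('DISALLOW_FILE_EDIT', true);" >> "$1/wp-config.php"
    # On a real server also chown the code to the deploy account, not the web user.
    find "$1/wp-content" -type f -exec chmod 444 {} +
    rm -f "$1/xmlrpc.php"
}

if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
else
    # Worst case assumed for the demo: the web server runs as the current user
    # and therefore owns every file.
    site=$(make_sample_site)
    echo "--- before ---"; audit "$site" "$(id -un)"
    harden_sample_site "$site"
    echo "--- after ---";  audit "$site" "$(id -un)"
    rm -rf "$site"
fi
```

    Before hardening, the sample reports the editor enabled, two writable code files and xmlrpc.php present; afterwards all three lines come back clean. A non-zero "writable" count on a real host is the script's way of showing what the Appearance > Editor test above shows in the browser.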

  9. All the Other Code

    One thing many folk forget about with WP installations is that it depends on a huge range of code and modules.  Are you running an up to date release of PHP?  How about MySQL?  GDLib?  Apache?  There are a lot of components to a website – although WP makes it look simple you’re actually dealing with a very sophisticated machine.  If you’re running outdated versions of server software there may be significant non-WP vulnerabilities.  Check with your hosts if possible.

  10. Shared Hosting

    Some shared hosting plans are, I can confirm without hesitation, absolutely dreadfully configured.  You may have 800 websites on one cheap old server – none particularly active and none set up or configured by experts.  If one gets hacked, the whole machine becomes vulnerable, and every other site can be hacked.  Often when this happens the host will blame you in various ways.  Sometimes the host may simply find it’s all too much trouble and disappear, along with your website.

    Don’t let that happen to you.

  11. Always Log Out When Finished

    If you log out when you finish your work in the back end of your site, you’ll be much less likely to fall victim to a cross site scripting vulnerability.  So make a habit of it.  Alternatively, have a browser that you only use for WordPress.  Some people may choose to use Firefox for general browsing, and Google Chrome for WordPress work.

  12. Consider Using Real Hosting

    I mean, don’t go for the cheap, commodity hosting that costs £7.95 a month.  Is your online business really that weak that spending on something more serious and carefully managed is a problem?  You have a number of choices.  You could go for a Virtual Private Server or even Dedicated Server from someone like Namesco in the UK, or if your business is really serious talk to the excellent chaps (and our partners when we build big sites) at Kumina in the Netherlands.  There are US equivalents, but I don’t know them, sorry.  By spending more you will generally enjoy a more proactive approach to your site’s security at a server level.  Same goes for spending money on WordPress consultants like, erm, us, to take the worry out of it.  Worth thinking about.

  13. Use Google Alerts as a Final Alarm

    Google Alerts are incredibly useful for many reasons.  One of the uses I make of it is to have searches set up for my primary sites for words such as ‘sex’, ‘phentermine’, ‘viagra’, ‘casino’ and so on.  Then, if anyone gets in and leaves dodgy links on the site then there’s a bigger chance of finding out about it.  If it happens, you’re kind of late, but at least you’re aware of it quickly and have a chance to fix the problem before there’s ranking damage to your site.
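    A local version of that final alarm, as an added example (not code from the original post): rather than wait for Google to index injected spam, grep the HTML your site actually serves (a wget mirror or a static export) for the same keywords, and for links hidden from visitors with `display:none`, which is how injected links are usually kept out of the owner’s sight. The keyword list is the post’s own; the two sample pages are constructed.

```shell
#!/bin/sh
# Added example for "Use Google Alerts as a Final Alarm": scan served HTML
# for spam keywords and hidden links. Sample pages are constructed.

SPAM_WORDS='sex|phentermine|viagra|casino'   # the post's alert terms; extend as needed
                                              # (case-insensitive, so expect the odd
                                              # false positive such as "Sussex")

# spam_hits FILE -> number of lines containing a keyword
spam_hits() {
    grep -Eic "$SPAM_WORDS" "$1" || true
}

# hidden_links FILE -> number of lines where an <a> tag follows a display:none style
hidden_links() {
    grep -Eic 'display:[[:space:]]*none[^>]*>[^<]*<a[[:space:]]' "$1" || true
}

# total_findings DIR -> sum of both counts over every .html file in DIR
total_findings() {
    total=0
    for f in "$1"/*.html; do
        [ -f "$f" ] || continue
        total=$(( total + $(spam_hits "$f") + $(hidden_links "$f") ))
    done
    echo "$total"
}

# report DIR -> one line per page with findings; exit status 1 if anything found,
# so it can drive a cron job that e-mails you
report() {
    found=0
    for f in "$1"/*.html; do
        [ -f "$f" ] || continue
        s=$(spam_hits "$f"); h=$(hidden_links "$f")
        if [ "$s" -gt 0 ] || [ "$h" -gt 0 ]; then
            echo "$f: $s keyword line(s), $h hidden link line(s)"
            found=1
        fi
    done
    return "$found"
}

# make_sample_pages -> directory with one clean page and one carrying the kind
# of injected block an intruder leaves behind (constructed)
make_sample_pages() {
    d=$(mktemp -d)
    printf '%s\n' '<html><body>' '<h1>Welcome</h1>' '<p>Nothing to see here.</p>' \
        '</body></html>' > "$d/index.html"
    printf '%s\n' '<html><body>' '<h1>Holiday photos</h1>' \
        '<div style="display:none"><a href="http://example.invalid/a">cheap viagra</a> <a href="http://example.invalid/b">online casino</a></div>' \
        '<p>Also: phentermine offers.</p>' '</body></html>' > "$d/post.html"
    echo "$d"
}

# Demo
pages=$(make_sample_pages)
report "$pages" || echo "total findings: $(total_findings "$pages")"
rm -rf "$pages"
```

    On the sample, post.html is reported with two keyword lines and one hidden-link line while index.html is silent; pointed at a nightly mirror of a real site, the non-zero exit status is the alarm.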

Read on for some links to practical tips for securing your WordPress install…

There’s several handy resources out there for you if you want to understand more practical information on improving your site’s security:

  • Hardening WordPress in the Codex – a useful guide, from the people who brought you WordPress.

  • Hardening WordPress with mod_rewrite and .htaccess – an alternative and useful approach that’s not for everybody, but works for many.

  • Noupe’s guide to WordPress security – an always useful site with some good ideas.

  • Richard Scoble on why he doesn’t feel safe with WordPress now.

  • Discussion about this post over at WPTavern.

  • A post by Matt Mullenweg about this hack on the WordPress Development Blog – I think the advice could be a little more rounded and pragmatic, personally.  Not everyone can be 100% up to date.  Upgrades need testing, and folk go offline for weeks at a time…

I don’t necessarily recommend all of the linked tips in securing a site, and some are really for experts to deal with, but this is a starting point to understanding.  However, in almost all guides I think they assume that you can’t do much about the security of your web server.  That’s really down to your hosts having a genuine understanding of web security.  Good hosts do, and you can tweak things on bad hosts, but if the host isn’t great you have to look after yourself as much as you can – and that, really, means that if you’re managing your own site you have to become a security expert.

Ultimately, if you’re not comfortable in dealing with security issues, let someone else who is skilled and knowledgeable do it for you.  If you’re running a basic blog and don’t really need a custom or distinctive visual design, get an account at WordPress.com.  If you need something more but without the fine control given by custom shops you can have a WordPress VIP account, and if you want real control you can use a company like us who deal with WordPress on a daily basis and who will do the worrying for you.

  • Santosh Mishra 13 / Aug / 2012 at 11:47 am

    Improving security of your WordPress blog is important. Even one of my blogs has been targeted and completely wiped out from the web server. You covered some really good ways to improve the security of a WordPress blog.

  • Anders Vinther 16 / May / 2012 at 5:36 pm

    This is a great list of things to do to secure your WordPress site…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have now written up my experiences in a WordPress Security Checklist which can be downloaded for free [n.b. please note you will be expected to leave your email address, and interconnect/it can't verify this list] on http://www.wpsecuritychecklist.com.

    My checklist has a few more items and detailed steps for how to get the job done.

    Hopefully the checklist can help other people securing their WordPress sites…

  • Elizabeth Ricci 18 / Apr / 2012 at 9:43 pm

    Great article about protecting your WordPress site, we have written something similar to this on our blog. http://www.lucidagency.com/wordpress/quick-guide-to-securing-wordpress-from-malware-and-hacking/

  • A Common-Sense WordPress Security Primer: 24 / Feb / 2010 at 7:49 pm

    [...] A Common-Sense WordPress Security Primer, by David Coveney of the Liverpool-based InterConnectit IT. An excerpt: [...]

  • [...] A Common sense WordPress Security Primer [...]

  • Steve Taylor 8 / Jan / 2010 at 11:46 am

    Thanks for some good tips, Dave. I came here to contact you about WP security – specifically, I remember your presentation at the Cardiff WordCamp about a big site you worked on. I remember you fended off jibes about still being on 2.7 by saying you thought people upgraded too quickly!

    Anyway, after getting hacked in 2008, I’ve always upgraded asap on all the sites I manage (on top of other security measures of course :-). Most of them aren’t terribly complex, so that’s fine. But there’s a much larger project I’m working on that definitely needs a lot of breathing space between major releases. I’ve been discussing (on wp-hackers) the issue of whether older WP versions are maintained with security patches, and it seems like the current plan is to basically support X.Y until X.Y+2 is current, i.e. support the current and previous release.

    I just wondered how you’ve managed this on sites you’ve not upgraded quickly. Do you apply security fixes manually?

    • Interconnect IT 8 / Jan / 2010 at 12:16 pm

      Hi Steve and thank you for visiting.

      Yes, sometimes we backport critical vulnerabilities. Other times we don’t bother. It depends a lot on what’s happening – for example, a vulnerability affecting xmlrpc.php and subscribers isn’t an issue if you don’t allow subscribers on the site!

      The rule is – if you don’t understand the security issue, then the simple option is to keep yourself bang up to date and hope for the best. But if it’s a big project you need sysadmins with a good understanding of web security, and you need WP developers who can understand the security issues being raised. If not, hire somebody who does. If your large project needs secure hosting or support we’re developing our support desk offering along with creating a hosting partnership with a client. Alternatively there’s always wordpress.com’s VIP hosting.

  • [...] a lot of hubbub lately regarding security and WordPress. You’ve probably read a few of the more popular articles about the matter, and likely heard some of the opinions from notable technology gurus. Some of the [...]

  • Triple "P" Of WordPress Security 21 / Sep / 2009 at 11:38 am

    [...] A Common-Sense WordPress Security Primer [...]

  • [...] Secure Ideas To Improve WordPress Release Strategy Are you Responsible Enough To Run WordPress Security Goes Beyond Having WordPress Up To Date WordPress Users Or Mashable Readers Can’t be This Stupid – Can [...]

  • [...] not limited to PHP, MySQL, folder-file permissions, etc. Dave Coveney also brings up the point that security is more than just WordPress. Even if you have the very latest version of everything there are, out there, what are known as [...]

  • Alex 7 / Sep / 2009 at 1:35 pm

    Finally someone who can understand the true basics of security. Thanks for this, I am gonna go share it.

  • Remkus 6 / Sep / 2009 at 7:27 pm

    Great article David. Nothing really new here for me, but I think this is a good read for a lot of people out there.