And in my view, they show the less pretty side of WordPress and some people in the community… but not all of them. The attitude has been a straight “upgrade your blog and you’ll be secure.”
Well, I have news for you. They’re wrong.
You’re Never Secure
Even if you have the very latest version of everything there are, out there, what are known as zero day exploits. These are vulnerabilities which are kept secret by the hackers who have found them. They cease to be secret if they become widely used in a large scale attack. Like the current one against WordPress.
Now, if there are vulnerabilities out there that nobody knows about then your high profile WordPress site or blog could be targetted in a way that you, I, or the (great and lovely) WordPress developers out there don’t know about.
Not Everyone Can Upgrade Immediately
Quite frankly, I find the glib assertion that staying up to date is all you need to be secure to be… terrifying. It’s bad advice because it leaves people with the feeling that all they need to do is to stay up to date and all is well. Not only that, but it sidesteps the whole issue that WordPress should really consider running security updates on older versions of WordPress – not all sites can quickly change from one version to another. When WordPress 2.8 came out it broke multi-use widgets – you could recode them, but then settings could be lost. There are sites out there that run hundreds of widgets, and re-configuring them will be a big job. If a new vulnerability comes out in WordPress it may not even be relevant to some sites because they may be doing everything else correctly.
In fact, in a critical environment you absolutely do not update your software without running a full suite of tests to make sure the updates won’t bring down your site. This is a major problem for sites which, in some cases, are turning over tens of thousands of pounds a month. Yes, they can throw money at the problem, but it still takes time – and when there’s a vulnerability the one thing you don’t have is a lot of time. So a site needs to rely on more than just WordPress for security.
How Does That Work Then?
One of the key things about security is to think about what happens when the first line of defence is breached. In the real physical world, we tend to take multi-part approaches – often based on the risk. My house has locks on the doors and windows – that’s the first level of security. But hey, everyone has that, so to make double sure I have an alarm system so that if anyone gets in, an alarm goes off – alerting me if I’m here, or letting neighbours know.
My next level of protection is that of not having much you’d want to steal. I even used to have a car like that – I didn’t lock it, even, in the hope that somebody would take it out of my life for ever.
But, back to the subject matter… WordPress security is, frankly, just like a front door lock and nothing else. That’s OK, but you’re not really protecting yourself properly – if someone gets past WordPress then you may have some serious problems.
I’m not going to aim this guide at experts – I’m trying to pitch this to help people who aren’t experts to understand how their WordPress blog can be hacked, and how it can be secured even if a hacker gets through the first layer of protection.
Let’s go through them:
Editing of Themes and Plugins Through the Admin Interface
We’re going to do a test. I want you to log in to your installation, and go to Appearance, then Editor. Generally, you should see the stylesheet first, with comments at the top. At the bottom of the box you should see this:
You need to make this file writable before you can save your changes. See the Codex for more information.
If you don’t, and if you can indeed edit this file, then you have a major security flaw right from the start. A cross site scripting error (XSS) could easily start to make changes to your theme and plugin files. Once your theme and plugins can be modified, the hacker has complete, 100% control of your server and its database.
This is really before you even think about WordPress security. Simply put, do not use a word that can be found on your blog, or in a dictionary. Learn to use PasswordMaker and its Firefox plugin or similar. It will make security on various sites much stronger, much more quickly. If you or any of your users are using dictionary words, then the chances of getting in are far higher.
Poor mySQL Server Security
Your mySQL database should be reasonably secure. But many times I’ve found that you can connect to a database remotely. For this, try using something like mySQL Administrator and connect to your database using the same logonid and password that WordPress uses. If you can easily reach your DB from any internet connection then again, you have a potential security hole. All access of this type should either be IP limited, or over an SSH tunnel. Setting this up is beyond the scope of this feature but your hosts could help, or we can.
Use of FTP Isn’t Terrible, But…
Now, I make no secret that using FTP isn’t generally that bad, but if you have a site that’s likely to be targetted then you shouldn’t have any form of FTP access. You should be using SSH and SCP. At the very least, use SFTP if you can sort out certificates – they don’t have to be paid for, expensive certificates, but can be generated. Again, getting this working is beyond the scope of this, but hosts and good WordPress consultants can help you with making this happen.
Allowing User Registration
Sometimes you need or want this – in which case, make damn sure you can keep bang up to date on your WP installs. But if there isn’t a strong business case for having user registration (and I personally don’t believe there is in 95% of cases) then don’t bother. If you do have it switched on you’ll notice lots of registrations from around the world.
A high proportion of attacks on WordPress have come through or made use of the XMLRPC protocol – this is used by many exploits as it helps to automate the process of posting content to a website. Mostly the protocol is used for pingbacks and remote publishing to a site. If you don’t need or want those two features then you can safely remove the file xmlrpc.php from your WordPress’s root folder. Pingbacks are less useful than they used to be, so it’s not an eccentric thing to get rid of.
Putting your server behind an appropriate firewall can help with certain types of attack. This is something to talk about with your hosts. And they do cost money. A lot of things I’m talking about can be done more cheaply, but for a high profile site a firewall is an absolute must.
Apache and the user used to upload files to the server should be kept in separate groups. This really helps to protect against attacks that get through various layers of protection. Something could attack your Apache web server and still fail to make updates because it doesn’t have rights.
All the Other Code
One thing many folk forget about with WP installations is that it depends on a huge range of code and modules. Are you running an up to date release of PHP? How about mySQL? GDLib? Apache? There’s a lot of components to a website – although WP makes it look simple you’re actually dealing with a very sophisticated machine. If you’re running outdated versions of server software there may be significant non-WP vulnerabilities. Check with your hosts if possible.
Some shared hosting plans are, I can confirm without hesitation, absolutely dreadfully configured. You may have 800 websites on one cheap old server – none particularly active and none set up or configured by experts. If one gets hacked, the whole machine becomes vulnerable, and every other site can be hacked. Often when this happens the host will blame you in various ways. Sometimes the host may simply find it’s all too much trouble and disappear, along with your website.
Don’t let that happen to you.
Always Log Out When Finished
If you log out when you finish your work in the back end of your site, you’ll be much less likely to fall victim to a cross site scripting vulnerability. So make a habit of it. Alternatively, have a browser that you only use for WordPress. Some people may choose to use Firefox for general browsing, and Google Chrome for WordPress work.
Consider Using Real Hosting
I mean, don’t go for the cheap, commodity hosting that costs £7.95 a month. Is your online business really that weak that spending on something more serious and carefully managed is a problem? You have a number of choices. You could go for a Virtual Private Server or even Dedicated Server from someone like Namesco in the UK, or if your business is really serious talk to the excellent chaps (and our partners when we build big sites) at Kumina in the Netherlands. There are US equivalents, but I don’t know them, sorry. By spending more you will generally enjoy a more proactive approach to your site’s security at a server level. Same goes for spending money on WordPress consultants like, erm, us, to take the worry out of it. Worth thinking about.
Use Google Alerts as a Final Alarm
Google Alerts are incredibly useful for many reasons. One of the uses I make of it is to have searches set up for my primary sites for words such as ‘sex’, ‘phentermine’, ‘viagra’, ‘casino’ and so on. Then, if anyone gets in and leaves dodgy links on the site then there’s a bigger chance of finding out about it. If it happens, you’re kind of late, but at least you’re aware of it quickly and have a chance to fix the problem before there’s ranking damage to your site.
Read on for some links to practical tips for securing your WordPress install…
There’s several handy resources out there for you if you want to understand more practical information on improving your site’s security:
Hardening WordPress in the codex – a useful guide, from the people who brought you WordPress.
Hardening WordPress with mod rewrite and htaccess – an alternative and useful approach that’s not for everybody, but works for many.
Noupe’s guide to WordPress security – always useful site has some good ideas.
A post by Matt Mullenweg about this hack on the WordPress Development Blog – I think the advice could be a little more rounded and pragmatic, personally. Not everyone can be 100% up to date. Upgrades need testing, and folk go offline for weeks at a time…
I don’t necessarily recommend all of the linked tips in securing a site, and some are really for experts to deal with, but this is a starting point to understanding. However, in almost all guides I think they assume that you can’t do much about the security of your web server. That’s really down to your hosts having a genuine understanding of web security. Good hosts do, and you can tweak things on bad hosts, but if the host isn’t great you have to look after yourself as much you can – and that, really, means that if you’re managing your own site you have to become a security expert.
Ultimately, if you’re not comfortable in dealing with security issues, let someone else who is skilled and knowledgeable do it for you. If you’re running a basic blog and don’t really need a custom or distinctive visual design, get an account at WordPress.com. If you need something more but without the fine control given by custom shops you can have a WordPress VIP account, and if you want real control you can use a company like us who deal with WordPress on a daily basis and who will do the worrying for you.