WordPress Security

However, even the best theme cannot make up for security holes left in WordPress by unwary users.

Genesis is a great theme framework and the code is continually checked by professionals and community members alike for any security holes which are repaired with an update to the Genesis Parent Theme. This is one of the great reasons to make proper use of the child theme concept and stay up to date with Genesis.

Most security risks come in 4 varieties and can be prevented by most users.


This list is not comprehensive, but will give you some great advice on making your WordPress installation more secure. At the end of this tutorial, please take time to go through the various sources for additional ideas on how to best protect yourself.

Admin Settings

User Name

I work with a lot of clients and I find that they tend to make one of the biggest mistakes because of how WordPress used to be set up by default. Until recently, a standard WordPress installation would automatically create the first user as “admin.” This is a huge security risk because you are handing attackers the first half of your login credentials. If your login name is “admin,” change it now.

  1. Log in with your Admin account
  2. Create a new admin-level account with a unique login name, not your display name
  3. Log in to the new admin-level account
  4. Delete the old Admin account
    • Be sure to assign posts to the new account when prompted
  5. Set up your new account settings, including putting your preferred email in

Of course, an equally big security risk is having your display name be the same as your login name. Make sure that these two are different in the user settings. If your login name is easy to identify or guess, then pick a name that is a bit less obvious using the steps above.

Password

If your password is “password” or any variation of that, then go change it immediately. Don’t finish reading this, change it now. Also change your luggage combination and ATM PIN to something other than 1234.

Seriously, people make three huge mistakes when it comes to passwords. They make them too simple, keep them too long, and use the same password everywhere.

Too Simple
Passwords should be fairly complex. Avoid using personal information like birthdays, names, or any real words. Always mix numbers, lowercase, and uppercase characters. Passwords should be 10 characters or longer. I prefer 14-18.

Do use word abbreviations and alternate spellings, things not found in the dictionary. Varied capitalization is also very useful. Find things in your life to help you remember complicated passwords. If you like the Bible, use Bible verses. If you are into sports, combine team names, players, and important numbers. If you are a math geek, then let algebra guide you.

Here are some examples of good and bad passwords:

  • Bad Passwords:
    • Secret (almost as bad as “Password”)
    • Tyler (my dog’s name. I’ve mentioned him on my blog and it is a real word)
    • October11th2004 (let’s say this is my anniversary. It isn’t, but I’m sure you get the idea)
  • Good Passwords:
    • 2O0Soo0Ners0U! (OU Sooners with alt spelling, caps, the 2000 championship year mixed in, and a special character)
    • tehC^ke!zaL!e (“The Cake is a lie,” a pop/video culture phrase, with alt spelling and special-character substitution)
    • Doc9e99ErRaWks (Dr. Pepper Rocks with alt spelling and number substitution)

As you can see, with a little creativity you can come up with very secure passwords based on things you will find easy to remember.

Keep them too long
I have been dealing with passwords since the 1990s. The other day I logged into an email account I hadn’t used in 10 years. It took me 3 tries to get my password because it hadn’t been changed since I last used it. Sadly, many people are using passwords from back then on sites they use every day. Some super-paranoid companies require passwords to be updated every month. This might well be overkill and promote another security risk: writing down your password. A good practice is to change your password every 3-6 months. Set it on your calendar and do it, but don’t make the mistake of just putting a new character at the end, or rotating between two passwords. Instead, alternate your spelling and capitalization or, even better, mix totally new words together to make a unique password each time.

Use them everywhere
Have you considered that if a hacker gets your password and login on one site, they might try that same password on many popular sites, including financial sites, work sites, and other places that should be more secure? Find ways of creatively mixing site details into the password, and vary that formula from site to site. If I found your WP password was wpG00dpA$$worD, then I’m going to guess your Facebook password is fbG00dpA$$worD. Instead, try reG00dpA$$worDzz, which is an alt of “ress” from “WordPress,” and k0G00dpA$$worD08, which is an alt/backwards of “book” from “Facebook.” Even better would be to have unique passwords for each site.
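The checks above (length, mixed character classes, no real or personal words, no years, and the “same password with a different site tag” trap) as a small added script; this is example code written for this tutorial, not anything from WordPress or Genesis, and the word list is a constructed stand-in for a real dictionary plus your own names and dates.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for "real words and personal information"; a real check
# would use a full dictionary plus the user's own names, pets and dates.
WORDLIST = ("password", "secret", "tyler", "october", "sooners", "cake", "pepper", "rocks")

CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")  # lower, upper, digit, symbol


def password_problems(pw: str, words=WORDLIST) -> list:
    """Return the tutorial's objections to a password; an empty list means it passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    # The good examples mix at least three of the four classes.
    if sum(bool(re.search(p, pw)) for p in CLASSES) < 3:
        problems.append("mix at least three of lowercase, uppercase, digits, symbols")
    lowered = pw.lower()
    hits = [w for w in words if w in lowered]
    if hits:
        problems.append("contains real or personal word(s): " + ", ".join(hits))
    if re.search(r"(19|20)\d\d", pw):  # birthdays, anniversaries, championship years
        problems.append("contains a year")
    return problems


def looks_like_site_variant(pw_a: str, pw_b: str) -> bool:
    """True when two passwords share most of their text, i.e. only a site tag differs
    (the wpG00dpA$$worD / fbG00dpA$$worD pattern from the text)."""
    m = SequenceMatcher(None, pw_a, pw_b).find_longest_match(0, len(pw_a), 0, len(pw_b))
    return m.size >= 0.7 * max(len(pw_a), len(pw_b))


if __name__ == "__main__":
    for pw in ("Secret", "Tyler", "October11th2004", "2O0Soo0Ners0U!", "tehC^ke!zaL!e"):
        print(pw, "->", password_problems(pw) or "ok")
    print("site variant:", looks_like_site_variant("wpG00dpA$$worD", "fbG00dpA$$worD"))
```

The variant check is deliberately coarse: it flags any pair that shares 70% of its characters in one run, which is exactly the “formula” reuse the text warns about.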

User Registration

Most of my clients are surprised to learn that users can register for their site. They are also surprised to learn that setting this up wrong can cause them grief. Unless you need users to register for your site, just disable this from the Settings > General menu. If you do need users on your site, make sure they have the correct default role. Leave it at the lowest role that is acceptable, which is Subscriber for most installations. If you have writers for your blog, consider the role that is assigned to them. Contributors can write articles but require review before publishing, Authors can publish directly, Editors can publish reviewed articles and edit articles, while Admins have access to everything. I have helped clients who had a dozen writers, all with admin-level access. This is a very risky practice.

Old Versions

The short version is: update to the latest version if you aren’t already on it, and keep WordPress up to date, as well as any plugins.

If you don’t keep reasonably up to date with WordPress you are missing out on some cool features and carrying some huge security risks. WordPress is open source software, and that makes it a great platform because many great minds are working to make it better all the time. It also means many devious minds are looking through the code for any little bug they can turn into a huge security hole. Any time major problems (and even minor ones) are found, it is a race for developers to push a security release while hackers break into as many sites as possible. The solution is pretty simple: upgrade when available. Feel free to wait a few weeks to watch for major bugs, but WordPress is very well tested before release, so by the time a version ships it is a pretty safe move. I have helped clients upgrade from WordPress 2.5 to 3.0. This is a pretty big issue, as their site had been exposed to major security risks for a very long time. Don’t be that person.

Server Settings

Database Prefix

I bet I know something about your database you don’t know. If you look, every table will have wp_ at the front of its name. This is the default setting for WordPress and poses a potential security risk. When setting up a new installation you can easily set this value to something else, and you should. Of course, it is also possible to change this value later. I’ll be talking about a plugin that makes this a fairly risk-free process.

File Permissions

Some hosts are using Windows IIS servers for WordPress, but typically servers use a Linux variant, which means you can easily set your file permissions. Often people will set important folders to 777, which means anyone could read, write, and execute files in those folders. This is done for convenience. Often plugins advise this action during setup so that the plugin files can be created properly. While this might be acceptable in the short term, in the long term it is a very dangerous practice. Typically the entire site should have folders set to 755 and files set to 644. This can be done easily via a shell, using a program such as PuTTY to access your site via SSH if available (do not use telnet, as it is highly insecure), or via FTP using a program such as FileZilla. The wp-config.php file should be 750, since it has your database information in plain text.
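An added audit script for the modes just described (folders 755, files 644, wp-config.php 750); this is example code written for this tutorial rather than anything from WordPress, and the demo_tree function builds a constructed sample install with the classic 777 uploads folder so you can see what the audit reports before and after fixing.

```python
import os
import stat
import tempfile

# Target modes from the tutorial: directories 755, files 644, wp-config.php 750.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o750


def expected_mode(path: str) -> int:
    if os.path.isdir(path):
        return DIR_MODE
    return CONFIG_MODE if os.path.basename(path) == "wp-config.php" else FILE_MODE


def audit_permissions(root: str) -> list:
    """Walk a WordPress tree and list (relative path, actual, expected) for every
    entry whose mode differs from the target; 777 folders show up here first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod through a symlink
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path)
            if actual != want:
                findings.append((os.path.relpath(path, root), actual, want))
    return findings


def fix_permissions(root: str) -> int:
    """Apply the target mode to every mismatch; returns the number of entries changed."""
    changed = 0
    for rel, _actual, want in audit_permissions(root):
        os.chmod(os.path.join(root, rel), want)
        changed += 1
    return changed


def demo_tree() -> str:
    """Constructed sample install: a 777 uploads folder and a world-readable config."""
    root = tempfile.mkdtemp(prefix="wp-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/a.jpg"):
        open(os.path.join(root, rel), "w").close()
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)
    return root
```

Run audit_permissions against your real document root first and read the list before calling fix_permissions, since a plugin that genuinely needs a writable folder will show up as a finding too.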

.htaccess

Apache web servers have the ability to use the .htaccess file. There are many rules you can put in this file to improve speed, change permalinks, handle redirects, and more. What many people don’t know is that it can also be used to increase the security of your site. Here is a sample file with comments explaining what each code block does. Some portions of the code have a “#” at the front to prevent that segment from running unless the “#” is removed. Also, several portions say “yoursite.com”; please be sure to update this to your actual domain. If your server supports this, you may create a text file in Notepad (or another text editor) named htaccess.txt, upload it via FTP and rename it to .htaccess if the file does not exist yet, or download and edit the existing .htaccess file.

# protect the .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

# disable the server signature
ServerSignature Off

# limit file uploads to 10mb (value is in bytes)
LimitRequestBody 10240000

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# who has access and who doesn't: use deny to block specific IPs
order allow,deny
#deny from 000.000.000.000
allow from all

# disable directory browsing
Options All -Indexes

# disable hotlinking of images with a forbidden or custom-image option; make sure stealingisbad.gif exists
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC]
# the replacement image itself must be excluded or the redirect loops
RewriteCond %{REQUEST_URI} !/stealingisbad\.gif$
#RewriteRule \.(gif|jpg)$ - [F]
#RewriteRule \.(gif|jpg)$ http://www.yoursite.com/stealingisbad.gif [R,L]

# protect from spam comments posted directly (no referer from this site, or a blank user agent)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*yoursite.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

# WP code goes here

Additional Server Considerations

Many hosts use a single database, or other shared resources, that make it easy for hackers to break into other sites once they gain access to a single site. The only absolute solution to this is to have a Dedicated Server or Virtual Private Server. These cost a good deal more because of the dedicated resources. Shared hosting is cheaper, and many reputable hosts have more secure setups, isolating accounts from each other. Sadly, hosts often blame WordPress when their settings are to blame. If word gets out that a specific host is being hacked more than others, it might be the servers.

If you have shell access you might check your ownership settings. I have seen it recommended that file/folder ownership be set to the same user the Apache server runs as. This makes it much easier to do certain things on the site, often allowing stricter permissions, but it opens an even bigger security risk, since scripts run by the web server will be unrestricted on your site and through many portions of the server. If this setup is used in a Virtual/Dedicated host environment with multiple accounts, it will allow a single hack access to all of the accounts. Make sure each site has ownership set to that specific site’s account.

Plugins

There are many plugins that offer various security options for WordPress, while others can actually be a security risk. Just because a plugin is on the WordPress Extend site doesn’t mean it is a well-coded plugin. Poor code can make it easier for a hacker to break into your site. Plugins that haven’t been updated in months might pose a security risk, though often simple, well-coded plugins don’t need to be updated as often. Read the reviews on a plugin. If it isn’t rated well, avoid it. Finally, ask yourself if you really need this plugin. I have seen many sites with 30-50 plugins that really only used 15-20 of them. Any plugin you are not using poses an unnecessary security risk. Deactivate and delete.

Here are some important security plugins.

  • WP Security Scan:
    • Looks for several vulnerabilities, including file permissions and database issues
    • Allows the user to change the database prefix (that wp_ thing I mentioned above)
  • Exploit Scanner:
    • Scans files AND the database for potential hacks
  • WP DBManager:
    • One of many database backup utilities
    • Also allows DB repairs and optimization from the WordPress console

Speaking of backups, you do have a backup, right? Before making any changes, get a backup of your database and files. Then make your site secure and set up backups on a regular schedule. If you are updating daily you need weekly backups at a minimum. If you are only updating once a week, then you might be safe with a monthly backup. If this is a site that is totally static, then a single backup every time you upgrade WordPress is a safe practice. Make sure you keep several backups available. If your only backup includes the hack, then you are in trouble.

If I am backing up once a week I’ll keep 8 backups plus a “full backup” that I run every 6 months. If I am only backing up once a month I would keep 6 backups on hand and if I’m backing up every three months I would only keep 4 backups.

You

Without a doubt you are one of the biggest security risks to your site. I don’t say this to be offensive, but your choices affect the site. Are you going to keep up with good passwords, regular updates, proactive scans, and constant backups or will you figure “this will never happen to me?”

More than that, protecting the computers you access your site from is very important. You need solid Firewalls, updated Operating Systems, and vigilant Virus Scanners. If a hacker gets into your computer they can get into your site. In fact, you have given them the keys to any site you use. In addition to software based protection you can be proactive in preventing viruses. Many of the worst viruses come from visiting reputable sites, and many more come from viewing perfectly “innocent” sites. Social networking sites can be full of viruses, largely due to people with outdated virus scanning, and disabled firewalls. Be wary of file downloads and never trust a site that claims you have viruses. Legitimate virus programs aren’t distributed via popups warning of security holes.

For additional resources, check out these links.
Hardening WordPress
11 ways to improve WordPress security
WordPress Security
20 powerful WordPress security plugins and some tips and tricks

Comments

  1. Guilty as charged. Gotta’ get to it.

    Nick, you’re definitely one of the knowledgeable – you get right to it. You available to set up/tweak my sites? Have three based on the Lexicon.

    Ciao,
    Bart

  2. Thanks Nick, wonderful post and good links too!