alex sysoef

5 Steps To Practical WordPress Security

WordPress security is a *HOT* topic, and many, including myself, have suffered from a blog being destroyed by some dumb script kiddie who managed to get his hands on a script that exploits some vulnerability.

Protecting your blog from idiots like that is a MUST, but to be quite honest, absolute security simply doesn’t exist. We have to make a choice between usability and security and do our best to find that Practical WordPress Security Balance!


In this post I will discuss 5 steps you should take to ensure that balance and achieve Practical WordPress Security you can live with!

And since the PRACTICAL side of the implementation plays a huge role here, many of the measures are optional, although recommended! Sometimes, IF your blog gets hacked, it can be easier to restore from backup than to deal with the complexities associated with the integrated security!

So, you decide what fits your needs; I simply share what I know works!

Step 1: Backup Your Blog

Understand one thing: being hacked is not a matter of IF but, unfortunately, WHEN. Once your blog gains popularity, the number of attacks will increase and one of the attackers just might get lucky!

Backups are your last line of defense, but you have to be absolutely sure you have one before you need it!

  • WordPress Database Backup is a plugin I use and install for all my customers due to its simplicity and great functionality: it allows you to schedule all backups to be emailed to an address of your choice, such as a Gmail account!

I like to keep about 2 weeks’ worth of backups just in case. You can obviously keep less, although with the huge amount of space Gmail provides, there is no reason to!

The plugin above takes care of your database, which stores most of your information, but don’t forget to do a complete backup of the most important files within your blog structure. At the very minimum I would back up the wp-content folder, wp-config.php and the .htaccess file.
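To show what the file half of Step 1 looks like without a plugin, here is an added example (my own illustration, not the WordPress Database Backup plugin or anything from the post). It archives exactly the three items named above into a timestamped tar.gz, prunes archives older than a 14-day retention window (the "about 2 weeks" from above, an assumption), and reads the database credentials out of wp-config.php to build the mysqldump command for the database half. The wp-config.php fragment, paths and retention period are constructed for the demo.

```python
"""Added example: WordPress file backup with retention, plus the mysqldump
command derived from wp-config.php. Not the post's plugin; paths, the
14-day retention and the sample wp-config.php are constructed assumptions."""
import os
import re
import shlex
import tarfile
import tempfile
import time
from datetime import datetime, timezone

# The items the post says to back up at the very minimum.
FILES_TO_BACKUP = ("wp-content", "wp-config.php", ".htaccess")
ARCHIVE_PREFIX = "wp-files-"


def parse_wp_config(text):
    """Pull DB_NAME/DB_USER/DB_PASSWORD/DB_HOST and $table_prefix out of
    wp-config.php source. Keys that are not present are simply absent."""
    settings = dict(re.findall(
        r"define\(\s*['\"](DB_\w+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)", text))
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m:
        settings["table_prefix"] = m.group(1)
    return settings


def mysqldump_command(settings, out_path):
    """argv for dumping the blog database. The password is deliberately
    left off the command line (it would show up in `ps`); supply it via
    the MYSQL_PWD environment variable or a client options file instead."""
    return ["mysqldump", "--single-transaction",
            f"--host={settings.get('DB_HOST', 'localhost')}",
            f"--user={settings['DB_USER']}",
            f"--result-file={out_path}",
            settings["DB_NAME"]]


def backup_files(wp_root, dest_dir, now=None):
    """Archive the listed entries under wp_root; return the archive path.
    Entries that do not exist are skipped rather than aborting the run."""
    now = now or datetime.now(timezone.utc)
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"{ARCHIVE_PREFIX}{now:%Y%m%d-%H%M%S}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for name in FILES_TO_BACKUP:
            path = os.path.join(wp_root, name)
            if os.path.exists(path):
                tar.add(path, arcname=name)
    return archive


def prune_old_backups(dest_dir, keep_days=14, now=None):
    """Delete our archives whose mtime is older than keep_days; return names removed."""
    now = time.time() if now is None else now
    removed = []
    for fn in os.listdir(dest_dir):
        if not (fn.startswith(ARCHIVE_PREFIX) and fn.endswith(".tar.gz")):
            continue
        path = os.path.join(dest_dir, fn)
        if now - os.path.getmtime(path) > keep_days * 86400:
            os.remove(path)
            removed.append(fn)
    return sorted(removed)


def archived_names(archive):
    """Member names inside an archive, so the backup can be verified."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


# Constructed wp-config.php fragment (not a real site's configuration).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog_db');
define('DB_USER', 'blog_user');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', 'localhost');
$table_prefix  = 'wp_';
"""


def demo_roundtrip():
    """Constructed end-to-end run in a temp dir: build a fake blog tree,
    back it up, plant a 20-day-old archive, prune. Returns
    (archive members, archives removed, archives remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = os.path.join(tmp, "blog"), os.path.join(tmp, "backups")
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel in ("wp-config.php", ".htaccess", "wp-content/uploads/a.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("x")
        names = archived_names(backup_files(root, dest))
        stale = os.path.join(dest, ARCHIVE_PREFIX + "20000101-000000.tar.gz")
        open(stale, "wb").close()
        old = time.time() - 20 * 86400
        os.utime(stale, (old, old))          # back-date it past retention
        removed = prune_old_backups(dest)
        return names, removed, len(os.listdir(dest))


if __name__ == "__main__":
    cfg = parse_wp_config(SAMPLE_WP_CONFIG)
    print(shlex.join(mysqldump_command(cfg, "/backups/blog_db.sql")))
    print(demo_roundtrip())
```

Run it from cron on the host, then ship the archive and the SQL dump off the server (the post's mailed-backup approach does exactly that); a backup that lives only on the compromised host is the one you will not have when you need it.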

Step 2: Keep Your Blog Up To Date

In fact, I should probably have put this as the Number 1 task, because most of the hacked blogs I have seen were due to the owner’s failure to upgrade in time! The reasons behind that failure can be many, but in the end they all lead to the same sad result: your blog is all screwed up by some idiot who managed to get access to a script that does it for him!

Yep, many of the exploits are completely automated via scripts once a vulnerability is discovered!

Considering that you now have the option to update the WordPress core and your plugins with a single click of a button, it should become your duty to check that you are running the latest versions, as security issues can be introduced not just by the core but also by the plugins you have added to enhance functionality!

Also, don’t forget to periodically check your theme developer’s site in case any security fixes have been released! Theme files are also PHP code and can be exploited! I personally prefer using more reputable coders/designers who write secure code from the get-go!

Step 3: Secure Your Current WordPress Blog

This especially applies to you IF you used the Fantastico installer for your WordPress blog! By default, Fantastico creates an easily guessable variable that is very commonly used by scripts attempting SQL injection. I have previously written about this in my WordPress Security post, which has become slightly outdated; this guide replaces it, but it still explains much of my reasoning!

Several plugins come to your rescue in securing your blog, and you can simply choose which, if any, appeal to you:

  • WP Security Scan does a great job of identifying issues and helping you remediate them, educating you in the process. Consider this plugin your new friend; it also has some great features planned to assist you even more in keeping your installation secure! And if you haven’t used a secure enough admin password yet, it will let you know! I like that it gives you the ability to change the database prefix and the admin username, but please be sure to visit the plugin author’s page, as some people report issues with those options!

Protecting your wp-admin directory, or at least securing the admin login, is what the next few plugins provide, and once again you can choose whether any of them are appropriate for you.

  • The AskApache Password Protect plugin is a lot more than login protection. I would call it nothing less than a security suite, and version 4.7 (not yet released) promises even more protection. Just be sure to visit the plugin home page to get the latest scoop before you decide to use it!
  • The Stealth Login plugin helps you hide the well-known login URL of your blog, so you not only deflect brute-force attacks aimed at the default URL but also get an easy-to-remember login URL. Because it uses URL rewriting, be sure it will not conflict with any existing plugins you might have that perform the same function.
  • The Semisecure Login Reimagined plugin goes deeper into securing your login via RSA encryption and can be quite useful if you need to log in to your blog from public places, protecting your password from being transmitted in clear text and caught by network sniffers.
  • The User Locker plugin is last on the list and also one of my favorites, as it simply allows you to specify after how many invalid login attempts an account is locked. This effectively helps you fight brute-force password attacks! It is a great option when used in combination with a secure password. But do beware that it means your blog login might have to be changed just because someone got upset with you and typed the admin password incorrectly a few times! The best way to avoid that scenario is to change the admin username to something else and then use an alias for publishing your posts!
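The lockout rule behind the last plugin is simple enough to write down, so here is an added example of it (my own illustration, not the User Locker plugin's code). It locks a username after N invalid attempts for a cooling-off period, checks the lock before the password so a locked account cannot be guessed at, and its demo reproduces the side effect described above: a few wrong guesses against the well-known "admin" name lock that account even for its rightful owner until the lockout expires. The threshold, lockout duration, credential store and sample password are constructed assumptions.

```python
"""Added example: account lockout after N failed logins, as the post
describes for the User Locker plugin. Not the plugin's code; thresholds,
the credential store and the sample user are constructed assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field


@dataclass
class AccountLocker:
    max_attempts: int = 5
    lockout_seconds: int = 900                     # 15 minutes (assumption)
    failures: dict = field(default_factory=dict)   # user -> failed count
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, user, now):
        """True while a lockout is in force; clears state once it expires."""
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Count a bad attempt; returns True if this one triggered a lockout."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


class UserStore:
    """Constructed credential store: salted PBKDF2 and a constant-time compare."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._derive(password, salt))


def attempt_login(store, locker, user, password, now=None):
    """Return 'locked', 'ok' or 'bad'. The lock is checked before the
    password so a locked account yields no information about guesses."""
    now = time.time() if now is None else now
    if locker.is_locked(user, now):
        return "locked"
    if store.verify(user, password):
        locker.record_success(user)
        return "ok"
    locker.record_failure(user, now)
    return "bad"


def demo():
    """Constructed scenario: three wrong guesses lock 'admin'; the real
    password is refused while locked and accepted once the lockout expires."""
    store = UserStore()
    real = "correct horse battery staple"          # constructed sample password
    store.add("admin", real)
    locker = AccountLocker(max_attempts=3, lockout_seconds=600)
    t = 1_000_000
    results = [attempt_login(store, locker, "admin", f"guess{i}", now=t + i)
               for i in range(3)]
    results.append(attempt_login(store, locker, "admin", real, now=t + 3))
    results.append(attempt_login(store, locker, "admin", real, now=t + 700))
    return results


if __name__ == "__main__":
    print(demo())   # ['bad', 'bad', 'bad', 'locked', 'ok']
```

The fourth result is the scenario the post warns about: the account owner is locked out by someone else's failed guesses. Renaming the admin account, as suggested above, means those guesses land on a username that does not exist.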

There are many more plugins that will help you make your blog more secure, but my goal is to achieve a Practical Level Of Security!

Step 4: Monitor Your Blog Security

There are a couple of ways to exploit your blog:

  1. Modifying your blog database via SQL injection or by gaining full control over it
  2. Accessing the file structure of your blog and doing damage through the files

If you are backing up your database and protecting your administrative access properly, you should do quite well in defending against number 1, as long as you also update frequently!

But the second one can still be a big problem! I have had one of my blogs hacked because someone gained access to a hosting account and was able to traverse the file structure and modify it at will. Worse yet, I have a very strong suspicion, backed by examination of my Apache access and error logs, that the attacker hacked someone else’s account on the same shared host where my site was located and gained access to my blog.

So how do you defend against that, right?!

Actually, quite easily, using a plugin I will introduce next:

  • WordPress File Monitor by fellow Virginian Matt Walters does the job quite nicely! It functions like a “tripwire” intrusion detection system, monitoring your files for changes and notifying you about them in real time (in the WordPress admin dashboard) and via email.

The plugin has several options to configure, the most important being:

  1. How to monitor: I recommend by file date, as it is less processor-intensive on your server, although less secure.
  2. How often to scan: I specified 1 hour, simply because it is about as real-time as I want to get. Most fixes after a hack involve cleaning the files, usually by restoring them and securing the entry point. Knowing which files were modified will make this job a lot simpler!
  3. Exclusion rules: It is extremely important to exclude files that change frequently on your blog, such as cached files from the wp-super-cache plugin and any other plugins that store frequently changed dynamic files within your WordPress directory structure. The author has good instructions on how to define them, and using his default guidelines I was able to get a clean report after a couple of tries.
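To make the three options concrete, here is an added example of a minimal "tripwire" for a WordPress tree (my own illustration, not Matt Walters' plugin). It builds a baseline of every file, supports the two monitoring modes discussed above (by file date, which records size and mtime, and by hash, which adds SHA-256), applies regex exclusion rules for churn such as a cache folder, and reports added, removed and modified files on a later scan. Its demo shows why date mode is the "less secure" choice: a same-length edit whose timestamp is put back goes unnoticed by date but is caught by hash. The exclusion patterns and the sample tree are constructed assumptions.

```python
"""Added example: file-integrity ('tripwire') monitor for a WordPress tree.
Not the WordPress File Monitor plugin; the exclusion patterns and the
sample blog tree in demo() are constructed assumptions."""
import hashlib
import json
import os
import re
import tempfile

# Constructed exclusion rules in the spirit of the post's advice: skip
# frequently changing files such as wp-super-cache output.
DEFAULT_EXCLUDES = (
    r"^wp-content/cache/",
    r"^error_log$",
    r"\.log$",
)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(rel_path, excludes=DEFAULT_EXCLUDES):
    return any(re.search(p, rel_path) for p in excludes)


def build_baseline(root, mode="date", excludes=DEFAULT_EXCLUDES):
    """Map relative path -> fingerprint. mode='date' stores size and mtime
    (cheap, the post's recommendation); mode='hash' also stores SHA-256,
    which catches a change that preserves size and timestamp."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_excluded(rel, excludes):
                continue
            st = os.stat(full)
            entry = {"size": st.st_size, "mtime": int(st.st_mtime)}
            if mode == "hash":
                entry["sha256"] = _sha256(full)
            baseline[rel] = entry
    return baseline


def compare(old, new):
    """Diff two baselines into added / removed / modified path lists."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    """Persist between scans; keep this file outside the web root."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a fake blog, then add a theme file,
    edit a core file without changing its size or mtime, and churn the
    cache folder. Returns (date-mode report, hash-mode report)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)
            return full

        write("wp-config.php", "<?php // config")
        core = write("wp-includes/functions.php", "<?php function a(){}")
        write("wp-content/cache/page1.html", "cached")
        by_date, by_hash = build_baseline(root, "date"), build_baseline(root, "hash")

        st = os.stat(core)                       # same-length edit, mtime restored
        with open(core, "w") as fh:
            fh.write("<?php function b(){}")
        os.utime(core, (st.st_atime, st.st_mtime))
        write("wp-content/themes/x/footer.php", "<?php // new file")
        write("wp-content/cache/page2.html", "cached")   # excluded churn

        return (compare(by_date, build_baseline(root, "date")),
                compare(by_hash, build_baseline(root, "hash")))


if __name__ == "__main__":
    for mode, report in zip(("date", "hash"), demo()):
        print(mode, report)
```

In practice you would run `build_baseline` from cron at the interval you chose (the post's hour is a reasonable compromise), `compare` against the saved baseline, and mail anything non-empty; the report then tells you which files to restore from the Step 1 backup.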

And once you set up the plugin, you can enjoy the peace of mind that comes with a semi-secure WordPress installation. Right?

Wrong!

Step 5: Test Your WordPress Blog Security

Hey, we have gone this far, no reason to stop now! Let’s do the final step and test just how well we did our work!

  • WP Scanner is a plugin and a service at the same time: the plugin validates that you are scanning your own blog, and you then use a web interface to test your blog’s security!

Obviously optional, but you might be surprised by what you discover! So go ahead and do it! Now!

…..

Still reading? Great, because right about now you should feel good about yourself: you have just accomplished a monumental task and created a WordPress installation more secure than 99.9% of the blogs in existence while retaining Practical Accessibility!

And I think you deserve a bonus tip!

Bonus Tip: Maintain Your Blog

A phrase I heard somewhere, “cleanliness is next to godliness”, very much applies to your blog: it will run a heck of a lot better if you keep it nice and clean and its database optimized.

  • The WP-Optimize plugin will help you do that! It allows you to remove post revisions, comments in the spam queue and unapproved comments within a few clicks. Additionally, you can rename any username to another username.

Now you deserve to rest!

If you do even half of the things I have specified above (and I don’t expect you to do them all), you will achieve that Practical WordPress Security level we strive for in 5 simple steps.

Filed under WordPress

56 Responses to “5 Steps To Practical WordPress Security”

  1. Matt says:

    Thanks for mentioning WordPress File Monitor. I’m hoping to release a new version within the next week or so, so stay tuned for that :)

    Take care and thanks for the mention :)

    • TheSpotter says:

      Matt, one thing that is missing is individual file exclusion – I would love to be able to exclude error_log and some others based on a regular expression (pattern).

      Alex

  2. Thanks for your submission to the Forty-Sixth edition of the Blog Carnival: Blogging. Your post has been accepted and it’s live:

    http://thatsblog.com/blog-carnival-blogging/blog-carnival-blogging-forty-sixth-edition

    -ThatsBlog.com

  3. Sherif says:

    Alex
    Great article, thanks for the tip about Matt’s file monitor. I will give it a try.
    Sherif

    Sherifs last blog post..Website Wishlist: Men vs Women

  4. Ryan Edward says:

    Keeping your computer clean of spyware is a good thing too. I recently had one of my sites hacked when my PC got infected with a keylogging program. Luckily I noticed the added javascript right away and was able to backup my website and restore my system.

    Ryan Edwards last blog post..How to Learn Piano Notes

  5. Colin says:

    Excellent post Alex,
    I have come under attack over the past few days and use many of the plugins suggested and it has helped to combat the threats of an attempted SQL Injection.
    File monitor I have not yet installed but will be very soon :)

    • TheSpotter says:

      Thanks Colin.

      SQL injection is one that is fairly easy to fight off, as long as you have removed all the easily guessable values, such as the admin username and wp_prefix, and used a strong password.

  6. aaron says:

    thanks Alex for the tips. I will definitely check out all the plugins you recommended, especially the wp scanner.

    aarons last blog post..Using The Forex Trailing Stop With MT4

  7. One of the great things about WordPress is that even though it is mainstream and therefore might be the target of people with bad intentions it is also a killer resource because so many plugins have been created to take care of almost anything that you can think of. Thank you for the post!

    Mikael @ Retire Earlys last blog post..How to Retire Early and Rich by Making a Commitment

  8. Very well written article. One of the best I’ve read about WordPress security. In addition to backing up the files, I recommend using a software that I personally use called SyncBackSE. It can automatically download the files for you via FTP by scheduling it ahead of time.

    Tom

    Tom @ Internet Marketing Blogs last blog post..4 Tried and Tested Ways to Increase Opt-In Conversion Rates

  9. Dennis Edell says:

    The problem with step 2 is, the immediate (and definite) bugs get you worse than waiting.

    Dennis Edells last blog post..100 Strategies Book Review FollowUp – I Name Names!

  10. There is one more security hole I found out recently. Type in URL browser,
    http://www.yourblogname.com/wp-content/plugins
    and if all plugins opened, anybody can download your plugins.
    To fix this, go to cpanel, index manager, for the selected folder change to ‘no indexing’.
    This will stop anybody from accessing your files.
    Roy Kuruvila

    Roy @ webmaster toolss last blog post..Internet Marketing-Some Successful Marketing Strategies over a Long Time

  11. Rich says:

    Those are great tips.

    I assumed getting hacked was part of the business. At least WP is fairly secure..anyone have Mambo sites before? Wow, I must have gotten it 3 or 4 times..yikes!

    Thanks for sharing!

    Richs last blog post..Mortgage Refinance in Corpus Christi, Texas

  12. Brad Officer says:

    Thanks for all the tips here. Security is a hot topic right now around all the WP blogs, but I think you may have written the most all encompassing list of must haves and must do’s. Great article.

    Brad Officers last blog post..Short Sale Help in Jacksonville

  13. Hi Alex, excellent post. I can’t tell you how many times I see people post in the WP forums with questions as to why their blog is not working properly. Then when it’s all said and done, they discover the problem was they were hacked. It is only then that they decide to do something about their blog’s security.

    I have a few more tips I’d like to add.

    1. Make sure your login page is not indexed by search engines. This one kind of goes with your URL rewrite suggestion. Most “kids” simply look for easy targets. They’ll Google a known WordPress file and directory name and wait to see who shows up. Don’t be there.

    2. Limit who has access to your /admin area through .htaccess

    3. Use a firewall plugin. I like the WordPress Firewall Plugin by SEO Egghead.

    Glad I found your site and am subscribing now.

    John Hoff – WpBlogHosts last blog post..How To Fully Backup WordPress Anytime With Just A Few Clicks

  14. Brandon says:

    Appreciate the security advice. I’ve had a blog hacked before through some vulnerabilities. They tried to use my blog as a way of getting links back to their site. The links didn’t show up when viewing the blog but I could see them when I looked at the Cache of the page.

    I came to find out that I wasn’t the only one who it happened to but this goes on all the time. Very unfortunate.

    Brandons last blog post..Tim Mai

    • That’s a good point, Brandon. It’s common for many people to not even realize they have been hacked. A lot of people think a mischievous hacker’s motives are to simply crash their blog – but that’s not the case.

      What use is a broken blog to them? Most would rather use your blog to their advantage without you knowing about it.

      You’re lucky you found the problem before Google did. Such links could get you banned from their search engine because Googlebot thinks you’re a spammer.

    • Matt says:

      This is actually one of the major reasons WordPress File Monitor was written. If you know the files were modified, you can go looking for mischievous code such as this.

      • Brandon says:

        Matt,

        I will have to take a look at File Monitor.

        I had no idea where or what files were changed so I just deleted the entire blog, site and database and started over again. That was a pain but no one could find the hacked files and I even had my hosting company look at it but they were not a huge help unfortunately.

  15. Darrellw says:

    I’ve spent a lot of time looking for a plugin or using the .htaccess and the passwd file to lock down the wp-admin so no one can access it. Does anyone have a link to how to set this up? I also have tried to do the same for awstats with no luck. Thanks in advance – great post, I usually do my backups with php-admin and I also copy the wp-content folder to my desktop.

    For tips and advice to find the best sunglasses if so, go to http://bestsunglasses.us for advice and guidance

Trackbacks/Pingbacks

  1. RT @TheSpotter: 5 Steps To Practical WordPress Security: WordPress Security is a *HOT* topic http://s3nt.com/gwgy

  2. 100rabh™ says:

    good read for WordPress security http://is.gd/zOnG

  3. My friend Alex Sysoef (@TheSpotter) shares 5 important, practical steps to implementing WordPress Blog Security http://budurl.com/sqlv

  4. Cori Padgett says:

    RT @nicheprof: My friend Alex Sysoef(@TheSpotter) shares 5 important, practical steps 2 implementing WP Blog Security http://budurl.com/sqlv

  5. Robert Barry says:

    Reading: 5 Steps To Practical WordPress Security http://tinyurl.com/pea33p

  6. RT @Grahamh: 5 Steps To Practical WordPress Security – http://bit.ly/okfxh

  7. 5 Steps To Practical WordPress Security http://tinyurl.com/pea33p

  8. Tom Duong says:

    RT @Joel_Rodriguez 5 Steps to have a secure Word Press Blog – http://bit.ly/MnBAI

  9. […] are some people making money online while others are not?” and Alex_Sysoef presents 5 Steps To Practical WordPress Security posted at WordPress Web 2.0 How-To Spot-er, saying, “Protecting your blog from idiots like […]

  10. […] 5 Steps To Practical WordPress Security (howtospoter.com) […]

  11. […] there are many more plugins to help you protect even more and I describe many of them in my post 5 Steps To Practical WordPress Security but here I want to help you create a solid Defense Perimeter against attacks while still retaining […]