alex sysoef

5 Steps To Practical WordPress Security

WordPress security is a *HOT* topic, and many of us, myself included, have suffered a blog being destroyed by some dumb script kiddie who got his hands on a script that exploits a known vulnerability.

Protecting your blog from idiots like that is a MUST, but to be quite honest absolute security simply doesn’t exist. We have to make a choice between usability and security and do our best to find that Practical WordPress Security Balance!


In this post I will discuss the 5 steps you should take to strike that balance and achieve a level of Practical WordPress Security you can live with!

And since the PRACTICAL side of the implementation plays a huge role here, many of the measures below are optional, although recommended! Sometimes it is easier to restore from a backup IF your blog gets hacked than to deal with the complexity of the extra security measures.

So you decide what fits your needs; I simply share what I know works!

Step 1: Backup Your Blog

Understand one thing: being hacked is unfortunately not a matter of IF but WHEN. Once your blog gains popularity the number of attacks will increase, and one of the attackers just might get lucky!

Backup is your last line of defense, but you have to be absolutely sure you have it, and that it actually restores, before you need it!

  • WordPress Database Backup is the plugin I use and install for all my customers due to its simplicity and great functionality: it lets you schedule all backups to be emailed to an address of your choice, like Gmail!

I like to keep about 2 weeks’ worth of backups just in case. You can obviously keep less, although with the huge amount of space Gmail provides there is no reason to!

The plugin above takes care of your database, which stores most of your information, but don’t forget to do a complete backup of the most important files within your blog structure as well. I would back up, at the very minimum, the wp-content folder, wp-config.php and the .htaccess file. Keep in mind that wp-config.php contains your database credentials and the database dump contains your users’ password hashes, so store those backups somewhere private: a mailbox with a strong password, or a directory on the host that is not web-accessible.
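As an added example (this is not the WordPress Database Backup plugin, which emails its dumps, nor anything from the original post), here is a small script that does Step 1 from the command line: it reads the database settings out of wp-config.php, builds a mysqldump command without putting the password on the command line (on a shared host other users can read your command line with ps), tars the file set named above, reads the archive back to make sure it is not corrupt, and prunes anything older than two weeks. The names KEEP_DAYS, FILE_TARGETS, the /tmp paths and the sample site tree are this example’s own assumptions.

```python
"""Back up the parts of a WordPress install that matter (added example; assumes MySQL with
`mysqldump` on PATH and a backup directory outside the web root)."""
import os
import re
import shutil
import subprocess
import tarfile
import time

KEEP_DAYS = 14                                               # about two weeks of history
FILE_TARGETS = ["wp-content", "wp-config.php", ".htaccess"]  # minimum file set to keep


def read_db_settings(wp_config_path):
    """Pull the DB_* constants and $table_prefix out of wp-config.php."""
    with open(wp_config_path, encoding="utf-8") as f:
        text = f.read()
    settings = {}
    for key in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"):
        m = re.search(r"define\(\s*['\"]" + key + r"['\"]\s*,\s*['\"]([^'\"]*)['\"]", text)
        settings[key] = m.group(1) if m else None
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    settings["table_prefix"] = m.group(1) if m else "wp_"
    return settings


def mysqldump_command(settings, out_path):
    """Build the mysqldump argv plus environment. The password is deliberately NOT
    placed on the command line (visible to every user via `ps` on a shared host);
    it is handed over through the MYSQL_PWD environment variable instead."""
    argv = ["mysqldump", "--single-transaction", "-h", settings["DB_HOST"] or "localhost",
            "-u", settings["DB_USER"], "--result-file=" + out_path, settings["DB_NAME"]]
    env = dict(os.environ, MYSQL_PWD=settings["DB_PASSWORD"] or "")
    return argv, env


def backup_files(wp_root, backup_dir, stamp=None):
    """Tar wp-content, wp-config.php and .htaccess; returns (archive, member names).
    The archive is read back so a corrupt backup is noticed now, not on restore day."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, "wp-files-%s.tar.gz" % stamp)
    with tarfile.open(archive, "w:gz") as tar:
        for name in FILE_TARGETS:
            path = os.path.join(wp_root, name)
            if os.path.exists(path):
                tar.add(path, arcname=name)
    with tarfile.open(archive, "r:gz") as tar:
        members = sorted(tar.getnames())
    os.chmod(archive, 0o600)   # wp-config.php holds DB credentials: keep the archive private
    return archive, members


def rotate_backups(backup_dir, keep_days=KEEP_DAYS, now=None):
    """Delete wp-* backups older than keep_days; returns the file names removed."""
    now = time.time() if now is None else now
    removed = []
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if name.startswith("wp-") and now - os.path.getmtime(path) > keep_days * 86400:
            os.remove(path)
            removed.append(name)
    return removed


def make_sample_site(root):
    """Constructed stand-in for a WordPress tree so the script can be tried offline."""
    for sub in ("wp-content/plugins", "wp-admin"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    files = {
        "wp-config.php": ("<?php\ndefine('DB_NAME', 'blogdb');\ndefine('DB_USER', 'bloguser');\n"
                          "define('DB_PASSWORD', 's3cret');\ndefine('DB_HOST', 'localhost');\n"
                          "$table_prefix = 'wp_';\n"),
        ".htaccess": "RewriteEngine On\n",
        "wp-content/plugins/hello.php": "<?php // plugin\n",
        "wp-admin/index.php": "<?php // core file, reinstallable, so not backed up\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = make_sample_site("/tmp/wp-sample")
    backup_dir = "/tmp/wp-backups"
    os.makedirs(backup_dir, exist_ok=True)
    cfg = read_db_settings(os.path.join(root, "wp-config.php"))
    argv, env = mysqldump_command(cfg, os.path.join(backup_dir, "wp-db-%s.sql" % time.strftime("%Y%m%d")))
    if shutil.which("mysqldump"):          # skipped on a machine without MySQL
        subprocess.run(argv, env=env, check=True)
    print(backup_files(root, backup_dir))
    print("pruned:", rotate_backups(backup_dir))
```

Run it from cron once a day and point backup_dir somewhere outside the web root; the core WordPress files (wp-admin, wp-includes) are left out on purpose because they can always be reinstalled from a fresh download, and a restore from a clean copy is exactly what you want after a hack.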

Step 2: Keep Your Blog Up To Date

In fact I should probably have put this as the Number 1 task, because most of the hacked blogs I have seen were hacked because the owner failed to upgrade in time! The reasons for that failure can be many, but in the end they all lead to the same sad result: your blog is all screwed up by some idiot who got access to a script that does it for him!

Yep, once a vulnerability is discovered, many of the exploits are completely automated via scripts!

Considering that you now have the option to update your WordPress core and plugins with a single click of a button, it should become your duty to check that you are running the latest versions. Security issues can be introduced not just by the core but also by the plugins you have added to enhance functionality!

Also don’t forget to periodically check your theme developer’s site in case any security fixes have been released! Theme files are also PHP code and can be exploited! I personally prefer using more reputable coders/designers who write secure code from the get-go!

Step 3: Secure Your Current WordPress Blog

This especially applies to you IF you used the Fantastico installer for your WordPress blog! By default Fantastico leaves the database table prefix at the well-known default (wp_), which is exactly what the scripts that attempt SQL injections assume. I have previously written about it in a WordPress Security post that has become slightly outdated; this guide replaces it, but that post still explains much of my reasoning.

Several plugins come to your rescue in securing your blog, and you can simply choose which, if any, appeal to you:

  • WP Security Scan does a great job of identifying issues and helping you remediate them, educating you in the process. Consider this plugin your new friend; it has some great features planned to assist you even more in keeping your installation secure! And if you haven’t used a secure enough admin password yet, it will let you know! I like that it gives you the ability to change the database prefix and the admin username, but please be sure to visit the plugin author’s page, as some people report issues with those options! Take a fresh backup before you change either, since both rewrite your database.

Protecting your wp-admin directory, or at least securing the admin login, is what the next few plugins provide, and once again you can choose which, if any, are appropriate for you.

  • AskApache Password Protect plugin is a lot more than login protection. I would call it nothing less than a security suite, and version 4.7 (unreleased yet) promises even more protection. Just be sure to visit the plugin home page to get the latest scoop before you decide to use it!
  • Stealth Login plugin helps you hide the well-known login URL of your blog. That not only sheds most automated brute-force attempts but also lets you create an easy-to-remember login URL (keep in mind that a hidden URL is obscurity, not a substitute for a strong password). Because it uses URL rewriting, be sure it will not conflict with any existing plugins you have that do the same thing.
  • Semisecure Login Reimagined plugin goes deeper into securing your login by encrypting the password with RSA in the browser. It can be quite useful if you need to log in to your blog from public places, so that your password is not transmitted in clear text and caught by network sniffers. Note that it protects only the password itself: the cookie that keeps you logged in still travels in the clear unless the admin area is served over SSL.
  • User Locker plugin is last on the list and also one of my favorites, as it simply allows you to specify after how many invalid login attempts to lock the account. This effectively helps you fight brute-force password attacks! It is a great option when used in combination with a secure password. But beware that it means your blog login might have to be changed just because someone got upset with you and typed the admin password incorrectly a few times! The best way to avoid that scenario is to change the admin username to something else and then use an alias (display name) for publishing your posts!
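The last bullet describes a real trade-off of lockout plugins: if failed attempts are counted per username alone, anyone can lock the real admin out on purpose. The following is an added example, not the User Locker plugin’s code, that models a lockout counter both ways so you can see the difference; the class name LoginLocker, the limits MAX_ATTEMPTS and LOCKOUT_SECONDS, and the two sample IP addresses are this example’s own assumptions.

```python
"""Failed-login lockout, keyed either by username alone (the self-lockout problem)
or by username plus source address (added example; not any plugin's code)."""
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # failures allowed inside the window before locking
LOCKOUT_SECONDS = 15 * 60   # temporary lock: a permanent one just makes the DoS worse


class LoginLocker:
    def __init__(self, key_by_ip=True, now=time.time):
        # key_by_ip=False reproduces the behaviour the post warns about: five wrong
        # guesses at "admin" from ANYWHERE lock the real administrator out too.
        self.key_by_ip = key_by_ip
        self.now = now                      # injectable clock, handy for testing
        self.failures = defaultdict(list)   # key -> timestamps of recent failures

    def _key(self, username, ip):
        return (username.lower(), ip) if self.key_by_ip else username.lower()

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        cutoff = self.now() - LOCKOUT_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]  # expire old ones
        return len(self.failures[key]) >= MAX_ATTEMPTS

    def attempt(self, username, ip, password_ok):
        """Returns 'locked', 'ok' or 'failed'. A correct password is refused while locked,
        otherwise the lock would leak whether a guess was right."""
        if self.is_locked(username, ip):
            return "locked"
        key = self._key(username, ip)
        if password_ok:
            self.failures.pop(key, None)    # clean slate after a good login
            return "ok"
        self.failures[key].append(self.now())
        return "failed"


def demo(key_by_ip):
    """Constructed scenario: an attacker at 203.0.113.9 guesses the admin password
    wrong MAX_ATTEMPTS times, then the real admin logs in from 198.51.100.2 with the
    right password. Returns what the real admin gets back."""
    locker = LoginLocker(key_by_ip=key_by_ip)
    for _ in range(MAX_ATTEMPTS):
        locker.attempt("admin", "203.0.113.9", password_ok=False)
    return locker.attempt("admin", "198.51.100.2", password_ok=True)


if __name__ == "__main__":
    print("keyed by username only:", demo(key_by_ip=False))  # admin is locked out
    print("keyed by username + IP:", demo(key_by_ip=True))   # admin gets in
```

Keying on the source address closes the self-lockout hole but is weaker against a botnet spreading guesses across many addresses, which is why the post’s other advice (rename the admin account, use a strong password) still matters; the lock is a delay, not a replacement for either.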

There are many more plugins that will help you make your blog more secure, but my goal is to achieve a Practical Level Of Security!

Step 4: Monitor Your Blog Security

There are a couple of ways to exploit your blog:

  1. Modify your blog database via SQL injection or by gaining full control over it
  2. Access the file structure of your blog and do damage through the files

If you are doing database backups and protecting your administrative access properly, you should do quite well defending against number 1, as long as you also update frequently!

But the second one can still be a big problem! I have had one of my blogs hacked because someone gained access to a hosting account and was able to traverse the file structure and modify it at will. Worse yet, I have a very strong suspicion, backed by examination of my Apache access and error logs, that the attacker hacked someone else’s account on the same shared host where my site was located and gained access to my blog from there.

So how do you defend against that, right?!

Actually quite easily, using the plugin I will introduce next:

  • WordPress File Monitor by fellow Virginian Matt Walters does the job quite nicely! It functions like a “tripwire” intrusion detection system by monitoring your files for changes and notifying you about them in the WordPress admin dashboard and via email.

The plugin has several options to configure, the most important being…

  1. How to monitor? I recommend by file date, as it is less process-intensive on your server, although less secure: an attacker who resets a file’s modification time after editing it will go unnoticed, while a hash comparison catches the change.
  2. How often to scan? I specified 1 hour, simply because that is about as real-time as I want to get. Most hack fixes involve cleaning the files, usually by restoring them and securing the entry point. Knowing which files were modified makes that job a lot simpler!
  3. Exclusion rules. It is extremely important to exclude files that change frequently on your blog, such as cached files from the wp-super-cache plugin and any other plugin that stores frequently changing dynamic files inside your WordPress directory structure. The author has good instructions on how to define them, and using his default guidelines I was able to get a clean report after a couple of tries.
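To make the three options above concrete, here is an added example of the same tripwire idea as a stand-alone script (it is not the WordPress File Monitor plugin’s code). It supports both monitoring modes, honours an exclusion list for the cache directory, and runs a constructed intrusion against a sample tree to show what each mode reports. The baseline file location, EXCLUDE_DIRS, the sample site and the tampering steps are this example’s assumptions, not anything from the post.

```python
"""Tripwire-style change monitor for a WordPress tree (added example; not the plugin's
code). The baseline is a JSON file kept OUTSIDE the web root, so an intruder who can
edit your PHP files cannot quietly edit the baseline to match."""
import hashlib
import json
import os

EXCLUDE_DIRS = {"wp-content/cache"}   # wp-super-cache output; add any other churn here


def snapshot(wp_root, mode="hash", exclude=EXCLUDE_DIRS):
    """Map relative path -> fingerprint.
    mode="date": modification time only (cheap; what the post recommends).
    mode="hash": SHA-256 of the contents (costlier; cannot be fooled by `touch`)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(wp_root):
        rel_dir = os.path.relpath(dirpath, wp_root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        rel = lambda name: rel_dir + "/" + name if rel_dir else name
        dirnames[:] = [d for d in dirnames if rel(d) not in exclude]   # prune excluded dirs
        for name in filenames:
            path = os.path.join(dirpath, name)
            if mode == "date":
                snap[rel(name)] = str(os.stat(path).st_mtime_ns)
            else:
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                snap[rel(name)] = h.hexdigest()
    return snap


def compare(baseline, current):
    """Report added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(path, snap):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def make_sample_site(root):
    """Constructed stand-in for a WordPress tree so the monitor can be tried offline."""
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'blogdb');\n",
        "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?>\n",
        "wp-content/cache/page.html": "cached page\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root


def simulate_tamper(root):
    """Constructed intrusion: inject into the theme footer and put its mtime back
    (a common trick), drop a new PHP file into uploads, and let the cache churn."""
    footer = os.path.join(root, "wp-content/themes/demo/footer.php")
    st = os.stat(footer)
    with open(footer, "a") as f:
        f.write("<?php /* injected code would go here */ ?>\n")
    os.utime(footer, ns=(st.st_atime_ns, st.st_mtime_ns))   # hide the edit from mtime checks
    dropped = os.path.join(root, "wp-content/uploads/shell.php")
    os.makedirs(os.path.dirname(dropped), exist_ok=True)
    with open(dropped, "w") as f:
        f.write("<?php /* dropped backdoor */ ?>\n")
    with open(os.path.join(root, "wp-content/cache/page.html"), "w") as f:
        f.write("regenerated cache\n")      # excluded: must not show up in the report


def demo(root, mode):
    """Baseline a fresh sample site, tamper with it, and return the change report."""
    make_sample_site(root)
    baseline_file = root + "-baseline.json"   # beside, not inside, the monitored tree
    save_baseline(baseline_file, snapshot(root, mode))
    simulate_tamper(root)
    return compare(load_baseline(baseline_file), snapshot(root, mode))


if __name__ == "__main__":
    import tempfile
    for mode in ("date", "hash"):
        print(mode, demo(os.path.join(tempfile.mkdtemp(), "site"), mode))
```

Both modes flag the dropped shell.php, but only hash mode flags the edited footer, because the tamper step restored the file date; that is the “less secure” half of option 1 in practice. Whichever mode you run, keep the baseline (and ideally a copy of the report) off the host, and treat a clean run after you have just updated plugins as the moment to re-baseline, not before.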

And once you set up the plugin, you can enjoy the peace of mind that comes with a semi-secure installation of your WordPress blog. Right?

Wrong!

Step 5: Test Your WordPress Blog Security

Hey, we have come this far, no reason to stop now! Let’s do the final step and test just how well we did our work!

  • WP Scanner is a plugin and a service at the same time: the plugin validates that you are scanning your own blog, and then you use a web interface to test your blog’s security!

This is optional, of course, but you might be surprised by what you discover! So go ahead and do it! Now!

…..

Still reading? Great, because right about now you should feel good about yourself, as you have just accomplished a monumental task: you created a WordPress installation more secure than the vast majority of blogs out there while retaining Practical Accessibility!

And I think you deserve a bonus tip!

Bonus Tip: Maintain Your Blog

A phrase I heard somewhere, “cleanliness is next to godliness”, very much applies to your blog: it will run a heck of a lot better if you keep it nice and clean and the database optimized.

  • WP-Optimize plugin will help you do that! It allows you to remove post revisions, comments in the spam queue and unapproved comments within a few clicks. Additionally, you can rename any username to another username.

Now you deserve to rest!

If you do even half of the things I have specified above (and I don’t expect you to do them all), you will achieve that Practical WordPress Security level we strive for, in 5 simple steps.

Filed under WordPress

56 Responses to “5 Steps To Practical WordPress Security”

  1. Nico says:

    I would also like to add WordPress Database Backup to my blog. Although I am just starting my blog and it is not yet popular, I want to install this plugin as a precaution. Thanks for the steps you shared; I will keep them handy for my blog’s security. Thank you so much, because I’ve learned a lot from your blog and I enjoyed reading your informative and helpful posts.

  2. Sajid says:

    I will definitely check out all the plug-ins you recommended.

    thanks Alex for the tips.

  3. Latif says:

    It’s common for many people to not even realize they have been hacked. Thanks for sharing!

  4. Eddie says:

    Thanks Alex for the tips. I will definitely check out all the plugins you recommended!

  5. Ness says:

    Thanks for the tips. I installed WP Security Scan after reading this and must say it’s a great tool to tighten the security of your WordPress blog.

  6. Praveen says:

    Wow!!! Nice stuff buddy…
    Recently there was an attack on WordPress blogs by hackers. The saddest part is that the exploited security hole has not yet been identified.

    Dirty Attack Over Hundreds Of WordPress Blogs
    http://www.techpraveen.com/2010/04/dirty-attack-over-hundreds-of-wordpress.html

  7. Thomas says:

    Thanks Alex for very good article, spyware and viruses are very widely spread these days. Everybody needs to keep in mind that security is very important nowadays.

  8. farhan says:

    If you worry about your data being intercepted, then you could definitely use SSL. In case you don’t know what it is, SSL is a cryptographic protocol that secures communications over networks such as the Internet.

    Once you’ve checked that your web server can handle SSL, simply open your wp-config.php file (located at the root of your WordPress installation), and paste the following:

    define('FORCE_SSL_ADMIN', true); // serve wp-admin and the login page over HTTPS only

    Save the file, and you’re done!

    Visit my blog for more tweaks.

  9. Eric says:

    I’ve tried the WP-Optimize plugin on one of my blogs just for testing purposes, and now it’s a must-have plugin for all my blogs. Thanks for your recommendation Alex!

  10. Adam Palmer says:

    An excellent article. WordPress is actually one of those popular frameworks that seems to suffer from significantly fewer security flaws than some of the other boxed products out there. One of the biggest problems I see users creating with their WP setups is incorrect directory permissions.

  11. Scott says:

    Hey Alex, well, my blog has been hacked and hidden text placed in the background color, causing my site to go from a PR2 to gray-barred. These plugins are going to be extremely helpful in protecting everything, for the most part.

    I have no idea what to do about getting out of gray-barred status with Google, however. Any suggestions on that would be helpful. I am guessing it will take a while to get out of it, and I guess I just need to keep posting.

  12. TheSpotter says:

    Scott,

    Once you clean your blog – use Google webmaster tools to resubmit your blog for re-inclusion into Google index.

  13. Scott says:

    Appreciate it! The easier the better and it looks like this will help.

    Thanks.

  14. Scott says:

    In the 2.5 yrs I have been working with you, back when I bought the first release of your blogging product, not once have you let me down. That is rare in internet marketing these days and very appreciated. No wonder you have the following you have.

    Thanks again. What you gave me access to is going to give everything I need. I can’t imagine needing anything else.

  15. Scott says:

    Thanks Alex. Quick question: what plugins would you use to make this as easy a fix as possible? Thank God Google hasn’t completely stripped me from the search results, but it is showing it as more of a penalty, and I will resubmit.

    Am I better off with a plugin that masks the directories and a plugin that gives a second layer of password protection? Should that be sufficient? I am not a real techie and messing with directories and things like that.

    Thanks!

  16. TheSpotter says:

    http://www.howtospoter.com/web-20/wordpress/triple-p-of-total-wordpress-security <- Scott this is my quick fix :-) BTW, Lock Your Blog product mentioned at the end of the blog post is now free, digital version, I just haven't made it public knowledge:

    http://lockyourblog.com
