Triple “P” Of Total WordPress Security
WordPress security is one of the most overlooked aspects of blogging, be it blogging to make money or blogging for fun. And I don’t believe it is due to ignorance, but rather to wrong advice or sometimes even the wrong script used for blog installation!
And yet – WordPress security is one aspect that has the potential to damage your reputation, and possibly even lead to your blog being banned from search engine results!
Triple “P” Of WordPress Security Is A New Concept I Have Coined That Is Designed As A Complete Solution To WordPress Protection!
Based on personal experience gained through helping people recover their blogs, as well as dealing with my own sites being hacked, this concept delivers an end-to-end defense approach to those willing to follow it…
As I worked through the issues associated with compromised WordPress blogs, I discovered certain recurring patterns in how security was penetrated. In fact the majority of hacks don’t come from someone sitting in front of a computer actively trying to exploit your specific blog – Hacking Is Automated!
There are a couple of ways to stay ahead of the game:
- You can dedicate effort to stay current or…
- You can Design Security Into Your Blog
I like the second approach, as it helps me stay sane when I’m off on vacation in some remote location and simply don’t have the ability to upgrade as soon as a new version of WordPress is released.
While what I describe below is not 100% applicable to every blog, especially if you used Fantastico to install it, you can still make sure your installation is a LOT MORE secure against bots and worms.
Triple “P” Of WordPress Security
The idea behind the concept is to implement as many safeguards as needed without compromising the functionality of your blog or, what is even worse, its performance. The approach is separated into 3 stages as shown below:
I like a systematic approach as it ensures nothing important is missed…
Preemptive Security – First “P” or Stage 1
This stage consists of measures you take during installation and Preemptive Actions You Take to keep your blog secure! I’m an advocate of using either a manual blog install or one of the scripted solutions that provide you with secure automated blog installation, such as our own Expert WordPress.
1. Secure Blog Installation
Security should be ensured during your blog installation, and this is accomplished simply by making sure that the values in your wp-config.php are hard to guess. This will avoid a lot of MySQL injection attacks!
I have highlighted all the values in the image above that MUST be unique and hard to guess on each and every blog installed. Unfortunately the Fantastico installation creates those values easily guessable, and I have seen one third-party WordPress installation script that actually removes the 4 Auth keys provided by WordPress for the sake of simplicity of install.
They claim to have 15,000 and a growing number of “victims”, and all I can say to those people is – Read On! Stages 2 and 3 will be of utmost importance to you!
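To make the “hard to guess” requirement concrete, here is an added example (my own code, not from the post and not part of WordPress) that audits a wp-config.php as plain text. It flags authentication keys and salts that are missing, left at the sample placeholder, too short, or copy-pasted between constants, a short database password, and the default `wp_` table prefix; it also shows how to generate the kind of value that belongs there. The length thresholds and the sample configs are my own assumptions, constructed for the demonstration.

```python
"""Audit a wp-config.php for the easy-to-guess values the post warns about.

Added example, not code from the post or from WordPress itself. It reads the
config as plain text and flags: authentication keys/salts that are missing,
left at the sample placeholder, short, or reused; a short database password;
and the default 'wp_' table prefix. It also generates the kind of value that
should go there instead. Thresholds (32 / 12 chars) are assumptions.
"""
import re
import secrets
import string

# The eight secret constants WordPress expects in wp-config.php.
SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](\w*)['"]""")


def parse_config(text):
    """Return ({constant: value}, table_prefix_or_None) from wp-config.php text."""
    defines = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def audit_config(text, min_key_len=32, min_db_pass_len=12):
    """Return human-readable findings; an empty list means nothing obviously weak."""
    defines, prefix = parse_config(text)
    findings = []
    seen = {}  # value -> first constant that used it, to catch copy-pasted keys
    for name in SECRET_KEYS:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is missing")
        elif value.strip().lower() == PLACEHOLDER:
            findings.append(f"{name} is still the sample placeholder")
        elif len(value) < min_key_len:
            findings.append(f"{name} is too short ({len(value)} chars)")
        elif value in seen:
            findings.append(f"{name} reuses the value of {seen[value]}")
        else:
            seen[value] = name
    db_pass = defines.get("DB_PASSWORD", "")
    if len(db_pass) < min_db_pass_len:
        findings.append(f"DB_PASSWORD is too short ({len(db_pass)} chars)")
    if prefix in (None, "", "wp_"):
        findings.append("table prefix is missing or the default 'wp_'")
    return findings


def generate_secret(length=64):
    """Random printable value; alphabet avoids quotes and backslash so it is
    safe to paste inside a single-quoted PHP string."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.:;~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_config(db_password, table_prefix):
    """Build a minimal wp-config.php body with fresh, unique keys (constructed)."""
    lines = ["<?php", "define('DB_NAME', 'blogdb');", "define('DB_USER', 'bloguser');",
             f"define('DB_PASSWORD', '{db_password}');"]
    lines += [f"define('{name}', '{generate_secret()}');" for name in SECRET_KEYS]
    lines.append(f"$table_prefix = '{table_prefix}';")
    return "\n".join(lines) + "\n"


# Constructed sample resembling what a careless installer leaves behind:
# placeholders, a short salt, a reused salt, a missing salt, a weak DB password.
SAMPLE_WEAK = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'wpuser123');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'short');
define('SECURE_AUTH_SALT', 'abcdefghijklmnopqrstuvwxyz0123456789');
define('LOGGED_IN_SALT',   'abcdefghijklmnopqrstuvwxyz0123456789');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_WEAK):
        print("WEAK:", finding)
    print("fresh config findings:", audit_config(render_config("constructed-Long-Pass-1", "b7q_")))
```

Run it against your own wp-config.php with `audit_config(open("wp-config.php").read())`; anything it prints is a value to replace before you worry about plugins.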
2. Regular Backups
I like to use the WordPress Database Backup plugin, and we install it on all our customers’ blogs as it allows us to schedule backups to be emailed to us. I like to use a gmail.com account, as this way I can store all my blogs’ DB backups in one place and, if need be, restore each blog to the same state it was in the night before the hack.
Also, because SQL injection hacks are sometimes not discovered until later, I recommend you keep at least a month’s worth of backups, for incremental restore if needed! Time consuming, but it beats re-writing content!
Also, at the very least, you should each month download some of the files unique to your blog from your hosting account. Here are some of the more common ones:
- wp-content/ (directory)
Any other unique files you have must be backed up as well! This will allow you to recover the file system if it is compromised.
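The monthly file download above is easy to automate. Here is an added example of my own (not the WordPress Database Backup plugin and not code from the post) that archives a directory such as wp-content/ into a timestamped .tar.gz, keeps a month’s worth of archives as the post recommends, and lists an archive’s contents so you can confirm what a restore would put back. The database dump is left to the plugin; this covers the file-system side. The folder layout and file names in the demo are constructed.

```python
"""Monthly file-system backup with a month's retention.

Added example, not the WordPress Database Backup plugin and not code from the
post. It archives a directory (e.g. wp-content/) into a timestamped .tar.gz
under a backup folder, prunes archives older than `keep_days`, and lists an
archive's members so you can check a backup before relying on it.
"""
import os
import tarfile
import tempfile
import time
from pathlib import Path


def make_archive(src_dir, backup_dir, when=None):
    """Create backup_dir/<srcname>-YYYYmmdd-HHMMSS.tar.gz from src_dir; return its path."""
    src, dest = Path(src_dir), Path(backup_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(time.time() if when is None else when))
    archive = dest / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)  # keep the folder name so it restores in place
    return archive


def prune_archives(backup_dir, keep_days=30, now=None):
    """Delete archives older than keep_days (by mtime); return the removed paths."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    removed = []
    for path in sorted(Path(backup_dir).glob("*.tar.gz")):
        if path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path)
    return removed


def list_archive(archive):
    """Return sorted member names; check this before trusting a backup for restore."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def demo():
    """Run one backup cycle in a throwaway directory with constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "wp-content"
        (site / "themes" / "mytheme").mkdir(parents=True)
        (site / "themes" / "mytheme" / "style.css").write_text("/* constructed theme */\n")
        (site / "plugins").mkdir()
        (site / "plugins" / "hello.php").write_text("<?php // constructed plugin\n")
        backups = root / "backups"
        backups.mkdir()
        # A stale archive dated 45 days ago that the retention rule should remove.
        stale = backups / "wp-content-old.tar.gz"
        stale.write_bytes(b"")
        old = time.time() - 45 * 86400
        os.utime(stale, (old, old))

        fresh = make_archive(site, backups)
        removed = prune_archives(backups, keep_days=30)
        return {
            "members": list_archive(fresh),
            "removed": [p.name for p in removed],
            "remaining": sorted(p.name for p in backups.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host you would point `make_archive` at the blog’s wp-content/ and the backup folder at somewhere outside the web root, then run it from cron or by hand once a month; `prune_archives` keeps the folder from growing forever while retaining the month the post asks for.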
3. Timely Upgrades
While you might not have instant access to upgrade your blog to the latest version, you should do it as soon as the opportunity presents itself! And since the ability to upgrade your plugins and WordPress core is now provided to you with one-click simplicity – you should do it!
Preventive Security – Second “P” or Stage 2
This stage will be especially useful if you installed your blog using Fantastico, or were lured by a promise of functionality and got yourself a blog, or a few of them, using some other tool.
In this stage we will be working on creating a Defense Perimeter Around Your Blog to stop the most common attacks.
1. Comment SPAM Defense
I consider comment spam a primitive form of hack attack that comes from automated SPAM bots (easily killed) and lately, often, from manual submission. And here is why…
Consider this fact – the last few hack attacks against blogs were not designed to destroy your blog but rather to take control of it without you knowing about it, and inject links into your theme files or blog content pointing to the sites they are trying to push, most often not family-friendly sites.
When a comment spammer leaves a comment on your blog with a link to a similar site – to me it is simply a primitive form of hack attack and I treat it as such! I have described my own fights against comment spam multiple times on this blog, but now I use the following plugins for protection:
- Akismet, due to its superb support that I can rely on
- AntiSpam Bee – this one works together with or instead of Akismet, and is one of the best I have tried for functionality + compatibility
2. Brute Force Password Hack Attack
By default WordPress allows you to try to log in as many times as you like until you manage to remember the correct password. Excellent for functionality – not so much for security!
Since most people use “admin” for the administrative account, an attacker can run a script against your blog login to keep guessing the administrative password until he succeeds.
Yes, you can prevent this attack to some extent by renaming the administrative account, or by creating a new account with administrator privileges and deleting the default one – but what if you already have a lot of posts under that account?
- The Limit Login Attempts plugin is a solution I have tested myself and can highly recommend. I know there are others similar in functionality, but this one worked for me, hence the recommendation. The idea is very simple – try to log in too many times and your IP will be blocked. The default settings it comes with will work just fine for most!
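To show what “try to log in too many times and your IP will be blocked” means in code, here is an added example of my own, not the plugin’s code and not from the post. It models the plugin’s idea: failed logins are counted per client address within a sliding window, reaching the limit locks that address out for a while, a successful login clears the count, and while locked the credentials are not even evaluated. The thresholds, the `check_password` stand-in and the 203.0.113.7 address are constructed assumptions; the time is passed in explicitly so the behaviour can be exercised without waiting.

```python
"""Login rate limiter in the spirit of the Limit Login Attempts plugin.

Added example, not the plugin's code. Failed logins are counted per client IP
inside a sliding window; once the count reaches max_attempts the IP is locked
out for lockout_seconds. Successful logins clear the counter. The default
numbers are my own assumptions, not necessarily the plugin's. `now` is
injected (epoch seconds) so the logic can be tested without sleeping.
"""
import hmac
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, max_attempts=4, window_seconds=12 * 3600, lockout_seconds=20 * 60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> epoch seconds when lockout ends

    def _expire(self, ip, now):
        """Drop failures older than the window so old mistakes do not count forever."""
        queue = self._failures[ip]
        while queue and now - queue[0] > self.window:
            queue.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]  # lockout expired
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; return True if the IP is now locked out."""
        if self.is_locked(ip, now):
            return True
        self._expire(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            self._failures[ip].clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)


def attempt_login(limiter, ip, username, password, check_password, now):
    """Gate a credential check behind the limiter.

    Returns 'locked', 'ok' or 'failed'. check_password(username, password) is
    the real verification (WordPress's own in practice); it is skipped entirely
    while the address is locked, so guessing yields no signal during lockout.
    """
    if limiter.is_locked(ip, now):
        return "locked"
    if check_password(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, now)
    return "failed"


def demo():
    """Three wrong passwords lock the address out; a correct one after the
    lockout expires gets through. Returns the sequence of outcomes."""
    limiter = LoginLimiter(max_attempts=3, lockout_seconds=60)
    secret = "correct horse battery staple"  # constructed stand-in password

    def check(username, password):  # constructed stand-in for the real check
        return username == "editor" and hmac.compare_digest(password, secret)

    ip = "203.0.113.7"  # documentation address, constructed
    outcomes = [attempt_login(limiter, ip, "editor", f"guess{i}", check, now=float(i))
                for i in range(3)]
    outcomes.append(attempt_login(limiter, ip, "editor", secret, check, now=3.0))   # locked
    outcomes.append(attempt_login(limiter, ip, "editor", secret, check, now=62.0))  # ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points worth copying from the plugin: the lockout is keyed on the source address rather than the username, so guessing against “admin” from one machine is throttled regardless of which account it targets, and the window expires old failures so a legitimate user who mistyped last week is not penalised today.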
3. File System Protection
This one is designed to help you protect yourself against an attack through your hosting account. Basically an attacker can hack someone’s account on the shared hosting server where your site is, and then slowly take control over the sites hosted there – including yours!
I fell victim to this type of attack, although my host never admitted it!
Since then I have used and highly recommend the WordPress File Monitor plugin. Its functionality is simple and yet very effective – it monitors the files on your hosting account and notifies you when files are changed. Notifications are delivered to your blog admin dashboard and to the email address you give.
Not only can you learn nearly in real time when your files are compromised, but also which files will need to be restored to fix the problem!
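Here is how the kind of monitoring the plugin does works under the hood, as an added example of my own (not the WordPress File Monitor plugin’s code and not from the post). It records a baseline of SHA-256 hashes for every file under the blog root, compares a later scan against it, and reports exactly which paths were added, removed or modified, which is the list of files to restore. The excluded folders, the constructed blog tree and the tampering simulated in the demo are my own assumptions.

```python
"""File-change monitor in the spirit of the WordPress File Monitor plugin.

Added example, not the plugin's code. It records a baseline of SHA-256 hashes
for every file under the blog root, compares a fresh scan against it and
reports added, removed and modified paths. An unexpected new PHP file shows up
as 'added'; a theme file with extra content stuffed into it shows up as
'modified'. The excluded folders below are an assumption; adjust per site.
"""
import hashlib
import json
import tempfile
from pathlib import Path

DEFAULT_EXCLUDES = ("wp-content/cache", "wp-content/uploads")  # noisy, legitimately churning


def hash_file(path, chunk=65536):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, exclude=DEFAULT_EXCLUDES):
    """Map 'relative/path' -> sha256 for every regular file under root."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == ex or rel.startswith(ex + "/") for ex in exclude):
            continue
        snapshot[rel] = hash_file(path)
    return snapshot


def save_baseline(snapshot, baseline_file):
    """Persist the baseline; keep it outside the web root so it is not scanned or served."""
    Path(baseline_file).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def diff_snapshots(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]} of relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def format_report(diff):
    """Plain-text body for the email/dashboard notification the post describes."""
    lines = [f"{kind.upper():9s} {rel}" for kind in ("added", "modified", "removed")
             for rel in diff[kind]]
    return "\n".join(lines) if lines else "No changes since baseline."


def demo():
    """Baseline a constructed blog tree, alter it, and return the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        theme = site / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (site / "wp-content" / "cache").mkdir()
        (site / "wp-content" / "cache" / "page.html").write_text("cached\n")
        baseline_file = Path(tmp) / "baseline.json"  # outside the site root
        save_baseline(scan_tree(site), baseline_file)

        # Simulate the tampering the post describes: extra content in a theme
        # file and a new unexpected file. The cache change must stay invisible.
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n<!-- unexpected addition -->\n")
        (theme / "x.php").write_text("<?php // unexpected new file\n")
        (site / "wp-content" / "cache" / "page.html").write_text("changed but excluded\n")

        return diff_snapshots(load_baseline(baseline_file), scan_tree(site))


if __name__ == "__main__":
    print(format_report(demo()))
```

Run `scan_tree` once right after a clean install or a verified restore to take the baseline, then from cron as often as you like; whatever `format_report` lists is both your alert and your restore checklist. Re-take the baseline after every legitimate upgrade so the next report is quiet again.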
Huge Time Saver!
I know there are many more plugins to help you protect even more, and I describe many of them in my post 5 Steps To Practical WordPress Security, but here I want to help you create a solid Defense Perimeter against attacks while still retaining simple functionality!
Post-Mortem Security – Third “P” or Stage 3
This is one you hopefully will never have to deal with. But I do believe in being ready, and I do my best to teach my customers to do the same!
This step, or rather its execution, can mean the difference between your blog being restored in a matter of hours or days, if ever, as it will depend on your hosting support and how well they do backups for you! You will discover that many hosts don’t!
There are really only 3 things in this stage:
- Have a backup handy! Assuming you have followed my advice in Stage 1, it is not a problem and you are all set!
- KNOW how to use it! Knowledge is power, and knowing how to restore your blog, not theoretically but having actually done it, can pay dividends when the time comes! If you are afraid to do it on your production blog, which is fully understandable, I recommend you install a test blog into a sub-folder and go through the entire process! You can thank me later!
- Secure Your Hosting! Even if your blog was compromised via SQL injection, you would want to change your cPanel password, and I actually recommend creating a new database user with a new password, assigning it to your blog database and then changing wp-config.php accordingly. Simply delete the old DB user after that to make sure that your database access is restored to a secure level.
Conclusion And Additional Reading
I don’t believe absolute security of your blog can be accomplished, or that it even exists, and anyone promising you that is simply misleading you! But I also believe that we should take at least some basic precautions to protect our blogs, to avoid being exploited by “script kiddies” who got their hands on the latest “hack script”.
The level of protection you choose is really up to you, and the plugins I have listed in this post are only designed to give you a solid level of protection through a staged approach without impacting your blog’s functionality. There are some superb security guides available for WordPress, and if you are willing to extend your horizons – dig in!
- 11 Best Ways to Improve WordPress Security
- A Common-Sense WordPress Security Primer
- 10 Steps To Protect The Admin Area In WordPress
- WordPress Security and How I’m Going to Take All Your Money
Need Additional, Visual Guidance?