Alex Sysoef

Triple “P” Of Total WordPress Security

WordPress security is one of the most overlooked aspects of blogging, whether you blog to make money or for fun. And I don’t believe it is due to ignorance; more often it is due to wrong advice, or sometimes even the wrong script being used to install the blog!

And yet, WordPress security is one aspect that has the potential to damage your reputation and possibly even get your blog dropped from search engine results!

Triple “P” of WordPress Security is a new concept I have coined, designed as a complete solution to WordPress protection!

Based on personal experience gained helping people recover their blogs, as well as dealing with my own sites being hacked, this concept delivers an end-to-end defense approach to those willing to follow it…

As I worked through the issues associated with compromised WordPress blogs, I discovered recurring patterns in how their security was breached. In fact, the majority of hacks do not come from someone sitting in front of a computer and actively trying to exploit your specific blog. Hacking is automated!

There are a couple of ways to deal with staying ahead of the game:

  • You can dedicate effort to staying current, or…
  • You can design security into your blog

I like the second approach, as it helps me stay sane when I’m off on vacation in some remote location and simply cannot upgrade the moment a new version of WordPress is released.

While what I describe below is not 100% applicable to every blog, especially if you used Fantastico to install it, you can still make your installation a LOT MORE secure against bots and worms.

Triple “P” Of WordPress Security

The idea behind the concept is to implement as many safeguards as needed without compromising the functionality of your blog or, even worse, its performance. The approach is separated into 3 stages, as shown below:

[Figure: the three stages of Triple “P” WordPress security: Preemptive, Preventive and Post-Mortem]

I like a systematic approach, as it ensures nothing important is missed…

Preemptive Security – First “P” or Stage 1

This stage consists of the measures you take during installation and the preemptive actions you take to keep your blog secure! I’m an advocate of using either a manual blog install or one of the scripted solutions that provide a secure automated blog installation, such as our own Expert WordPress.

1. Secure Blog Installation

Security should be built in during your blog installation, and that is accomplished simply by making sure the values in your wp-config.php are unique and hard to guess: the database user name and password, and the authentication keys (and, in later WordPress versions, the matching salts). The keys and salts are what WordPress uses to sign its login cookies, so an attacker who has guessed them (and has a copy of your users table, say from a SQL injection or a leaked backup) can forge login cookies instead of having to crack a password. A weak database password lets anyone who can reach MySQL, for example from another account on the same shared host, read or rewrite your content directly. Note that these values do not stop a SQL injection in a vulnerable plugin; what they do is limit what an attacker gains from guessing, and from a database dump if one is obtained.

[Image: wp-config.php with the values that must be unique highlighted]

I have highlighted in the image above all the values that MUST be unique and hard to guess on each and every blog you install. Unfortunately, a Fantastico installation leaves those values easily guessable, and I have seen one third-party WordPress installation script that actually removes the 4 authentication keys WordPress provides, for the sake of a simpler install.

They claim 15,000 “victims” and counting, and all I can say to those people is: read on! Stages 2 and 3 will be of utmost importance to you!
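As an added example (my own code, not from the post, Fantastico or Expert WordPress), here is a small audit script for the points above. It parses the define() lines of a wp-config.php, flags the installer placeholder phrase, short or duplicated keys, missing keys or salts, a short database password, a root database user and the default wp_ table prefix (the prefix check and the length thresholds are my own additions), and can rotate the keys and salts with fresh random values. The eight constant names are the ones WordPress reads; the sample config is constructed.

```python
import re
import secrets

# The four keys the post refers to, plus the four salts later WordPress releases
# added alongside them. WordPress mixes these into the HMAC that signs login cookies.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"   # shipped in wp-config-sample.php
MIN_SECRET_LEN = 32         # assumption: anything shorter is treated as weak
MIN_DB_PASSWORD_LEN = 16    # assumption

# define('NAME', 'value');  with either quote style
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(\w+)\1\s*;""")

# Printable ASCII that is safe inside a PHP single-quoted string (no ' " or \).
SECRET_ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")


def parse_defines(config_text):
    """Map every define('X', 'y'); in wp-config.php to {'X': 'y'}."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}


def audit_config(config_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    defines = parse_defines(config_text)
    findings = []
    seen = {}  # secret value -> first constant that used it
    for const in WP_SECRET_CONSTANTS:
        value = defines.get(const)
        if value is None:
            findings.append(f"{const}: not defined (WordPress then keeps the secret in the "
                            f"database, where a SQL injection can read it)")
            continue
        if PLACEHOLDER in value:
            findings.append(f"{const}: still the installer placeholder")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{const}: only {len(value)} characters long")
        if value in seen:
            findings.append(f"{const}: identical to {seen[value]}")
        else:
            seen[value] = const
    password = defines.get("DB_PASSWORD", "")
    if len(password) < MIN_DB_PASSWORD_LEN:
        findings.append(f"DB_PASSWORD: only {len(password)} characters long")
    if defines.get("DB_USER") == "root":
        findings.append("DB_USER: the blog runs as the MySQL root account")
    prefix = PREFIX_RE.search(config_text)
    if prefix and prefix.group(2) == "wp_":
        findings.append("$table_prefix: default 'wp_' (every attack script tries this first)")
    return findings


def generate_secret(length=64):
    """Cryptographically random secret that can be pasted into a single-quoted PHP string."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def rotate_secrets(config_text):
    """Strip every existing key/salt define() and append a fresh, mutually distinct set.

    Rotating them invalidates every login cookie, which is what you want after a compromise."""
    kept = [line for line in config_text.splitlines()
            if not any(f"'{c}'" in line or f'"{c}"' in line for c in WP_SECRET_CONSTANTS)]
    fresh = [f"define('{c}', '{generate_secret()}');" for c in WP_SECRET_CONSTANTS]
    return "\n".join(kept + fresh) + "\n"


# Constructed sample: what a careless installer leaves behind.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wp_blog');
define('DB_USER', 'root');
define('DB_PASSWORD', 'blog123');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print(rotate_secrets(WEAK_CONFIG))
```

Run it against a copy of your own wp-config.php (never edit the live file blindly; paste the fresh define() lines in yourself), and keep in mind that rotating the keys logs every user out, including you.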

2. Regular Backups

I like to use the WordPress Database Backup plugin, and we install it on all our customers’ blogs, as it allows us to schedule backups to be emailed to us. I use a gmail.com account for this so that all my blogs’ DB backups are stored in one place and, if need be, I can restore each blog to the state it was in the night before the hack. Keep in mind that those dumps contain your users’ password hashes and every draft and private post, so the mailbox receiving them needs a strong, unique password of its own.

Also, because SQL injection hacks are sometimes not discovered until much later, I recommend keeping at least a month’s worth of backups so you can step back through them until you find a clean copy. Time consuming, but it beats rewriting content!

Also, at the very least, you should download once a month the files that are unique to your blog from your hosting account. Here are the most common ones:

  • wp-content/ (directory)
  • wp-config.php
  • .htaccess
  • sitemap.xml
  • sitemap.xml.gz

Any other unique files you have must be backed up as well! This will allow you to recover the file system if it is compromised.

3. Timely Upgrades

While you might not have instant access to upgrade your blog to the latest version, you should do it as soon as the opportunity presents itself! And since upgrading your plugins and WordPress core is now available to you with one-click simplicity, you should do it!

Preventive Security – Second “P” or Stage 2

This stage will be especially useful if you installed your blog using Fantastico, or were won over by a promise of functionality and got yourself a blog, or a few of them, using some other tool.

In this stage we will be creating a defense perimeter around your blog to stop the most common attacks.

1. Comment SPAM Defense

I consider comment spam a primitive form of hack attack. It comes from automated SPAM bots, which are easily killed, and lately often from manual submission. And here is why…

Consider this fact: the last few waves of hack attacks against blogs were not designed to destroy your blog but rather to take control of it without you knowing about it and inject links into your theme files or blog content, pointing to the sites they are trying to push, most often not family-friendly ones.

When a comment spammer leaves a comment on your blog with a link to a similar site, to me it is simply a primitive form of hack attack, and I treat it as such! I have described my own fights against comment spam multiple times on this blog, but now I use the following plugins for protection:

  1. Akismet, due to its superb support that I can rely on
  2. AntiSpam Bee, which works together with or instead of Akismet and is one of the best I have tried for functionality and compatibility

2. Brute Force Password Hack Attack

By default, WordPress allows you to try to log in as many times as you like until you manage to remember the correct password. Excellent for functionality, not so much for security!

Since most people use “admin” for the administrative account, an attacker already knows the user name and can run a script against your blog’s login page, guessing the administrative password until he succeeds.

Yes, you can prevent this attack to some extent by renaming the administrative account, or by creating a new account with administrator privileges and deleting the default one. But what if you already have a lot of posts under that account? (WordPress does offer to attribute those posts to another user when you delete the account, so this is less of an obstacle than it looks.)

  • Limit Login Attempts plugin is a solution I have tested myself and can highly recommend. I know there are others with similar functionality, but this one worked for me, hence the recommendation. The idea is very simple: try to log in too many times and your IP is blocked. The default settings it comes with will work just fine for most!
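To show what a rule like the plugin’s actually catches, here is an added example (my own code, not the plugin’s) that replays constructed web-server access log lines and applies the same idea: four failed POSTs to wp-login.php from one IP inside twenty minutes trigger a lockout, and a successful login from an IP that is over the threshold is flagged separately, because that is the sign a password was guessed rather than mistyped. The thresholds and the sample log are assumptions; the status-code logic relies on WordPress answering a wrong password with a 200 (the form is re-rendered) and a successful login with a 302 redirect into wp-admin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip - user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds; pick values that match what you configure in the plugin.
MAX_FAILURES = 4
WINDOW = timedelta(minutes=20)


def parse_login_event(line):
    """Return (ip, time, failed) for a POST to wp-login.php, else None.

    A wrong password gets the login form back with HTTP 200; a correct one gets a 302."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status = m.groups()
    if method != "POST" or not path.startswith("/wp-login.php"):
        return None
    when = datetime.strptime(stamp, TIME_FMT)
    return ip, when, status == "200"


def detect_brute_force(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay the log in order and return (lockouts, suspicious_logins).

    lockouts: {ip: time of the failure that crossed the threshold}
    suspicious_logins: [(ip, time)] for successful logins from an IP that was at or
    above the threshold inside the window, i.e. the password was probably guessed."""
    recent = defaultdict(deque)   # ip -> times of failures still inside the window
    lockouts = {}
    suspicious = []
    for line in lines:
        event = parse_login_event(line)
        if event is None:
            continue
        ip, when, failed = event
        q = recent[ip]
        while q and q[0] < when - window:   # expire failures that fell out of the window
            q.popleft()
        if failed:
            q.append(when)
            if len(q) >= max_failures and ip not in lockouts:
                lockouts[ip] = when
        elif len(q) >= max_failures:
            suspicious.append((ip, when))
    return lockouts, suspicious


# Constructed sample log: one scripted attack (six failures, then a success)
# and one legitimate user who mistypes once.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2010:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2010:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2010:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2010:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2010:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2010:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2010:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2010:08:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2010:08:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2010:08:02:32 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    lockouts, suspicious = detect_brute_force(SAMPLE_LOG.splitlines())
    for ip, when in lockouts.items():
        print(f"lockout  {ip} at {when:%H:%M:%S}")
    for ip, when in suspicious:
        print(f"SUSPECT  {ip} logged in at {when:%H:%M:%S} after {MAX_FAILURES}+ failures")
```

The second list is the one to act on even when the plugin is installed: a lockout stops the script, but a success after a burst of failures means the guessing worked and that account’s password has to change now.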

3. File System Protection

This one is designed to help you protect yourself against an attack that comes through your hosting account. Basically, an attacker can hack someone’s account on the shared hosting server where your site lives and then slowly take control of the sites hosted there, including yours!

I fell victim to this type of attack, although my host never admitted it!

Since then I have used and highly recommend the WordPress File Monitor plugin. Its functionality is simple and yet very effective: it monitors the files in your hosting account and notifies you when files are changed. Notifications are delivered to your blog admin dashboard and to the email address you give it.

Not only can you learn nearly in real time when your files are compromised, but also which files need to be restored to fix the problem!

Huge Time Saver!
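Here is an added example (my own code, not the plugin’s) of the core of such a monitor: a SHA-256 snapshot of every file under the blog root, a diff against a saved baseline, and a short high-risk filter for the changes this post warns about, an edited theme file, a PHP file appearing under uploads, a deleted .htaccess. The demo builds a throwaway blog tree in a temporary directory and tampers with it, so all paths and file contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Paths that appeared, disappeared, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def high_risk(changes):
    """Subset worth paging on: PHP under uploads, theme edits, wp-config/.htaccess changes."""
    flagged = set()
    for p in changes["added"] + changes["modified"] + changes["removed"]:
        low = p.lower()
        if low.startswith("wp-content/uploads/") and low.endswith(".php"):
            flagged.add(p)        # uploads should never contain executable code
        elif low.startswith("wp-content/themes/") or low in ("wp-config.php", ".htaccess"):
            flagged.add(p)
    return sorted(flagged)


def demo():
    """Constructed scenario: baseline a fake blog, then simulate the link injection
    the post describes plus a backdoor dropped into uploads and a deleted .htaccess."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'blog');\n",
            ".htaccess": "RewriteEngine On\n",
            "wp-content/themes/default/footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
            "wp-content/uploads/2010/01/photo.jpg": "JFIF-placeholder",
        }
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        # In real use, write this somewhere the web server account cannot modify it.
        baseline_json = json.dumps(snapshot(root))

        # Attacker: hidden spam link in the theme, PHP file in uploads, .htaccess removed.
        footer = root / "wp-content/themes/default/footer.php"
        footer.write_text(footer.read_text().replace(
            "</body>", '<div style="display:none"><a href="http://example.com/">x</a></div></body>'))
        (root / "wp-content/uploads/2010/01/img.php").write_text("<?php /* backdoor placeholder */ ?>")
        (root / ".htaccess").unlink()

        changes = diff_snapshots(json.loads(baseline_json), snapshot(root))
        return changes, high_risk(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind:9} {p}")
    print("high risk:", flagged)
```

Two points the demo only hints at: run the snapshot from cron and compare against a baseline stored outside the web root (or off the server), since an attacker with write access to wp-content can just as easily rewrite a baseline kept next to it; and refresh the baseline only after you have upgraded or edited files yourself, so the next diff shows nothing but the attacker’s work.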

I know there are many more plugins that can help you protect even more, and I describe many of them in my post 5 Steps To Practical WordPress Security, but here I want to help you create a solid defense perimeter against attacks while still retaining simple functionality!

Post-Mortem Security – Third “P” or Stage 3

This is the one you hopefully will never have to deal with. But I do believe in being ready, and I do my best to teach my customers to do the same!

This step, or rather its execution, can mean the difference between your blog being restored in a matter of hours or in a matter of days, if ever, because without it you depend on your hosting support and how well they do backups for you! You will discover that many hosts don’t!

There are really only 3 things in this stage:

  1. Have a backup handy! Assuming you have followed my advice in Stage 1, this is not a problem and you are all set!
  2. KNOW how to use it! Knowledge is power, and knowing how to restore your blog, not theoretically but having actually done it, pays dividends when the time comes! If you are afraid to do it on your production blog, which is fully understandable, I recommend you install a test blog in a sub-folder and go through the entire process! You can thank me later!
  3. Secure your hosting! Even if your blog was compromised via SQL injection, you will want to change your cPanel password, and I actually recommend creating a new database user with a new password, assigning it to your blog’s database, and then changing wp-config.php accordingly. Simply delete the old DB user after that to make sure your database access is restored to a secure level. Change the WordPress user passwords and the authentication keys in wp-config.php at the same time: an attacker who read the database has your password hashes, and anyone holding a stolen login cookie stays logged in until the keys change.

Conclusion And Additional Reading

I don’t believe absolute security of your blog can be accomplished, or that it even exists, and anyone promising you that is simply misleading you! But I also believe that we should take at least some basic precautions to protect our blogs and avoid being exploited by “script kiddies” who got their hands on the latest “hack script”.

The level of protection you choose is really up to you, and the plugins I have listed in this post are only designed to give you a solid level of protection through a staged approach without impacting your blog’s functionality. There are some superb security guides available for WordPress, and if you are willing to extend your horizons, dig in!

Need Additional, Visual Guidance?

Get FREE DVD – Lock Your Blog! FREE Access to The Ultimate Step-By-Step Video Guide To WordPress Security!


About The Blog Author

Alex Sysoef is an IT Consultant, Internet Marketer and ProBlogger who shares his passion and knowledge of WordPress, SEO, Social Media and traffic strategies on his blog WordPress Howto Spotter. Connect on Twitter or Facebook

116 Responses to “Triple “P” Of Total WordPress Security”

  1. Stephen says:

    Till now I have been just using some plug-ins to secure my blog. But this post is an eye opener. Thanks for that elaborated and informative blog post.
    .-= Stephen´s last blog ..Here are the Online Survey Companies where you can earn decent part time money =-.

  2. leo says:

    Tips for increasing brand awareness for your website using Twitter. Alex Sysoef presents: Triple “P” Of Total WordPress Security posted at WordPress Howto Spotter. WordPress security is one of the most overlooked aspects of [...]

  3. Kim Ramsey says:

    You’ve made an absolutely useful list for WordPress security. I’ve read before about someone who got hacked. Unfortunately, all his hard work was gone. It’s all because his WP lacked security. This must be the #1 priority, no matter what.

  4. John says:

    Thanks for the excellent post Alex. I generally try to keep preventative measures in mind when setting up a WP installation, but as you clearly and correctly point out, nowadays, it just isn’t enough.

    I’ve bookmarked this post to make sure I go through the check list for each new install I do. Excellent stuff… keep on keepin on;-)

    All the best,

    John Saxon
    How to cure anxiety
    .-= John´s last blog ..Anxiety Stopping Exercises =-.

  5. lewis says:

    Great information. I like some of those. Even though I’m not a very experienced blogger, I must say that I know some people who were hacked (or cracked, as some say), and there is nothing pleasant about it.

  6. BloggerDaily says:

    One of my blogs was hacked a few months ago and it was the worst nightmare I ever had! Yes, you’re right. The hackers are not out to destroy the blog; they slowly take it over and control it from the inside.

    I’ll try the given steps above. Thanks a lot!
    .-= BloggerDaily´s last blog ..5 Tips for Writing Hot Article =-.

  7. Chris Fox says:

    Wow. Didn’t even think about security to be honest. Thanks for the eye opener. Is there anywhere left that is safe nowadays??
    .-= Chris Fox´s last blog ..Google Terminator Review =-.

  8. Darni says:

    I think I have overlooked the security of my WordPress for a long time. I don’t even have a backup plan. It is very dangerous when I think about it now. I will soon start my backup plan by using the DB-backup plugin.

  9. herretoej says:

    I work on a couple of WordPress sites and never came across this type of stuff. Your post will be really useful for me in many ways. I learned from your post that starting a blog is not the issue; running it successfully without any problems is what matters.

  10. Moshik says:

    Thanks for sharing information about how to protect a blog. I had heard about this in the past but was not aware of what exactly should be done to protect the blog.
    So thanks again.

  11. topanz says:

    Nice info for me.. but if I do a manual WordPress installation, where can I get my secret key?
    .-= topanz´s last blog ..Berapa Banyak Uang Yang Anda Keluarkan Untuk Hosting? =-.

  12. Curtis N says:

    Thanks for the info! I have recently made some security changes to my site that, like you mentioned above, Fantastico doesn’t do a good enough job with. But there were a few things in your post that I found I left out, so I’ve got some work to do!
    .-= Curtis N´s last blog ..Survey Program Reviews | Are Survey Programs Necessary? =-.

    • TheSpotter says:

      Please do share.

      I’m sure people would love to know what else can be done. Although my goal was to create not a fortress but a comprehensive level of security for the blog without impacting functionality.

  13. Zubair khan says:

    Yeah, thanks for the post, it’s really good and a precious one, but someone is right: it is important to share what can help people protect their blogs against the idiots. I am new to this site and hope to continue…. thanks!

  14. Ceryn says:

    A good trick.
    I add extra security by implementing SSL.
    .-= Ceryn´s last blog ..Simplicity Is Most Important Thing In Forex Trading =-.

  15. Keith Davis says:

    Hi Alex
    Thanks for the security reminder…. we all get lazy and concentrate on posts at the expense of security.
    Also some good tips from your commenters.

    An obvious one you mention is “Cpanel password” – obvious but for me a neglected one.
    A job for later today.

    Happy 2010.
    .-= Keith Davis´s last blog ..Ooh la la… =-.

