alex sysoef

WordPress Security

WordPress Security is becoming a very popular topic lately, but that is only natural. As a platform becomes popular and widely adopted, it becomes a nice target for “crackers”. What makes matters worse is the constant and aggressive upgrade cycle chosen by the developers and no simple way to keep up with them… almost (more on that later).

The upgrades that define the very innovative nature of WordPress blogs are also the culprit behind its security problems! They are what prevents the platform from becoming truly mainstream and keeps it within the “geeky” realm.

  • Reality is – Most People Just Want A Platform They Can Use To Publish!

Upgrades are seen by many bloggers as an annoyance, ignored on many occasions, and as a result their blogs get hacked! In this post I want to discuss some of the WordPress security measures available to you and how to take advantage of them!

But before I even begin talking about security, I want to make my case AGAINST Fantastico installation. While it will work fine for most people and simplifies the process, it leaves you more open to attacks. Here is why:

  • Every Fantastico install creates a database named in the format yourusername_wrdp1 (replace 1 with 2, 3, etc., a number that increases with each subsequent install). It can be guessed.
  • Fantastico, at this point, creates ALL database tables with the same prefix: “wp_”. SQL injection attacks rely on guessing your table prefix, and leaving it at the default leaves you exposed to those problems. Unfortunately, with Fantastico you have no easy way of changing it.

If you think you can easily live with those, go ahead and continue to use Fantastico; what do I know, right?!

WordPress Security Measures Currently Available to You

  • First I want to give you a great link to a guide created by one of my customers and friends (I hope): the WordPress Security Guide. The last revision I have seen had 16 pages filled with info that covers all you need to know to secure your blog install, and at less than $6 it is a great resource.
  • And here is a free report, actually a white paper, on creating a secure WordPress install. It seems to be current, as the latest revision at the time of writing this post was April 2008. Keep in mind that some of the info within the paper seems a bit dated, specifically the info on some plugins, so be mindful. It is a great baseline you can use, and it covers many advanced steps related to making your DB a LOT more secure.

But if you are actually interested in reading my small contribution, I will cover only the basics that anyone can do without being “anal” about it… I like security and want my blog to be as secure as possible, but without spending too much time on it!

Secure WordPress Installation

1. File permissions should be restrictive enough. This one is important as it defines security at the file level on your host, and while I could discuss it, there is no need to redo what was already done quite nicely in the official Codex Hardening WordPress guide. Be sure to set those permissions once you upload the package to your server.

2. wp-config.php security. Starting with WordPress 2.5 we have received several options that help us make our WordPress blog more secure, in addition to the existing options:

  • define('SECRET_KEY', 'put your unique phrase here') – Replace “put your unique phrase here” with a security key you can generate by visiting this link. This key makes cookies secure against attacks where someone has hacked into your database via an SQL injection exploit. Failure by many WordPress 2.5 users to change this key actually led to an exploit addressed by WordPress 2.5.1. You can read more on it here, if interested.
  • $table_prefix = 'wp_' – Do change the “wp_” prefix to something different. SQL injection exploits rely on this prefix being the default, and simply changing this one bit makes your blog more secure.

3. Strong database password. I know it’s obvious, but it still needs to be pointed out. Don’t ignore this option; make your DB password unique and hard to guess. You only need to do it once, and making this one secure is in your best interests.
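As an added example (not code from this post or from WordPress itself), here is a small Python check for the wp-config.php settings in items 2 and 3 above and for the guessable Fantastico database name from earlier: it parses two constructed config fragments, one left at the defaults and one hardened, and reports which weak settings remain. The thresholds (32-character key, 12-character password) are my own assumptions, not figures from the post.

```python
import re

# Constructed sample wp-config.php fragments (not from any real install):
# one left at the WordPress 2.5 defaults, one hardened per items 2 and 3.
DEFAULT_CONFIG = """<?php
define('DB_NAME', 'myuser_wrdp1');
define('DB_PASSWORD', 'password');
define('SECRET_KEY', 'put your unique phrase here');
$table_prefix  = 'wp_';
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'myuser_blog');
define('DB_PASSWORD', 'vT7#qLm2!pZ9xR4sWb1@');
define('SECRET_KEY', 'rG8$kQ2zP!mX4vL9wN1bT6yH3jU7cE0dF5aS');
$table_prefix  = 'xk3q_';
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_wp_config(text):
    """Return the define() constants plus the table prefix from wp-config.php text."""
    settings = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    settings['table_prefix'] = match.group(1) if match else None
    return settings

def audit_wp_config(text):
    """Return a list of findings for the weak settings the post tells you to change."""
    s = parse_wp_config(text)
    findings = []
    # Item 2: SECRET_KEY still the placeholder shipped in wp-config-sample.php
    # (the 32-character minimum is an assumed threshold, not a WordPress rule)
    key = s.get('SECRET_KEY', '')
    if key == 'put your unique phrase here' or len(key) < 32:
        findings.append('SECRET_KEY is the placeholder or too short')
    # Item 2: default prefix lets an injection payload guess every table name
    if s['table_prefix'] in (None, 'wp_'):
        findings.append('table_prefix is the default wp_')
    # Item 3: database password must be unique and hard to guess (12 is assumed)
    pw = s.get('DB_PASSWORD', '')
    if len(pw) < 12 or pw.lower() in ('password', 'admin', 'wordpress'):
        findings.append('DB_PASSWORD is short or a common word')
    # Fantastico-style name yourusername_wrdpN is guessable, as the post notes
    if re.search(r'_wrdp\d+$', s.get('DB_NAME', '')):
        findings.append('DB_NAME follows the guessable Fantastico pattern')
    return findings
```

Run `audit_wp_config` over the text of your own wp-config.php; an empty list means none of the settings discussed here are still at a weak value.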

4. Keeping the core blog up to date. This is one of the best things you can do for yourself: keep your blog up to date. It is one of the most dreaded tasks, and yet, if you want to use WordPress, you pretty much have no choice!

While many (including myself) have believed that some older versions of WordPress are secure to use, it is simply not true! Take WordPress 2.3.3, for example. When the 2.5 release came out, many (including the Blog Herald) stated that WordPress 2.3.3 was a secure version and that people using it could continue to do so; upgrading to the latest was recommended, but it wasn’t required.

Well, fast forward a couple of months and we have a nice exploit that gives attackers pretty much full control over your WordPress 2.3.3 blog. And since that version is no longer supported or developed, your only option is to upgrade to the latest 2.5.1. And now you are limited on time…

As much as I wish the WordPress dev team would make the process of core upgrade as simple as the one created for plugin upgrades, right now that option doesn’t exist. So here is the second best option, which worked quite nicely for me:

  • WordPress Automatic Upgrade plugin – in my tests I was able to successfully go from 2.3.* versions to the latest 2.5.1 with absolutely no issues (outside of some plugin issues known to exist for 2.5+). What I like most about this plugin is that it creates a full backup of your blog in the process and provides you with a download option. In my tests, it is better to deactivate ALL plugins prior to starting the upgrade. Keith Dsouza did a great job, and his own blog provides you with additional support options.

5. Keeping plugins up to date. Starting with WordPress 2.3 you were provided with an option to upgrade your plugins using a simple one-click process (or via FTP for some bloggers). Use it, especially if the new version is a security release. One note on this one: do be sure you actually need the new version. I have seen it time and time again that some older version might actually be a better fit.

A simple example: the Share This plugin. I prefer to use Share This Classic, which is version 1.5.5, but my blog is showing 2.1 as the latest available and prompts me to install it. Sorry, I don’t need that version and will stay with Classic, because I don’t like to load JavaScript from remote servers if I don’t have to.

Being mindful of your upgrades is all I mean by this step…

6. Use themes from reliable sources. With multiple choices available, it is very important to use a theme of good quality from a designer who knows what he is doing. Theme files are filled with PHP code to make your blog work properly and in many cases run custom queries against the database; if improperly or poorly coded (for whatever reason), they can be and will be exploited!

In fact, many hacks done on WordPress blogs rely on this fact and can be attributed to the theme and not the blog itself.

WordPress Security Plugins To Help You

The resilience of the WordPress community is one of the main attractions of the platform, in my opinion. When there is a need, there is an opportunity, which is generally answered by one of the developers through the creation of a plugin that addresses the issue. Please keep in mind: these are plugins that deal directly with the security of your blog, not backup or spam protection!

While you might not want to use each and every one of them, here are the options you have available:

  • WP Security Scan – scans your WordPress installation for security vulnerabilities and suggests corrective actions. Please make sure you visit the support forums available for the plugin to know what you are facing and to learn about any possible issues.
  • PhoneFactor – a brand new plugin by Alex King that creates a cool new option to secure login to your blog. Here is a quote from Alex: “When you log in to your WordPress blog with PhoneFactor enabled, you receive a phone call asking you to press # to authorize. When you do so, you are logged in. If you do not, then the login attempt fails”.
  • WordPress Exploit Scanner – another new plugin by one of the core developers that scans your blog for changes. When your blog is compromised, “crackers” leave behind code in modified files or in the DB; this plugin attempts to locate it and let you know.
  • Force SSL – this plugin forces all user logins to the blog to be done over SSL and protects your passwords from being captured during the login phase. Useful if you have an SSL certificate on your account.
  • Secure WordPress – a nice plugin that does some basic security things for your blog: “Little basics for secure your WordPress-installation: Remove Error-Information on Login-Page; add index.html to plugin-directory; remove the wp-version”
  • Ask Apache Password Protect – this plugin protects your blog files via very strong Apache-based .htpasswd protection. It does quite a bit in terms of helping you secure your blog access, but do make sure you know what you are doing and read the info the author provides.

While there are many more available, the plugins I have listed above seem to address pretty much every aspect you might need. Feel free to experiment and use them.

WordPress Security Additional Reading

Outside of the links already provided above, there are a few other posts I can easily recommend you read, if you have the time and desire. The idea of providing as much valuable and relevant information to a reader as possible, well developed and masterfully executed by Lorelle VanFossen, will continue here (now that I’m done with flattery 8-) ):

So there you have it: if all the information above is not enough to help you increase your WordPress security, I don’t know what will.


15 Responses to “WordPress Security”

  1. My blog got hacked once, but I had been sending daily updates to my Gmail account. I got it back up in less than two hours. For me, the backup is the most essential security tool. I figured I could spend time worrying about hacks and adding all the security features I could find or I could use Google Alerts to message me when my site changed. I think I can get it back up in an hour if it happens again. For some, you can lose a lot of money in an hour. For me, this is the best solution: a good backup plan. And I have yet to add any super security plugins to my blog.

    • TheSpot-er says:

      Stephan,

      I agree, backup is a MUST for any blogger. Problem is, the latest exploits operate on your database as well, so your last backup might be infected, or even the one before it, or even more. Sometimes crackers are quite innovative and can infect your blog and leave it dormant for a while. I recommend you have a look at the first article I have listed in the recommended reading in this post. Nice reading, and you will see how simply having a backup might not be enough to avoid the problem..

      So to be short – backup is a must, but only as PART of the overall strategy. You don’t have to be too elaborate, and I’m actually quite against wasting too much time on it, but having the basics in place will save you a lot of grief…

      Alex

  2. Sherif says:

    Alex

    Thanks for writing. I noticed that older secured WordPress sites survive security attacks better than newer versions that were installed with the simple one-click Fantastico tool.
    Needless to say that everyone should upgrade when they can.
    This is just my observation of how essential it is to apply simple measures for securing a site, rather than just upgrading with Fantastico.

    Thanks again,
    Sherif

    Sherifs last blog post..Simple Steps to Upload Your Files to the Web Without FTP software?

    • TheSpot-er says:

      Thanks Sherif,

      I have expressed it before and repeat it again – Fantastico should be outlawed :-) Its simplicity creates more problems than it solves.

      Alex

  3. Nice article, thanks for the knowledge. http://to2k.com

    Totok Purwantas last blog post..HP EX470 MediaSmart Home Server

  4. Dennis Edell says:

    Dang! One post I shouldn’t have read. Without fantastico I probably wouldn’t be blogging…at least never gotten started.

    Dennis Edells last blog post..First Ever Direct Sales Web Marketing Blog Article Round-Up, Yeehaw!

  5. Great post,

    I’m happy to say I never got hacked but thanks for the heads up and great advice, I’m starting to upload the necessary plugins right now.

  6. Very well done post, thanks a lot. Compared to our guru Matt Cutts (who gave some indications some time ago in his blog), I found your hints much more concrete and well documented by the reference links.

    I once got hacked with a WP blog, and same happened again 2 weeks later until I upgraded. So certainly backups are nice to have, but indeed you never know whether there is any kind of backdoor. It is safer to sleep without this fear.

    So in fact I already started with some of the measures, especially adding passwords to the admin section and limiting access to the files.

    Indeed, changing the prefix of the database should be one of the most efficient things to do, but this seems to be a bit more complicated on existing installs with some more plugins than just the basic edition.

  7. Rhys says:

    Thanks Alex!

    You did a lot of research for this post and your explanations are very helpful. Good one!

    Rhyss last blog post..Maximize SEO like a ‘Pro’

  8. Hang on, Fantastico doesn’t create tables in the database, the WP install did, and it’s very easy to change the prefix to something else. Am I missing something here?

  9. axioblogger says:

    WordPress 2.6 has been released. The official WordPress blog claims that WordPress 2.6 has fixed 194 bugs. I hope this is true.

    axiobloggers last blog post..WordPress 2.6 is Released

  10. One thing with WordPress that has really annoyed me recently is that something, either a hacking attempt or something that is considered malicious, appeared on my blog. I was totally unaware until I came up against one of my posts in the SERPs.

    Google (and FF3) was blocking my site saying it was potentially harmful – this could have been like it for ages – thanks Webmaster Tools for the warning! (none received)

    I got this sorted and was allowed back in without the restriction but today I find it has happened again – may have been like it for some weeks.

    Now I do not know what it is, something to do with a stat counter, so I have been forced to upgrade my WordPress in case it’s a vulnerability. This has not come without complications as I lost all my categories! Grr – annoying!

Trackbacks/Pingbacks

  1. [...] Alex Sysoef, of Expert WordPress, says that you should never use Fantastico to install your blogs and that you should install them manually.  Alex is the one that recommended the report on his blog post WordPress Security. [...]