WordPress Security is becoming a very popular topic lately, but it is only natural. As a platform becomes popular and widely adopted, it becomes a nice target for “crackers”. What makes matters worse is the constant and aggressive upgrade cycle chosen by the developers and No Simple Way to keep up with them… almost (more on that later).

The upgrades that define the very innovative nature of WordPress blogs are also the culprit of the security problems! This is what prevents the platform from becoming truly mainstream and keeps it within the “geeky” realm.

  • Reality is – Most People Just Want A Platform They Can Use To Publish!

An upgrade is seen by many bloggers as an annoyance, ignored on many occasions, and as a result their blogs get hacked! In this post I want to discuss some of the WordPress Security measures available to you and how to take advantage of them!

But before I even begin talking about security, I want to make my case AGAINST the Fantastico installation. While it will work fine for most people and simplifies the process, it leaves you more open to attacks. Here is why:

  • Every Fantastico install creates a database named in the format yourusername_wrdp1 (replace 1 with 2, 3, etc.; the number increases with each subsequent install). It can be guessed.
  • A Fantastico install at this point creates ALL database tables with the same prefix: “wp_“. SQL injection cracks rely on guessing your database prefix, and leaving it at the default leaves you exposed to those problems. Unfortunately, with Fantastico you have no way of easily changing it.

If you think you can easily live with those, go ahead and continue to use Fantastico; what do I know, right?!

WordPress Security Measures Currently Available to You

  • First I want to give you a great link to a guide created by one of my customers and friends (I hope): the WordPress Security Guide. The last revision I saw had 16 pages filled with info that covers all you need to know to secure your blog install, and at less than $6 it is a great resource.
  • And here is a free report, actually a White Paper, on creating a secure WordPress install. It seems to be current, as the latest revision at the time of writing this post was April 2008. Keep in mind that some of the info within the paper seems to be a bit dated, specifically the info on some plugins, so be mindful. It is a great baseline you can use and covers many advanced steps related to making your DB a LOT more secure.

But if you are actually interested in reading my small contribution, I will cover only the basics that anyone can do without being “anal” about it… I like security and want my blog to be as secure as possible, but without spending too much time on it!

Secure WordPress Installation

1. File permissions should be restrictive enough. This one is important, as it defines security at the file level on your host, and while I could discuss it, there is no need to redo what was already done quite nicely in the official Codex Hardening WordPress guide. Be sure to set those permissions once you upload the package to your server.

2. WP-CONFIG.PHP security. Starting with WordPress 2.5 we have received several options that help us make our WordPress blog more secure, in addition to the existing options:

  • define('SECRET_KEY', 'put your unique phrase here') – Replace “put your unique phrase here” with a security key you can generate by visiting this link. This key makes cookies secure against attacks where someone has hacked into your database via an SQL injection exploit. Failure to change this key by many users of WordPress 2.5 actually led to an exploit addressed by WordPress 2.5.1. You can read more on it here, if interested.
  • $table_prefix = 'wp_' – Do change the “wp_” prefix to something different. SQL injection exploits rely on this prefix being as defined by default, and simply changing this one bit makes your blog more secure.
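As an added example (not code from the original post or from WordPress itself), here is a small POSIX shell script that audits a wp-config.php for exactly these two weak settings and generates a replacement phrase for SECRET_KEY; the sample config contents, file names and the blog7x_ prefix are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a wp-config.php for the
# two weak settings discussed above (placeholder SECRET_KEY, default wp_ prefix).

# Generate a unique phrase for SECRET_KEY: 48 random bytes, base64-encoded
# (64 characters, never contains a single quote, so it is safe inside '...').
gen_secret_key() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# check_wp_config <path>: print each weak setting found; exit status 0 = clean.
check_wp_config() {
    cfg="$1"
    status=0
    if grep -Eq "define\([[:space:]]*'SECRET_KEY'[[:space:]]*,[[:space:]]*'put your unique phrase here'" "$cfg"; then
        echo "WEAK: $cfg: SECRET_KEY is still the placeholder shipped with WordPress 2.5"
        status=1
    fi
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'[[:space:]]*;" "$cfg"; then
        echo "WEAK: $cfg: table prefix is still the default wp_"
        status=1
    fi
    return $status
}

# Constructed sample configs (only the lines relevant to the checks).
write_weak_config() {
    cat > "$1" <<'EOF'
define('SECRET_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}

write_hardened_config() {
    key=$(gen_secret_key)
    printf "define('SECRET_KEY', '%s');\n\$table_prefix = 'blog7x_';\n" "$key" > "$1"
}

# Demo: run both constructed files through the check.
tmp=$(mktemp -d)
write_weak_config "$tmp/weak.php"
write_hardened_config "$tmp/hardened.php"
check_wp_config "$tmp/weak.php" || echo "weak.php needs attention"
check_wp_config "$tmp/hardened.php" && echo "hardened.php passes"
rm -rf "$tmp"
```

Point check_wp_config at your real wp-config.php to see whether either default survived the install.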

3. Strong database password. I know it’s obvious, but it still needs to be pointed out. Don’t ignore this option; make your DB password unique and hard to guess. You only need to do it once, and making this one secure is in your best interests.

4. Keeping the core blog up to date. This is one of the best things you can do for yourself: keep your blog up to date. It is one of the most dreaded tasks, and yet, if you want to use WordPress, you pretty much have no choice!

While many (including myself) have believed that some older versions of WordPress are secure to use, it is simply not true! Take WordPress 2.3.3, for example. When the 2.5 release came out, many (including the Blog Herald) stated that WordPress 2.3.3 was a secure version and that people using it could continue to do so; even though upgrading to the latest was recommended, it wasn’t required.

Well, fast forward a couple of months and we have a nice exploit that gives attackers pretty much full control over your WordPress 2.3.3 blog. And since that version is no longer supported or developed, your only option is to upgrade to the latest 2.5.1. And now you are limited on time…

As much as I wish the WordPress Dev team would make the process of core upgrade as simple as the one created for plugin upgrades, right now that option doesn’t exist. So here is the second-best option, which worked quite nicely for me:

  • WordPress Automatic Upgrade Plugin – in my tests I was able to successfully go from 2.3.* versions to the latest 2.5.1 with absolutely no issues (outside of some plugin issues known to exist for 2.5+). What I like most about this plugin is that it creates a full backup of your blog in the process and provides you with a download option. In my tests, it is better to deactivate ALL plugins prior to starting the upgrade. Keith Dsouza did a great job, and his own blog provides you with additional support options.

5. Keeping plugins up to date. Starting with WordPress 2.3 you were provided with an option to upgrade your plugins using a simple one-click process (or via FTP for some bloggers). Use it, especially if the new version is a security release. One note on this one: do be sure you actually need the new version. I have seen it time and time again that some older version might actually be a better fit.

A simple example: the Share This plugin. I prefer to use Share This Classic, which is version 1.5.5, but my blog shows 2.1 as the latest available and prompts me to install it. Sorry, I don’t need that version and will stay with Classic, because I don’t like to load JavaScript from remote servers if I don’t have to.

Being mindful of your upgrades is all I mean by this step…

6. Use themes from reliable sources. With multiple choices available, it is very important to use a theme of good quality from a designer who knows what he is doing. Theme files are filled with PHP code to make your blog work properly and in many cases run custom queries against the database, and if improperly or poorly coded (for whatever reason), they can be and will be exploited!

In fact, many hacks done on WordPress blogs rely on this fact and can be attributed to the theme and not the blog itself.

WordPress Security Plugins To Help You

The resilience of the WordPress community is one of the main attractions of the platform, in my opinion. When there is a need, there is an opportunity, which is generally answered by one of the developers through the creation of a plugin that addresses the issue. Please keep in mind: these are plugins that deal directly with the security of your blog, Not Backup or SPAM Protection!

While you might not want to use each and every one of them, here are the options you have available:

  • WP Security Scan – Scans your WordPress installation for security vulnerabilities and suggests corrective actions. Please make sure you visit the support forums available for the plugin to know what you are facing and about any possible issues.
  • Phone Factor – a brand new plugin by Alex King that creates a cool new option to secure login to your blog. Here is a quote from Alex: “When you log in to your WordPress blog with PhoneFactor enabled, you receive a phone call asking you to press # to authorize. When you do so, you are logged in. If you do not, then the login attempt fails”.
  • WordPress Exploit Scanner – another new plugin, by one of the core developers, that scans your blog for changes. When your blog is compromised, “crackers” leave behind code in modified files or the DB; this plugin attempts to locate it and let you know.
  • Force SSL – this plugin forces all user logins to the blog to be done over SSL and protects your passwords from being captured during the login phase. Useful if you have an SSL certificate on your account.
  • Secure WordPress – a nice plugin that does some basic security things to your blog: “Little basics for secure your WordPress-installation: Remove Error-Information on Login-Page; add index.html to plugin-directory; remove the wp-version”
  • Ask Apache Password Protect – this plugin protects your blog files via very strong Apache-based .htpasswd protection. It does quite a bit in terms of helping you secure your blog access, but do make sure you know what you are doing and read the info the author provides.

While there are many more available, the plugins I have listed above seem to address pretty much every aspect you might need. Feel free to experiment and use them.

WordPress Security Additional Reading

Outside of the links already provided above, there are a few other posts I can easily recommend you read, if you have the time and desire. The idea of providing as much valuable and relevant information to the reader as possible, well developed and masterfully executed by Lorelle VanFossen, will continue here (now that I’m done with flattery 😎 ):

So there you have it. If all the information above is not enough to help you increase your WordPress Security, I don’t know what will.