WordPress Security Tips

FirstPageResults

Top Contributor
Chris from wpsupport.com.au has written a basic overview and offered some suggestions for locking down your WordPress websites.

Please feel free to leave some comments.

(Author: Chris)
------------------------------------------------------------

WordPress Security Tips


Basic WordPress Security Tips

With WordPress being one of the most popular web publishing platforms, it is also a popular target for web-based attacks.

Most of these attacks are automated and seek out old versions of WordPress, using default settings, vulnerable plug-ins and themes or incorrect file permissions and weak passwords.

A compromised site can have numerous serious ramifications such as losing search engine rankings or being excluded from the search engine results pages altogether. Search engines and anti-virus systems can also alert users that a site is "unsafe". Not a good look!


Old Versions of WordPress

The WordPress community as a whole is extremely responsible when it comes to updating their software but it only takes a small percentage of WordPress sites to make a massive number. According to BuiltWith.com (http://trends.builtwith.com/cms), at the time of writing, WordPress accounts for 63% of content management systems running on the web.

The simple solution is to always make sure you stay up to date with a current version. The WordPress developers are quick to push out a security fix, so make sure you take advantage of these updates.


Change the Default Settings

This is an easy one and helps put you a little higher than most of the lower hanging fruit. All you need to do is to change the default administrator username and default table prefix (anything other than wp_) at the time of installation.


Vulnerable Plug-ins and Themes

The popularity of WordPress has attracted an entire eco-system of developers and market places. Within these market places (and the broader web) there are vastly varying qualities of plug-ins and themes. I usually recommend users look for popular themes and plug-ins because not only are they most likely to be of a higher quality but they are also more likely to be updated and supported. Personally, I use a mixture of both free and commercial plugins and themes.


Incorrect File Permissions

This is something you want to get right; it's a very common reason (along with old versions of WordPress) why sites are exploited. I always get advice from a particular web host on this if I'm unsure and recommend you do the same, since every host can be different.

If you're using a package management feature such as cPanel/Fantastico/Easy Apps (where installing WordPress is a one-click process), these options are usually taken care of for you (such as http://faq.ventraip.com.au/questions/91/How+do+I+install+Wordpress?). The following assumes that you're managing your own permissions in a shared environment. It's also worth noting that VentraIP also have a "Permission Fixer" which can be handy if you mess things up and need to revert to default permissions (see http://faq.ventraip.com.au/questions/30/Why+is+my+website+displaying+a+'500+internal+server+error'?).

A typical WordPress installation requires that the following files and directories are writable:

Code:
/.htaccess
/wp-content/uploads/
/wp-content/themes/name-of-theme (if you wish to edit in the Dashboard)

/wp-content/uploads/

Your uploads folder must be writable and this usually goes against what many hosting providers will recommend. You will find many references recommending never using 777, which is great advice and correct, however, it's often the only way WordPress will work on some common shared hosting environments. If you've set your uploads (or media, caching etc. - anywhere where files need to be written) to 777, you can use the following directives below in a .htaccess file within the upload (or anywhere you have set 777) directory itself.

/wp-content/uploads/.htaccess

Code:
# Refuse to serve anything from this world-writable directory ...
Deny from all
# ... except files whose names end in an image extension (the match is case-sensitive).
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>
# Apache 2.2 syntax (mod_authz_host). On Apache 2.4 without mod_access_compat the
# equivalents are "Require all denied" and "Require all granted".

You should note that this restricts the file type to accept only images, which should be ok for standard usage.

.htaccess

Your mileage may vary on this one, as above, if you're unsure always check with your web host. It does really depend on how your hosting provider manages their permissions.

Many hosting providers will request that you only set file permissions to 644, so you have a few options. I recommend you either update the .htaccess file by hand (by SSH or FTP/SCP/SFTP) or set the permissions of the .htaccess file to 666, set your permalink format and then change it to 644. Common configurations of WordPress don't usually write to the .htaccess in the web root other than during the initial set up.

For example Quadra Hosting has a great knowledge base article about file permissions for their particular environment:

https://support.quadrahosting.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=142

You can also find the official WordPress document on file permissions here:

http://codex.wordpress.org/Changing_File_Permissions

TIP: .htaccess is just a way of configuring web server options at the directory and file level. On Unix-based systems, files beginning with a period are hidden, so make sure you have your FTP/SCP/SFTP client software set to "show hidden files".


Good Overall Security

Choose good passwords. This one may seem obvious, however, it’s commonly overlooked. This applies not only to your WordPress password but your SFTP/SCP/FTP and hosting account password too. Always use long passwords. The longer and more complex the better. I always recommend people think in terms of "passphrases" rather than passwords. A good password management tool is also a great help.

Make regular backups of your files and your database. Not if but *when* something goes wrong, a current backup will save your skin. You can get both free and commercial plugins (or services, see the next point) that can cater to any backup option you can dream of.

Also, always use only trusted, secure networks and secure protocols for your web and email traffic. Internet kiosks or free wifi may be tempting but make sure you understand the risks.


WordPress Security Services

There are many services that specialise in keeping your WordPress site updated and monitored for security issues, such as VaultPress and Sucuri. There are also hosted WordPress services that offer security and backup options as part of their plans.


Summary

In summary, adhere to good security practices such as using strong passwords, make sure your WordPress installation and configuration is correct and keep your version of WordPress (including plugins and themes) regularly updated. Thanks to Ned and the team at DN Trade for inviting me to post this article. If you're interested in learning more about WordPress, there is a world of resources at your fingertips. I've listed a few good starting points at my website http://wpsupport.com.au.
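The file-permission advice in the article (644/755 as the baseline, 777 only where WordPress must write, and the image-only .htaccess guard in any 777 directory) can be checked mechanically. The script below is an added example, not code from the article or from wpsupport.com.au: it lists world-writable paths, reports any world-writable directory that lacks the "Deny from all" guard, and resets the tree to the baseline before re-opening only the directories named in writable_dirs. The mini site built by make_fixture() is constructed for the demonstration only.

```python
"""Audit a WordPress tree for the permission problems the article describes.
Added example; the layout built by make_fixture() is constructed, not real."""
import os
import shutil
import stat
import tempfile

# The image-only guard the article shows for /wp-content/uploads/.htaccess.
UPLOADS_GUARD = (
    "Deny from all\n"
    '<FilesMatch "\\.(gif|jpe?g|png)$">\n'
    "Allow from all\n"
    "</FilesMatch>\n"
)


def is_world_writable(path):
    """True if the 'other' write bit is set (the 777 / 666 case)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def list_world_writable(root):
    """Sorted relative paths of world-writable files and directories under root.
    Symlinks are skipped so the audit never follows a link out of the tree."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and is_world_writable(full):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def has_htaccess_guard(directory):
    """True if directory/.htaccess contains the 'Deny from all' line."""
    htaccess = os.path.join(directory, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8") as fh:
        return any(line.strip().lower() == "deny from all" for line in fh)


def unguarded_writable_dirs(root):
    """World-writable directories that would serve anything dropped into them."""
    return [
        rel for rel in list_world_writable(root)
        if os.path.isdir(os.path.join(root, rel))
        and not has_htaccess_guard(os.path.join(root, rel))
    ]


def set_baseline_perms(root):
    """755 on directories, 644 on files: what most shared hosts ask for."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                os.chmod(full, 0o644)


def write_uploads_guard(directory):
    with open(os.path.join(directory, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(UPLOADS_GUARD)


def harden(root, writable_dirs=("wp-content/uploads",)):
    """Baseline the whole tree, then re-open only the directories WordPress
    must write to, each with the guard in place. Returns the directories that
    are still world-writable without a guard (empty means clean)."""
    set_baseline_perms(root)
    for rel in writable_dirs:
        directory = os.path.join(root, rel)
        if not has_htaccess_guard(directory):
            write_uploads_guard(directory)
        os.chmod(directory, 0o777)  # the shared-host compromise the article accepts
    return unguarded_writable_dirs(root)


def make_fixture():
    """Constructed mini WordPress layout: two 777 directories (only uploads is
    guarded) and a 666 wp-config.php, a classic mistake. Returns the root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel in ("wp-admin", "wp-content", "wp-content/uploads", "wp-content/cache"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        os.chmod(os.path.join(root, rel), 0o755)
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed placeholder, no real secrets\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)
    write_uploads_guard(os.path.join(root, "wp-content/uploads"))
    os.chmod(os.path.join(root, "wp-content/uploads/.htaccess"), 0o644)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)
    os.chmod(os.path.join(root, "wp-content/cache"), 0o777)
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    site = make_fixture()
    print("world-writable before:", list_world_writable(site))
    print("unguarded dirs:", unguarded_writable_dirs(site))
    print("still unguarded after harden():", harden(site))
    print("world-writable after:", list_world_writable(site))
    cleanup(site)
```

Point it at a real document root only after checking with your host, as the article says: set_baseline_perms() is a blunt instrument, and a host that runs PHP as your own user may want 755/644 everywhere with no 777 at all, in which case harden() should be called with an empty writable_dirs.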
 

neddy

Top Contributor
Hey Chris, thanks for making the effort to write that article.

Your website looks great too!

Good luck with your venture. I know a few people who would like to come along to one of your workshops. :)
 

Chris.C

Top Contributor
Just to clarify - I didn't write this article. In case there was any confusion. It was a different Chris C.

I know this for sure because I have had numerous complaints from hosts over the years about out of date wordpress installs and plugins which have led to breaches and compromised shared hosting servers...

:p

So I'm in no position to advise on setting up secure wordpress installs...

:D

But I have definitely taken some notes.
 

FirstPageResults

Top Contributor
Just to clarify - I didn't write this article. In case there was any confusion. It was a different Chris C.

I know this for sure because I have had numerous complaints from hosts over the years about out of date wordpress installs and plugins which have led to breaches and compromised shared hosting servers...

:p

So I'm in no position to advise on setting up secure wordpress installs...

:D

But I have definitely taken some notes.

Sorry that's my bad :eek:
 

findtim

Top Contributor
all good advice as i am now almost 100% wordpress having converted most of my websites from basic php to wordpress.

i use "backup buddy" from "plugin buddy dot com" it's GREAT, my host also backs up all my sites weekly, i know this as i have been attacked before i purchased BB and they were able to restore the 11 sites instantly with their backup which was only days old.

"pass phrase" is a good term, i have an excel doc that contains all my passwords and it's backed up on our 3 laptops and 2 terra's BUT if it all went up in flames i think i could get into any of my sites as i use "pass phrasing"

i suppose if someone breaks my code for one then i'm shot for the many others but i have 3 different levels of pass phrases:

just like my backpacking days it goes like this,

What i can afford to lose, what i'd be bummed out to lose and what i can't lose. So the passphrases get more difficult as the need increases.

eg in backpacker mode: clothes ! ohh well , mobile phone ! bummer, passport !!!!!!!! no way.

----------

plugin updates: i'm presently developing a plugin to automatically backup your wordpress site and then update your plugins and then re backup your site and set it to do that every week/fortnight/month whatever you want, there are automated backups eg backup buddy but i haven't been able to find an automated plugin updater.

if anyone knows then please let me know

tim
 

Blue Wren

Top Contributor
plugin updates: i'm presently developing a plugin to automatically backup your wordpress site and then update your plugins and then re backup your site and set it to do that every week/fortnight/month whatever you want, there are automated backups eg backup buddy but i haven't been able to find an automated plugin updater.

if anyone knows then please let me know

tim

Sounds very helpful. Backing up WP with 99.9% reassurance has been a little hazy for me in past.
 

findtim

Top Contributor
Sounds very helpful. Backing up WP with 99.9% reassurance has been a little hazy for me in past.

what i have found ( and thus my desire for a plugin to do it for me) is i keep all my plugins in ONE folder on my computer. I then systematically backup the WP site and then update the plugins, if something goes pear shaped then i open FTP and rename the plugin folder and reinstall that plugin back to its original status and then don't update it until next time

it's much easier than trying to put a complete wordpress site back together.

OOHHH also i have test domains so i do them first as they are not my clients so i get to find out the dodgy updates without bringing a clients site down.

eg: i have 1 plugin i use on almost every site " genesis simple sidebars" , the present update will crash a site BUT not if you do it last ? weird hey, so i update everything and then update it and i have no problems !

as you can imagine the common thing to do is go down the page and hit update so it must be a conflict with another plugin after the letter G ( genesis...)


tim

PS: my plugin will be a commercial version not free as i think its worth it.
 

fatzebra

Member
Chris,

The site looks great and the article is fantastic!

We do get asked a lot about security in wordpress, so it's nice to find a good article about it.
 

helloworld

Top Contributor
You can also secure your wp-admin by changing the htaccess file so only certain Ip's can access that page.
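helloworld's suggestion in concrete form, as an added example that is not part of the original thread: the script generates the .htaccess allow-list for the wp-admin directory and mirrors Apache's decision so you can see which clients would still reach the dashboard. Single addresses and CIDR ranges (an office block, a VPN exit range) are both accepted, and admin-ajax.php is left open because front-end features for anonymous visitors call it. The addresses are constructed examples from the documentation ranges, not anyone's real office, and OFFICE_ALLOWLIST is an assumption of this example.

```python
"""Build a wp-admin/.htaccess IP allow-list and check who it admits.
Added example; addresses are constructed (RFC 5737 / RFC 3849 ranges)."""
import ipaddress


def build_wp_admin_htaccess(allowed):
    """Apache 2.2-style directives (mod_authz_host) that refuse the dashboard
    to every client except the addresses or CIDR ranges in `allowed`.
    On Apache 2.4 without mod_access_compat use 'Require ip ...' instead."""
    lines = [
        "# wp-admin/.htaccess: only the listed addresses may reach the dashboard",
        "Order deny,allow",
        "Deny from all",
    ]
    for entry in allowed:
        net = ipaddress.ip_network(entry, strict=False)
        # A single host is written as a bare address, a range in CIDR form.
        token = str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen
        lines.append(f"Allow from {token}")
    # admin-ajax.php is called by front-end features for anonymous visitors,
    # so it has to stay reachable or those features silently break.
    lines += [
        "<Files admin-ajax.php>",
        "Order allow,deny",
        "Allow from all",
        "Satisfy any",
        "</Files>",
    ]
    return "\n".join(lines) + "\n"


def is_admitted(client_ip, allowed, filename=""):
    """Mirror Apache's decision for a request to wp-admin/<filename> under the
    directives produced above: admin-ajax.php is open, everything else is
    allowed only from a listed address or range."""
    if filename == "admin-ajax.php":
        return True
    client = ipaddress.ip_address(client_ip)
    # An IPv4 client is never "in" an IPv6 network, and vice versa.
    return any(client in ipaddress.ip_network(e, strict=False) for e in allowed)


# Constructed allow-list (assumption): one office address, one office range,
# one IPv6 block. Replace with your own addresses before use.
OFFICE_ALLOWLIST = ["203.0.113.10", "198.51.100.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    print(build_wp_admin_htaccess(OFFICE_ALLOWLIST))
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5", "2001:db8:1::9"):
        print(ip, "login page:", is_admitted(ip, OFFICE_ALLOWLIST, "index.php"))
    print("192.0.2.5 admin-ajax.php:",
          is_admitted("192.0.2.5", OFFICE_ALLOWLIST, "admin-ajax.php"))
```

The trade-off is exactly the one raised later in the thread: from an unlisted network (an internet cafe, a phone hotspot) the dashboard returns 403, so either list a VPN range you can always reach or keep a second, independent way in (SFTP to edit the allow-list) for the emergency case.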
 

findtim

Top Contributor
You can also secure your wp-admin by changing the htaccess file so only certain Ip's can access that page.

wouldn't work for me as i might be out of the office and get a phone call, duck into an internet cafe and update some things, happened to me 2 weeks ago a frantic client said " we need to get rid of that info on the homepage NOW" , he was in a meeting and found out he got it all wrong ! so i saved his arse as i was next to an internet cafe at the time ... go figure?

tim
 

chris

Top Contributor
The plan is to run them at all major cities, including regional areas.

I'm also definitely looking at webinars and videos etc. Will keep DN Trade in the loop for sure!
 

Blue Wren

Top Contributor
The plan is to run them at all major cities, including regional areas.

I'm also definitely looking at webinars and videos etc. Will keep DN Trade in the loop for sure!

Great news Chris. I will look out for it then.
 

iejs

Regular Member
I went to one of Chris' workshops yesterday and it was great. Already looking forward to the next one :)

Thanks Chris!
 
