
WordPress Security Tips

Discussion in 'Guest Articles' started by FirstPageResults, May 30, 2012.

  1. FirstPageResults

    FirstPageResults Membership: VIP

    Joined:
    May 26, 2009
    Messages:
    1,906
    Likes Received:
    106
    auDA Member:
    Yes
    Chris from wpsupport.com.au has written a basic overview and offered some suggestions for locking down your WordPress websites.

    Please feel free to leave some comments.

    (Author: Chris)
    ------------------------------------------------------------

    WordPress Security Tips


    Basic WordPress Security Tips

    With WordPress being one of the most popular web publishing platforms, it means that it's also a popular target for web-based attacks.

    Most of these attacks are automated and seek out sites running old versions of WordPress, default settings, vulnerable plug-ins and themes, incorrect file permissions or weak passwords.

    A compromised site can have numerous serious ramifications such as losing search engine rankings or being excluded from the search engine results pages altogether. Search engines and anti-virus systems can also alert users that a site is "unsafe". Not a good look!


    Old Versions of WordPress

    The WordPress community as a whole is extremely responsible when it comes to updating their software but it only takes a small percentage of WordPress sites to make a massive number. According to BuiltWith.com (http://trends.builtwith.com/cms), at the time of writing, WordPress accounts for 63% of content management systems running on the web.

    The simple solution is to always make sure you stay up to date with a current version. The WordPress developers are quick to push out a security fix, so make sure you take advantage of these updates.


    Change the Default Settings

    This is an easy one and puts you a little above most of the low-hanging fruit. All you need to do is choose a non-default administrator username and a non-default table prefix (anything other than wp_) at the time of installation.


    Vulnerable Plug-ins and Themes

    The popularity of WordPress has attracted an entire ecosystem of developers and marketplaces. Within these marketplaces (and the broader web) the quality of plug-ins and themes varies enormously. I usually recommend users look for popular themes and plug-ins, because not only are they most likely to be of a higher quality but they are also more likely to be updated and supported. Personally, I use a mixture of both free and commercial plugins and themes.


    Incorrect File Permissions

    This is something you want to get right; along with old versions of WordPress, it is a very common reason why sites are exploited. I always get advice from the particular web host on this if I'm unsure and recommend you do the same, since every host can be different.

    If you're using a package management feature such as cPanel/Fantastico/Easy Apps (where installing WordPress is a one-click process), these options are usually taken care of for you (such as http://faq.ventraip.com.au/questions/91/How+do+I+install+Wordpress?). The following assumes that you're managing your own permissions in a shared environment. It's also worth noting that VentraIP also have a "Permission Fixer" which can be handy if you mess things up and need to revert to default permissions (see http://faq.ventraip.com.au/questions/30/Why+is+my+website+displaying+a+'500+internal+server+error'?).

    A typical WordPress installation requires that the following files and directories are writable:

    Code:
    /.htaccess
    /wp-content/uploads/
    /wp-content/themes/name-of-theme (if you wish to edit in the Dashboard)

    Your uploads folder must be writable by the web server, and on some common shared hosting environments the only mode that achieves this is 777. You will find many references recommending never using 777, which is great and correct advice, but it is sometimes the only way WordPress will work. If you've had to set your uploads (or media, caching etc., anywhere files need to be written) to 777, you can use the following directives in a .htaccess file within the upload (or any other 777) directory itself.

    /wp-content/uploads/.htaccess

    Code:
    Deny from all
    <FilesMatch "\.(gif|jpe?g|png)$">
    Allow from all
    </FilesMatch>
    Note that this only lets the web server serve image files from that directory; uploads of other types are still stored, but requests for them from a browser are refused. That should be fine for standard usage.

    .htaccess

    Your mileage may vary on this one, as above, if you're unsure always check with your web host. It does really depend on how your hosting provider manages their permissions.

    Many hosting providers will request that you only set file permissions to 644, so you have a few options. I recommend you either update the .htaccess file by hand (over SSH, or via FTP/SCP/SFTP) or set the permissions of the .htaccess file to 666, set your permalink format, and then change it back to 644. Common configurations of WordPress don't usually write to the .htaccess in the web root other than during the initial set up.

    For example Quadra Hosting has a great knowledge base article about file permissions for their particular environment:

    https://support.quadrahosting.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=142

    You can also find the official WordPress document on file permissions here:

    http://codex.wordpress.org/Changing_File_Permissions

    TIP: .htaccess is just a way of configuring web server options at the directory and file level. On Unix-based systems, files beginning with a period are hidden, so make sure you have your FTP/SCP/SFTP client software set to "show hidden files".


    Good Overall Security

    Choose good passwords. This one may seem obvious, however, it’s commonly overlooked. This applies not only to your WordPress password but your SFTP/SCP/FTP and hosting account password too. Always use long passwords. The longer and more complex the better. I always recommend people think in terms of "passphrases" rather than passwords. A good password management tool is also a great help.

    Make regular backups of your files and your database. Not if but *when* something goes wrong, a current backup will save your skin. You can get both free and commercial plugins (or services, see the next point) that can cater to any backup option you can dream of.

    Also, always use only trusted, secure networks and secure protocols for your web and email traffic. Internet kiosks or free wifi may be tempting, but make sure you understand the risks.


    WordPress Security Services

    There are many services that specialise in keeping your WordPress site updated and monitored for security issues, such as VaultPress and Sucuri. There are also hosted WordPress services that offer security and backup options as part of their plans.


    Summary

    In summary, adhere to good security practices such as using strong passwords, make sure your WordPress installation and configuration are correct, and keep your version of WordPress (including plugins and themes) regularly updated. Thanks to Ned and the team at DN Trade for inviting me to post this article. If you're interested in learning more about WordPress, there is a world of resources at your fingertips. I've listed a few good starting points at my website http://wpsupport.com.au.
     
    charlie likes this.
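The checks the article walks through (current core version, non-default table prefix, the 755/644 permissions in the linked Codex page, and a locked-down uploads directory) collected into one POSIX shell script. This is an added example, not code from the article, from wpsupport.com.au or from WordPress itself; the file layout it assumes (wp-includes/version.php, wp-config.php, wp-content/uploads/), the function names and the "latest version" argument are my own. It goes one step beyond the article's uploads snippet: that snippet only limits which files Apache will serve, and on hosts that map PHP with AddHandler, mod_mime still hands a double-extension upload such as shell.php.jpg to the PHP engine, so the script also switches PHP off inside uploads.

```shell
#!/bin/sh
# wp_audit.sh (constructed example): audit and harden a WordPress tree.
# Assumes the standard layout under the directory given as $1.

# Core version, parsed from the line  $wp_version = '3.3.2';  in version.php.
wp_version() {
  sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# True (exit 0) when dotted version $1 is older than $2, e.g. 3.3.2 < 3.4.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Table prefix from wp-config.php ($table_prefix = 'wp_';). The default wp_
# is what canned SQL-injection payloads are written against.
table_prefix() {
  sed -n "s/^[\$]table_prefix *= *'\([^']*\)'.*/\1/p" "$1/wp-config.php"
}

# The Codex defaults: directories 755, files 644, nothing world-writable.
harden_wp_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Number of paths that still deviate from 755/644 (0 after hardening).
count_wrong_perms() {
  d=$(find "$1" -type d ! -perm 755 | wc -l)
  f=$(find "$1" -type f ! -perm 644 | wc -l)
  echo $((d + f))
}

# Uploads .htaccess: the article's image allow-list plus PHP switched off.
# Apache 2.2 syntax; on 2.4 without mod_access_compat replace Deny/Allow
# with "Require all denied" / "Require all granted".
write_uploads_htaccess() {
  dir="$1/wp-content/uploads"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php5
RemoveType .php .phtml .php5
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
  Allow from all
</FilesMatch>
EOF
}

# Run every check against root $1 with $2 as the current release;
# prints one line per finding and returns 1 if there were any.
wp_audit() {
  root="$1"; latest="$2"; rc=0
  v=$(wp_version "$root")
  if version_lt "$v" "$latest"; then
    echo "core $v is older than $latest: update"; rc=1
  fi
  if [ "$(table_prefix "$root")" = "wp_" ]; then
    echo "table prefix is the default wp_"; rc=1
  fi
  n=$(count_wrong_perms "$root")
  if [ "$n" -ne 0 ]; then
    echo "$n paths are not 755/644 (run harden_wp_perms)"; rc=1
  fi
  if [ ! -f "$root/wp-content/uploads/.htaccess" ]; then
    echo "uploads directory has no .htaccess (run write_uploads_htaccess)"; rc=1
  fi
  return $rc
}

# Usage: sh wp_audit.sh /path/to/wordpress 3.4
if [ $# -eq 2 ]; then
  wp_audit "$1" "$2"
fi
```

wp_audit only reports; harden_wp_perms and write_uploads_htaccess are the fixes and are called explicitly so nothing is changed on a live site by accident. Where PHP runs as the Apache user rather than as you (plain mod_php without suEXEC or suPHP), 755 on uploads is not enough for WordPress to write there, which is exactly the situation the article's 777 discussion covers; in that case the .htaccess is the compensating control, and the RemoveHandler/php_flag lines are the part that actually stops an uploaded script from running.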
  2. neddy

    neddy Membership: VIP

    Joined:
    Oct 17, 2008
    Messages:
    3,695
    Likes Received:
    1,153
    auDA Member:
    Yes
    Hey Chris, thanks for making the effort to write that article.

    Your website looks great too!

    Good luck with your venture. I know a few people who would like to come along to one of your workshops. :)
     
  3. Chris.C

    Chris.C Membership: VIP

    Joined:
    Sep 23, 2010
    Messages:
    2,098
    Likes Received:
    124
    Just to clarify - I didn't write this article, in case there was any confusion. It was a different Chris C.

    I know this for sure because I have had numerous complaints from hosts over the years about out-of-date WordPress installs and plugins which have led to breaches and compromised shared hosting servers...

    :p

    So I'm in no position to advise on setting up secure wordpress installs...

    :D

    But I have definitely taken some notes.
     
  4. FirstPageResults

    FirstPageResults Membership: VIP

    Joined:
    May 26, 2009
    Messages:
    1,906
    Likes Received:
    106
    auDA Member:
    Yes
    Sorry that's my bad :eek:
     
  5. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,402
    Likes Received:
    1,572
    auDA Member:
    Yes
    All good advice, as I am now almost 100% WordPress, having converted most of my websites from basic PHP to WordPress.

    I use "Backup Buddy" from "plugin buddy dot com"; it's GREAT. My host also backs up all my sites weekly. I know this as I have been attacked before I purchased BB, and they were able to restore the 11 sites instantly with their backup, which was only days old.

    "Pass phrase" is a good term. I have an Excel doc that contains all my passwords and it's backed up on our 3 laptops and 2 terra's, BUT if it all went up in flames I think I could get into any of my sites as I use "pass phrasing".

    I suppose if someone breaks my code for one then I'm shot for the many others, but I have 3 different levels of pass phrases:

    Just like my backpacking days, it goes like this:

    What I can afford to lose, what I'd be bummed out to lose and what I can't lose. So the passphrases get more difficult as the need increases.

    e.g. in backpacker mode: clothes! Oh well. Mobile phone! Bummer. Passport!!!!!!!! No way.

    ----------

    Plugin updates: I'm presently developing a plugin to automatically back up your WordPress site, then update your plugins, then back up your site again, and set it to do that every week/fortnight/month, whatever you want. There are automated backups, e.g. Backup Buddy, but I haven't been able to find an automated plugin updater.

    If anyone knows, then please let me know.

    tim
     
  6. chris

    chris Administrator

    Joined:
    Mar 7, 2010
    Messages:
    2,253
    Likes Received:
    829
    auDA Member:
    Yes
    Thanks for the feedback, much appreciated!
     
  7. Blue Wren

    Blue Wren Membership: VIP

    Joined:
    Jan 23, 2012
    Messages:
    909
    Likes Received:
    107
    Sounds very helpful. Backing up WP with 99.9% reassurance has been a little hazy for me in the past.
     
  8. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,402
    Likes Received:
    1,572
    auDA Member:
    Yes
    What I have found (and thus my desire for a plugin to do it for me) is I keep all my plugins in ONE folder on my computer. I then systematically back up the WP site and then update the plugins. If something goes pear-shaped then I open FTP and rename the plugin folder and reinstall that plugin back to its original status, and then don't update it until next time.

    It's much easier than trying to put a complete WordPress site back together.

    OOHHH, also I have test domains, so I do them first as they are not my clients, so I get to find out the dodgy updates without bringing a client's site down.

    e.g. I have 1 plugin I use on almost every site, "Genesis Simple Sidebars"; the present update will crash a site BUT not if you do it last? Weird, hey. So I update everything and then update it and I have no problems!

    As you can imagine, the common thing to do is go down the page and hit update, so it must be a conflict with another plugin after the letter G (Genesis...).


    tim

    PS: my plugin will be a commercial version not free as i think its worth it.
     
  9. fatzebra

    fatzebra Membership: Community

    Joined:
    Feb 22, 2012
    Messages:
    13
    Likes Received:
    0
    Chris,

    The site looks great and the article is fantastic!

    We do get asked a lot about security in wordpress, so it's nice to find a good article about it.
     
  10. helloworld

    helloworld Membership: VIP

    Joined:
    Apr 21, 2012
    Messages:
    1,116
    Likes Received:
    165
    You can also secure your wp-admin by changing the htaccess file so only certain Ip's can access that page.
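The IP restriction suggested in the post above, written out as a POSIX shell script that generates the .htaccess. This is an added example, not code from the thread; the file names, function names and the Apache 2.2 Order/Deny/Allow syntax are my own assumptions (on Apache 2.4 without mod_access_compat the equivalent is Require ip / Require all denied). It covers two things the one-line suggestion leaves out: wp-login.php lives in the web root, not under wp-admin, so it needs its own Files block in the root .htaccess, and wp-admin/admin-ajax.php has to stay reachable because themes and plugins call it on behalf of logged-out visitors.

```shell
#!/bin/sh
# wp_admin_allowlist.sh (constructed example): restrict the WordPress
# dashboard and login page to a list of IPv4 addresses or CIDR ranges.

# Accept 203.0.113.7 or 198.51.100.0/24; reject anything else (exit 1).
is_ipv4_or_cidr() {
  printf '%s\n' "$1" | awk -F/ '
    NF > 2 { exit 1 }
    NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { exit 1 }
    {
      n = split($1, o, ".")
      if (n != 4) exit 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
      exit 0
    }'
}

# Emit the block to append to the web-root .htaccess for wp-login.php,
# which sits outside wp-admin and is the page brute-force tools hit.
login_block() {
  echo '<Files wp-login.php>'
  echo '  Order deny,allow'
  echo '  Deny from all'
  for ip in "$@"; do echo "  Allow from $ip"; done
  echo '</Files>'
}

# Write wp-admin/.htaccess under the WordPress root in $1 for the addresses
# that follow. Validates every address first and returns 1 without writing
# anything if one is malformed, so a typo cannot lock you out silently.
write_admin_htaccess() {
  wpdir="$1"; shift
  [ $# -ge 1 ] || { echo "need at least one address" >&2; return 1; }
  for ip in "$@"; do
    is_ipv4_or_cidr "$ip" || { echo "rejecting malformed address: $ip" >&2; return 1; }
  done
  mkdir -p "$wpdir/wp-admin"
  {
    echo 'Order deny,allow'
    echo 'Deny from all'
    for ip in "$@"; do echo "Allow from $ip"; done
    # admin-ajax.php is called by front-end code for anonymous visitors;
    # leaving it open keeps AJAX-driven themes and plugins working.
    echo '<Files admin-ajax.php>'
    echo '  Order allow,deny'
    echo '  Allow from all'
    echo '</Files>'
  } > "$wpdir/wp-admin/.htaccess"
}

# Usage: sh wp_admin_allowlist.sh /path/to/wordpress 203.0.113.7 198.51.100.0/24
# Writes wp-admin/.htaccess and prints the wp-login.php block to append by hand.
if [ $# -ge 2 ]; then
  root="$1"; shift
  write_admin_htaccess "$root" "$@" && login_block "$@"
fi
```

The script refuses to write anything when an address fails validation, because a .htaccess with a mistyped Allow line denies everyone, including you, and on shared hosting the only way back in is FTP. As the next reply in the thread points out, a static allow-list also does not suit anyone who administers sites from changing networks; in that case a VPN with a fixed egress address, or HTTP basic authentication on the same two paths, gives the same benefit without the lockout.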
     
  11. iejs

    iejs Membership: VIP

    Joined:
    Jul 19, 2008
    Messages:
    91
    Likes Received:
    0
    I'm really looking forward to the workshops.
     
  12. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,402
    Likes Received:
    1,572
    auDA Member:
    Yes
    Wouldn't work for me as I might be out of the office and get a phone call, duck into an internet cafe and update some things. Happened to me 2 weeks ago: a frantic client said "we need to get rid of that info on the homepage NOW". He was in a meeting and found out he got it all wrong! So I saved his arse as I was next to an internet cafe at the time... go figure?

    tim
     
  13. chris

    chris Administrator

    Joined:
    Mar 7, 2010
    Messages:
    2,253
    Likes Received:
    829
    auDA Member:
    Yes
    Thanks for the positive feedback!

    I've just updated the site with links to the next 2 workshops in Melbourne.

    http://wpsupport.com.au/wordpress-training/

    There will be lots more coming up, I'll be sure to update DN Trade with the info.

    Thanks again for the support :)
    Chris
     
  14. Blue Wren

    Blue Wren Membership: VIP

    Joined:
    Jan 23, 2012
    Messages:
    909
    Likes Received:
    107
    This is great. Wish they were held on the Gold Coast also.
     
  15. FirstPageResults

    FirstPageResults Membership: VIP

    Joined:
    May 26, 2009
    Messages:
    1,906
    Likes Received:
    106
    auDA Member:
    Yes
    Maybe they could do a webinar :)
     
  16. chris

    chris Administrator

    Joined:
    Mar 7, 2010
    Messages:
    2,253
    Likes Received:
    829
    auDA Member:
    Yes
    The plan is to run them at all major cities, including regional areas.

    I'm also definitely looking at webinars and videos etc. Will keep DN Trade in the loop for sure!
     
  17. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,402
    Likes Received:
    1,572
    auDA Member:
    Yes
    For presentations/lessons I've found Camtasia pretty good to use once you use it a lot.

    tim
     
  18. Blue Wren

    Blue Wren Membership: VIP

    Joined:
    Jan 23, 2012
    Messages:
    909
    Likes Received:
    107
    Great news Chris. I will look out for it then.
     
  19. iejs

    iejs Membership: VIP

    Joined:
    Jul 19, 2008
    Messages:
    91
    Likes Received:
    0
    I went to one of Chris' workshops yesterday and it was great. Already looking forward to the next one :)

    Thanks Chris!
     
  20. chris

    chris Administrator

    Joined:
    Mar 7, 2010
    Messages:
    2,253
    Likes Received:
    829
    auDA Member:
    Yes
    Thanks for coming and for your feedback! There will be lots more in the future :)