Reader Question: Is WordPress Safe To Use?

Terri recently sent me an email and wanted to know some precautionary steps as well as advice on how to keep WordPress safe from being hacked. Terri also wanted to know the differences in security between a self hosted version of WordPress versus the security risks of using WordPress.com

I have been doing a lot of research about the pros/cons of different blogging platforms and CMS. At the same time, I have come across a lot of information related to WordPress sites being hacked and other security issues. When I read about the pros/cons of self-hosted vs hosted solutions for blogs, it is interesting that I don’t read too much about security vulnerabilities being a huge disadvantage to using a self-hosted solution. How concerned should bloggers be about being hacked? Is the threat big enough for someone not to choose WP as a blogging platform or CMS? Besides backing up your database (which could be infected also) and upgrading WP to the most recent version, what other precautions should you take to keep a WP blog safe? Also, I heard that the upgrades that WP makes makes it more open to attacks. Your thoughts?

Well Terri, I’ll first start off by pointing you to a post that Matt Mullenweg published a few months ago which goes into detail on how to keep your blog safe.

The article boils down to a couple of simple points:

Upgrading WordPress ASAP to the newest release.
Changing Your Password On A Regular Basis/Using A Strong Password

The majority of times it’s discovered that a WordPress powered site has been hacked, that site was using an older version of WordPress. This makes sense given that newer versions patch previously discovered security holes.

Hosted / WordPress.com

When deciding if you should go the hosted or self hosted route because of security, using WordPress.com is going to come out on top. This is because Automattic runs a tight ship with WordPress.com. Generally, the only thing you’ll have to worry about is using a strong password. WordPress.com doesn’t allow users to upload third party widgets, nor do they allow javascript from being executed in a Text Widget.

Self Hosted / WordPress.org:

When going the self hosted route, it’s a different ballgame. There is an awesome article on the WordPress Codex which goes into detail on how to harden your WordPress installation ( Hardening_WordPress ). At a glance though, this is what you’ll have to worry about:

1 Vulnerabilities on your computer
2 Vulnerabilities in the WordPress package itself
3 Server vulnerabilities
4 Network vulnerabilities
5 Passwords
6 File permissions
7 Database security
8 Securing wp-admin
9 SSL Encryption Security
10 Plugins
10.1 Security Plugins
10.2 Plugins that need write access
10.3 Code execution plugins
11 Security through obscurity

As you can see, there is plenty more to worry about using a self hosted version of WordPress rather than letting Automattic do the worrying for you. However, after going through each section of the Hardening WordPress article, you should be ready to go.

Security Through Plugins:

Alternatively, you can step it up a notch by using a variety of different plugins which are available to help make WordPress that much more secure. Here is a list of plugins/resources to help you along the way.

WP Security Scan – This plugin acts like a spyware/virus scanner in that it scans your WordPress installation for security vulnerabilities and suggests corrective actions.

Login Encrypt – Login Encrypt appends a snippet of javascript to the wp-login which generates a unique DES key each time a user logs in. Using that key, the password of the user is encrypted.

AskApache Password Protect – This plugin makes it easy to put up a virtual wall around your WordPress installation. This plugin allows you to create a username and password to protect your entire /wp-admin/ folder and login page. Plugin can only be used on Apache based webservers.

Admin SSL – Secures any WordPress URL using Private or Shared SSL. Once the plugin is activated go to the Admin SSL config page to enable SSL and read the installation instructions.

Login Lockdown – Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. A good way to protect against brute force attacks.

Resources:

Noupe showcases 10 WordPress security tips/tricks/hacks

BlogSecurity released a Whitepaper specifically about WordPress security. The whitepaper is at version 1.2 and was released back in April of 2008.

Speckyboy gives you his list of the best 10 security WordPress plugins to use

Is the threat big enough for someone not to choose WP as a blogging platform or CMS?

In my opinion, no. WordPress is the most popular blogging/publishing platform on the web which means it’s a prime target for hackers. It doesn’t matter which publishing platform you decide to go with, each one of them has or will have security vulnerabilities. To make things worst, you could have a perfectly hardened WordPress installation and discover it’s been hacked thanks to something like an SQL injection via a plugin you installed. It’s a constant race between good and evil. If you make it a routine to keep ahead of the game and keep your blog up to date, more often than not, you’ll be safe.

Also, I heard that the upgrades that WP makes makes it more open to attacks. Your thoughts?

This is what I would consider to be FUD (Fear, Uncertainty, Doubt). Upgrading WordPress from one version to the next does not make it more prone to security vulnerabilities. In fact, it’s the complete opposite. There is only one scenario I can think of where this might be an issue and that is, if you were to upgrade to a newer version of WordPress and that version had a 0 day exploit within the code that no one knew about, then you could be at risk. But considering no one would know about the exploit, what could be done about it? Nothing.

So rest assure that upgrading your blog as soon as you can after a new version has been released is one of the best things you could do to keep your blog safe. Not doing so is a recipe for disaster.

Conclusion:

Terri, I hope that answers all of your questions. You now know the differences in security between using a self hosted version versus a hosted version of WordPress. With the Codex article along with the resource links and plugins, you now have a better grasp on how to ensure your blogs safety against malicious attacks.

Your Turn:

If you had to answer Terri’s questions, what would have said differently? Do you disagree with anything I’ve said? Let me know in the comments. Also, if you have any more tips and tricks in terms of making WordPress more secure, share those as well.

9 thoughts on “Reader Question: Is WordPress Safe To Use?”

guya says:

July 26, 2008 at 5:22 am

Thank you for the informative article.
I’ve also written about this subject after my blog has been hacked:
http://blog.guya.net/2008/06/16/my-blog-has-been-hacked/
Jeff Chandler says:

July 23, 2008 at 1:18 pm

You’re quite welcome.
Anonymous says:

July 23, 2008 at 9:48 am

Hi Jeffro,

Excellent post. This is very helpful. Thanks for taking the time to respond to my questions.
Sud says:

July 21, 2008 at 12:02 pm

Hi –

I use the delicious firefox extension to tag and bookmark articles directly out of google reader. The feedburner footer for delicious linking sucks (I don’t want a new window that first directs me to a page to bookmark and then forwards me to a page for the article I just read that I then have to close myself).

Currently in order to bookmark anything in delicious, I have to click on your feed, wait for the page to load, and then bookmark it on delicious.

Could you please add a permalink to the end of your feed so I can bookmark without visiting? If the permalink of the post goes to feedburner and there are no permalinks in the footer, often I don’t bookmark it in delicious because of the hassle.
Chris SEO says:

July 21, 2008 at 8:27 am

yeah I’ve had a few instances of spam/hack issues with wordpress. You just need to keep a close eye on it and have the proper plugins installed.
Jeff Chandler says:

July 21, 2008 at 3:21 am

Good morning Barbara. I’m glad this post was helpful. You are a great example as to why bloggers/writers should add explanations after acronyms because not everyone may know the lingo associated with a topic.
Jeff Chandler says:

July 21, 2008 at 3:19 am

Thanks whole heartedly pholpher. Means a lot when coming from you I hope this helps keep those blogs from being hacked. I mean, there is single guarantee to prevent things from happening. All you can do is place as many walls between the attackers and your blog and hope they give up before they get to the goods.
Barbara Ling, Virtual Coach says:

July 21, 2008 at 1:35 am

Morning,

Truly a great collection of must-have plugins and must-do actions. I had never heard of “This is what I would consider to be FUD (Fear, Uncertainty, Doubt). ” – very useful acronym.

Thanks for sharing! Barbara
pholpher says:

July 21, 2008 at 1:04 am

Great post. Definitely bookmarking this. I had a blog get hacked and I’ve been looking for information on how to make my blogs more secure. Thanks!

Comments are closed.