Terri recently sent me an email asking for precautionary steps and advice on how to keep WordPress safe from being hacked. Terri also wanted to know the differences in security between a self-hosted version of WordPress and the risks of using WordPress.com.
I have been doing a lot of research about the pros/cons of different blogging platforms and CMS. At the same time, I have come across a lot of information related to WordPress sites being hacked and other security issues. When I read about the pros/cons of self-hosted vs hosted solutions for blogs, it is interesting that I don’t read too much about security vulnerabilities being a huge disadvantage to using a self-hosted solution. How concerned should bloggers be about being hacked? Is the threat big enough for someone not to choose WP as a blogging platform or CMS? Besides backing up your database (which could be infected also) and upgrading WP to the most recent version, what other precautions should you take to keep a WP blog safe? Also, I heard that the upgrades that WP makes make it more open to attacks. Your thoughts?
Well Terri, I’ll first start off by pointing you to a post that Matt Mullenweg published a few months ago which goes into detail on how to keep your blog safe.
The article boils down to a couple of simple points:
- Upgrading WordPress ASAP to the newest release.
- Changing your password on a regular basis and using a strong password.
In the majority of cases where a WordPress-powered site is found to have been hacked, that site was running an older version of WordPress. This makes sense, since newer versions patch previously discovered security holes.
Hosted / WordPress.com:
Self Hosted / WordPress.org:
When going the self-hosted route, it’s a different ballgame. There is an excellent article on the WordPress Codex, Hardening WordPress, which goes into detail on how to harden your WordPress installation. At a glance, this is what you’ll have to worry about:
- Vulnerabilities on your computer
- Vulnerabilities in the WordPress package itself
- Server vulnerabilities
- Network vulnerabilities
- Passwords
- File permissions
- Database security
- Securing wp-admin
- SSL encryption security
- Plugins
  - Security plugins
  - Plugins that need write access
  - Code execution plugins
- Security through obscurity
As you can see, there is plenty more to worry about when using a self-hosted version of WordPress rather than letting Automattic do the worrying for you. However, after working through each section of the Hardening WordPress article, you should be ready to go.
Security Through Plugins:
Alternatively, you can step it up a notch by using a variety of different plugins which are available to help make WordPress that much more secure. Here is a list of plugins/resources to help you along the way.
WP Security Scan – This plugin acts like a spyware/virus scanner in that it scans your WordPress installation for security vulnerabilities and suggests corrective actions.
AskApache Password Protect – This plugin makes it easy to put up a virtual wall around your WordPress installation. It allows you to create a username and password that protect your entire /wp-admin/ folder and the login page. The plugin can only be used on Apache-based web servers.
Admin SSL – Secures any WordPress URL using Private or Shared SSL. Once the plugin is activated go to the Admin SSL config page to enable SSL and read the installation instructions.
Login LockDown – Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This is a good way to protect against brute-force attacks.
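To make the Login LockDown rule concrete, here is an added example (my own code, not the plugin's) that models the behaviour described above: every failed login is recorded with its IP and timestamp, failures are grouped by IP range, and once too many land inside a short window the whole range is refused for a while. The thresholds (5 failures within 5 minutes, a 1 hour lockout, /24 for IPv4 and /64 for IPv6) and the failed-login records are assumptions constructed for this example, not the plugin's defaults or data from any real site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample data: (timestamp, client IP) for each failed login, in
# chronological order. Documentation-range addresses and made-up times,
# not records from any real server.
FAILED_LOGINS = [
    ("2008-04-01 10:00:00", "203.0.113.5"),
    ("2008-04-01 10:00:07", "203.0.113.5"),
    ("2008-04-01 10:00:15", "203.0.113.9"),    # different host, same /24
    ("2008-04-01 10:00:20", "203.0.113.5"),
    ("2008-04-01 10:00:25", "203.0.113.12"),   # 5th failure from the /24 in 25s
    ("2008-04-01 10:30:00", "198.51.100.7"),   # slow guesser, one try every few minutes
    ("2008-04-01 10:33:00", "198.51.100.7"),
    ("2008-04-01 10:37:00", "198.51.100.7"),
    ("2008-04-01 10:41:00", "198.51.100.7"),
    ("2008-04-01 10:44:00", "198.51.100.7"),
    ("2008-04-01 10:45:00", "203.0.113.5"),    # range still locked
    ("2008-04-01 11:05:00", "203.0.113.5"),    # lock has expired
]


class LoginLockdown:
    """In-memory model of the lockout rule: too many failures from one IP
    range inside a short window disables login for that range for a while.
    The thresholds here are assumptions for this example, not the plugin's."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # range -> recent failure times
        self.locked_until = {}              # range -> datetime the lock expires

    @staticmethod
    def ip_range(ip):
        """Collapse an address to its range: /24 for IPv4, /64 for IPv6."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def is_locked(self, ip, now):
        """True if login is currently disabled for this IP's range.
        Expired locks are cleared on the way through."""
        rng = self.ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]
            self.failures.pop(rng, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed attempt. Returns True if this one triggers a lock."""
        rng = self.ip_range(ip)
        recent = self.failures[rng]
        recent.append(now)
        # Sliding window: forget failures older than `window`.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            recent.clear()
            return True
        return False


def replay(records, detector=None):
    """Run failed-login records through the detector in order.
    Returns (locks, blocked): when each range got locked, and which later
    attempts were refused because their range was still locked."""
    det = detector or LoginLockdown()
    locks, blocked = [], []
    for ts, ip in records:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if det.is_locked(ip, now):
            blocked.append((ts, ip))     # login form refused outright
            continue
        if det.record_failure(ip, now):
            locks.append((ts, det.ip_range(ip)))
    return locks, blocked


if __name__ == "__main__":
    locks, blocked = replay(FAILED_LOGINS)
    for ts, rng in locks:
        print(f"{ts} locked {rng}")
    for ts, ip in blocked:
        print(f"{ts} refused {ip} (range locked)")
```

Running the replay locks 203.0.113.0/24 at 10:00:25 and refuses the 10:45:00 attempt, while the slow guesser from 198.51.100.7 never trips the rule because its attempts fall out of the five-minute window; that is the trade-off of any window-based rule. Two things to keep in mind when applying this on a real site: the real plugin keeps its state in the database rather than in memory, and if WordPress sits behind a reverse proxy the address it sees is the proxy's, so every visitor shares one range and a single lockout would shut everyone out; use the forwarded-for header from a proxy you trust in that case.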
BlogSecurity released a whitepaper specifically about WordPress security. The whitepaper is at version 1.2 and was released in April 2008.
Is the threat big enough for someone not to choose WP as a blogging platform or CMS?
In my opinion, no. WordPress is the most popular blogging/publishing platform on the web, which makes it a prime target for hackers. It doesn’t matter which publishing platform you decide to go with; each one of them has or will have security vulnerabilities. To make things worse, you could have a perfectly hardened WordPress installation and still discover it’s been hacked thanks to something like an SQL injection in a plugin you installed. It’s a constant race between good and evil. If you make it a routine to keep ahead of the game and keep your blog up to date, more often than not you’ll be safe.
Also, I heard that the upgrades that WP makes make it more open to attacks. Your thoughts?
This is what I would consider to be FUD (fear, uncertainty and doubt). Upgrading WordPress from one version to the next does not make it more prone to security vulnerabilities. In fact, it’s the complete opposite. There is only one scenario I can think of where this might be an issue: if you were to upgrade to a newer version of WordPress and that version contained a zero-day vulnerability that no one knew about, then you could be at risk. But considering no one would know about the vulnerability, what could be done about it? Nothing.
So rest assured that upgrading your blog as soon as you can after a new version has been released is one of the best things you can do to keep your blog safe. Not doing so is a recipe for disaster.
Terri, I hope that answers all of your questions. You now know the differences in security between using a self-hosted version and a hosted version of WordPress. With the Codex article along with the resource links and plugins, you now have a better grasp of how to ensure your blog’s safety against malicious attacks.
If you had to answer Terri’s questions, what would you have said differently? Do you disagree with anything I’ve said? Let me know in the comments. Also, if you have any more tips and tricks for making WordPress more secure, share those as well.