Keeping Your Self Hosted WordPress Blog Secure
After hearing that Robert Scoble’s WordPress blog was broken into and was compromised by spammers, I started thinking about my own websites, all of which run on WordPress.
There is a controversy brewing on the web as to whom to blame for that break-in. Was it Robert's fault for not upgrading to the latest version? Was it WordPress' fault for not knowing about that hole in its code?
In my personal opinion, the only people to blame for this happening should be the hackers that broke in. Every software developer tries to make their software as secure as possible, but as the software grows in popularity it becomes a bigger target for people wanting to "break it."
This brings me to the WordPress administrator’s responsibility.
It is our duty, as WordPress administrators, to keep our WordPress software up to date with the latest released version. If, as administrators, we don’t keep our WordPress blogs updated and secure, then can we really blame WordPress, or even the hackers, for our lack of concern?
Having said that, we all are very busy and sometimes it's hard to keep up with all the software, applications and everything else we use on a day to day basis to run our business. However, if you run your business on top of WordPress and your business can be negatively affected if WordPress is down, then it should be a high priority item on your "to-do" list.
Below, you will find a small list of recommendations for keeping your self hosted WordPress blog secure. This does not pertain to WordPress.com, which is managed by Automattic.
UPDATE TO LATEST VERSION
Updating to the latest version of WordPress is one of the easiest things you can do. There is an automatic update feature under "Tools : Upgrade" (moved to "Dashboard : Updates" in later versions) that will check the version you have and tell you if you have to upgrade. Upgrading is a matter of clicking on the "UPDATE" button and letting WordPress do its thing. Granted, this automatic update may not work for everyone, so there is the manual way of doing it, which is almost as simple. The same screen updates your plug-ins and themes, and they need it just as much as the core does.
DELETE THE “ADMIN” ACCOUNT
As soon as you are done installing WordPress, create a new account with the Administrator role under a different name, log in as that account, and then delete the built-in "admin" account. When you delete it, WordPress asks what to do with its posts; choose "Attribute all content to" your new account so nothing is lost. That way anyone brute forcing the account name everyone knows is guessing at a user that doesn't exist.
CREATE A “STRONG” ACCOUNT NAME
Creating a strong password is a good thing, but so is creating a strong account name. Follow the same rules as when you are creating a strong password (see below). This will slow down hackers trying to break in, but don't rely on it: WordPress reveals usernames through author archives (requesting /?author=1 redirects to /author/<username>/) and, in recent versions, through the REST API's users endpoint, so the password is what actually has to hold. (Submitted by Martin)
USE A “STRONG” PASSWORD
Don't use common passwords like your son's name, your wife's birthdate, your dog's name, etc. Use "strong passwords": long, with upper and lower case letters, numbers and symbols mixed, and not reused from any other site. WordPress will tell you if the password you chose for your account is a "strong" one or a "weak" one.
TURN OFF USER REGISTRATION
If your site doesn't need user registration, turn it off: under "Settings : General", uncheck "Anyone can register". This keeps outsiders from creating an account and using it as a foothold; even a subscriber-level login can reach plug-in features and privilege-escalation bugs that an anonymous visitor cannot. If you do need registration, leave "New User Default Role" set to Subscriber.
LIMIT THE NUMBER OF LOGIN ATTEMPTS
A hacker will use brute force (repeated attempts at logging in) to try to figure out your user name and password. If you limit the number of login attempts, you will slow them down. You can do this by installing a plug-in such as Login LockDown, which records failed logins per IP address and disables logins from that address for a while once too many failures pile up. (Submitted by Martin)
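To show what a login limiter actually has to do, here is a small must-use plugin written for this post. It is an added example, not the Login LockDown source: the thresholds (3 failures within 5 minutes locks the IP for an hour), the transient names, the error message and the wp-content/mu-plugins/ location are all my assumptions. It uses only standard WordPress hooks (wp_login_failed, authenticate) and the transients API.

```php
<?php
/**
 * Plugin Name: Example login lockout
 * Description: Per-IP login throttling in the spirit of Login LockDown.
 *
 * Example written for this post; not the Login LockDown plugin's code.
 * Thresholds, transient names and the mu-plugins location are assumptions.
 * Save as wp-content/mu-plugins/example-login-lockout.php.
 */

const EXAMPLE_LOCKOUT_MAX_FAILURES   = 3;    // failures allowed...
const EXAMPLE_LOCKOUT_WINDOW_SECONDS = 300;  // ...within this many seconds
const EXAMPLE_LOCKOUT_SECONDS        = 3600; // how long a tripped IP stays locked

function example_lockout_client_ip() {
    // REMOTE_ADDR is set by the web server, not by the client. Only trust
    // X-Forwarded-For if a proxy you control overwrites it on every request.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key($prefix, $ip) {
    return $prefix . md5($ip); // keeps the transient name short and safe
}

function example_lockout_is_locked($ip) {
    return get_transient(example_lockout_key('exlock_until_', $ip)) !== false;
}

// Count failures per IP and trip the lock at the threshold.
// wp_login_failed fires for wp-login.php and XML-RPC logins alike.
add_action('wp_login_failed', function ($username) {
    $ip = example_lockout_client_ip();
    if (example_lockout_is_locked($ip)) {
        return; // already locked; nothing more to count
    }
    $fail_key = example_lockout_key('exlock_fail_', $ip);
    $failures = (int) get_transient($fail_key) + 1;
    // Fixed window: the counter lives WINDOW seconds from the latest failure
    // and disappears on its own when the transient expires.
    set_transient($fail_key, $failures, EXAMPLE_LOCKOUT_WINDOW_SECONDS);
    if ($failures >= EXAMPLE_LOCKOUT_MAX_FAILURES) {
        set_transient(example_lockout_key('exlock_until_', $ip), time(), EXAMPLE_LOCKOUT_SECONDS);
        delete_transient($fail_key);
    }
});

// Refuse every login from a locked IP, including one with the correct password;
// otherwise the lockout only delays the attacker until the right guess lands.
// Priority 30 runs after WordPress's own password check (priority 20), so the
// WP_User produced there is replaced by our error, not the other way round.
add_filter('authenticate', function ($user, $username, $password) {
    if (example_lockout_is_locked(example_lockout_client_ip())) {
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts from your address. Try again later.')
        );
    }
    return $user;
}, 30, 3);
```

Two limits of this approach are worth knowing. Keying on the client IP means an attacker with many addresses gets a fresh budget from each one, and a whole office behind one NAT address can be locked out by one careless colleague; the plug-in's job is to make guessing expensive, not impossible, which is why the strong password above still matters. Without a persistent object cache the transients are rows in wp_options, which is fine at this scale.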
HOST WORDPRESS IN A KNOWN AND RELIABLE HOST COMPANY
I know you want to save money on your hosting account, but please, if your website IS your business, then use a trustworthy host that takes security seriously. Cheap is not always cheap.
USE SECURE PLUG-INS
WordPress allows you to extend its functionality by the use of plug-ins. Third party developers (not associated with WordPress) write these plug-ins to add functionality that WordPress may be missing. This is great; however, a plug-in runs as PHP with the same access to your database and files as WordPress itself, so if the developer is not great at writing code or doesn't care about the security of the plug-in, you are compromising your whole installation. Check how long the plug-in has been around, when it was last updated, and that it is compatible with the latest version of WordPress. Read the comments about it and see how many downloads it has. Analyzing this data won't guarantee that it is secure, but it will help you make an informed decision as to whether you should install it. Also delete plug-ins you no longer use rather than just deactivating them: a deactivated plug-in's files are still on the server and still reachable by URL.
USE SECURE THEMES
Themes allow you to change the look of your site by clicking on a button and selecting a different theme. A theme is PHP code that runs on every page load, so it deserves the same scrutiny as a plug-in. Make sure whatever theme you purchase or have created for you comes from a coder who understands proper coding practices, believes in writing secure code and maintains the theme with regular updates.
BACK UP YOUR DATABASE AND FILES
It doesn't matter how secure you make your site, something will happen to it someday (Murphy's law). Having said that, you need to back up your database daily (or hourly depending on how busy your site is). There are many ways to back up your database, from doing it manually to automating it via plug-ins such as WordPress Database Backup. I also highly recommend that you back up your entire site (all WordPress code and any related media assets including images, videos, themes, plugins, etc.). Keep the copies somewhere other than the web server itself; a backup sitting in wp-content on a compromised host is compromised along with it. And test a restore now and then, because a backup you have never restored is a hope, not a plan.
CREATE A DEVELOPMENT SITE
It is always recommended that you create a "development" (mirror copy) site locally on your computer and run any tests and changes to the code locally before publishing them to your main production site. You can easily create a running copy of your WordPress site using MAMP for Mac or WAMP for PC. Once you have a local site to play with, go into your WordPress production version and "export" all your data through "Tools : Export", select "All Authors" and click on "Download Export File". You can then go into your local copy of WordPress and do an Import. Two caveats: the export file contains your posts, pages and comments, but not your themes, plugins or site settings, which you have to copy over separately; and the media files are only fetched if you tick "Download and import file attachments" in the importer, and then only while the production site is still reachable. Once your local copy matches production you also have a second copy of your content in case something happens to the production site, but treat it as a complement to the backups above, not a replacement.
DON’T ALLOW PHP CODE IN YOUR “PAGES”
There are some plug-ins that allow you to write "inline" PHP code in your WordPress Pages and Posts. That means anyone who can edit a post can run arbitrary code on your server, so a stolen author password or a cross-site scripting bug in the editor turns into a full compromise of the site. Unless you know that plug-in very well and you completely trust all of your authors, I would not install anything like that.
DISABLE XML-RPC
XML-RPC allows outside applications to post data to your WordPress install. For example, if you have blog client software on your Windows or Mac desktop, you can connect it to your WordPress blog, but to do that XML-RPC has to be enabled. If you never plan to post to your blog from outside the WordPress admin itself, I recommend you turn it off; it is one less "input" for hackers to come through, and xmlrpc.php is a favourite target for password guessing because a single request can carry many login attempts. Older versions have a checkbox under "Settings : Writing : Remote Publishing"; since WordPress 3.5 XML-RPC is always on and has to be disabled with a filter in code or by denying access to xmlrpc.php at the web server.
REMOVE THE GENERATOR HEADER
If you look at the source code of a WordPress generated page, you will see a META tag called "generator" with a value of "WordPress x.y.z". If you remove that tag, a hacker scanning for sites on a version with a known hole won't be told your version outright. You can do this by adding the following line to your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
Be aware that this only removes the tag from the page head. The same version string also appears in your RSS and Atom feeds, in the "?ver=" query string WordPress appends to its own scripts and stylesheets, and in the readme.html file in the site root, so hiding the version is a mild speed bump, not a substitute for updating.
(Submitted by Martin)
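Here is the XML-RPC and generator advice from the two sections above gathered into one snippet for functions.php (or a must-use plugin). It is an added example written for this post, not code from the original article or from WordPress; it assumes WordPress 3.5 or later, where the xmlrpc_enabled filter exists and the Remote Publishing checkbox is gone. The function name example_strip_version_query is my own.

```php
<?php
// Added example for the active theme's functions.php. Assumes WordPress 3.5+.

// 1. XML-RPC. Despite its name, xmlrpc_enabled only disables the methods that
//    need a login; pingback.ping keeps working. Emptying the method table makes
//    every WordPress method unknown to the server, so both lines are used.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', '__return_empty_array');

// 2. Version leak. Remove the generator tag from <head> AND from the RSS/Atom
//    feeds, which carry their own <generator> element built by the same code.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 3. Version leak, second channel. Core appends ?ver=<WordPress version> to the
//    scripts and styles it enqueues. Stripping it hides the version from the
//    markup at the cost of version-based cache busting for those files.
function example_strip_version_query($src) {
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_version_query', 15);
add_filter('style_loader_src', 'example_strip_version_query', 15);
```

Check the result from outside rather than trusting the code: fetch the home page and a feed and grep for "WordPress", and send any request to xmlrpc.php to confirm it answers with a fault instead of a method list. xmlrpc.php itself still exists as a file; if you want requests to it never to reach PHP at all, deny it in the web server configuration as well.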
HIRE A WORDPRESS CONSULTANT
If the above is too much for you to do, or you didn't understand half of what I wrote, go ahead and hire a consultant to make sure your WordPress install is safe (of course, we offer that, so contact me if you need help). Yes, it will cost you up front, but I can guarantee you it will be much cheaper than when your site goes down completely and you have no clue what to do. A consultant will then cost you twice as much, plus the loss to your business due to your website being down.
As you can see there are many things you can do to make your WordPress software as secure as possible. Having said that, nothing is really secure and as soon as a hole is found and patched, hackers will find something else. Unfortunately, that’s the nature of software development, and as WordPress administrators and business owners, we need to put high enough priority in keeping our WordPress website secure, especially, if our business’ economic health depends on it.
Tags: Administration, Development, Hackers, Plug-ins, Wordpress. Posted in Wordpress.
Good read thanks.
Great Posting!!
thanks for your tips.