I run a couple of WordPress websites.
I started as user seven years ago, progressed to maintaining sites for a few organizations and am now moving into installation and development for others.
WordPress is one of the most popular open source content management systems currently in use. (There is a great summary of it’s history, strengths and weaknesses on Wikipedia). That’s great in that it means that there is a large community focused on ongoing development, security patches and plugin development to extend framework capabilities. It’s bad in that it presents a large target for hacking and malware attacks. Kevin Muldoon’s piece over at the WPMU dev community is a great summary of WordPress’s vulnerabilities and the tools available to fend off attacks. The short version is that no one action will prevent a skilled determined hacker from getting in – but a layered approach will slow him (or her) down and make the effort much less worthwhile.
The following is a list of security practices that I find useful.
- Use a reputable hosting company. I use Dreamhost. It’s good value for the money, scales (for when a business takes off and needs more server capacity) and has good automation and documentation. It also provides the CloudFlare content distribution network (CDN) to account holders to capture and push out to distribution points static versions of your dynamic pages. CloudFlare provides an additional layer of protection in that hackers hit the static pages, not the dynamically served pages coming from your ISP.
- Purchase an SSL certificate and use it on your site. SSL (Secure Socket Layer) ensures that all traffic to and from your site is encrypted in both directions, from a user’s machine to the site and from the site back to the user. It ensures that passwords are never sent in the clear, even over unsecured wifi service points, such as those still found in many coffee shops and public work spaces. When a site’s URL starts with https, that site has a security certificate.
- Set and use your WordPress security keys.
- Keep your WordPress installation up-to-date. Along with performance improvements, the updates are also released to plug identified vulnerabilities.
- Only install the themes and plugins you need. If you need to try out a gazillion plugins (we’ve all gone through that phase) please do it on your development server, or locally on your development computer with a LAMP, MAMP, WAMP, XXAMP or AMPPS stack.
- Customize your database table prefixes. All WordPress database installations name the installed tables with the initial prefix “wp_”. Hacking tools and scripts look for this prefix. You can alter the table names during installation to a customized table prefix. It’s a simple, but it makes the hacker take some additional steps to correctly ID your database.
- Don’t use WordPress plugins that aren’t updated regularly. They may not have been patched for recently identified security vulnerabilities.
- Use plugins from the WordPress plugin repository and themes from the WordPress theme repository, or from reputable vendors. These plugins and themes are tested for code quality as part of the repository approval process.
- Test your installed plugin code with the Plugin Check plugin to check for security vulnerabilities. Test your installed themes with Theme Check. These plugins examine the customized PHP within your plugin or theme for known security vulnerabilities.
- Pay for reputable plugins and themes – or throw some cash at the free ones in the repository once your venture has some positive cash flow. Development takes time and money. By paying the developer, you support them in doing better work – and in patching the most recently identified security vulnerabilities promptly!
- Set appropriate file usage permissions. According to WordPress, you should use the following permissions on a WordPress site:
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
- Use your htaccess files to control access to your site. You can do a lot with this one little file.
- Use MX Toolbox to check your site and email addresses to see if they are on blacklists.
- Limit login attempts. The default is 20. I’ve set some of my sites to 10 – and others even lower.
Then there are the basics:
- Don’t log in over an unsecured network (no encryption).
- Ensure that no one sees you enter usernames and passwords.
- Ensure that your machine is free of viruses and malware, through the use of antivirus software.
- Use a secure file transfer protocol (SFTP) such as FileZilla to upload and download files from your site.
The following are techniques and tools that I plan to explore over the next few weeks.
- Turn off error reporting.
- Setting up two-factor authentication.
- Hiding the login page.
- Removing the WordPress version number from public view.