This article was written by Dre Armeda and originally posted on the StudioPress Blog.
Brian Gardner shared it on Google + this morning.
As WordPress security is an often raised topic at out meetups I thought to share the post with our members.
4 Simple Ways to Secure (and Maintain) Your WordPress Website
With the wind in my face and long stretches of open road before me, life is very good when I’m on my Harley.
I ride a lot, and as freeing as it can be, a good rider is always keenly aware of the high risks of being on a motorcycle. A good rider plans — as much as he or she can — for all kinds of contingencies.
The key to being a safe rider is the acceptance of risk.
I have to consider a lot of variables, but ultimately I’ve decided that I want to ride, and I’ve accepted that there will always be a certain level of risk to that activity.
Running a website site is not unlike motorcycle riding when it comes to risk acceptance and overall risk management.
A Responsibility to Your Audience
Though WordPress allows a site creator to go a step above what most website software offers regarding security, it is still Internet based software, and there are inherent risks for you, your data, and your users.
The security of visitors on your site should be a priority, ensuring their visit is free from harmful content. Your website does you no good if it’s harming visitors, or your reputation.
Just like hopping on a bike, you need to be taking a strategic approach to WordPress risk management.
Here are four simple risk reduction approaches you should consider and implement …
1. Clean Your Garage
The paint on a Harley-Davidson is engineered to last 50 plus years — even in extreme heat or cold.
It isn’t designed to withstand that ladder currently leaning up against your garage wall falling on it. Before I brought my precious bike home, I decided to pick up a few things and create a proper parking spot.
We’re extremely fortunate as WordPress users. The WordPress core team does a great job of cleaning up and optimizing the WordPress core on an ongoing basis.
They are committed to the identification and patching of security vulernabilites. Anytime you see a minor release (3.2.x), it’s for bug fixes and security patches.
Here’s a few things to consider with each WordPress update:
Update your core: The most important advice I can give anyone who manages websites is to ensure they are updating their software. When you’re done updating, check everything again, and update some more!
One of the biggest contributors to malware attacks is running outdated software. In fact, it accounts for more than 70% of all the cases we see at Sucuri. This includes various web based software titles, not just WordPress. There are various ways to accomplish this, and it usually takes mere minutes to update the WordPress core.
Have you tried the automatic update feature in WordPress? It works great, and is conveniently located within your WordPress admin panel.
Update themes and plugins: Everything is working just fine, why should I touch plugins? The same reason you’d updating any other software — even more so with themes and plugins — because they don’t necessarily go through the same vetting and testing as WordPress core (unless you’re using StudioPress themes and plugins).
Remove disabled plugins and inactive themes: In August of 2011, there was a public disclosure that the popular TimThumb script included in popular WordPress plugins and themes was vulnerable. Within days we were seeing attackers exploiting the vulnerability with everything from SEO spam to website redirects to infecting every single PHP file on the server with nonsense characters.
As we started to see more and more of these cases we came to realize that most site owners didn’t even realize the script (and resulting malware) was on their server. In other cases, site owners were disabling the vulnerable plugin or theme, but were leaving it on the server. This vulnerability didn’t mind that the theme or plugin wasn’t enabled in WordPress. Attackers started scanning sites looking for Tim Thumb and when they found it, they would arbitrarily execute PHP on the server. When a plugin or theme is inactive, WordPress does not load it.
However, it is still accessible and executable on the web server. This is one of the most overlooked vulnerabilities on a WordPress install and one of the first avenues hackers cruise when looking for ways to exploit a site. If you aren’t using the plugin or theme, remove it from your site! That goes for all software really, if you’re not using it, remove it from the server. There is no sense in storing it there if it’s not being leveraged.
There’s nothing worse than leaving it there, forgetting about it, then getting infected through something that you don’t even need. In the end, by removing all unneeded software, files, and data from your server, you’re reducing your risk of future vulnerabilities being exploited, and it’s less you have to update or maintain.
Update your server: If you’re being held accountable, your web host should be as well. Are they keeping the server software update? Are you running the latest web server software? If you’re not sure, ask them! If that doesn’t net the results you’re looking for, you can scan your site at Sucuri and it will tell you.
2. Close Your Garage Door
As obvious as this may sound, one of the things I seriously considered when buying my bike was the state of my own home.
Where was I going to park my new ride? How would I ensure that it would be protected when I was away from it?
How does this apply to WordPress?
Making sure your local infrastructure is as safe as possible is the starting point for most everything you will do online.
Here are a few areas that will help reduce your risk from the beginning:
Keep your computer up-to-date: Ensure you’re patching or installing updates regularly. Automatic Updates are good. Most OS vendors are patching security issues often, it’s important to stay updated.
Install an anti-virus solution: AV solutions don’t only protect you from computer viruses, they are also helpful to detect malicious software that may try to attack your web properties.
Software firewalls: Yes, they are still relevant.
Safe Browsing: Just because your website is a super ninja doesn’t mean others are too. Most desktop viruses and malware these days are passed via infected websites. If it doesn’t look right, it probably isn’t. If you’re a Firefox user check out theNoScript Extension, It allows you to manage the scripts being loaded by websites so that the latest drive-by doesn’t catch you with a funny pop-up.
3. Don’t Leave Your Keys in the Ignition
I was having a great day at the office a few days back.
When I left to head home, I realized that my bike’s key was in the ignition — in the on position — which had drained my battery. I was lucky though.
What if someone with malicious intent realized the key to my ride was sitting in the ignition? I’d be dealing with my insurance company right now.
The simplest forms of authentication use some type of keying mechanism. This is one of the quickest ways for attackers to gain access to your site, and ride off into the sunset.
Let me ask you this, are your passwords strong enough to ward off an attack long enough to disinterest an attacker?
Did you know that the most stolen password in 2011 was “password”?
Here are the top 5 worst passwords:
Hackers aren’t sitting around all afternoon randomly typing passwords. They automate attacks using a technique called the dictionary attack. They create a large list of common passwords and automate an attack trying each one until they find what they’re looking for.
Here are a few things to help you fight password attacks:
Change your passwords often: The longer you use the same password, the more time you’re giving hackers to try and crack it. If you change it frequently, you shorten the window of attack.
Don’t share passwords: Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.
Use Passphrases: Passphrases are basically long passwords, something with a meaning. For example: F0urScoR3&s3v3NYeAr$aG0Now – this passphrase is pretty complex, but you’ll see that it contains 3-4 words, uppercase, lowercase, numbers and symbols. I am fond of Abraham Lincoln and the Gettysburg Address so this would be fairly easy for me to remember. You don’t have to go crazy like the example, but the idea is to use a more complex set of characters that would be very difficult to guess.
4. Find a Good Mechanic
I don’t trust my bike with just anyone.
I have poured my heart into upgrading, and customizing it. I have spent countless hours architecting the ride, the look, the feel. Sound familiar?
In a lot of ways I approach my websites the same way, and when choosing a web host I research considerably before giving over the keys to the kingdom. Anytime you install a plugin or let a designer make changes to your site, you are handing them the keys to your kingdom. Your hosting provider always has the keys to your kingdom.
Do your research, get recommendations, and choose wisely. Here’s a few things to consider when using thrid-party offerings:
Plugins: Not all plugins are created equally. Unintentionally, an inexperienced plugin designer can open up all kinds of security vulnerabilities in your site or simply tank its performance. Read the reviews of plugins you select and try and stick to ones that have shown a history of updating and evolving their code on a regular basis.
Designers: The WordPress design community has grown significantly and there are lots of great resources to choose from. Make sure and get recommendations for a qualified designer and consider having them implement their design on top of a reputable framework like Genesis. A framework really helps to keep your designer in design and configuration mode versus coding. Unless a designer is an experienced WordPress developer as well, coding can often lead to security and performance issues. Even if they are an experienced WordPress designer, it doesn’t hurt to stress to them that security is important and ask them to keep it in mind by adhereing to some of the advice in this post as well as the basics ofWordPress hardening from the Codex .
Hosting: Most hosting platforms are designed to be everything to everyone. If you select a hosting provider that specializes in WordPress and is proactive in its approaches to security, your chances of having performance, operational, or security issues will lessen. Copyblogger Media’s Synthesis Managed WordPress Hosting, for example, combines a minimalist, locked down stack with proactive PHP scanning software to prevent hackers from accessing its customer’s sites, or even gaining information about them. It’s also safe to say that the folks at Copyblogger understand WordPress, SEO, and hosting and integrate that knowledge into their customer support.
I hope this helps in your travels down the WordPress highway.
As you can see, a few simple plans can go a long way in heading off disaster, and bringing you peace-of-mind.
Dre Armeda is the CEO and co-founder of Sucuri, an Internet security software and services firm. Sucuri has partnered with Copyblogger Media’s Synthesis Hosting to provide site dehacking, proactive scanning, and site cleanup professional services.