The first part of this article covered some of the basics when it comes to WordPress security. This installment will focus on some of the basic steps you can take to address some of the vulnerabilities that are common to web applications and those that are unique to WordPress itself.
A Foundation in Good Security
Before we start with installing plugins or changing file and folder permissions we need to start with you and your computer.
Think about it, you are the Admin of your blog; you have control over everything and you use your computer to access that blog. If these two things are not secured then it doesn’t matter what else you do as far as security is concerned, your blog will be easy to compromise.
Is your computer malware free?
Before you install WordPress onto your server, before you create the database, before you do anything related to your blog, make sure that your computer is free of viruses, worms, Trojan Horses, spyware, etc. Malware that resides on your computer has the ability to log every action you take and report it back to another computer. If it sees you log in to your bank, it can capture your account and password information; likewise, if it sees you log in to www.yourblogname.com/wp-admin it can capture your username and password. If the bad guys have this information then they own your site. Make sure that you update your anti-virus software and run it frequently. If you already have a blog set up, take this precaution anyway. If you find malware on your computer, clean it off and change your password immediately. Check to see whether any additional admin accounts have been created as well; if they are not ones you recognize then you should think about deleting them.
Speaking of passwords…
Are you one of those people who use a strong password? That’s good, as long as you use different strong passwords for all of your different accounts. People who use the same password over multiple accounts run the risk of that password being compromised somewhere. If an attacker has that and it works on all of your accounts then they have access to everything. Instead of just password complexity, think password diversity. If you have trouble remembering all of those passwords then use a piece of software known as a password safe to store them in.
Stay up to date
One final word on security fundamentals: stay up to date. It was mentioned that your anti-virus software should be up to date at all times; this is so it can identify the latest malware that is out there. Likewise, your WordPress installation should be up to date and all of your plugins should be as well. These updates usually address known vulnerabilities in the code itself.
The Plugins
One of the easiest ways to add functionality to any blog is by using a plugin. Plugins can be a way for you to better secure your blog, but they can also be a way for someone to breach it.
Plugins contain code, and it is that very code that may be vulnerable to attack, so it is important that you keep your plugins updated and that you also remove any plugins you are not using on your blog. While you are at it, remove any themes that are not being used, as these may contain vulnerabilities too. For the same reason you should only install themes and plugins that come from reliable, trusted sources.
As previously stated, plugins can also be used to help secure your blog. At a minimum, you should install plugins to handle the following:
- System hardening
- System scanning
- File monitoring
- Firewall tasks
- Backup and recovery
One plugin, Better WP Security, takes care of most of the items in the list above. It will help hide essential information from potential attackers by taking steps like changing the URLs for the dashboard, renaming the admin account, changing the database table prefixes and much more. It will also protect the application itself by forcing strong passwords, limiting file editing and scanning a site to find vulnerabilities, among other things. Other features included in this plugin are the ability to monitor the file system for changes, schedule backups of your database and look out for automated attacks from bots.
The drawback to this plugin? It isn’t fully functional for blogs that have WordPress installed on a Windows IIS server; it will only work to its fullest on Apache, LiteSpeed or NGINX web servers (NGINX servers will require you to manually edit your virtual host configuration). If you are unsure which web server software your host runs, check with your hosting provider to make sure.
If Better WP Security isn’t the plugin you want to go with, there are others that can handle different aspects of security for your blog. One of the most highly regarded plugins is Acunetix WP Security. Created by a leader in the web application security space, this plugin will do many of the same things that Better WP Security does to obscure information from attackers, harden the system and back up your blog. What it does not do is monitor files to see if anything has been changed, and it does not have the same ability to thwart attacks from bots and other agents. There are some other features found in Better WP Security that it lacks; however, Acunetix does work on Windows IIS web servers as well as Apache, LiteSpeed and NGINX. It will also scan your blog and provide a security overview report with information on any vulnerability it finds. This alone makes WP Security worth a look, as Acunetix sells professional vulnerability scanning tools to many leading security firms.
Your blog should also run a web application firewall in front of it to protect against outside attacks. Plugins like NinjaFirewall for WordPress will protect against threats like cross-site scripting, brute-force scanners and shell scripts. It will also sanitize input to guard against attacks like SQL injection and block attackers from scanning your site for vulnerabilities. These tools are so important that the credit card companies strongly suggest they be used on any e-commerce site. This one is free and provides a solid barrier of protection for your blog.
There is one other plugin that needs to be mentioned as it takes the place of all three of the ones mentioned here and that is the Sucuri WordPress plugin. Not only is it the most comprehensive security plugin you will find, customers also have access to a great support team if they run into any configuration or management problems. Unlike the others, Sucuri does come with a yearly subscription fee but if your blog is part of your business it might just be worth the $90.
Using the .htaccess file
Many security checklists will tell you to change file and folder permissions, and this is a good thing because it helps prevent unauthorized access to the files that make up your site. That isn’t covered here in much detail because the plugins that were mentioned will take care of it. If you want to do this yourself, you can use any FTP program and follow the guidelines in the File Permissions section of http://codex.wordpress.org/Hardening_WordPress.
While file permissions will not be looked at, making some changes to the .htaccess file will be. This file defines access control to certain areas of your web site, and in this instance your WordPress site.
In order to edit the .htaccess file you will need to use an FTP program. Most web hosting companies also offer a file manager as part of their management console, and this will do just as well for making changes to the file.
Once opened you should see something that looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
We are going to add some things after the # END WordPress so that when you update WordPress your changes will not be overwritten.
The first file to protect is wp-config.php that stores information about the database and the site itself. To the .htaccess file add:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Once saved, this will deny outside access to wp-config.php.
You can also add a snippet of code to this file to protect the .htaccess file as well. Using:
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
will do just that.
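The two snippets above use the Apache 2.2 access-control syntax (order/deny); Apache 2.4 replaced that with Require directives, and on a 2.4 server without the compatibility module the old syntax produces a 500 error instead of a block. The script below is an added example (not from the article or the WordPress project) that appends a hardening block, with both syntaxes selected by IfModule, after the WordPress-managed region so that core updates do not overwrite it. It keeps a backup and refuses to add the block twice; the marker name wp-hardening and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: append an .htaccess hardening block after WordPress's own
# "# BEGIN WordPress" .. "# END WordPress" region, which core updates rewrite.
# Assumes Apache. Both 2.2-style (Order/Deny) and 2.4-style (Require) directives
# are included and selected with IfModule, so the block works on either version.

harden_htaccess() {
    htaccess="$1"
    # Idempotent: do nothing if our marker is already present
    if grep -q '^# BEGIN wp-hardening' "$htaccess" 2>/dev/null; then
        echo "hardening block already present in $htaccess" >&2
        return 0
    fi
    # Keep a timestamped backup before touching the file (no-op if it doesn't exist yet)
    cp "$htaccess" "$htaccess.bak.$(date +%Y%m%d%H%M%S)" 2>/dev/null || true
    cat >> "$htaccess" <<'EOF'

# BEGIN wp-hardening
# Deny web access to wp-config.php (database credentials and secret keys)
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# Deny web access to .htaccess, .htpasswd and any other .ht* file
<FilesMatch "^\.ht">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# END wp-hardening
EOF
}

# Self-check helper: number of hardening blocks in the file (should be exactly 1)
count_hardening_blocks() {
    grep -c '^# BEGIN wp-hardening' "$1"
}
```

Usage: source the file and call harden_htaccess on the .htaccess in your WordPress root, then confirm the result with a request for /wp-config.php and /.htaccess from a browser; both should now return 403 Forbidden rather than the file contents.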
Securing a WordPress site means being constantly vigilant. The methods attackers use to compromise sites are always evolving. They discover new vulnerabilities every day, so staying on top of things is paramount.
While no site will ever be 100% secure against attack, these tools will certainly help keep most of the bad guys out and will alert you to any that do make their way past your defenses.