I’m so glad to be featuring this fantastic post written by Cindy Bidar, one of the smartest gals I know on the topic of WordPress Security. I’m pleased to announce that Cindy will be providing us with regular WordPress helps over on our brand new WP Tips blog.
It’s no surprise that WordPress is a favorite among online business owners, bloggers, and other webmasters. It’s free, easy to install and use, and offers thousands of plugins and themes to extend the functionality and customize the look, so that your site is uniquely yours.
But all that open-source goodness brings with it a pretty big risk of being hacked. Here’s why:
- Just like you, malicious hackers can read the code that makes WordPress and its themes and plugins work. That lets them hunt for vulnerabilities they can use to gain unauthorized access to your site. New vulnerabilities are found at a steady rate, and once one is published, working exploit code spreads quickly, so sites that haven’t patched get hit by people who never found the bug themselves. (The same openness is what lets the WordPress team and outside researchers find and fix bugs, which is why updating promptly matters so much.)
- No developer licensing board exists. While that’s a good thing for plugin and theme creators, it means site owners are left to decide if a particular plugin developer truly knows his stuff, or if he’s leaving a door wide open for a hacker.
- Millions of sites are powered by WordPress, from tiny little hobby blogs to huge news outlets. The community of developers and passionate users is enormous, so you can always find the help you need, but the sheer volume (60 million sites according to Forbes magazine) makes it a tempting target: one working exploit can be pointed at every site that hasn’t patched.
- Because it’s so easy to use, WordPress is attractive to people who aren’t tech savvy. Suddenly everyone has a web presence, but it’s rather like handing a child the car keys. Without proper training, someone could get hurt.
Should You Be Worried?
WordPress itself is not an unusually risky platform; if it were, it would not be the go-to web publishing tool that it is, with one in six sites online running on a WordPress backend. That popularity does not make any individual site safe, though. It means vulnerabilities get found and fixed quickly, and it also means attackers have every incentive to automate attacks against the sites that lag behind.
But due diligence is certainly in order for every website owner. That means taking a few simple steps to lock down your site and keep it protected from the bad guys.
Start with Good Installation
Your host probably gives you access to the oh-so-easy “one click installation for WordPress.” It’s tempting, isn’t it? It’s fast. It’s easy. You don’t have to get your hands dirty at all. Just click a button and you’re done.
Please don’t do it.
One click installers are generally a bad idea. Here’s why:
- They may install an out-of-date version of the software. At the time of this writing, Fantastico is installing WordPress version 3.3.1, while the most current version of WordPress is 3.5.1!
- They may not allow you to choose your database name, database user, or table prefix, so every site they set up shares predictable values (such as the default wp_ table prefix). That gives an attacker a head start when probing for SQL injection or scanning for installs to target.
- They leave traces of their existence. You can easily search Google for the telltale signs of a Fantastico installation and be rewarded with a list of thousands of blogs which all have that same database name we mentioned.
- They can “help” you by installing additional themes and plugins you don’t need. One hosting company installs more than 100 themes on every “one click” WordPress installation.
So what’s a website owner to do? Install WordPress manually. Choose your own database name, a database user with rights on only that database, a strong password, and a non-default table prefix, and create an administrator account whose user name is not admin. It’s not hard to do, and WordPress gives you all the instructions. If you’re not comfortable with the geeky bits (it’s really not that bad) you can hire a virtual assistant to take care of it for you. Just make sure you specify that anyone you hire should not use a one-click installer.
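Here’s what the manual route looks like on the command line. This is an added example, not part of the original post: it generates random names and credentials, prints the SQL for a database user that can only touch the one WordPress database, and prints the matching wp-config.php lines. The host, the paths and the `mysql -u root -p` step are assumptions for your own server; you can also fetch keys and salts from WordPress’s own generator at https://api.wordpress.org/secret-key/1.1/salt/ instead of generating them locally.

```shell
#!/bin/sh
# Added example (not from the original post). Generates unguessable names and
# credentials for a manual WordPress install, the SQL for a least-privileged
# database user, and the matching wp-config.php lines. Assumes /dev/urandom
# and POSIX tools; the mysql command and paths in the comments are placeholders.

# Random lower-case alphanumeric token of the requested length (names, prefixes).
rand_token() {
  LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "$1"
}

# Random password from letters, digits and symbols that are safe inside the
# single-quoted PHP strings and SQL literals below (no quotes, no backslash).
rand_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#%+,.:=@_~-' < /dev/urandom | head -c "$1"
}

# SQL for a dedicated database and a user that can connect only from localhost
# and holds only the privileges WordPress needs on that one database:
# no GRANT ALL, nothing global, no FILE privilege.
make_db_sql() {
  db="$1"; user="$2"; pass="$3"
  printf "CREATE DATABASE \`%s\` CHARACTER SET utf8mb4;\n" "$db"
  printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
  printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
  printf "FLUSH PRIVILEGES;\n"
}

# wp-config.php settings: the custom credentials, a non-default table prefix,
# and freshly generated keys and salts (unique per site; never copy them around).
make_wp_config() {
  db="$1"; user="$2"; pass="$3"; prefix="$4"
  printf "define( 'DB_NAME', '%s' );\n" "$db"
  printf "define( 'DB_USER', '%s' );\n" "$user"
  printf "define( 'DB_PASSWORD', '%s' );\n" "$pass"
  printf "define( 'DB_HOST', 'localhost' );\n"
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define( '%s', '%s' );\n" "$key" "$(rand_password 64)"
  done
  printf "\$table_prefix = '%s';\n" "$prefix"
}

# Demo: fresh values every run. Feed the SQL to "mysql -u root -p" and paste the
# config lines into wp-config.php in place of the defaults.
DB_NAME="wp_$(rand_token 8)"
DB_USER="u_$(rand_token 8)"
DB_PASS="$(rand_password 24)"
TABLE_PREFIX="$(rand_token 6)_"
make_db_sql "$DB_NAME" "$DB_USER" "$DB_PASS"
make_wp_config "$DB_NAME" "$DB_USER" "$DB_PASS" "$TABLE_PREFIX"
```

The database user deliberately gets no GRANT OPTION and no global privileges, so a SQL injection bug in a plugin cannot be turned into access to other databases or to files on the server. Store the generated password in your password manager; it is never meant to be remembered.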
When you want to keep your home safe from intruders, you don’t start off by digging a moat. You simply change the locks.
The same is true for WordPress security. The first step is to change the locks. That means updating your passwords to something better than your dog’s name or your spouse’s birthday. Ideally, a password should:
- Be 18 characters minimum
- Contain upper- and lower-case letters, numbers, and symbols
- Be unique – never use the same password for two different accounts
- Be random – generate it with a tool rather than choosing it yourself. Anything you can remember is usually something an attacker can guess.
“But,” you’re saying, “how will I remember all my passwords?”
LastPass is a free, secure password management tool that works with any browser. It encrypts and remembers your passwords, and will automatically log you in to every site you visit. The only password you have to remember is your LastPass master password.
Because LastPass fills in the login form for you, you never type the site password at all, which takes away the simplest trick a keylogger relies on. It does not protect a computer that is already infected (malware on the machine can capture your master password or read what the browser sends), and on public WiFi what protects your login in transit is HTTPS, not the password manager. So keep your own machine clean, and make sure your login page is served over HTTPS before you sign in from a coffee shop.
Don’t forget about your other passwords as well. Your hosting account, domain registrar, and email are all potential points of entry for your online assets, so be sure you’re using strong, unique passwords for all.
User Roles and Capabilities
WordPress has a built in feature to help limit the damage a bad guy can do. It’s called user roles, and the way they work is by allowing you to grant a user only the access he or she needs to do the job at hand. For example, on this blog, I have a user role of “Author.” That means I can log in, create, edit, and publish my own posts. I cannot create pages, add or update plugins or themes, or access the code editor. Should someone gain access to my account, there’s very little they can do to compromise the site.
WordPress user roles are:
- Super Admin – this is the network administrator on a multisite network. He or she has complete access to all WordPress sites within the network.
- Administrator – this user is the first that’s created on a single WordPress installation, and has complete control over the site, including installing plugins and themes and editing their code.
- Editor – an editor can publish and manage posts and pages, both his or her own and those that belong to others, and can moderate comments. He or she cannot access themes, plugins, or the code editor.
- Author – he or she can create, edit, and publish his or her own posts, and can upload media files.
- Contributor – a contributor can create and edit his or her own posts, but cannot publish them or upload files.
- Subscriber – a subscriber can only read posts and manage his or her own profile, and has no editing capabilities.
You can learn more about roles and capabilities at WordPress.org.
It’s a given, then, that if you have guest posters or others who contribute to your site, you should set them up with the appropriate level of access. But what about you?
While you’re probably logging in as the administrator all the time, that is a real security risk. A better option is to create another account for yourself – with the Editor role, perhaps – and use that identity for your everyday blogging tasks. That way, if the account you use every day is compromised (a stolen password, a phished login, a session hijacked over an unencrypted connection), the attacker does not get administrator access to your site. Reserve the administrator account for updates and configuration changes.
The same holds true for your hosting account. If you have others who do work for you, there is no reason to give them complete access to your account. For example, if they need to upload a new theme, create an SFTP account for them that is limited to the directory they need (plain FTP sends the password across the network in the clear), and remove it when the job is done. Don’t provide your cPanel user name and password. Always offer the lowest level of access required to get the job done.
A Note About Your Hosting Account
Most hosting providers offer low-cost hosting which they claim includes “unlimited sites, unlimited bandwidth” for less than $10 per month. For someone just starting out, that seems like a great deal. From a security standpoint, though, it is not.
The trouble with hosting multiple sites on a single shared hosting account is that they all run under the same system user with the same file permissions. A vulnerable plugin on one site lets an attacker read every other site’s wp-config.php (database credentials included) and write files into every other site’s directory. If one site is compromised, they all are.
A better option is to use a host such as MomWebs.com, which provides WHM (Web Host Manager) access, so you can set up each site on its own cPanel account. That helps put a barrier between each site you own, so if one is hacked, the others will be protected. Other hosting companies offer a similar option with their reseller or VPS (virtual private server) plans. The price may be a bit higher per month, but the improved security is worth the cost.
Choosing Safe Plugins and Themes
One of the things that makes WordPress so attractive is the generosity of the development community. Thousands of plugins and themes are freely available to help you create a site that looks and performs exactly the way you want. Of course, that means you’ll eventually stumble upon a few bad eggs, as we saw recently with the Social Media Widget plugin.
While most plugins and themes are safe, there are a few steps you must take to protect yourself, your website, and your readers:
- Only use plugins and themes from trusted sources. Free plugins and themes should be available on WordPress.org. If they are not, stay away. The WordPress.org directories review submissions and remove listings when security problems are reported, so if the only place you can find a particular plugin or theme is the developer’s own website, find another alternative. A directory listing is not a guarantee, though: still check when it was last updated and how the developer has handled past problems. Premium plugins and themes should come from a vendor with a track record and be well supported and well documented.
- Pay attention to security warnings and updates. Conscientious developers respond to vulnerabilities and threats and update their themes and plugins accordingly.
- Use the tools available to you to monitor your core files for unauthorized changes. See the section below about WordFence.
- Fully inspect any free theme you intend to use for hidden links and other evidence of unscrupulous developers: encoded or obfuscated code (base64_decode, eval), links in footer.php you didn’t put there, and scripts loaded from domains you don’t recognize. See the video below for examples of bad theme behavior.
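To see what “monitoring your files for unauthorized changes” actually involves, here is an added example, not from the original post and not how WordFence does it: a baseline of file hashes for the whole install, and a check that lists anything changed, added or removed since. Take the baseline right after a clean install or update, keep the manifest somewhere the web server cannot write (off the server is best), and re-run the check on a schedule or whenever something looks odd. It assumes GNU coreutils (sha256sum); the docroot path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post, and not how WordFence does it).
# Builds a baseline manifest of file hashes for a WordPress install and checks
# the current tree against it. Assumes GNU coreutils (sha256sum); the docroot
# path is a placeholder for your own site. Paths containing spaces or newlines
# are not handled, which is fine for a stock WordPress tree.

# Print "hash  ./relative/path" for every file under ROOT, sorted by path.
make_manifest() {
  root="$1"
  ( cd "$root" && find . -type f | LC_ALL=C sort | while read -r f; do
      sha256sum "$f"
    done )
}

# Compare ROOT against a saved BASELINE manifest. Prints one line per
# difference ("changed", "added" or "removed" followed by the path) and
# returns 1 if there were any; returns 0 when the tree matches the baseline.
check_manifest() {
  root="$1"; baseline="$2"
  current=$(mktemp)
  make_manifest "$root" > "$current"
  diffs=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }
    {
      if (!($2 in base)) { print "added   " $2 } else if (base[$2] != $1) { print "changed " $2 }
      seen[$2] = 1
    }
    END { for (p in base) if (!(p in seen)) print "removed " p }
  ' "$baseline" "$current" | LC_ALL=C sort)
  rm -f "$current"
  if [ -n "$diffs" ]; then
    printf '%s\n' "$diffs"
    return 1
  fi
  return 0
}

# Usage: sh wp-manifest.sh baseline /var/www/example.com > manifest.txt
#        sh wp-manifest.sh check /var/www/example.com manifest.txt
case "${1:-}" in
  baseline) make_manifest "$2" ;;
  check)    check_manifest "$2" "$3" ;;
esac
```

A non-zero exit from the check makes it easy to hook into cron and get an email only when something differs. Expect noise right after you update WordPress or a plugin; take a fresh baseline once you have confirmed the update was yours.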
Keep Everything Updated
I cannot say this enough. Most WordPress security issues can be avoided altogether if you just keep your site up to date. WordPress updates the core files several times per year, and they let you know right in your dashboard that an update is available. They even give you a one-click update option, so there is no excuse for not keeping your site updated. The same goes for plugins and themes. When a new version is released, it’s critical that you update, because the release notes tell attackers exactly which bug the old version still has.
If you’re afraid something might break when you upgrade (that’s pretty rare), take a backup first so you can roll back, or hire someone else to do the dirty work for you. If a plugin or theme breaks after you upgrade, find a different one. Do not sacrifice your site’s security for the sake of a theme that is out of date and won’t work with the current version of WordPress.
In addition, keep an eye on plugins that aren’t being updated. Plugins and themes are sometimes abandoned by their developers, so if you’ve been using a plugin for a while and it’s never been updated, check its page in the WordPress repository to see when it was last updated and whether it is marked as tested with the current version of WordPress. If it’s not being maintained, get rid of it.
Install Plugins Made for Security
Several plugins exist to help WordPress site owners keep their sites safe. One of the best is WordFence, which allows you to:
- Slow down brute force login attempts by locking out an address after too many failed logins, or after attempts with a user name that doesn’t exist.
- Block the IP addresses of known attackers, permanently or for a set time.
- Block unnecessary crawlers and bots that just waste your bandwidth.
- Monitor core, plugin and theme files for changes against the versions in the official repository.
- Scan comments for malware and known phishing URLs.
Better WP Security is another free plugin that does many of the same things WordFence does, but adds another helpful tool: it allows you to hide your WordPress login. Malicious hackers know they can find the login screen on nearly any WordPress installation simply by adding /wp-login.php (or /wp-admin, which redirects there) to the end of the domain. Better WP Security lets you change that default location to anything you choose, so your login screen might be found at /open-sesame instead. Be clear about what this buys you: it cuts down the automated brute force noise aimed at the default URL, but it is obscurity, not a lock. Anyone who can watch your traffic or find the new path gets the same login form, and XML-RPC (xmlrpc.php) still accepts password guesses unless you disable it. Treat the hidden login as a supplement to strong passwords and login lockouts, not a replacement.
Another important tool included with Better WP Security is the ability to change the admin user name. If you installed WordPress using an automated tool such as Fantastico, you probably have an account called admin. Unfortunately, hackers know that the majority of WordPress installations have such an account, and since they already know the user name, all they have to do is guess the password to get in. WordPress does not allow you to change user names within the dashboard, but Better WP Security adds that functionality. Keep in mind that renaming the account only takes away a free guess: WordPress reveals user names in other places, such as author archive URLs (yoursite.com/?author=1 redirects to the author’s name), so strong passwords and lockouts are still what stop a brute force attack.
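Lockout plugins work from the same signal you can see in your own access log: a single address posting to the login page over and over. As an added example (not from the original post, and not WordFence’s or Better WP Security’s own logic), this script pulls those addresses out of an Apache or nginx combined-format log, counting both wp-login.php and xmlrpc.php since both accept password guesses. The log lines are constructed for the demo; the real log path on your host is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post, and not a security plugin's code).
# Finds clients hammering the WordPress login in an Apache/nginx combined-format
# access log. The sample log below is constructed for the demo; your real log
# path (e.g. /var/log/apache2/access.log) is an assumption.

# Print "count ip", highest first, for every client with at least THRESHOLD
# POSTs to wp-login.php or xmlrpc.php (both accept password guesses).
# In the combined format field 1 is the client address, field 6 the quoted
# method ("POST) and field 7 the request path.
login_floods() {
  log="$1"; threshold="$2"
  awk -v t="$threshold" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
  ' "$log" | sort -rn
}

# Constructed sample: 198.51.100.23 guessing passwords, 192.0.2.10 logging in
# normally once (one GET of the form, one POST that succeeds with a 302, then
# the dashboard). A failed WordPress login answers the POST with a 200.
write_sample_log() {
  cat > "$1" <<'EOF'
198.51.100.23 - - [10/Mar/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2013:02:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2970 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2013:02:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:02:14:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2013:02:15:32 +0000] "GET /wp-admin/ HTTP/1.1" 200 48120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2013:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
EOF
}

# Demo run; on a real host point login_floods at the live access log instead.
SAMPLE=$(mktemp)
write_sample_log "$SAMPLE"
login_floods "$SAMPLE" 5        # prints: 6 198.51.100.23
rm -f "$SAMPLE"
```

If a plugin is locking attackers out properly, the addresses this script reports should stop appearing after a handful of attempts. If they keep climbing into the hundreds, the lockout isn’t working (or the attacker is rotating addresses), and the hits to xmlrpc.php are worth a look on their own, since hiding the login page does nothing about them.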
Make Regular Backups
If, despite all your precautions, your site is hacked, you’ll be in a much better position if you have a backup. Restoring your site from a backup takes minutes, while cleaning up a hack can take hours and cost you hundreds of dollars.
When you back up your site, remember there are two parts you need: the files and the database. Many backup plugins back up only the database. While that’s important, it leaves out all your file uploads (images, MP3 files, PDFs, etc.), your themes, your plugins, and wp-config.php. A better solution is to use an all-inclusive plugin such as BackupBuddy, which creates a copy of everything and stores it off-site. Whatever you use, test a restore once in a while: a backup you have never restored is not something you can count on.
Do not make the mistake of thinking your hosting company is handling this for you. They may be making backups, but that is for their convenience, not yours. Their backups are often created only once per week, they typically don’t keep multiple copies (so if the copy they have was created after you were hacked, it’s useless to you), and they are often stored on the same server as your site, so in the event of a catastrophe (fire, flood, earthquake, or an attacker who wipes the server) your backups will be lost along with your site.
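A full backup in script form, as an added example that is not part of the original post and not BackupBuddy’s code: it dumps the database, archives every file under the site, keeps a fixed number of older archives, checks that an archive really contains the dump and wp-config.php, and pushes the lot to another machine. mysqldump, tar and rsync are assumed to be installed; the paths, database name and remote host are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, not BackupBuddy's code).
# Full WordPress backup: database dump plus every file under the docroot in one
# timestamped archive, rotation, a sanity check, and an offsite copy.
# Assumes mysqldump, tar and rsync; paths, database name and remote host are
# placeholders for your own server.

# Bundle an existing database dump and the whole docroot into one archive.
# Prints the archive path.
archive_site() {
  docroot="$1"; dumpfile="$2"; outdir="$3"
  archive="$outdir/site-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" \
      -C "$(dirname "$dumpfile")" "$(basename "$dumpfile")" \
      -C "$(dirname "$docroot")" "$(basename "$docroot")"
  echo "$archive"
}

# Dump the database (credentials from ~/.my.cnf, so the password is not on the
# command line where "ps" can show it) and archive it together with the files.
backup_site() {
  docroot="$1"; dbname="$2"; outdir="$3"
  work=$(mktemp -d)
  mysqldump --single-transaction "$dbname" > "$work/$dbname.sql"
  archive_site "$docroot" "$work/$dbname.sql" "$outdir"
  rm -rf "$work"
}

# A backup you have never restored is a hope, not a backup. At minimum confirm
# the archive unpacks and holds both the dump and wp-config.php.
verify_backup() {
  archive="$1"
  list=$(tar -tzf "$archive" 2>/dev/null) || return 1
  echo "$list" | grep -q '\.sql$' || return 1
  echo "$list" | grep -q 'wp-config\.php$' || return 1
}

# Keep only the newest KEEP archives in OUTDIR. The timestamp in the file name
# sorts chronologically, so a name sort is enough.
prune_backups() {
  outdir="$1"; keep="$2"
  ls -1 "$outdir"/site-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" \
    | while read -r old; do rm -f "$old"; done
}

# Copy the archive directory to a different machine. Do not let this delete on
# the remote side: prune there separately, so an attacker who gets onto the web
# server cannot also wipe the offsite copies.
copy_offsite() {
  outdir="$1"; remote="$2"   # e.g. backup@offsite.example.net:/srv/wp-backups/
  rsync -a "$outdir"/ "$remote"
}

# Usage: sh wp-backup.sh /var/www/example.com wp_db /var/backups/wp 7 [remote]
if [ "$#" -ge 4 ]; then
  archive=$(backup_site "$1" "$2" "$3")
  verify_backup "$archive" || { echo "backup failed verification: $archive" >&2; exit 1; }
  prune_backups "$3" "$4"
  if [ -n "${5:-}" ]; then copy_offsite "$3" "$5"; fi
fi
```

Run it from cron daily and keep at least a week of archives, so you still have a copy from before a compromise that went unnoticed for a few days. The archives contain your database credentials and salts, so the backup directory and the remote copy need the same care as the site itself.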
WordPress Security at a Glance
Here’s what you really need to remember about keeping your WordPress sites secure:
- Use good strong passwords and manage them with an encrypted password tool such as LastPass.
- Give users only the access they need to get the job done – nothing more.
- Use plugins and themes only from trusted sources.
- Update and backup your site frequently.
- Use WordFence and Better WP Security to help keep the bad guys out.
Malicious hackers are out there, and they’re looking for sites that are vulnerable to attack. By compromising an unsecured WordPress site they can distribute malware and viruses, run illegal phishing scams, send thousands of spam emails, or simply deface and destroy the site for sport.
Employ strong security practices such as those outlined here, and stay up to date on the latest WordPress security threats, and you stand a better chance of keeping your site safe from attack.