FirstPageResults
Chris from wpsupport.com.au has written a basic overview and offered some suggestions for locking down your WordPress websites.
Please feel free to leave some comments.
(Author: Chris)
------------------------------------------------------------
WordPress Security Tips
Basic WordPress Security Tips
Because WordPress is one of the most popular web publishing platforms, it is also a popular target for web-based attacks.
Most of these attacks are automated and seek out old versions of WordPress, default settings, vulnerable plug-ins and themes, incorrect file permissions and weak passwords.
A compromised site can have numerous serious ramifications such as losing search engine rankings or being excluded from the search engine results pages altogether. Search engines and anti-virus systems can also alert users that a site is "unsafe". Not a good look!
Old Versions of WordPress
The WordPress community as a whole is extremely responsible when it comes to updating their software, but even a small percentage of WordPress sites adds up to a massive number. According to BuiltWith.com (http://trends.builtwith.com/cms), at the time of writing, WordPress accounts for 63% of content management systems running on the web.
The simple solution is to always make sure you stay up to date with a current version. The WordPress developers are quick to push out security fixes, so make sure you take advantage of these updates.
Change the Default Settings
This is an easy one and lifts you a little above the lowest-hanging fruit. All you need to do is change the default administrator username and the default database table prefix (anything other than wp_) at the time of installation.
Vulnerable Plug-ins and Themes
The popularity of WordPress has attracted an entire ecosystem of developers and marketplaces. Within these marketplaces (and the broader web) there are vastly varying qualities of plug-ins and themes. I usually recommend users look for popular themes and plug-ins because not only are they most likely to be of a higher quality, but they are also more likely to be updated and supported. Personally, I use a mixture of both free and commercial plugins and themes.
Incorrect File Permissions
This is something you want to get right: along with old versions of WordPress, it is one of the most common reasons sites are exploited. I always get advice from the particular web host on this if I'm unsure, and recommend you do the same, since every host can be different.
If you're using a package management feature such as cPanel/Fantastico/Easy Apps (where installing WordPress is a one-click process), these options are usually taken care of for you (such as http://faq.ventraip.com.au/questions/91/How+do+I+install+Wordpress?). The following assumes that you're managing your own permissions in a shared environment. It's also worth noting that VentraIP have a "Permission Fixer" which can be handy if you mess things up and need to revert to default permissions (see http://faq.ventraip.com.au/questions/30/Why+is+my+website+displaying+a+'500+internal+server+error'?).
A typical WordPress installation requires that the following files and directories are writable:
Code:
/.htaccess
/wp-content/uploads/
/wp-content/themes/name-of-theme (if you wish to edit in the Dashboard)
/wp-content/uploads/
Your uploads folder must be writable, which usually goes against what many hosting providers recommend. You will find many references recommending that you never use 777, which is great and correct advice; however, it's often the only way WordPress will work on some common shared hosting environments. If you have set your uploads directory (or media, caching etc., anywhere files need to be written) to 777, you can put the following directives in a .htaccess file within that directory itself.
/wp-content/uploads/.htaccess
Code:
# Refuse to serve anything from this directory by default ...
Deny from all
# ... but let image files through (gif, jpg/jpeg, png).
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>
Note that this only lets the web server serve image files (gif, jpg/jpeg, png) from the directory and refuses everything else, which should be fine for standard usage. The directives use the Apache 2.2 syntax; on Apache 2.4 they need the mod_access_compat module to work, otherwise the equivalent is Require all denied / Require all granted.
.htaccess
Your mileage may vary on this one; as above, if you're unsure, always check with your web host. It really depends on how your hosting provider manages their permissions.
Many hosting providers will request that you only set file permissions to 644, so you have a few options. I recommend you either update the .htaccess file by hand (over SSH or FTP/SCP/SFTP), or set the permissions of the .htaccess file to 666, set your permalink format and then change it back to 644. Common configurations of WordPress don't usually write to the .htaccess in the web root other than during the initial set up.
For example Quadra Hosting has a great knowledge base article about file permissions for their particular environment:
https://support.quadrahosting.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=142
You can also find the official WordPress document on file permissions here:
http://codex.wordpress.org/Changing_File_Permissions
TIP: .htaccess is just a way of configuring web server options at the directory and file level. On Unix-based systems, files beginning with a period are hidden, so make sure you have your FTP/SCP/SFTP client software set to "show hidden files".
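The following script is an added example and is not part of Chris's post; it puts the checks from the file-permissions section (and the uploads .htaccess above) into a read-only audit you can run against your own site before comparing the result with your host's advice. It assumes a POSIX shell with find(1) and stat(1), that the single argument is the WordPress web root (for example ~/public_html), and that it is run as the site's own user. It changes nothing; it only reports world-writable entries, non-image files sitting in wp-content/uploads, and the mode of the web root .htaccess.

```shell
# Added example, not from the original post: read-only permission audit for a
# WordPress tree. Assumes POSIX sh, find(1), stat(1); argument is the web root.

# List every file or directory that is world-writable (777, 666 and the like).
find_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print | sort
}

# List files in wp-content/uploads that are not images. The uploads .htaccess
# shown above only serves gif/jpg/jpeg/png, so anything else in there is either
# a stray file or a sign that something other than WordPress has written to
# the world-writable directory and deserves a closer look.
find_unexpected_uploads() {
    find "$1/wp-content/uploads" -type f \
        ! -name '.htaccess' \
        ! -iname '*.gif' ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' \
        -print | sort
}

# Print the octal mode of the web root .htaccess; 644 is what most hosts ask
# for once the permalink format has been set.
htaccess_mode() {
    # stat -c is GNU coreutils, stat -f is BSD/macOS; try GNU first.
    stat -c '%a' "$1/.htaccess" 2>/dev/null || stat -f '%Lp' "$1/.htaccess"
}

# Run all three checks and print a short report.
audit_wordpress() {
    root=$1
    echo "== world-writable entries under $root =="
    find_world_writable "$root"
    echo "== non-image files in wp-content/uploads =="
    find_unexpected_uploads "$root"
    echo "== mode of $root/.htaccess =="
    htaccess_mode "$root"
}

# Usage: sh wp-audit.sh /path/to/wordpress
if [ "$#" -eq 1 ]; then
    audit_wordpress "$1"
fi
```

Anything listed under the first heading that is not the uploads (or cache) directory you deliberately opened up is worth fixing; anything under the second heading is worth deleting once you have confirmed it is not yours.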
Good Overall Security
Choose good passwords. This one may seem obvious, however, it’s commonly overlooked. This applies not only to your WordPress password but your SFTP/SCP/FTP and hosting account password too. Always use long passwords. The longer and more complex the better. I always recommend people think in terms of "passphrases" rather than passwords. A good password management tool is also a great help.
Make regular backups of your files and your database. Not if but *when* something goes wrong, a current backup will save your skin. You can get both free and commercial plugins (or services, see the next point) that can cater to any backup option you can dream of.
Also, only ever use trusted, secure networks and secure protocols for your web and email traffic. Internet kiosks or free wifi may be tempting, but make sure you understand the risks.
WordPress Security Services
There are many services that specialise in keeping your WordPress site updated and monitored for security issues, such as VaultPress and Sucuri. There are also hosted WordPress services that offer security and backup options as part of their plans.
Summary
In summary, adhere to good security practices such as using strong passwords, make sure your WordPress installation and configuration is correct, and keep your version of WordPress (including plugins and themes) regularly updated. Thanks to Ned and the team at DN Trade for inviting me to post this article. If you're interested in learning more about WordPress, there is a world of resources at your fingertips. I've listed a few good starting points at my website http://wpsupport.com.au.