This past week, I was in conversation with a colleague who casually mentioned, “WordPress is known for its security issues.” Mind you, the context didn’t really matter, but the point is that he was right. WordPress has a reputation for being insecure. And while it is no stranger to security issues, the core software is not at fault for most of the security threats facing the WordPress platform. In light of this reputation, I’m going to walk you long the topic of WordPress, security and how to mitigate real-world threats to your website.
WordPress is an open-source software application and as such some people believe that its weakness is that attackers can view the code, therefore it must be insecure. This is false. In fact, because the code is accessible among the millions of web users, its security is improved. WordPress has very much earned a positive reputation for the community’s response to security threats and vulnerabilities.
If nothing else, please take to heart that it is not WordPress that is insecure; it is the user.
It’s alright, because you made it to this amazing post, you will understand how to minimize security threats so your site remains secure, reliable and speedy.
Table of Contents
To make things easier, feel free to click ahead to the following sections. This can get a bit long, but since you’re here, you’re probably short on time.
- Why Me?
- Why WordPress?
- Common Threats
- Rethinking “Security”
- How to Secure Your Site
- Recommended Tools
- Final Thoughts
1. WHY ME?
I know what you’re thinking – “I don’t have anything of value to a hacker.” Or even better, “I’m not big enough. Only banks need security.” This is a large misconception because online security is not an ego-based threat. Just as much as attackers want access to Lebron James’ bank account, they also want to hack your website.
Think for a moment what you do have. You have a website that gets indexed by search engines (hopefully), you probably have an audience large or small. You might even have financial or user data stored somewhere on your server. Another point that most people forget about is that their website resides on a web server. That web server is connected to the web with a ludicrous amount of network bandwidth and computing resources. Much like why ants might find their way in your home, it’s not so much your house that is valuable, it is the food that is valuable. Web servers, mail servers and the data stored on your servers are the food.
Much like how insects that invade your home, you won’t know you’ve been attacked until it’s too late.
Today, most online threats consist of automated robots (scripts) that are randomly scanning for vulnerable websites. If you web server responds favorably, then they move on to deeper attacks. We’ll talk about this later below.
The reality is that even if your WordPress website is just a photoblog, a hobby or even a revenue-generating business, security is everyone’s business. Everyone is a target. If you run a website on the internet, short of ripping the Ethernet cable out of the wall, it’s at risk. It’s not just WordPress, either. We’ll touch on that next.
2. WHY WORDPRESS?
Clearly, if WordPress needs its own security guide, it must be vulnerable, right? Not so. WordPress is the most popular content management system on the web today. This means that for attackers, WordPress yields the most reward to target since many people host their websites on them.
… And since people are well, human, they also don’t obsess or necessarily look forward to applying security updates. So, you have a popular web application (WordPress) combined with the higher likelihood some users don’t update their configurations (Be honest, do you?), and now you have a rich target worth pursuing.
What motivates attackers to target WordPress? Aside from being annoying, the payoffs can be lucrative. They are in it for the money. Most website hacks often result in installing a remote control device (also known as a ‘botnet’) into the web server or injecting shady hyperlinks into your site so they trick search engines thinking their off-label prescription pills or knock-off Michael Kors bags are popular on the web. These sites are not directly related to the attacker’s, but they receive a kickback for traffic and sales they accrue.
So, you see, we have the perfect environment for attackers to target WordPress. It’s lucrative; it’s scalable; it’s hardly noticed; and it’s relatively easy if users allow them in. Next, I’ll explain what most attackers target when it comes to WordPress.
3. COMMON THREATS
First, before I go into this, you need to understand that security is always a moving target. No matter if it’s building security, deceiving people or computer technology – security threats evolve and adapt to their targets. For instance, as computer viruses no longer were transmitted by floppy disks, viruses were transmitted via email. And as email has become relatively more secure, viruses are now transmitted via ever-so-popular USB drives. If you found a USB drive, you’d probably plug it in to your computer to see what’s on it, right? By the time you’ve done that, it’s too late, you’re a target.
Attackers commonly look for any of the below items when they are automatically scanning for vulnerable targets:
- Out-of-date WordPress installations
- WordPress installations with out-of-date themes or plugins
- WordPress installations with default usernames
- Users with weak, simple passwords
- Web servers that have been configured insecurely
- Sites that have already been hacked
- Sites that can send email to the outside world
- Sites that are likely to contain credit card or other valuable data
- Sites with lots of readers/viewers
- Sites that rank very well for select terms in search engines
… I think you get the idea. If the website is either poorly maintained, is out of date or if the user didn’t create strong passwords, it is likely a target. Cisco released a report that underscores my point – attackers are not after individuals, but the underlying internet architecture that regular people use.
So, with these risks in play, attackers often do either of these four activities (often called ‘payloads’):
1. Install a script that allows later access for nefarious purposes.
2. Modify the content of your website to promote their links.
3. Download personally identifiable information like email addresses.
4. Attack e-commerce functions on website for the purpose of fraud.
Most often, people will notice their website is displaying strange links, is completely “blank” or otherwise has been flagged by Google for malicious activity. This is often the tip of the iceberg – deeper security risks remain and requires further investigation. It’s like when your car’s radiator fluid is low – if you refill it, you’re good enough to make it to a qualified mechanic because the fluid will likely leak out again until properly repaired.
Like I mentioned in the earlier section – WordPress hacks are not about you personally or necessarily the platform itself. It’s simply a means to an end for attackers to get money. You’re just another victim among thousands. It’s up to you if you want to be a victim again.
To have a secure WordPress site, you must understand the tenets of proper security. In the next section, I explain how to think and act securely – even if you are hacked now.
4. RETHINKING SECURITY
At this point, I explained why attackers are not going after you personally, why WordPress is a high-value target and common threats faced by site owners. Many people are looking for the quick-fix for security ills. As a WordPress site owner, you might not have an IT staff or a degree in computer science – that’s okay. You don’t need to know all the specifics to understand the magnitude of the threats and how to mitigate them.
As I mentioned earlier, security is a moving target. Threats evolve. Targets change positions. Attackers have different motivations. One thing is clear, as more and more of us depend on the cloud and use social media, attackers are moving that direction.
I would estimate that 95 percent of all hacking activities are performed by automated bots. These bots take known security vulnerabilities and spew them out across the web to discover vulnerable websites. Most traffic that actually hits your website isn’t the real hacker, but is likely another compromised web site. It’s no longer about blocking one or two IP addresses – you no longer know your attackers.
So, how do you secure your website from attackers you don’t know?
You need to adopt mindful security practices. No, I don’t think you need to wear a tinfoil hat and avoid all online communication (even though Edward Snowden probably does). Just like you lock your car and stow your valuables away when you park your car at the mall unconsciously, you need to treat your website as if there are always attackers trying to get in. (Truth: They are always trying now.)
Here are several key principles of computer security:
- Balance Security with Convenience – If you have very strong passwords stored in a “passwords.txt” file, what good are passwords?
- Enforce only the Minimum-Required Access – If everyone has ‘administrator’ access to a system, if someone gets hacked, serious damage can occur.
- Employ Multiple Defenses – Don’t rely on only one vendor or configuration to prevent attacks.
- Plan for Being Breached – Assume that you can be hacked; know what you will do and what information they could get access to.
- Maintain Current Offsite Backups – If your site becomes hacked and the backups are taken down with it, you’ll be starting from scratch.
- Test Your Security Defenses and Practices – Regularly verify that your security systems are secure and put them to the test.
More fundamentally, in the security community, they subscribe to the C.I.A. acronym: Confidentiality, Integrity and Availability. Simply these three components relate to protecting information and whom accesses it.
You can choose not to abide by these practices. But it’s costly. You will either experience a catastrophic compromise or need to shell out thousands for a security consultant to clean up the mess that you ultimately caused. An ounce of prevention is worth a pound of cure. Stay a few steps ahead and you’ll be grateful.
What if you are the target? This is where social engineering and pretexting comes into play. Keep your information such as your birthday, mother’s maiden name, favorite pet, birthplace, first car you had, etc., completely secret. Attackers can piece your identity together and use it to reset credentials for your email or other online services.
So, as a general rule, make it challenging for an attacker to compromise your accounts. A great example of this is to look into two-factor authentication. Even if I have your password and your identity, I won’t be able to sign into your web-based account with the service initiating a text message (or similar) that must be entered correctly before granting access.
5. HOW TO SECURE YOUR WORDPRESS WEBSITE
Okay, if you skipped all the previous sections to find the tools, plugins and step-by-step guide to secure your WordPress site, please take the seven minutes needed to understand how to approach your security situation. The worst-case scenario is that I’m completely wrong and you can come right back to this section.
I’m presuming that you at least have context and skimmed the above sections. If you did, you solved for half of your security concerns. Now, let’s work on the other half.
You might be thinking, “Hey, Joe, if you tell us how your secure your sites, doesn’t that make you more vulnerable?” Good question. I live through the concept that, “Security through obscurity leaves you with neither.” In essence, it’s already known and out there, so why bother hiding it. If I can help at least another person appreciate their WordPress installation that much more, it’s worth it. And if I could help you, all that much more rewarding.
Here are 13 of my approaches that I take when securing WordPress sites for myself and others.
I. Quality Managed Hosting. I choose to use managed WordPress host like WP Engine or Pagely. Without getting too deep into the minutia, trust that their staff and engineers have configured their networks to detect and block zero-day vulnerabilities, malicious attackers and immunize their infrastructure from abusive users. While they aren’t the cheapest web hosting around, they offer a myriad of useful tools that make them worth it.
II. Weekly Check for Updates. If I don’t check daily, I do check at least weekly on all my sites to make sure their themes, plugins and core software is updated. While updating frequently carries an inherent risk of damage, I have not need any significant problems updating often. WordPress now automatically updates Core by default. Some Managed WordPress hosts run a modified Core and they automatically deploy to users – but that’s the premium service you pay for.
III. Clean Code, Fewer Plugins. Some people pride themselves on how many plugins they use. I don’t. I pride myself on how few I use. The fewer plugins, the fewer vulnerabilities and performance issues. If you are using multiple plugins to do fairly minor things, consider removing them.
IV. Trusted Themes. While I tend to modify existing themes, I know not everyone has that opportunity. If you are using a free theme, stick to the ones listed on WOrdPress.org. For premium themes, I use professionally supported and well-documented Theme Frameworks like Genesis and Thesis. For the developers, you can use the likes of Underscores as a robust framework to start from (but I figure you already know this).
V. Daily Backups, Easily Restorable. I’ve had to rely on my backups and it was very nice to select the date in time I needed to ‘rewind’ to, a couple clicks and done. No hassle. This is how backups should be. Not only do I back up my database, I also back up my files and other settings. This process is known as “snapshots” of my site. The backup data itself is secure and only available within 30 minutes of my request and expire afterward. BackupBuddy is an out-of-the-box solution that’s well worth the modest price it asks for. I’ve restored sites safely and securely within minutes, not hours or days.
VI. DNS Proxy, Cloudflare. I use the service Cloudflare to proxy all my traffic at the DNS level. What does that mean? It means before anyone can actually hit my web server, they first hit Cloudflare. This way, Cloudflare uses its intelligence to filter out malicious traffic, compromised machines and other bots so my site doesn’t even have to deal with it. While this works to filter a lot of the junk out, it doesn’t catch everything. The main reason Cloudflare is recommended is its resistance to massive DDOS (Denial of Service) attacks in addition to its security filtering. As a result, websites load faster, faster. A newer solution that has earned a lot of buzz is Cloudproxy, which has similar functions but is run by the smart team at Sucuri.
VII. Remove ‘Admin’ User, Use Random User ID. It’s obvious that the first user of WordPress is named “admin” and the first user ID is “1.” For an attacker, this means that the next step is to guess your password. As with many of our first forays in WordPress, we might not have set a good password for the admin user as we were just “testing” things out. With that in mind, change your password to use 12+ characters with upper and lower case letters, numbers and symbols.
VIII. Change Database Prefix. I like doing this myself via MySQL, but you don’t need to do that. Changing your database prefix prevents attackers with known exploits to target a default database. So, even if you are vulnerable and they succeed with MySQL injection, the likelihood they will use your exact database prefix is extremely slim. An added benefit of using randomly-generated prefixes is that you will be able to find which backups belong to which sites (development vs. staging vs. production, for instance).
IX. Disable Trackbacks, Limit Comments. Trackbacks are useful… in 2004. Since then, they have been greatly abused for spam and can even be used to carry out massive DDOS attacks. The best course is to disable them and only allow comments on pages or posts where you expect public discussion. Related, I also use Disqus to “proxy” my comments and filter them for spam before they land on my site. I’ve found Disqus is quite effective, scalable and remarkably accurate.
X. Implement iThemes Security Plugin. This security plugin (formerly, Better WP Security) allows fine-grain control of nearly all the security elements within WordPress itself. In this plugin, I specifically limit logins aggressively, enforce strong passwords for all users, removes WordPress version headers, block known bad hosts (lists), restrict HTTP request methods, blocks non-English characters in URLs, limits error message details, restricts XML-RPC and blocks a list of IP ranges I consider suspicious. In a nutshell, this plugin is a useful tool to strengthen your WordPress installation.
XI. Review Logs Regularly, Take Action. Not all activities in your logs are tried-and-true hacking attempts. A majority are as I’ve said, automated scans. But if you see a misbehaving host or strange pattern in access attempts, block that host. For good measure, take the time to scan your WordPress site for known issues.
XII. Audit the File System, Remove Unknown Files. Become familiar with the file structure and file names of the WordPress core files. Some attacks play into the idea that users won’t know better. For instance, “wpcontent” is not a valid folder, but “wp-content” is. Review the files that you suspect are not supposed to be there and remove them. Enforce the proper permissions to make sure that scripts do not execute dangerous arbitrary code on your webserver.
XIII. Follow Security News, Advisories and Blogs. Since security is a moving target, you can choose to be the victim or the well-informed. I prefer to be well-informed. Read up on the Hardening WordPress Codex guide as well as the updates posted by Sucuri on their blog. It’s also a good idea to pay attention to updates posted to the WordPress.org Blog, which often has links to security advisories and details on the latest updates.
This advice, for the most part, will keep you safe and secure. The theme here is to not be complacent with your security. It’s only as strong as its weakest link. This next section will list the tools and services I recommend with regards to WordPress and security.
6. RECOMMENDED WORDPRESS SOLUTIONS
Not everyone needs the highest-end solution. I know that. You should know that as well. While I do have a relationship with a number of these services featured in this post, they aren’t always a great fit for everyone, but they are great solutions. I’ll kick it to you straight so you can decide for yourself which solution is best for your needs.
A misnomer I hear from the WordPress community is, “Well, WordPress is free, so why should I pay for anything?” The code is free, as in free speech. But unless you know PHP and are familiar with the essentials of Linux, you might struggle with configuring your website the first time. The talent, innovation and overall support is what you are paying for.
You can only choose two of these poisons: Fast, Cheap, Good. My point is that when considering purchasing a solution/service in the WordPress community, you get what you pay for. A lot of people work hard to make life easier for you. It’s only fair, if you gain value in return, to compensate those accordingly.
WP Engine – Premium managed hosting. Once you go to WP Engine, you won’t ever need to upgrade to another host. And when you do, you had better be listed on NASDAQ. I’ve been using WP Engine personally and professionally and have appreciated their features that cater to developers such as staging deployments (meaning you can touch your site and no one sees it but you), in addition to their partnership with Sucuri. They have phone-based support that genuinely cares about customers in addition to chat support and a ton of perks like SSL, CDN and dedicated IP if you need it, for a nominal fee of course.
Pagely – Affordable premium managed hosting. Pagely was founded before any of the Managed WordPress providers appeared on the scene. They’ve been quietly copied and duplicated across the industry, but they have the most operating experience compared to the other providers. Their proprietary angle is that they use innovative firewalls and performance-boosting CDNs across their customers for greatest performance at a great price. Their platform has received a lot of enhancements recently, so that means they’re up to something big.
Dreamhost – Cheap, great for small sites that don’t drive revenue or other business goals. I’ve been a loyal customer since 2005, effectively using them for all my small projects and learning the ins and outs of PHP and MySQL. Offers a wealth of goodies that makes starting out easy. Dreamhost has partnered with me to offer one free domain registration, $17 off the annual plan and a dedicated IP for new users that use the promo code WPSECURITYGUIDE when signing up. A dedicated IP is ideal to make sure that other users on a shared host don’t damage your reputation and greatly harm your site.
StudioPress – StudioPress is the author of the famed ‘Genesis Framework.’ They author a ton of professional, fast-loading and secure themes that are proven among the WordPress community. Most themes have a tutorial that explains how to set them up right the first time. Their ‘Pro Plus’ pack is a great deal that gives you unlimited access to all their premium themes for one price. All my sites run on Genesis because it just works.
DIY Themes – DIY Themes creates the original premium WordPress theme framework, Thesis. They have refactored their code and they claim it’s even faster than Genesis, but I haven’t really seen a difference. They have a different approach to creating themes than Genesis. I like both their 1.8.x and 2.1.x editions and they give you access with a ton of tutorials with them, too. Admittedly, the DIY Themes community isn’t nearly as large as the StudioPress one… but that’s your call.
Free WordPress Themes – I’m not kidding when I say look at the WordPress themes listed on WordPress.org. They have been checked out that they are safe, functional and usable for the WordPress community. This year, I’ve seen an improvement in the quality of the themes featured on the site.
Backup Buddy – I’ve mentioned earlier that Backup Buddy saved my but once before. I screwed up a client’s site (we all do it once), and I had BackupBuddy so I was able to quickly restore the broken database and files without them ever knowing. It’s a professional plugin that you can depend on when you need it. Also, it makes transferring sites much easier. Just know that it has some conflicts with some Managed hosting providers, so check the FAQs and forums first.
iThemes Security – The all-in-one security plugin that you can configure to protect your site. Requires some level of comfort making server changes.
Redirection – Prevent click-fraud from malware sitting on compromised visitors. You can easily control the redirects to target URLs, so you know how they perform. I use this wherever I have affiliate links. Easy to configure and control.
Cloudflare – Did you setup Cloudflare? If so, you want to enable the Cloudflare plugin so you can track the real IP addresses of visitors. Otherwise, comments and activity are tracked as coming from the Cloudflare network.
Sucuri – Since you’re here looking into security issues with WordPress, there is no other leader like Sucuri for premium support and clean-ups of hacked sites. For the fair price of one hour of computer repair, you get protection for your site as well as malware cleanup annually. Ask around, they’re the best.
Web Page Test – Not sure exactly what is rendering on your site or its performance impact? Web Page Test will allow you test it in a controlled environment in many locations around the world. I use it to make sure my Managed WordPress hosting providers are delivering on their promises. At a least, it’s good to know how fast your site loads for most people. This gives you those answers.
GTMetrix – Similar to Web Page Test, but they focus on making specific recommendations for improving speed. I like comparing and contrasting the advice in both WPT and GTM; both are good, just slightly different priorities.
7. FINAL THOUGHTS
Hopefully this guide gave you the direction and compelled you to think about the decisions in managing your website. I want to revisit the topic that kicked off the start of this guide. Why WordPress? It’s not only WordPress. All of the threats and the attacks here can occur on Drupal, Joomla or any other content management system. Due to WordPress’ popularity and lower-barrier to entry, it is more commonly used and not often maintained by more web users.
If you stay up on maintance of WordPress. Just like how you do the dishes and take out the trash, maintaining your website is a responsibility for having an online web presence. Managed hosts greatly reduce this need, but you still should be aware of all the moving pieces in online security.
Security is a moving target. It will continue to move towards web hosts and other cloud-based services. The importance of security detection at the network and DNS level will be even more important. Additionally, the more web hosts collaborate with each other, the greater everyone will win. Always be innovating and constantly improving; don’t ignore the past. That’s the attitude to have for the foreseeable future.
If you have questions on any of the above sections – maybe I should re-explain something or draw a diagram or two, let me know in the comments.
In the interest of full disclosure, some of the links contained in this post will provide me a modest commission, but not enough to sway my views. I believe in all these listed products, services and companies mentioned in this post.
Continue reading Beginner’s Guide to Securing Your WordPress Website …