Securing WordPress Part Three: WordPress says… - Blogging, Small Business, Web Design & Hosting Tips - A Small Orange

Securing WordPress Part Three: WordPress says…

Because WordPress is often installed from Fantastico, lots of people never make it to the actual WordPress site. WordPress has some fantastic information on their site, fantastic information that a lot of people never even see. One of the most important pages on the whole site is:

For our third installment in the series, we are going to introduce you to the fact that this page exists, and explain a little bit about some of the things they’re talking about that we feel might be less than obvious or thoroughly understandable to our clients.

“Hardening”, when being talked about relative to computers and software, means the process by which you make a system more secure. When we get new servers, we harden them – we install firewalls, change settings, turn off options we feel are a risk, add options that will help security. Suhosin is called the “hardened PHP project” as it is designed to address potential security issues inherent in PHP. When you get a new computer and you install anti-virus, you are hardening your computer. Hardening is not one thing, or even one specific series of things – it is anything done to a system, piece of software, module or service to address potential security issues, anything that takes the default install and makes it more secure.

Default installs of almost anything are usually insecure in some way. Default installations are designed to give you all the functionality you might need, with lots of things turned on you may never use. Some hardening should usually be done before software is opened up for use. On shared hosting, that doesn’t tend to happen – people see the Fantastico button, push it, and poof, it runs. Since it runs and can be used out of the box, no one thinks beyond the functions they want and, much like a child on Christmas morning, they just want to play with it now.

In most cases, this will work, especially since we’re aware that shared hosting clients are not generally concerned with security as it pertains to their installs, and it’s part of our responsibility to mitigate that “misunderstanding” in any way we can. We can tell people to upgrade their stuff until we’re blue in the face, but we also have to function within the reality that 60% of you won’t ever bother, and some don’t even understand the software they are running well enough to know it is supposed to be upgraded.

Presumably, you want to know more about becoming one of the other 40%, so let’s get to it and start with some of WordPress’s specific advice to you on your WordPress installation.

Make sure the computers you use to post to WordPress are free of spyware, malware, adware, and virus infections; and are running secure, stable versions of your applications. For example, none of the following makes the slightest difference if there is a keylogger on your PC.

We have said it before and we will say it again: The number 1 thing that you can do to secure your site is secure your computer. You are generally the weak link in the scenario of security. You are the crack in the wall, the most vulnerable unprotected spot in the armor, the monkey wrench thrown into the well oiled machine.

Your host can install security, scan for exploits, patch web servers all day long, and if we give you the login and your computer is going rogue, what we did means nothing. The WordPress developers can write their coded poetry until it rhymes and gets you coffee, but if you have Malware that eats WordPress installations for lunch, nothing they can do will matter.

You should never go on the Internet naked.

We have clients who get infected, and infect their sites, and explain that they scan for viruses every single weekend, so how could they be infected? When we ask if they have constant firewall protection, they say no – but they scan responsibly every single week! Folks, this is like leaving your door unlocked and being super impressed the cops got there fast to tell you that your Plasma TV was stolen. It’s ludicrous – lock the door.

We hosts and developers don’t live in a vacuum – we watch security alerts, we see which direction the hackers are moving, we look at what we need to do to mitigate what they’re trying to do. We’re doing a fairly good job, and it’s much harder these days to actually hack a server because we all are working together – and together, sharing information, we’re becoming tougher adversaries.

You folks, though, don’t even think you’re in a war – you’re easy pickings, and the exploiters’ focus is shifting en masse to take advantage of the fact that you don’t realize all this stuff.

Realize this stuff.

Keep up to date with the latest WP version: The WordPress developers do not maintain security patches for older WordPress versions. Once a new version has been released or the vulnerability has been fixed then the information required to exploit the vulnerability is almost certainly in the public domain making any old versions more open to attack by a simple script kiddie.

Do not email me and tell me you didn’t upgrade because a plugin you ADORE won’t work on the latest version of the software. I don’t care. The hackers don’t care, and I don’t care. Upgrade. All the time. Check every day if you have to while you drink your morning coffee. WordPress has evolved so that upgrading is now a single button click and, most of the time, takes less than 60 seconds. There are no excuses. Do you know how we always seem to know to tweet about the latest vulnerability? Ever wonder how we find out so fast?

Because everyone tells everyone else.

There is no super secret sys admin list where we all get briefings and everyone agrees to keep it on the down low so that the hackers don’t find out. It’s public. It’s in our news forums. It’s Twittered. It’s blogged about. It’s blown wide open, far and wide. It’s published with step by step instructions, generally, on what the hole is and how it was able to be exploited because we need that information to secure it, and that’s usually done in multiple places – the more popular the software, the more people will know. Software developers are usually given the courtesy of getting the report first by the person that found the hole, and a day or two to come up with a patch and take responsibility, but within days, it’s everywhere.

If you don’t address a vulnerability that is public by upgrading, you have a target on your site’s back. Period. It’s a matter of time before they find you – and if hackers didn’t know about the vulnerability, we all just told them by trying to get the word out – so if they didn’t know, they do by the time we do.

Again, they all know that a huge portion of you don’t bother with upgrades, so it’ll begin being used in days. Again, you’re the weak link here. If you don’t upgrade, the developers staying up to patch something until 3 am means nothing.
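As an added example (not from the original post or from WordPress itself), here is how a host or site owner can check whether an install is behind the current release without logging into each dashboard. WordPress records its version as `$wp_version` in `wp-includes/version.php`; the sample file contents and the "latest" version string below are constructed for the demo, and `audit_install` is a hypothetical helper name.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed sample of wp-includes/version.php. WordPress really stores its
# release in this file as $wp_version; the values here are made up for the demo.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.9.2';
$wp_db_version = 12329;
"""


def parse_wp_version(php_source: str) -> Optional[str]:
    """Pull the $wp_version string out of the contents of version.php."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", php_source)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """'2.9.2' -> (2, 9, 2); '3.0' -> (3, 0, 0); a '-beta1' suffix is ignored."""
    numeric = version.split("-")[0]
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)          # pad so '3.0' compares equal to '3.0.0'
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    return version_tuple(installed) < version_tuple(latest)


def audit_version_file(php_source: str, latest: str) -> dict:
    """Report the installed version and whether it lags behind `latest`.
    An unreadable or unparsable file is flagged as outdated so it gets looked at."""
    installed = parse_wp_version(php_source)
    outdated = installed is None or is_outdated(installed, latest)
    return {"installed": installed, "latest": latest, "outdated": outdated}


def audit_install(wp_root: Path, latest: str) -> dict:
    """Hypothetical helper: audit one WordPress document root on disk."""
    version_file = wp_root / "wp-includes" / "version.php"
    source = version_file.read_text() if version_file.is_file() else ""
    return {"path": str(wp_root), **audit_version_file(source, latest)}


if __name__ == "__main__":
    print(audit_version_file(SAMPLE_VERSION_PHP, latest="3.0"))
```

Run `audit_install` over every document root on a server to get a list of installs that still need the one-click upgrade.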


The webserver running WordPress, the database with the WordPress data, PHP and any other scripting/programming language used for plugins or helper apps could have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server, database, scripting interpreter, or make sure you are using a trusted host that takes care of these things for you.

I think I took care of my position on this one on Friday. 🙂

Next in the series we’ll address some other things they recommend – there’s a lot.

One of the things we want to get across in this series is not just recommendations, but why these things are recommended and when applicable, exactly how to do them so that you can implement them. Some recommendations you won’t need to worry about because our set up makes the scenario impossible (for example, what happened at Network Solutions with WordPress installations could not have happened here because of configuration choices we have made that they did not), and some should be put into place on any WordPress installation anywhere. We want you to understand how to put these into place but, more importantly, why you should and what the risk is if you don’t.
