Securing Wordpress
Over 75 million websites. That’s a larger number than the population of some countries. WordPress is a dominant choice for creating a blog, content management system, or full-blown e-commerce site. It has a vibrant developer and user community. Unfortunately, it also has a dark side – frequent and widespread successful hacking attempts. With some effort, many of these attacks can be prevented. I’m going to provide helpful information and, when possible, link to tutorials to further explain the implementation.
SECURITY CONCERNS
There are specific concerns that need to be addressed when hosting a website using the WordPress platform. Its popularity is both an advantage and a disadvantage. A strong developer community offers security patches quickly. However, the sheer number of websites that use the WordPress platform makes it a prime target for a large-scale attack. There are many third-party plugins for the platform, but many of them have potential security flaws that hackers may exploit. A default WordPress installation is very similar to any other. This fact enables hackers to write one script that can potentially affect thousands of sites.
Securing any system requires careful planning and resources. While no system can be considered 100% impregnable, usually the more effort and resources invested, the more difficult it is to exploit. There are three major security subjects to be addressed: 1) preventing issues, 2) monitoring the system, and 3) the ability to restore the system in the event of a breach.
PREVENTION
The main goal of a security plan is to prevent attacks. Prevention involves more than the hardware and software of the system; it also involves processes and personnel. The choice of hosting provider may limit security options or introduce vulnerabilities. Other items concerning prevention are firewalls, operating system configuration, and the installation and configuration of WordPress.
The first step in the security plan is looking at the processes involved with the system and ensuring there are no weaknesses that could lead to an issue. Specific processes involving WordPress are plugin/theme installation, upgrading, registration, authentication, and backup.
Do some research on your themes and plugins. Most of the time it’s all too easy to find the specific plugin we need through a Google search and install it. The next thing you know, your outbound email server is busy queuing up messages you never intended to send. It’s not just free plugins that are an issue, either. Stick to well-known sites for paid plugins and look at the ratings. Do a search for concerns about the plugin in general. If you are a programmer, or have access to one, have them take a look at the code for flaws. This site offers some information on WordPress plugin and theme vulnerabilities. Some things to be cautious of:
- Themes and plugins that write files – especially ones that try to use directories that are not specific to the plugin or theme
- Plugins that allow code execution from dynamic content
- Themes and plugins that someone other than the author has modified
- Themes/Plugins with little or no ratings or downloads
WordPress has an active community and updates come on a regular basis. Yet many WordPress sites are major versions behind. They don’t benefit from the security patches the community has written and can be exploited easily. Automated updates are a challenge if you have adjusted the file permissions to a secure level, since the web server should not be able to write to the core file directories. It takes monitoring and testing to keep WordPress up to date. There are some things that help:
- Check your site on a daily basis for updates
- Review and test functionality before upgrading
- Any file permissions changed should be returned to the original setting before the update
- A full backup should be performed before the update
- Monitor logs after the update for issues
- Review the vulnerabilities list
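One way to put the file-permission advice above into practice, as an added example that is not part of the original post: a POSIX shell script that locks a WordPress tree down so the web server cannot write to core files, reports anything still world-writable, and can reopen the tree for a manual update before being locked again. It assumes the files are owned by a deploy account with the web server’s group (e.g. www-data) as group owner, that wp-content/uploads is the only directory the web server must write to, and the standard WordPress directory layout; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: files are owned by a
# deploy user with the web server's group as group owner, and only
# wp-content/uploads needs to be writable by the web server.
set -eu

# Lock the tree: directories 755, files 644, wp-config.php 640 (owner and group
# read only, nothing for "other"), uploads writable by the web server group.
lock_wp_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi
}

# Temporarily give the web server group write access to the directories an
# in-dashboard update touches. Take a backup first, run the update, then call
# lock_wp_permissions again so the original settings are restored.
unlock_wp_for_update() {
    root=$1
    for d in wp-admin wp-includes wp-content; do
        if [ -d "$root/$d" ]; then
            chmod -R g+w "$root/$d"
        fi
    done
}

# Number of entries (excluding symlinks) that are world-writable, i.e. have the
# 0002 bit set. After locking this should print 0; use it in a daily check.
count_world_writable() {
    root=$1
    find "$root" -perm -0002 ! -type l | wc -l | tr -d ' '
}

# Octal mode of a path (GNU stat; on BSD/macOS use: stat -f '%Lp').
mode_of() {
    stat -c '%a' "$1"
}
```

Run `count_world_writable /var/www/html` from cron and alert on a non-zero result: a plugin or an intruder that loosens permissions shows up the same day, which is the kind of monitoring the update checklist asks for.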
Registration is a risk, as subscriber accounts can be upgraded to higher privileges. Hackers may also want to acquire the information (such as email addresses) that your site requires during registration. If you wish to enable registration, this is done in the Settings section. It’s a good idea to use a two-step process where the new user is emailed an activation link; this cuts down on the creation of spam accounts. Using a custom registration URL and a CAPTCHA on the initial form will also help. Several plugins claim to reduce registration spam and make it more secure. Check some out here.
Authentication involves verifying users on your site. Typically this is done with only a username and password. Some hacking attempts will submit thousands of usernames and passwords to a site using common values (sometimes called a dictionary attack). There are different ways to protect against this intrusion. First, do not use standard usernames or common passwords for administrator accounts; “admin” and “wordpress” should be avoided. There are some plugins, such as “All in One Security”, that will analyze your usernames and tell you if one should be changed. Second, use a plugin that limits the number of login attempts over a short period of time and locks the client out if it goes beyond the settings. Lastly, if possible, use a two-step security process. Check out these plugins that can help secure authentication.
There are some nice tweaks you can use to make WordPress a bit more difficult to hack. In most cases, the WordPress file-editing tool can be disabled. If you are customizing a theme or creating your own plugins, it’s better to take the time and set up a development/test environment. Edit the files there and then copy them into place after testing. During the WordPress installation you also have an opportunity to change the table prefix in the database. This step can help prevent some scripted hacking attempts and involves changing a text field from the standard wp_ to something of your choice.
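Two added examples follow, both my own and not code from the original post. The first covers the dictionary-attack paragraph: the login-limiting plugin acts inside WordPress, but the same burst of attempts is visible in the web server access log, and a defender can spot it there without any plugin. The script reads Apache/nginx combined-format lines, counts POSTs to wp-login.php (and xmlrpc.php, which accepts logins too) per client per minute, and flags clients over a threshold. The sample log lines are constructed; the threshold of 5 per minute and the function names are assumptions. It relies on one real WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful login answers with a 302 redirect.

```shell
#!/bin/sh
# Added example (not from the original post). Log lines below are constructed in
# combined log format; the threshold is an assumption, tune it to your traffic.
set -eu

# Constructed sample: 203.0.113.7 fails six times in one minute then succeeds;
# 198.51.100.20 is a normal user (one typo, then a successful login).
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:14:02:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read an access log on stdin; print "client minute count" for every client
# whose failed login POSTs in one minute reach the threshold (default 5).
flag_login_bursts() {
    threshold=${1:-5}
    awk -v thr="$threshold" '
        # $6 is the quoted method, $7 the path, $9 the status code.
        # Failed WordPress logins re-render the form (200); success is a 302.
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") && $9 == "200" {
            minute = substr($4, 2, 17)          # "[10/Mar/2024:14:02:01" -> "10/Mar/2024:14:02"
            n[$1 " " minute]++
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' | sort
}

# Turn flagged clients into nginx "deny" lines for a temporary block list.
flagged_to_nginx_deny() {
    awk '{ print "deny " $1 ";" }' | sort -u
}

# Usage against a live log (assumed path):
#   flag_login_bursts 5 < /var/log/nginx/access.log | flagged_to_nginx_deny
```

Feeding the output to an alert, or to fail2ban, gives the lockout the paragraph describes while also producing a record of who was knocking, which the login plugin alone does not leave in the server logs.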
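The second added example (again my own, not the post’s code) turns the two tweaks in the previous paragraph into a check that can run on every deploy. In wp-config.php the file editor is disabled with `define('DISALLOW_FILE_EDIT', true);` and the table prefix lives in `$table_prefix`. The script reports a config that still allows in-browser file editing or still uses the default wp_ prefix, and can write a corrected copy that inserts the define before the “That's all, stop editing!” marker WordPress ships in wp-config-sample.php. The sample configs in the test are constructed; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Audits wp-config.php for the two
# hardening settings discussed: file editor disabled, non-default table prefix.
set -eu

# Exit status 0 when an uncommented define('DISALLOW_FILE_EDIT', true) exists.
file_editor_disabled() {
    grep -Ev '^[[:space:]]*(//|#)' "$1" |
        grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Print the configured table prefix; WordPress falls back to wp_ if unset.
table_prefix_of() {
    p=$(sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${p:-wp_}"
}

# Print one WARN line per finding; exit status is the number of findings,
# so "audit_wp_config wp-config.php || alert" works in a deploy script.
audit_wp_config() {
    cfg=$1; findings=0
    if ! file_editor_disabled "$cfg"; then
        echo "WARN: DISALLOW_FILE_EDIT not set; add define('DISALLOW_FILE_EDIT', true);"
        findings=$((findings + 1))
    fi
    if [ "$(table_prefix_of "$cfg")" = "wp_" ]; then
        echo "WARN: default table prefix wp_ in use (changeable only at install time)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Write a copy of the config with the define inserted ahead of the
# "That's all, stop editing!" marker. The original file is left untouched so
# the change can be reviewed and deployed like any other code change.
add_disallow_file_edit() {
    in=$1; out=$2
    if file_editor_disabled "$in"; then
        cp "$in" "$out"
        return 0
    fi
    awk '
        /That.s all, stop editing/ && !done {
            print "define('\''DISALLOW_FILE_EDIT'\'', true);"
            done = 1
        }
        { print }
        END { if (!done) print "marker not found; add the define manually" > "/dev/stderr" }
    ' "$in" > "$out"
}
```

The table prefix cannot be changed by editing the file alone once the site is installed, because the database tables carry the prefix in their names, which is why the audit only reports it; the file-editor setting, by contrast, is safe to add to a running site.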
Daily backups of the database and site files should be performed. Both database exports and site files should be copied to off-server storage. Restoration from an existing backup should be tested on a monthly basis. If you are creating plugins or themes, use a version control system such as Git.
A well-known hosting provider that fits the security plan is a critical part of it. Caution should be used with shared installations or services. Even when the staff is knowledgeable and confident in maintaining a secure hosting environment, an outside monitoring service should be used to confirm that known vulnerabilities are not present. Stay clear of free hosting services.
MONITORING
While the servers are running, periodic checks should be performed using internal and external monitoring systems. Make sure that the alert mechanism is set up and tested. Alerts should go to the person who can take action.
INTERNAL MONITORING
The following tools can be used on the server to identify potential problems:
- Malware/Virus Scanners
- Network Monitoring
- Activity Monitoring
EXTERNAL MONITORING
Third-party monitoring is highly recommended, especially if you are running a complex site that would be negatively affected by finding its way onto a blacklist, or if you retain personal information about your site users.
SiteLock monitoring provides the following features:
- Blacklist monitoring
- SSL monitoring
- Version monitoring
- SQL injection testing
- Cross-site scripting testing
- Network vulnerability testing
- Malware testing and removal
RECOVERY
It should be assumed that there is the possibility of the site being breached. Recovery involves archiving the breached files or data, analysis and patching of the issue, and re-installation of a clean site.
A simple archive script can be created to take a snapshot of the WordPress installation and data. Once run, these items can be taken offline and safely examined for the cause of the breach. If needed, a third party may be engaged to analyze the breach. If writing a script is beyond your access or skill, you can manually accomplish the same result using FTP and database backup software.
Patches to software will follow the standard development process. Functionality will be tested to ensure the site works for standard use and that the fix prevents the breach that occurred. Infrastructure changes will undergo testing in the same manner. The changes will be logged in a security database for reference.
A reinstallation or deployment process should be documented and followed. There are several options: if you have identified where the breach occurred, you can safely replace the WordPress core, plugin, or theme files.
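The daily backup described under Prevention and the archive script described under Recovery are the same job run for two reasons, so one added example (my own, not the post’s script) serves both: it archives the document root, writes a SHA-256 manifest beside the archive so an offline copy can later be shown unmodified, verifies an archive against that manifest, and dumps the database using the credentials WordPress already keeps in wp-config.php. It assumes GNU tar and sha256sum, that mysqldump is installed for the database step, and that the staging directory is copied off-server afterwards by whatever transport you use; paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Snapshot a WordPress install
# (files + database) into dated, checksummed archives for off-server copy or
# offline breach analysis. Assumes GNU tar/sha256sum and, for the database
# step, mysqldump with credentials readable from wp-config.php.
set -eu

# Pull the value of define('KEY', 'value') out of wp-config.php.
wp_config_value() {
    key=$1; cfg=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1
}

# Archive the whole document root read-only and write a SHA-256 manifest next
# to it. Prints the archive path.
snapshot_files() {
    wp_root=$1; out_dir=$2; stamp=$3
    archive="$out_dir/wp-files-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
    (cd "$out_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# Exit status 0 when the archive still matches its manifest. Run this after
# copying off-server and before handing a snapshot to an analyst.
verify_snapshot() {
    archive=$1
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null)
}

# Dump the database named in wp-config.php. The password is passed through the
# MYSQL_PWD environment variable so it never appears on the command line or in
# the process list. DB_HOST values of the form host:port need splitting first.
snapshot_db() {
    cfg=$1; out_dir=$2; stamp=$3
    db=$(wp_config_value DB_NAME "$cfg")
    user=$(wp_config_value DB_USER "$cfg")
    host=$(wp_config_value DB_HOST "$cfg")
    MYSQL_PWD=$(wp_config_value DB_PASSWORD "$cfg") \
        mysqldump --single-transaction --routines -h "$host" -u "$user" "$db" \
        | gzip > "$out_dir/wp-db-$stamp.sql.gz"
}

# Usage (assumed paths; run as the deploy user from cron, then copy $OUT_DIR
# off-server):
#   stamp=$(date +%Y%m%d-%H%M%S)
#   snapshot_files /var/www/html "$OUT_DIR" "$stamp"
#   snapshot_db /var/www/html/wp-config.php "$OUT_DIR" "$stamp"
```

For the monthly restore test, extract the archive and load the dump into a scratch database, then confirm the site renders; for breach analysis, work only from a copy whose `verify_snapshot` check passes, so the evidence is never the file you are editing.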
More on WordPress hacks:
Good
Very well written. I will be sharing this.