4 Little Known Ways to Achieve Better WordPress Security



Harold Mansfield
12-16-2015, 01:20 PM
If you do use WordPress and are concerned about security, it's not actually rocket science. Just like with any website, knowing how to use your tools and a little common sense can save you from a world of hurt and inconvenience.

Anything can be hacked. Generally the annoyance hacks or infiltrations, no matter how the website is built, are the fault of the website administrator's lack of knowledge or of really cheap shared hosting plans from companies with terrible security who only offer safety at an additional charge.

This past year I've had more people call me with hacked websites than any year before. I've seen some nasty hacks, viruses, and just straight-out takeovers that could have mostly been avoided.

9 times out of 10 they are annoyance hacks of opportunity that could have been completely avoided with a little due diligence...
keeping your software updated,
not using "admin" as your username,
not using easy to guess passwords,
not having 13 administrators on one site,
not using your server for storage,
not keeping old plug-ins that you aren't using,
not installing things that you have no idea how to use or not properly vetting where they come from,
not using the cheapest hosting plan available for your most important marketing asset, and so on and so on.

The following article offers some common sense, a little bit of knowledge and a few things that anyone who runs a WordPress website can implement, many times in just a few minutes.



While it is true that strong passwords and proper permissions on a WordPress site can help provide good security, there are a few little-known methods of enhancing your WordPress security while maintaining both sides of the security vs. usability equation.

https://ithemes.com/2015/12/16/4-little-known-ways-to-achieve-better-wordpress-security/

Business Attorney
12-18-2015, 10:28 AM
not keeping old plug-ins that you aren't using

I would add "not keeping old themes that you aren't using". Themes are also one of those items that come under Harold's warning of "not properly vetting where they come from."

A lot of the phishing email spam I get contains a link to a file buried in an unused theme on some innocent website that then redirects to a phishing site.

Harold Mansfield
12-18-2015, 11:31 AM
I would add "not keeping old themes that you aren't using". Themes are also one of those items that come under Harold's warning of "not properly vetting where they come from."

A lot of the phishing email spam I get contains a link to a file buried in an unused theme on some innocent website that then redirects to a phishing site.

Good point. The only themes other than the one I'm using that I keep are WordPress default themes. There are 4 or 5 of them that now come with WordPress, but you only need one additional theme installed. Just in case there's a problem with your current theme, such as it not playing well with an update, WordPress will need something to default to, and it looks for one of the default themes to do that.

Brian Altenhofel
12-18-2015, 11:40 AM
A deny-by-default server configuration (even just through .htaccess) will also go a long way. Only explicitly allow the required PHP entry point files to be executed by the webserver, and deny everything else.

And the webserver (and PHP, if using fastcgi/fpm) daemons should never run as the same user that owns your PHP files and should never have write-access to the folders containing your PHP files.
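The deny-by-default .htaccess layout Brian describes, written out as an added example (this is not configuration from the thread or from WordPress itself). It assumes Apache 2.4 with mod_authz_core and AllowOverride enabled for the document root; the entry-point allow-list is an assumption about a stock WordPress install and must be extended for any plug-in that is called directly by URL.

```apache
# ---- <docroot>/.htaccess (added example, not from the original post) ----
# Deny-by-default: no .php file under the site may be executed unless a
# later, more specific section re-allows it. Later <FilesMatch> sections
# override earlier ones for the same file, which is what the allow-list
# below relies on. Keep WordPress's own mod_rewrite block above or below
# this; it is not affected.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Allow only the front-door entry points WordPress core needs at the root.
# (Assumed list for a stock install; drop xmlrpc.php if you do not use it.)
<FilesMatch "^(index|wp-login|wp-cron|wp-comments-post|xmlrpc)\.php$">
    Require all granted
</FilesMatch>

# ---- <docroot>/wp-admin/.htaccess (added example) ----
# The dashboard, admin-ajax.php and friends are all direct PHP entry points,
# so this directory is re-allowed as a whole. Everything else under
# wp-content/ (uploads, themes, plug-ins) and wp-includes/ inherits the
# root-level deny, so a dropped web shell in an unused theme or in
# uploads/ is not executable even if it was written successfully.
<FilesMatch "\.php$">
    Require all granted
</FilesMatch>
```

After enabling this, watch the Apache error log for "client denied by server configuration" entries from legitimate plug-in requests and add those specific files to the allow-list rather than loosening the default.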

Harold Mansfield
12-18-2015, 11:48 AM
A deny-by-default server configuration (even just through .htaccess) will also go a long way. Only explicitly allow the required PHP entry point files to be executed by the webserver, and deny everything else.

And the webserver (and PHP, if using fastcgi/fpm) daemons should never run as the same user that owns your PHP files and should never have write-access to the folders containing your PHP files.

There are security plug-ins that help you take care of this, as well as newer security options in WordPress. But it really all comes down to the site administrator knowing what they are doing. Most don't.

WordPress has gotten an unfortunate reputation for being easy and that anyone can run it and people thereby associate that to mean the web is easy. It's easier than hand coding HTML files, but you still have to learn a few things.
Most people don't know or learn anything about basic website security at all, whether it be WordPress or just HTML files.

And cheap hosting companies suck and don't seem to care anymore. They're just offering the basics. You don't get security support AT ALL. If you don't know, they don't tell you, and when something happens... first of all it's your fault no matter what it is... then they want to up-sell you more security products. But that's another conversation.