
Thought I'd start a WordPress security thread



Harold Mansfield
05-08-2017, 12:36 PM
I hear all the time from people who don't use WordPress, that WordPress isn't secure.
This is a little unfair since nothing that is on or connected to the web is completely secure. Just ask Target, Sony, Yahoo, and the (est) 4k businesses a day who are hacked.

Core WordPress is secure, and updated regularly to keep up with new threats. It's probably updated more than any other software I use including Windows and Android.

However, it runs on a plugin and theme architecture. Whereas other software keeps you out of its core architecture to protect you from yourself, WordPress has NO RESTRICTIONS in how you can customize it, configure it, or what a user can install. You are in complete control. If you don't know what you're doing with any software or device that gives you that much control, it becomes you who isn't secure. Not the software.

So I thought I'd share a few tips on how to better secure a WordPress website, and keep the thread going to help answer any concerns.



Keep it updated. Always run the latest version of whatever software you're using. AND read the darn updates to see what they fixed.
Keep the number of admins on your site to a minimum.
Delete the first admin account that you created. It's likely user ID 1, and that's the first place hackers and malicious bots look.
Don't use "Admin" as your user name. If you're using "Admin", create a new account. (You'll need a second email address to do this. You can change it later).
Don't use the same username/nickname that you use with other online accounts. You're just making it too easy.
Use strong, unrecognizable passwords (ask for elaboration on this if interested).
Use or create your business email address for your WordPress administrator account. Business site. Business email. Stop using free email accounts for business and don't use the same email address that you use for everything else. (This is a whole security rant in itself, but for another time).
Knowing a little HTML and CSS will save you from installing 30 plugins to do what a little code could have done.
Stop installing 30 crap plugins, and leaving them there even when you're not using them. Delete things you aren't using.
Make sure your theme doesn't create a comments area on every image upload.
Delete spam comments completely from your dashboard. Use a spam blocker like Akismet. If you need the pro version, pay for the pro version.
Don't click on suspect comment links out of curiosity.
Vet your themes and plugins. Read the reviews. Check to see if others report issues. Look at how the developer handles support. Stop installing whatever just because it promises to do that one thing that you think you need right this second.
Keep plugins updated. If you're using old plugins or themes that haven't had an update in years, the developer has probably abandoned it, and any hope of keeping it secure. Check with them. If there is no response, find a new solution and get it off of your site.
Stop using your Root for storage. If you need storage, buy storage. Where your website is hosted is not storage.
Delete the "read me" file from your installation.
Use the iThemes Security plugin (https://wordpress.org/plugins/better-wp-security/). It may take a while to read and understand all of the settings, but at min you want to use the setting that hides /wp-admin and changes its URL to a custom one that you set. Everyone knows where /wp-admin is.
Set backups. Best case is doing it through your hosting dashboard and letting your host take and store your files and database backups. If your account doesn't come with backups, change it.
Stop using the cheapest hosting available for your business website.


Cheap hosting is shared hosting. Shared hosting is used by amateurs who themselves are a security risk, which makes your site and any site anywhere near them at risk.

It also means a shared email server which is also crap. Ever had an IP address blacklisted? Use shared email servers, and you will.

I could talk about this one for days, but bottom line is good, secure hosting costs money. It's supposed to cost money. You don't need WordPress specific hosting that comes with a crap load of bloatware and monitoring software. Much of it is overpriced junk which limits your access and control of your website. Just make sure it's Linux hosting, and not Windows hosting, and take the time to learn something about running your own website.
Get an SSL/TLS certificate. Some hosts offer free SSLs for WordPress sites now via Let's Encrypt (https://letsencrypt.org/) and other open source SSL/TLS providers. Give yours a call to see if they do. If not, pay the money and get one. This isn't optional anymore.



Most hacks are not personal. They are crimes of opportunity. If you walk around thinking you have nothing a hacker would want, you're an opportunity. If a hacker sees a weakness in how you secure your website, it's a good indication that they can probably access your other accounts just as easily.

Does anyone else have any tips that they can share, or have questions about anything I've posted above?
Feel free to ask, that's why we're here.
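As an added example (not code from this thread or from any of the plugins mentioned), here is a small audit script for the checklist items that can be checked from the server side: user ID 1, the "admin" username, free email accounts on admin logins, a leftover readme.html, the default table prefix, and plugin sprawl. It assumes you can hand it the WordPress root path and a user list such as the output of `wp user list --format=json`; the plugin threshold and the sample install it builds are constructed for the demo.

```python
import os
import re
import tempfile

FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
PLUGIN_LIMIT = 15  # assumption: more than this is hard to vet and keep updated

def audit_users(users):
    """users: list of {id, login, email} (e.g. from `wp user list --format=json`).
    Flags the account hygiene items from the checklist."""
    findings = []
    for u in users:
        if u["id"] == 1:
            findings.append(f"user ID 1 still exists ({u['login']}): delete it")
        if u["login"].lower() == "admin":
            findings.append("username 'admin' in use: create a new admin and remove it")
        if u["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
            findings.append(f"{u['login']} uses a free mail account for an admin login")
    return findings

def audit_install(root):
    """Filesystem-side checks: leftover readme.html (it reveals the WP version),
    default 'wp_' table prefix in wp-config.php, and plugin sprawl."""
    findings = []
    if os.path.exists(os.path.join(root, "readme.html")):
        findings.append("readme.html present: delete it")
    cfg = os.path.join(root, "wp-config.php")
    if os.path.exists(cfg):
        with open(cfg) as fh:
            if re.search(r"\$table_prefix\s*=\s*['\"]wp_['\"]", fh.read()):
                findings.append("table_prefix is still the default 'wp_'")
    plugins = os.path.join(root, "wp-content", "plugins")
    if os.path.isdir(plugins):
        names = [n for n in os.listdir(plugins) if os.path.isdir(os.path.join(plugins, n))]
        if len(names) > PLUGIN_LIMIT:
            findings.append(f"{len(names)} plugins installed: delete the ones you are not using")
    return findings

def demo():
    """Build a constructed, deliberately untidy install in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "readme.html"), "w").close()
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\n$table_prefix = 'wp_';\n")
    for i in range(20):  # 20 plugin folders, over the constructed limit
        os.makedirs(os.path.join(root, "wp-content", "plugins", f"plugin-{i}"))
    users = [{"id": 1, "login": "admin", "email": "owner@gmail.com"},       # constructed
             {"id": 7, "login": "site.editor", "email": "editor@example.com"}]
    return audit_install(root) + audit_users(users)

if __name__ == "__main__":
    for line in demo():
        print("-", line)
```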

vangogh
05-09-2017, 10:23 AM
Good topic for a thread. There are a few things on your list I need to do, but I think I do pretty well with most. I think keeping the software (both WordPress and plugins) updated is the most important thing. WordPress itself is usually quick to update as soon as it learns about any attack. With plugins it depends on the author(s) of the plugin, which is why I agree with doing a little research before installing any and every plugin. Read the reviews. Scan the support forums. Check to see when the plugin was last activated. Do your due diligence.

Speaking of plugins. Yesterday I came across an article about a plugin that helps prevent spam registrations. It's called Stop Signup Spam (https://wptavern.com/new-wordpress-plugin-blocks-spam-user-registrations-using-stop-forum-spam-database) (The link takes you to the article). The plugin checks the Stop Forum Spam database and won't let anyone in the database register. I haven't used the plugin, but we check new registrations against the same database for signups here and it does a good job.


Most hacks are not personal. They are crimes of opportunity.

Yep. Most attacks occur on non-updated software. They take advantage of a hole that's already been fixed and seek out sites that haven't updated to include that fix. Make sure your software is updated. WordPress makes it easy. In fact you can set up WordPress itself to update automatically. Plugins you'll still need to log in and press a couple of buttons to update.

cbscreative
05-09-2017, 12:16 PM
Great topic, Harold, but experience indicates most people still go blindly about their bad habits and never bother to even look at a topic like this. However, I think it will help a few in the community and any awareness effort serves a good purpose. We can't change human nature, "People won't pay a dime for prevention but they'll empty their pockets for a cure." No one wants to add complexity to their life but this is a case where not doing at least the basics can and probably will result in serious grief.

On your statement about WP not being secure, I do warn people that a default installation of WP is grossly insecure. You mentioned yourself the ID 1 and default "admin" account. I strongly second the advice to install iThemes Security and take time to configure it. The plugin does a good job of explaining the how and why of the settings. If someone finds it intimidating, they should find someone like either of us to install and configure iThemes. Without that, I say WP is insecure.

Harold Mansfield
05-09-2017, 01:34 PM
I also think hosts could do a better job with their one click install. They have the ability to adjust things like this. They already change database prefixes and add bloatware to the installation. However, it seems these days they're more interested in getting you dependent on Sitelock than providing any out of the box security to help people.

WordPress is for people who want full control. You need to take precautions and learn how to use it the same way you do with your Windows settings, Android settings, Google privacy settings, Facebook, setting up your router, and so on. This is normal, basic security stuff and we do it for EVERYTHING. Every software. Every device.

I think it's unfair to act as if we don't have to worry about security with anything else, so therefore WordPress is unsecured because we have to do a little more than just install it, set it and forget it.

Also, it's not a product that you pay for. It's an open source software that you use for free. Developers around the world help keep it updated and secure for free. I think they do a great job of updating it. Just as good or better than ANY other open source software, and even better than most paid software.

Compared to my ($700) Android phone which updates once a month. Windows? Maybe once every 2 months. iOS, what...every 6 months? Intel JUST fixed a security vulnerability that they knew about FOR 7 YEARS! Your phone's messaging has a security flaw that allows knowledgeable people, with the right equipment, to hijack your messages and reset your passwords. THEY KNOW this exists and has for years, and it STILL HASN'T BEEN FIXED! How much do you pay for that service with the ongoing security hole?

WordPress updates whenever a new vulnerability is found, regardless of the date. Sometimes within days of first reports. For free.

I'm sorry, but I think people are a little too hard on this thing that they are using for free and complaining that it's too inconvenient to learn how to use it in order to be a little safer.

You don't have to be a hard core developer to keep up with WordPress news and check the things you have installed against the vulnerability database: https://wpvulndb.com/

We're in a cyber war right now. We're getting hit left and right. New ways to exploit things, ALL things, are invented every day. Security is up to you, regardless of what you use. There is no easy button so we need to educate ourselves and start sharing what we know.

It's not good enough to just blame the tools anymore. More than half of security breaches are because someone opened a bad email or were tricked into opening an attachment. Software companies could put out patches every day, and you can spend thousands on hardware and you still can't stop that. The key to this is our education.

vangogh
05-09-2017, 02:30 PM
I think WordPress is pretty secure right out of the box. I think the install used to automatically set up the username as admin, but years ago switched to making you choose a username. Doesn't it also now default to a secure password? You can change it, but WordPress will give you instant feedback about how strong or weak the password is.

I used to get contacted a lot to help clean up an infected site and in all cases the site became infected because the software wasn't upgraded or because an abandoned plugin was allowed to remain active. It also cost those people a lot more money than it would have to hire me to keep an eye on their sites.

WordPress isn't 100% secure, but nothing ever is. If you do the minimum and keep it, plugins, and themes up to date you're probably safe against the most common attacks. If you go above and beyond the minimum like Harold suggests you should be safe against even more types of attacks.

Harold Mansfield
05-10-2017, 12:57 PM
I used to get contacted a lot to help clean up an infected site and in all cases the site became infected because the software wasn't upgraded or because an abandoned plugin was allowed to remain active.

Yep. Almost every time.

There are a couple of hosts that just seem completely incapable of stopping even the most basic stuff, but almost every other time it's been human error. Not paying attention. Not keeping up with updates. Using poorly coded themes, and old plugins.

The other big one is using the root for storage.

I've seen people spend thousands of dollars to fix issues that they caused trying to save $40.

vangogh
05-11-2017, 12:59 AM
I think most of the times I cleaned up after an attack it was human error. It's possible one was an insecure host, but it's usually not updating a plugin that leads to the initial attack. The worst part is if you miss even a single line of code in a single file, the whole attack can come back.

True about trying to save money causing problems too. I know I've cleaned up after someone who tried to save a few dollars on having code written or going for the least expensive software or something similar. It usually comes back to bite you. The cheapest option doesn't always turn out to be the least expensive one.