WordPress is increasing in popularity as both a blogging tool and as a full-featured website. Security concerns for this popular web platform have increased along with the popularity.
WORDPRESS USERS
Within WordPress is a list of users that can do different things on your WordPress site. Each user is assigned a “role”, the most powerful being Administrator. Here is what we recommend regarding WordPress users:
Limit the number of folks that have the Administrator role (you really only need one). Use this user for changing settings, managing software within WordPress and managing users. Do not use this user for creating or maintaining content. Give this user a non-guessable name, definitely *not* “admin”.
Create a user for yourself and give it the role of Editor. Use this account to do all of your content creation and editing. The reason for using this user is that sometimes WordPress, or one of its plugins, will show the name of the author who created the content. Giving your users fewer permissions may save your site if a hacker guesses your username and password.
Create no user called “admin”. If you have an “admin” user, make a new user, give it the Administrator role and then delete the “admin” user. When you delete the “admin” user WordPress gives you the opportunity to assign an author from your user list for all of the content that “admin” had created. Assign the “admin” content to a non-Administrative user.
PASSWORDS
Passwords for your website can no longer be super-convenient, as they were in the past. Simple words, or names, have become easy to crack by sophisticated and brute-force attacks. The passwords you use for your WordPress site should include the following characteristics:
Be at least (!) twelve characters long. For every character that you add to the length of your password you increase its strength exponentially.
Contain at least one UPPERCASE letter
Contain at least one numeral (0 – 9)
Contain at least one punctuation character (ex. ~!@#$%^&,*+.=;:<>?)
Put on your creativity hat and feel free to make your passwords easy to remember but difficult to crack. HINT: Adding repeating characters at the beginning and ending of a password is not only easy to remember, but helps to increase complexity. For example, a fairly secure password such as “!Secure4Me” can be made much more secure by repeating a few characters at the beginning and ending, such as “!!!Secure4Meee”.
MANAGE YOUR PLUGINS
Delete Unused Plugins
Stick with well supported and popular plugins. You may want to start with the plugins that we have found useful on our recommended plugins page. Using popular plugins increases the likelihood that others will find flaws in them and come up with solutions.
Update your plugins. Be careful here as you want to make certain that the version of the plugin works with the version of WordPress that you have installed. Each plugin has a plugin page or an author page somewhere (usually on WordPress.org) that tells you the versions of WordPress that are supported.
UPDATE WORDPRESS
WordPress is ever-evolving, adding features and fixing bugs. WordPress updates also include fixes for security holes. Be a bit careful here as the newest version of WordPress may not be compatible with the plugins that you have installed. We recommend that you take a look at your plugins *first* to see if they are compatible (or have an updated version that is compatible) with the version of WordPress that you are updating to. You can update WordPress from within the WordPress admin screens (log in as your administrative user).
BACKUP OFFSITE
Dreamhost backs up your WordPress filesystem and database on a daily basis, but they only keep those backups for so long. What happens if you accidentally delete or change something on your site and don’t notice it for a while? To protect from that we recommend installing a WordPress plugin that allows you to create your own backups that you can keep as long as you like. We recommend a plugin that backs up both the database and the filesystem. A good plugin that we recommend is called BackWPup. BackWPup allows you to schedule backups of both the filesystem and the database and has the added bonus of sending that backup offsite in case your Dreamhost account becomes completely ruined.
BackWPup can send your backups to an e-mail address, an FTP site, Dropbox, Amazon S3, SugarSync, Google Storage, Microsoft Azure or a Rackspace Cloud account. We recommend that you do a full backup once per week and send it off-site. Use the .zip format for the backup file since it is compatible with all hosting environments.
GENERAL PRECAUTIONS
There are a few general rules you can follow to ensure that your WordPress software remains secure:
Keep your themes and plugins updated – Outdated software is the number one cause of malware infections, regardless of any software platform.
Only download WordPress software from reputable sources (WordPress.org), or developers.
Only use plugins and themes that are being actively developed and have good, trusted reviews. If a plugin has not been updated in over a year look for an alternative. Do your homework!
Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using. Sucuri.net is a good place to go.
Do not simply disable unused plugins and themes, remove any software that you’re not actively using. Just because it’s not active doesn’t mean it’s not vulnerable
(List originally appeared in: http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html)
WORDPRESS SPECIFIC SOFTWARE
More security software is emerging to monitor websites for vulnerabilities and some good WordPress plugins have now been introduced to help you maintain your site.
Sucuri WordPress Check
While this is not a plugin here is a script that was created to enable you to check for some WordPress issues. Read about some WordPress security issues and review and download the script here. This is a bit complicated to install and run, but provides a good deal of information.
WebsiteDefender WordPress Security
WebsiteDefender WordPress Security is put out by WebsiteDefender.com. There are a number of WordPress specific plugins maintained by this company, but this one has a very nice “agent” that you can install and have communicate with the WebsiteDefender.com security server for automated scans of vulnerabilities. This plugin provides a very nice visual interface and has easy to follow instructions on securing your site.
I also install two additional plugins that add a few more features; WP Security Scan and Secure WordPress.
FILESYSTEM LEVEL PRECAUTIONS
On most hosting systems, the display_errors PHP configuration directive is enabled. This means that untrusted sources can see detailed web application environment error messages which might include sensitive information (file paths, database names, SQL fragments) that can be used to create an attack. Hiding this information gives attackers fewer avenues to use.
You can disable display_errors through your php.ini file or in an .htaccess file (in Apache web server environments).
Add these variables to any of these files. For best security use the php.ini file, but you may not have access to that file in a shared hosting environment (in Dreamhost shared accounts you have to go through some shenanigans to create your own php.ini file that you can edit, see Dreamhost note below). If you do not have access to a php.ini file then try adding the lines below to the .htaccess file in the root of your site. Don’t have a .htaccess file? Then make one (separate discussion there), or edit your wp-config.php file:
php.ini
display_errors = Off
log_errors = On
.htaccess
php_flag display_errors off
php_flag log_errors on
# php_flag is only understood when PHP runs as an Apache module (mod_php);
# under CGI/FastCGI Apache rejects it with a 500 error, so use php.ini or phprc there
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Set file permissions on .htaccess to 740 (rwxr-----).
wp-config.php
/** netCorps - Added to turn off php error reporting **/
/* Note: error_reporting(0) stops errors from being displayed AND from being logged */
error_reporting(0);
ini_set('display_errors', 'off');
Set file permissions on wp-config.php to 640 (rw-r-----). Other files too?
Dreamhost PHP Settings – Use a phprc file
The easiest setup to make is a phprc file that will be used by all the sites hosted under a user instead of a php.ini file. The advantage is anything set in both phprc and php.ini will use the phprc values, while everything else uses the values set in the system php.ini. It’s an easy way to change what you want and ignore the rest. You can use different phprcs for each domain, or use a phprc to test out new configurations.
Start by making the folders for the custom settings file. You can do this using the shell or an FTP program. In your user’s home directory /home/username/ make a new folder .php. This folder name starts with a ‘.’ or dot, and if you’re using an FTP program you may need to turn on “view hidden files and folders” to see it after you make it. Inside that make another folder 5.3. The shell command for all that is:
mkdir -p ~/.php/5.3
Inside all those folders, /home/username/.php/5.3/, make a new text file called phprc. Make sure that’s the exact name, with no file extension. This phprc file is where you will put all your custom PHP settings. Insert the following lines into your phprc file:
display_errors = Off
log_errors = On
You may also want to bump up the memory used by WordPress (especially for backup operations). Insert the following lines into your phprc file:
memory_limit = 128M
Make sure to have the spaces in there.
(For more see the Dreamhost Wiki on this subject)
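The following script is an added example and is not part of the original guide or Dreamhost's tooling: it writes the phprc file described in the steps above and then audits a WordPress root against the filesystem-level precautions (display_errors off, log_errors on, the recommended modes on wp-config.php and .htaccess). The home-directory and WordPress-root arguments are assumptions so it can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not part of the original guide: create the phprc file
# described above and audit a WordPress root for the settings and file
# modes the guide recommends. Directory arguments are hypothetical so
# the script can be pointed at a test tree instead of a real home dir.

# write_phprc HOME -> creates HOME/.php/5.3/phprc (the guide's path) with
# the recommended values, overwriting any existing phprc.
write_phprc() {
    dir="$1/.php/5.3"
    mkdir -p "$dir"
    cat > "$dir/phprc" <<'EOF'
display_errors = Off
log_errors = On
memory_limit = 128M
EOF
}

# ini_value FILE KEY -> prints KEY's value with quotes, spaces and trailing
# ";" or "#" comments stripped (last assignment wins, as in php.ini).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 \
        | sed 's/[;#].*$//' | tr -d "'\"[:space:]"
}

# audit_wp WPROOT PHPRC -> prints each failed check; returns 0 only if
# display_errors is off, log_errors is on, and wp-config.php / .htaccess
# carry the modes the guide recommends (640 and 740).
audit_wp() {
    root="$1"; phprc="$2"; rc=0
    de=$(ini_value "$phprc" display_errors | tr 'A-Z' 'a-z')
    le=$(ini_value "$phprc" log_errors | tr 'A-Z' 'a-z')
    case "$de" in off|0) ;; *) echo "FAIL: display_errors='$de'"; rc=1 ;; esac
    case "$le" in on|1) ;; *) echo "FAIL: log_errors='$le'"; rc=1 ;; esac
    for spec in wp-config.php:640 .htaccess:740; do
        f="$root/${spec%%:*}"; want="${spec##*:}"
        if [ ! -f "$f" ]; then echo "FAIL: $f missing"; rc=1; continue; fi
        # GNU stat first, BSD/macOS stat as fallback
        have=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        [ "$have" = "$want" ] || { echo "FAIL: $f mode $have, want $want"; rc=1; }
    done
    return $rc
}

# Usage: write_phprc "$HOME" && audit_wp /path/to/wordpress "$HOME/.php/5.3/phprc"
```

Run the audit again after every WordPress or plugin update, since some installers rewrite .htaccess and reset its mode.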