Security is one of the major purposes behind custom software development, alongside functionality, performance, interoperability, and support. Our clients mostly shop for new functionality for their WordPress powered websites. While security isn’t typically much of a selling point, it should not be just an afterthought. Security as a concept is part of almost every piece of software in use. Security requires continual attention from all parties, and separates amateur from professional developers. Installing WordPress themes and Plugins from unknown developers opens up all sorts of security risks that every webmaster should be aware of.
When security problems arise, they tend to be major. So a little preparation can save a lot of fan cleaning! To use another cliché: Once bitten, twice shy. Security is a topic that evokes many stories and charged emotions. Everyone we know has had run-ins with security. For example, ourselves and a couple of our clients were hacked in the past by robots spidering for known vulnerabilities seeking to install malware.
What does the malware that typically affects websites do? It usually causes pop-ups containing scams or trojan horse software that seeks to charge you money, steal your contacts, steal your visitors’ information, or infect your personal computer. While these automated robots don’t usually cause irreparable damage to your website, they do rattle your nerves and waste a ton of your time doing clean-up work on your live website while your visitors and clients are looking at it. The vast majority of these security breaches are carried out by bots rather than “black hat” hackers, and they are intended to go undetected for maximum exposure.
Security entails many measures, both practical and impractical. As the WordPress.org post Hardening WordPress suggests, security balances with convenience. Security can never be guaranteed. The one guarantee we can give someone on this topic is that complacency will usually bite. Everyone needs to take continual action to protect themselves from the evolving threats, and to figure out how to economically protect their particular set of software packages.
We all know that a chain is only as strong as its weakest link. To be secure you must apply common sense and best practices for every one of your files on your hosting account. Continually improve upon measures, train your team on all the best practices, and stay very close to the IT professionals you know and trust. Know your hosting company as well as the developers of every piece of software you depend upon. Stay in tune with official and respected WordPress news sources. While WordPress’ popularity makes the platform lucrative to hackers, WordPress is also well monitored for security threats and gets patched quickly.
Here’s our list of WordPress security musts:
- Use only Plugins and themes from trustworthy authors. Plugins and themes have full access to your database and the files on your hosting account. That means they can open up security holes that can, for example, wipe your files and data, expose sensitive information about your users, or insert junk content into all sorts of files on your website. Security holes within Plugins and themes may be intentional or unintentional. The more popular Plugins and themes are targeted more by hackers due to their reach, so don’t mistake popularity for security.
- Always use a different password on each and every website you use. Keep your passwords on paper and in a safe, secure place. If passwords are on your computer, they can be read one way or another. Think of file sharing, screen sharing, snooping, etc. Secure your email password most of all. If somebody has your email password, they can reset any of your other passwords! Never store your passwords in your email account and permanently delete any emails containing passwords.
- Keep all software up to date. This includes WordPress core, themes, Plugins, your server software if you control any of it, and of course your personal computer software. Practically every minor “point” release fixes security issues.
- Know who to call when something goes wrong. By the time a security breach is detected it has usually completed its rogue tasks, and it’s time for you to begin cleanup. Contact your web host so their security team can get started checking the server log files and hopefully block future attacks of the same pattern. Roll back to a clean copy of your website files first, then the database if necessary, and always reset all suspect passwords immediately. When the cleanup is complete, always take the time to evaluate what went wrong.
- Keep at least daily backups on one or more services. Most web hosts nowadays offer automatic backups for website files and databases, sometimes even stored in offsite bins with long-term storage going back many months. If your host doesn’t offer automatic backups, consider finding one that does and/or paying for a backup service such as VaultPress by the good folks at AUTOMATTIC. Having a backup system that isn’t ready for a quick restore procedure means more time spent connecting systems or manually transferring files when time really matters.
- Enable SSL (https://) for the ‘wp-admin’ folder and login page. Enabling this ensures that your WordPress password can’t be sniffed by others on the local network you are using, such as a hotel or coffee shop WiFi connection. The lines to add to your wp-config.php file to enable SSL are
define('FORCE_SSL_LOGIN', true);
and
define('FORCE_SSL_ADMIN', true);
Some shared hosts offer shared SSL certificates for free, or you can purchase a certificate for your subdomain. On a related note, if you use FTP be sure to use SFTP (file transfer over SSH) or FTPS (FTP over TLS) instead of plain FTP.
- Report all issues you find to the vendor. Good software vendors take security reports very seriously. Just because you have found something doesn’t mean they already know about it, or that they shouldn’t hear that it affected you. You might have uncovered a recent bug and you might just save the day by helping to get it patched before it affects other users. Popular websites generally catch vulnerabilities more quickly because their URLs are better traveled.
- Use different hosting accounts for each website. Never run more than one website on a single web hosting account unless you completely trust every user of every website on that account. When websites are served from the same hosting account, the server does not isolate (“jail”) your own websites from one another. Even if separate FTP accounts are used, web scripts can reach across folders unless the operating system jails each website, as hosts commonly do between different hosting accounts.
- A WordPress multi-site architecture may be an unnecessary risk unless you really know what you are doing, you have a major purpose for using this feature, and/or you trust every user privilege that could spread across all websites on the network should any security hole exist.
The following modifications are NOT generally recommended, because they can seriously break front-end and back-end functionality. Nonetheless, they are commonly discussed within the development community as security-through-obscurity measures.
- Change the wp-admin and ‘wp-includes’ folder names.
- Install an .htaccess directory security for the ‘wp-admin’ folder.
- Change your database table prefix from ‘wp_’ to something else.
- Set all file permissions to 644 (owner read/write, everyone else read-only). This may not be possible on shared hosts.
- Enable ‘WP_HTTP_BLOCK_EXTERNAL’ in the wp-config file to prevent outbound HTTP requests.
And finally, points for other plugin developers or those who are evaluating plugin code. Most of these points are from the book Professional WordPress Plugin Development:
- Ensure legitimate users cannot produce unexpected behavior anywhere, such as browser refresh form resubmissions.
- Use current_user_can('capability') to check that the logged-in user has the permission required for each task.
- Use nonces (one-time action tokens) to prevent Cross-Site Request Forgery (CSRF), where hidden malicious logic is unknowingly executed by the user with their session credentials.
- Validate data entered by ensuring it meets the intended format (number, alphanumeric, size, content type, etc.).
- Sanitize data that is to be output into any input form field, web page, file or the database. Functions include PHP’s intval(), ctype_*(), preg_match(), array_map(), and WordPress’ absint(), sanitize_*(), wp_strip_all_tags(), is_email(), force_balance_tags(), wp_kses(), esc_*(). An asterisk (*) denotes that multiple functions exist.
- When doing redirects, use wp_redirect() to sanitize the URL before redirecting.
- Use $wpdb database object methods for all database reads and writes.
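As an added example (not code from the original post or the book), here is a hypothetical plugin form handler that applies these points together; the plugin name example_contacts, its database table and the manage_options capability are assumptions:

```php
<?php
// Added example, not from the original post: a minimal admin form handler that
// applies the plugin-security points above. "example_contacts" is a hypothetical
// plugin; it assumes a table {$wpdb->prefix}example_contacts with columns name, email, age.

// Renders the form. wp_nonce_field() emits the one-time token that the handler verifies.
function example_contacts_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_contacts_add', 'example_contacts_nonce' );
    echo '<input type="hidden" name="action" value="example_contacts_add">';
    echo '<input name="name"> <input name="email"> <input name="age" type="number">';
    echo '<button type="submit">Add</button></form>';
}

// Handles the POST to admin-post.php?action=example_contacts_add.
function example_contacts_handle() {
    global $wpdb;
    // 1. Capability check: may this logged-in user perform this task at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: dies unless the nonce is present, unexpired and tied to this user.
    check_admin_referer( 'example_contacts_add', 'example_contacts_nonce' );

    // 3. Validate and sanitize each field against its intended format.
    $name  = isset( $_POST['name'] )  ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $age   = isset( $_POST['age'] )   ? absint( $_POST['age'] ) : 0;
    if ( '' === $name || ! is_email( $email ) || $age < 1 || $age > 150 ) {
        wp_die( 'Invalid input.', '', array( 'response' => 400 ) );
    }

    // 4. Database write through $wpdb with a prepared statement, never string concatenation.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}example_contacts (name, email, age) VALUES (%s, %s, %d)",
        $name, $email, $age
    ) );

    // 5. Post/Redirect/Get: a browser refresh now repeats a harmless GET, not the POST.
    //    wp_safe_redirect() is the variant of wp_redirect() that only allows local hosts.
    wp_safe_redirect( admin_url( 'admin.php?page=example_contacts&added=1' ) );
    exit;
}
add_action( 'admin_post_example_contacts_add', 'example_contacts_handle' );
```

Each numbered step maps to one bullet above; removing any one of them (the capability check, the nonce, the validation, the prepared statement, or the redirect) reopens the corresponding class of bug.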
Thank you for taking the time to read this post. Note that we really appreciate feedback about what we’ve written as well as what topics you’d like us to discuss in future posts so please do let us know.