
Advanced WordPress Security Tips

(Reading time: 6 – 9 minutes)

Once you’ve been blogging a while, and your website has grown, your responsibilities start to grow. When you’re starting out, getting hacked isn’t that big of a deal: you don’t have much to lose. Once you have months or years worth of content, getting hacked turns into a Big Deal. Preventing malicious hackers from destroying your website requires understanding a bit about how WordPress works, and implementing a few more advanced security techniques.

[Updated: 1/15/2010, Bandit Defense screenshot.]

Understanding WordPress

WordPress is a little bit like an Automat diner

WordPress is not an especially complicated system to understand, provided you understand just a little bit about the underlying technology.

WordPress is a collection of PHP scripts that build HTML web pages on demand from content stored in a MySQL database. This sounds more complicated than it really is. You can think of the WordPress system as a sort of “automat” of information, allowing your readers to pick and choose articles according to taste and interest. The “food” is your posts and pages in the MySQL database (the kitchen), and PHP corresponds to the “doors” and serving apparatus.

Diners don’t have much need to know how the automat works… but the automat owner needs to know a little bit about how all the pieces fit together: how to grease the hinges, fix the locks, etc. And of course, the larger the automat and the more menu items, the more service required.

Similarly, as your WordPress-based website grows in breadth and depth, you should learn a little more about how it all works. Every capability you add to WordPress is a small increase in your security overhead.

Fortunately, WordPress is not a difficult system to understand, and since all the source code is free and open, anyone can learn it and use it.

Learning to recognize fishy PHP code is not difficult, nor is watching out for database exploits. Fortunately, there are also plugins to help you with many of these more advanced security tasks.

Setting up a security system

First, if you haven’t installed your basic security apparatus, you should do that right now. Here’s “More WordPress Simple Security: 5 Plugins to help you lock out unwanted visitors.”

Second, put security on your checklist of regular WordPress maintenance tasks.

Third, do all the little things that may or may not help, but certainly don’t hurt. For example, here are some great tips from Lost In Search:

  1. Remove WordPress version information (the generator meta tag WordPress adds to every page), so automated scanners can’t match your version against a list of known-vulnerable releases.
  2. Lock down plugin directory listings using dummy index.html files or the .htaccess Apache directive Options -Indexes.
  3. Add security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY) to wp-config.php; the sample config ships them as the placeholder “put your unique phrase here”.
  4. Turn off remote publishing (XML-RPC and Atom Publishing Protocol, under Settings > Writing) if you aren’t using it.

You should read the article for yourself and implement these and the other suggestions.

Next, read the rest of this article…

Vetting themes and plugins

Themes and plugins are great places to hide malicious code!

Here’s the easiest way to minimize risk of malicious code in WordPress themes and plugins: delete every theme and plugin you are not actively using on your blog.

Other actions you can take to increase WordPress security:

  1. Test all new themes and plugins in a sandbox installation first, before deploying to a production server. This can be a dummy blog on your hosting account, or a localhost installation. Watch for bogus network traffic: a theme or plugin has no business phoning home to a server you don’t recognize. On Windows, I like to use the Fiddler HTTP debugging proxy, which shows me all the HTTP traffic to and from my computer.
  2. Use plugins and themes from reputable developers. Being hosted at WordPress.org is not enough. Read the comments and reviews on each plugin and theme before activating. For more information read “WordPress Plugins — How to choose plugins you need, and plugins to avoid.” Many of these considerations for choosing plugins also apply to choosing themes (watch for an upcoming article).
  3. Read the source code for each theme and plugin you choose to install. Really. If you have technical inclination at all, it’s not that difficult. You don’t need to understand every line, but with a surprisingly modest amount of work, as explained below, you can easily sniff out fishy code for more thorough investigation.

When you develop enough traffic to outsource more of the maintenance work, ensure that whoever you hire has the skills to audit your theme and plugin source.

Digging really deep!

For advanced readers with a little time to dig, investigate these techniques.

How to spot malicious code in WordPress

As noted above, malicious code can be inserted into both WordPress themes and plugins.

Here’s a great article on tracking down malicious code in WordPress on a Linux box. Most of this can be done on a Windows PC as well, provided you have Cygwin installed.

The upshot: look for base64_decode(), eval() and long base64-encoded strings in any theme or plugin you download! There are legitimate uses for base64 (embedded images, for instance), so a hit is a reason to read the surrounding code closely, not proof of malice by itself.
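As an added example (not the linked article’s code), here is a Python scanner that implements the “look for base64” advice: it flags base64_decode(), eval(), the gzinflate/gzuncompress/str_rot13 family, preg_replace with the /e modifier, very long base64 literals and variable-function calls like $f($x), and weights eval combined with a decoder as the classic obfuscated-payload shape. The pattern list and scoring are my own choices, and the two PHP snippets are constructed for the example, not real plugin code.

```python
import os
import re

# Patterns commonly seen in obfuscated PHP backdoors. Illustrative, not exhaustive;
# every hit needs a human read before it is called malicious.
SUSPICIOUS_PATTERNS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "gzinflate/str_rot13": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/=]{100,}['\"]"),
    "dynamic function call": re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$"),  # $f($x)
}


def scan_php(source):
    """Return a list of (line_no, label, excerpt) for every suspicious line."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for label, pat in SUSPICIOUS_PATTERNS.items():
            if pat.search(line):
                hits.append((n, label, line.strip()[:80]))
    return hits


def risk_score(hits):
    """One point per hit; eval plus a decoder in the same file is the shape of an
    obfuscated payload, so it gets a large bonus (assumed weighting)."""
    labels = {h[1] for h in hits}
    score = len(hits)
    if "eval" in labels and ("base64_decode" in labels or "gzinflate/str_rot13" in labels):
        score += 10
    return score


def scan_directory(root):
    """Walk a theme or plugin directory and scan every .php file; returns {path: hits}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed samples (not real plugins).
BENIGN = """<?php
/* Plugin Name: Hello Example */
function hello_example() { echo esc_html('Hello'); }
add_action('wp_footer', 'hello_example');
"""

SUSPICIOUS = """<?php
/* Plugin Name: Totally Legit SEO */
$k = "aGVsbG8gd29ybGQ=";
eval(base64_decode($k));
$f = 'str_rot13'; echo $f($k);
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = scan_php(src)
        print(label, "score", risk_score(hits))
        for n, kind, excerpt in hits:
            print("  line %d: %s: %s" % (n, kind, excerpt))
```

Run scan_directory() against wp-content/plugins/ and wp-content/themes/ and read anything it reports; a score in the teens means a decoder feeding eval, which in a theme or plugin is almost never innocent.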

Scan your WordPress directories with Google

Here’s a little tip from Bandit Defense: Scan your WordPress installation directly, using Google. The proof is in the pudding as they say, and if Google can see it, Bad Guys can see it too.

Here’s an example. Do a Google search with your own domain in place of website-in-a-weekend.net, using the following pattern:

site:website-in-a-weekend.net  intitle:"index of" inurl:"wp-content/plugins"

I left my URL in as an example because I know you’re going to look at my installation anyway!

Bandit Defense has a Part 2 article which is worth reading as well.

[Update: 1/15/2010: Bandit Defense is down! Hat tip Average Joe.]

Bandit Defense is down

Ah... er... Let's focus on the message, the messenger is AWOL.

Subscribe to WordPress related blogs

Many websites and blogs are dedicated to WordPress; here are a couple:

  1. The official WordPress.org blog reports on security issues as they arise. This blog is worth following to get general WordPress updates as well.
  2. The “security evangelists” at Blog Security are paying attention to WordPress security issues, so you should pay attention to them.

I went looking for dedicated WordPress security blogs on Google, didn’t find any… perhaps that’s an opportunity for a motivated reader!

Summary

Security is more properly viewed as a process, not a problem. Good security is a set of habits that let you build experience, which in turn increases your intuition when “something’s not right here.” Remember, the Bad Guys get a large charge out of compromising your web site. It’s what they live for! Good security is an arms race… you have to play whether you want to or not.

More WordPress Simple Security: 5 Plugins to help you lock out unwanted visitors

(Reading time: 7 – 12 minutes)

Do a quick search on “WordPress Security Plugins” and you are going to get a boatload of results, most of which aren’t going to tell you too much more than what you can read in the plugin’s documentation. Seriously, check this out: 57 security wordpress plugins. WTF? Seriously, go check that out. If it serves your needs, cool. If not, come back and we’ll dig into what, where, how, why and all that other happy horsepuckey you really need to learn at some point.

Some are complicated. Some make you jump through hoops as well. What we’re really looking for is plugins that are simple to use and understand, yet powerful enough to catch our blunders and any script kiddies who come knocking.


By the way, if you don’t already know, anyone that wants into your blog bad enough, will probably find a way in. We can’t do anything about people like that. But they’re few and far between unless you’re in the easy/fast money businesses of sex/drugs/gambling. You know, easy money stuff the state wants to tax. But you’re not… so no worries.

I’m going to take a slightly different stance here and expose myself… ah… I mean, I’m going to list and discuss only the plugins I find useful here on Website In A Weekend… which means if any of these plugins have a security flaw, Website In A Weekend goes up in smoke! Anything for my readers!

Let’s get started.

WP Security Scan

Michael Torbert’s WP Security Scan is absolutely the first security plugin you should install. Go install it right now in fact. I’ll wait.

Here’s how WP Security Scan helps protect your blog:

  1. Warns when you are using the default WordPress database table prefix (wp_). Changing the prefix does not fix a SQL injection bug in a plugin, but it does break the canned injection payloads and scripts that assume tables named wp_users and wp_options, so it raises the bar for automated attacks. Even if you don’t change the prefix on your current blog, you will be sure to specify a custom prefix on your next WordPress installation.
  2. Flags incorrect and dangerous file system permissions. Once you fix your permissions, the plugin lists the corrected permissions as well.
  3. Provides a way to evaluate your password strength, and suggests very strong passwords if your imagination for random letters, numbers and punctuation runs dry.
  4. Checks for appropriate .htaccess files where you need them. This is big deal, which is little discussed.

Every item in the list above is very simple. There is no reason NOT to get WP Security Scan installed immediately.

BlueTrait Event Viewer

The BlueTrait Event Viewer (BTEV) implements custom logging and e-mail notification functions to keep track of what’s happening at a lower level on your WordPress blog. BTEV is slightly more complex than the other plugins discussed here, so you may want to install it after you master the others first.

BTEV is really useful when you need to find out the following:

  1. Who registered, from where, and when. If you’re getting a lot of bogus registrations, this will help.
  2. Who is currently logged in, useful for checking for malicious users.
  3. If you write plugins, there is an advanced feature that logs PHP events. This is fantastic, so much easier than dealing with server logs.

BTEV works by hooking all of the following WordPress actions: password_reset, delete_user, wp_login, lostpassword_post, profile_update, add_attachment, wp_logout, user_register, switch_theme, and activation/deactivation of other plugins.

Saving the best for last: BTEV provides an RSS feed… subscribe to your event feed, and you’ll be on top of breaking security issues immediately. RSS feeds are critically important when you’re operating more than one WordPress installation.

Login LockDown

Login LockDown rains contempt on spammers

Have you ever tried to log into a website where you had forgotten perhaps your username, or your password, or both?

Then been locked out for “Too many retries.”

That’s the kind of pain and suffering you want to visit on spammers, and other jerks who rob your bandwidth with stupid linkbaiting schemes offering… well… I won’t dignify what they purport to offer by putting it into words. Let’s just say, when your clickthrough rates are less than 1/100,000… you have to resort to massive spam.

The WordPress Login LockDown plugin from Bad Neighborhood SEO helps rain contempt on spammers and scammers by preventing them from using brute force attacks to compromise your login security. Actually, they can still brute force attack you, but they get three tries (you set this number) before you send them off for an hour to cool their jets. The lockout is keyed by the source IP address, so an attacker rotating through many addresses still gets a few tries from each one: the plugin slows brute forcing down, it doesn’t replace a strong password.

Install Login Lockdown to escalate your security quickly and easily. It’s super simple to set up and operate. Just using the default parameters should be enough for most people.
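Here is an added Python model (not Login LockDown’s own code) of the mechanism the plugin implements: count failed logins per source IP, and once the configured number of failures lands inside a short window, refuse every further attempt from that address for an hour, including attempts with the right password, so the lockout leaks nothing about which guess was correct. The three-try limit and one-hour lockout mirror the description above; the five-minute window and the injectable clock (there only so the example can be tested without waiting an hour) are my assumptions.

```python
import time
from collections import defaultdict


class LoginLockdown:
    """Per-IP failed-login counter. After `max_attempts` failures inside `window`
    seconds the address is locked out for `lockout` seconds."""

    def __init__(self, max_attempts=3, window=300, lockout=3600, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock                  # injectable for testing (assumption)
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> unix time the lockout ends

    def is_locked(self, ip):
        now = self.clock()
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        self.locked_until.pop(ip, None)     # expired lockout: forget it
        return False

    def seconds_remaining(self, ip):
        if not self.is_locked(ip):
            return 0
        return int(self.locked_until[ip] - self.clock())

    def attempt(self, ip, password_ok):
        """Returns 'locked', 'ok' or 'failed'. While locked, the password is not
        even consulted, so a locked-out attacker learns nothing from the response."""
        now = self.clock()
        if self.is_locked(ip):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)     # success clears the counter
            return "ok"
        recent = [t for t in self.failures[ip] if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    ld = LoginLockdown()
    for guess in ("password", "letmein", "admin123"):
        print(ld.attempt("198.51.100.7", password_ok=False))   # failed, failed, locked
    print(ld.seconds_remaining("198.51.100.7"))                # about 3600
```

Two caveats carry over to the real plugin: readers behind one NAT share an address, so a co-worker’s typos can lock you out too, and the counter lives in memory here, whereas the plugin stores it in the database so it survives a PHP restart.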

SI Captcha

SI Captcha even looks good!

Those little boxes where you type in numbers or letters which are twisted or distorted are called “captcha” boxes. The letters and numbers used to be very easy to read… it turns out that image analysis algorithms can figure out plain old text really fast. Naturally, spammers and scammers are always up on the latest techniques.

But captcha is a proven technology. Users don’t mind it too much, provided the letters and numbers are easy enough to read.

And SI Captcha really nails it. Check out the screen shot. This captcha box even looks good!

Installation is simple. Operation is simple: choose whether you want captcha shown on comments, or on registration, or both. That’s about it. This captcha plugin plays well with AWeber Super Simple too, so you can ask people to sign up for your AWeber newsletter at the same time they register.

[Updated 1/17/2009] links:

Redirection and Drain Hole

Redirection and Drain Hole are incredibly useful plugins, and very powerful as well. This review is going to focus on just a couple of the capabilities of each.

Drain Hole allows you to set up your download archive outside your web directory (the document root). This means that you can provide files, movies, images, whatever you want, from a location that has no URL of its own… which means it’s not directly accessible by casual web surfers, and there is no path for anyone to guess. Once you set up a “drain hole,” you provide a link people must use to access the files, and you can monitor the traffic. Using Drain Hole is an excellent “next step” in securing your content. Read more about setting up your first Drain Hole for securing downloadable content.

Redirection is so powerful, it would require a 5000 word article to fully explain how to use all the capabilities. The compelling security reason you need Redirection is for monitoring your HTTP 404 Error logs. The HTTP 404 Error means the web server could not find the page asked for by the browser, so it returns error code 404, and possibly an explanatory web page to help the reader. Here’s a screenshot showing some of the features of Redirection:

Redirection has powerful HTTP 404 Error monitoring

The default installation of Redirection provides specific 404-related features that benefit you:

  1. You can easily ban spammers because each 404 error is logged with the page/URL requested, the domain name and the IP address.
  2. Redirection’s RSS feed for the 404 module allows you to monitor several different blogs from the convenience of a single RSS reader, which saves you massive amounts of time.
  3. You’re alerted to bad plugins because you can see, by name, which plugins attackers are probing for: a run of 404s under wp-content/plugins/some-plugin/ usually means a scanner is checking whether you run a plugin with a known hole. For example, Website In A Weekend periodically gets a string of requests for the “Wordspew” plugin. Doing a search for the Wordspew plugin led to information warning about security risks.
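As an added example (not Redirection’s code), here is a Python script that does what item 3 describes offline: parse web-server access-log lines in the common “combined” format, keep the 404s under wp-content/plugins/, and tally which plugin slugs are being probed and from which addresses, so you can pick ban candidates. The log lines are constructed for the example (the Wordspew file names are invented), and the ban threshold is my assumption.

```python
import re
from collections import Counter

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?]+)")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def plugin_probes(lines):
    """Return ({plugin_slug: count}, {ip: count}) for 404s under wp-content/plugins/."""
    by_plugin, by_ip = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["status"] != "404":
            continue
        m = PLUGIN_RE.search(rec["path"])
        if m:
            by_plugin[m.group(1)] += 1
            by_ip[rec["ip"]] += 1
    return by_plugin, by_ip


def ban_candidates(by_ip, threshold=3):
    """Addresses that probed for `threshold` or more missing plugins (threshold is an assumption)."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


# Constructed log lines: two scanners probing for plugins this site doesn't have,
# and one ordinary reader.  Addresses are from the documentation ranges.
SAMPLE_LOG = """\
198.51.100.23 - - [15/Jan/2010:10:01:02 -0500] "GET /wp-content/plugins/wordspew/wordspew-rss.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Jan/2010:10:01:03 -0500] "GET /wp-content/plugins/wordspew/js/wordspew.js HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Jan/2010:10:01:04 -0500] "GET /wp-content/plugins/wp-forum/feed.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Jan/2010:10:05:00 -0500] "GET /2010/01/advanced-wordpress-security-tips/ HTTP/1.1" 200 15342 "http://www.google.com/" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2010:10:05:01 -0500] "GET /wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
192.0.2.77 - - [15/Jan/2010:11:30:00 -0500] "GET /wp-content/plugins/wordspew/wordspew-rss.php HTTP/1.1" 404 312 "-" "libwww-perl/5.8"
192.0.2.77 - - [15/Jan/2010:11:30:01 -0500] "GET /old-page/ HTTP/1.1" 404 312 "-" "libwww-perl/5.8"
"""

if __name__ == "__main__":
    by_plugin, by_ip = plugin_probes(SAMPLE_LOG.splitlines())
    print("probed plugins:", dict(by_plugin))     # {'wordspew': 3, 'wp-forum': 1}
    print("probing addresses:", dict(by_ip))      # {'198.51.100.23': 3, '192.0.2.77': 1}
    print("ban candidates:", ban_candidates(by_ip))
```

The slug counts are the useful signal: a plugin name that shows up repeatedly in 404s across several addresses is one to look up, exactly as the author did with Wordspew, and to make sure you don’t have an old copy of sitting in wp-content/plugins/.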

Redirection has more powerful features, many of which will be discussed in future articles. Make sure to subscribe so you won’t miss any information.

A message from our “Sponsor”

Long time Website In A Weekend readers know I rarely miss a chance to flog my current musical obsession or marketing book-du-jour… so you’re not done yet!

Check this out: for about a $1.35 (what it cost me), you can get a good condition, used copy of Benjamin Suarez’s 7 Steps to Freedom II: How to Escape the American Rat Race

This book is worth far, far more than $1.35.

Put Suarez’s advice to work, it will save you time and make you money. But the key is work…

What he does is lay out the entire business operation for producing and distributing consumer products marketing by direct mail. He lays out every single procedure. All 70 procedures. It’s work.

But here’s the cool thing: you don’t have to be a direct mail marketer to benefit from this book! The principles of product selection, consumer testing, advertising, all of it translates right straight to the internet. If you wondered where all these internet “Big Boys” learned their chops, big hunks of it are right out of this book. Get your “7 Steps to Freedom” now! (For $1.35.)