
Advanced WordPress Security Tips

by Dave Doolin on July 20, 2009 · 5 comments


Once you’ve been blogging a while, and your website has grown, your responsibilities start to grow. When you’re starting out, getting hacked isn’t that big of a deal: you don’t have much to lose. Once you have months or years worth of content, getting hacked turns into a Big Deal. Preventing malicious hackers from destroying your website requires understanding a bit about how WordPress works, and implementing a few more advanced security techniques.

[Updated: 1/15/2010, Bandit Defense screenshot.]

Understanding WordPress

WordPress is a little bit like an Automat diner

WordPress is not an especially complicated system to understand, provided you understand just a little bit about the underlying technology.

WordPress is a collection of PHP scripts that emit HTML web pages from content stored in a MySQL database. This sounds more complicated than it really is. You can think of the WordPress system as a sort of “automat” of information, allowing your readers to pick and choose articles according to taste and interest. The “food” is your posts and pages in the MySQL database (the kitchen), and PHP corresponds to the “doors” and serving apparatus.

Diners don’t have much need to know how the automat works… but the automat owner needs to know a little bit about how all the pieces fit together: how to grease the hinges, fix the locks, etc. And of course, the larger the automat and the more menu items, the more service required.

Similarly, as your WordPress-based website grows in breadth and depth, you should learn a little more about how it all works. Every capability you add to WordPress is a small increase in your security overhead.

Fortunately, WordPress is not a difficult system to understand, and because all the source code is free and open, anyone can learn it and use it.

Learning to recognize fishy PHP code is not difficult, nor is watching out for database exploits. Fortunately, there are also plugins to help you with many of these more advanced security tasks.

Setting up a security system

First, if you haven’t installed your basic security apparatus, you should do that right now. Here’s “More WordPress Simple Security: 5 Plugins to help you lock out unwanted visitors.”

Second, put security on your checklist of regular WordPress maintenance tasks.

Third, do all the little things that may or may not help, but certainly don’t hurt. For example, here are some great tips from Lost In Search:

  1. Remove WordPress version information.
  2. Lock down plugin directory listings using dummy index.html files or the .htaccess Apache directive Options -Indexes.
  3. Add security keys to wp-config.
  4. Turn off remote publishing if you aren’t using it.

You should read the article for yourself and implement these and the other suggestions.
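As an added example (not code from the original article or from Lost In Search), here is a small Python audit that checks two of those items on a WordPress tree: whether wp-config.php defines real security keys rather than the stock placeholder text, and whether the plugins and themes directories are protected against directory listing by an index file or an Options -Indexes directive. It assumes the four 2.8-era key names; the version-tag and remote-publishing items need a live site and are left to the linked article.

```python
import os
import re
import sys

# The four secret keys a WordPress 2.8-era wp-config.php defines (assumption: later versions add salts as well).
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
STOCK_PLACEHOLDER = "put your unique phrase here"

def missing_security_keys(wp_config_text):
    """Return the key names that are undefined, empty, or still carry the stock placeholder text."""
    problems = []
    for name in REQUIRED_KEYS:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"](.*?)['\"]\s*\)" % name, wp_config_text)
        if m is None or not m.group(1).strip() or STOCK_PLACEHOLDER in m.group(1):
            problems.append(name)
    return problems

def listing_disabled(htaccess_text):
    """True when an uncommented Options line turns directory indexes off (Options -Indexes)."""
    return re.search(r"^\s*Options\b[^\n#]*-Indexes", htaccess_text, re.M | re.I) is not None

def read_text(path):
    """Contents of a file, or an empty string when it does not exist."""
    if not os.path.isfile(path):
        return ""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def audit_install(root):
    """Check a WordPress tree on disk; returns human-readable findings (an empty list means all clear)."""
    findings = []
    config = read_text(os.path.join(root, "wp-config.php"))
    if not config:
        findings.append("wp-config.php not found under %s" % root)
    for name in missing_security_keys(config) if config else []:
        findings.append("%s is missing or still the placeholder in wp-config.php" % name)
    # A root .htaccess with Options -Indexes covers every subdirectory; a per-directory one or an index file also works.
    root_locked = listing_disabled(read_text(os.path.join(root, ".htaccess")))
    for sub in ("wp-content/plugins", "wp-content/themes"):
        directory = os.path.join(root, sub)
        has_index = any(os.path.isfile(os.path.join(directory, f)) for f in ("index.html", "index.php"))
        locked = root_locked or listing_disabled(read_text(os.path.join(directory, ".htaccess")))
        if not (has_index or locked):
            findings.append("%s: directory listing not blocked (no index file, no Options -Indexes)" % sub)
    return findings

if __name__ == "__main__":
    for line in audit_install(sys.argv[1] if len(sys.argv) > 1 else ".") or ["No problems found."]:
        print(line)
```

Run it with the path to your WordPress root; each finding names the file or directory to fix.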

Next, read the rest of this article…

Vetting themes and plugins

Themes and plugins are great places to hide malicious code!

Here’s the easiest way to minimize risk of malicious code in WordPress themes and plugins: delete every theme and plugin you are not actively using on your blog.

Other actions you can take to increase WordPress security:

  1. Test all new themes and plugins in a sandbox installation first, before deploying to a production server. This can be a dummy blog on your hosting account, or a localhost installation. Watch for bogus network traffic. On Windows, I like to use the Fiddler HTTP debugging program, which shows me all the network traffic to and from my computer.
  2. Use plugins and themes from reputable developers. Being hosted at WordPress.org is not enough. Read the comments and reviews on each plugin and theme before activating. For more information read “WordPress Plugins — How to choose plugins you need, and plugins to avoid.” Many of these considerations for choosing plugins also apply to choosing themes (watch for an upcoming article).
  3. Read the source code for each theme and plugin you choose to install. Really. If you have technical inclination at all, it’s not that difficult. You don’t need to understand every line, but with a surprisingly modest amount of work, as explained below, you can easily sniff out fishy code for more thorough investigation.

When you develop enough traffic to outsource more of the maintenance work, ensure that whoever you hire has the skills to audit your theme and plugin source.

Digging really deep!

For advanced readers with a little time to dig, investigate these techniques.

How to spot malicious code in WordPress

As noted above, malicious code can be inserted into both WordPress themes and plugins.

Here’s a great article on tracking down malicious code in WordPress on a Linux box. Most of this can be done on a Windows PC as well, provided you have Cygwin installed.

The upshot: look for base64 encoding in any theme or plugin you download!
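As an added example (not code from the article linked above), here is a Python scanner that walks a theme or plugin directory and flags the constructs obfuscated payloads rely on: base64_decode(), eval(), the gzinflate()/str_rot13() decoders usually chained with them, preg_replace() with the /e modifier, and long base64-looking string literals. SAMPLE_FOOTER is a constructed footer.php fragment; its base64 string decodes to a harmless sentence, not a real payload.

```python
import os
import re
import sys

# Heuristic patterns: each has legitimate uses, but together they are the classic hiding spots for injected code.
SUSPICIOUS = [
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode() call"),
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), "decoder often chained with base64"),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"), "preg_replace() with /e modifier"),
    (re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"), "long base64-looking string literal"),
]

def scan_php(text):
    """Return (line_number, reason, excerpt) for every suspicious line in a PHP source string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, reason, line.strip()[:80]))
    return hits

def scan_tree(root):
    """Walk a theme or plugin directory and scan every .php file; returns {path: hits}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample (not a real payload): the base64 text is the sentence
# "hello world this is a constructed string only for the example".
SAMPLE_FOOTER = """<?php
echo get_footer_text();
$s = 'aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHN0cmluZyBvbmx5IGZvciB0aGUgZXhhbXBsZQ==';
eval(base64_decode($s));
?>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in sorted(scan_tree(sys.argv[1]).items()):
            for lineno, reason, excerpt in hits:
                print("%s:%d: %s: %s" % (path, lineno, reason, excerpt))
    else:
        for lineno, reason, excerpt in scan_php(SAMPLE_FOOTER):
            print("sample footer.php:%d: %s: %s" % (lineno, reason, excerpt))
```

Every hit needs a human look: a plugin may legitimately decode base64 (image data, API responses), but eval() of a decoded string inside a theme footer is exactly the pattern the linked article teaches you to hunt.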

Scan your WordPress directories with Google

Here’s a little tip from Bandit Defense: Scan your WordPress installation directly, using Google. The proof is in the pudding as they say, and if Google can see it, Bad Guys can see it too.

Here’s an example: do a Google search using the following pattern, with your own URL in place of website-in-a-weekend.net:

site:website-in-a-weekend.net  intitle:"index of" inurl:"wp-content/plugins"

I left my URL in as an example because I know you’re going to look at my installation anyway!

Bandit Defense has a Part 2 article which is worth reading as well.

[Update: 1/15/2010: Bandit Defense is down! Hat tip Average Joe.]

Bandit Defense is down

Ah... er... Let's focus on the message, the messenger is AWOL.

Subscribe to WordPress related blogs

Many websites and blogs are dedicated to WordPress; here are a couple:

  1. The official WordPress.org blog reports on security issues as they arise. This blog is worth following to get general WordPress updates as well.
  2. The “security evangelists” at Blog Security are paying attention to WordPress security issues, so you should pay attention to them.

I went looking for dedicated WordPress security blogs on Google, didn’t find any… perhaps that’s an opportunity for a motivated reader!

Summary

Security is more properly viewed as a process, not a problem. Good security is a set of habits that let you build experience, which in turn increases your intuition when “something’s not right here.” Remember, the Bad Guys get a large charge out of compromising your web site. It’s what they live for! Good security is an arms race… you have to play whether you want to or not.


{ 3 comments }

Dr Wordpress! January 13, 2010 at 3:50 pm

Hey… I’m going back through a year of Website In A Weekend articles, updating and checking everything for inclusion in the Website In A Weekend eCourse.

If you find any errors or omissions, please leave a comment. I’ll get it handled.

Thanks – Dr W.

Average Joe January 14, 2010 at 10:10 am

Hi, Just saw this: “Scan your WordPress directories with Google. Here’s a little tip from Bandit Defense: Scan your WordPress installation directly, using Google. The proof is in the pudding as they say, and if Google can see it, Bad Guys can see it too.”

Went to the site and saw this message:

“huh…

the website is down.

don’t know why yet.

something to do with a recent wordpress upgrade?

I don’t have time to fix it before defcon,

so it will remain down for a bit.”

Now, I’m not sure if this is related, but it sure questions whether they know what they’re talking about!

Dr Wordpress! January 14, 2010 at 10:12 am

Man, the irony… I gotta put a little blurb in the article, maybe take a screen shot.

Thanks a bunch for pointing this out.
