4 Simple Ways to Secure (and Maintain) Your WordPress Website

With the wind in my face and long stretches of open road before me, life is very good when I’m on my Harley.

I ride a lot, and as freeing as it can be, a good rider is always keenly aware of the high risks of being on a motorcycle. A good rider plans — as much as he or she can — for all kinds of contingencies.

The key to being a safe rider is the acceptance of risk.

I have to consider a lot of variables, but ultimately I’ve decided that I want to ride, and I’ve accepted that there will always be a certain level of risk to that activity.

Running a website is not unlike motorcycle riding when it comes to risk acceptance and overall risk management.

A Responsibility to Your Audience

Though WordPress allows a site creator to go a step above what most website software offers regarding security, it is still Internet-based software, and there are inherent risks for you, your data, and your users.

The security of visitors on your site should be a priority, ensuring their visit is free from harmful content. Your website does you no good if it’s harming visitors, or your reputation.

Just like hopping on a bike, you need to be taking a strategic approach to WordPress risk management.

Here are four simple risk reduction approaches you should consider and implement …

1. Clean Your Garage

The paint on a Harley-Davidson is engineered to last 50 plus years — even in extreme heat or cold.

It isn’t designed to withstand that ladder currently leaning up against your garage wall falling on it. Before I brought my precious bike home, I decided to pick up a few things and create a proper parking spot.

We’re extremely fortunate as WordPress users. The WordPress core team does a great job of cleaning up and optimizing the WordPress core on an ongoing basis.

They are committed to the identification and patching of security vulnerabilities. Anytime you see a minor release (3.2.x), it’s for bug fixes and security patches.

Here are a few things to consider with each WordPress update:

Update your core: The most important advice I can give anyone who manages websites is to ensure they are updating their software. When you’re done updating, check everything again, and update some more!

One of the biggest contributors to malware attacks is running outdated software. In fact, it accounts for more than 70% of all the cases we see at Sucuri. This includes various web based software titles, not just WordPress. There are various ways to accomplish this, and it usually takes mere minutes to update the WordPress core.

Have you tried the automatic update feature in WordPress? It works great, and is conveniently located within your WordPress admin panel.

Update themes and plugins: Everything is working just fine, so why should I touch plugins? For the same reason you’d update any other software, and even more so with themes and plugins, because they don’t necessarily go through the same vetting and testing as WordPress core (unless you’re using StudioPress themes and plugins).

Remove disabled plugins and inactive themes: In August of 2011, there was a public disclosure that the popular TimThumb script included in popular WordPress plugins and themes was vulnerable. Within days we were seeing attackers exploiting the vulnerability with everything from SEO spam to website redirects to infecting every single PHP file on the server with nonsense characters.

As we started to see more and more of these cases, we came to realize that most site owners didn’t even realize the script (and the resulting malware) was on their server. In other cases, site owners were disabling the vulnerable plugin or theme but were leaving it on the server. This vulnerability didn’t mind that the theme or plugin wasn’t enabled in WordPress. Attackers started scanning sites looking for TimThumb, and when they found it, they would arbitrarily execute PHP on the server. When a plugin or theme is inactive, WordPress does not load it.

However, it is still accessible and executable on the web server. This is one of the most overlooked vulnerabilities on a WordPress install and one of the first avenues hackers cruise when looking for ways to exploit a site. If you aren’t using the plugin or theme, remove it from your site! That goes for all software, really: if you’re not using it, remove it from the server. There is no sense in storing it there if it’s not being leveraged.

There’s nothing worse than leaving it there, forgetting about it, then getting infected through something that you don’t even need. In the end, by removing all unneeded software, files, and data from your server, you’re reducing your risk of future vulnerabilities being exploited, and it’s less you have to update or maintain.

Update your server: If you’re being held accountable, your web host should be as well. Are they keeping the server software updated? Are you running the latest web server software? If you’re not sure, ask them! If that doesn’t net the results you’re looking for, you can scan your site at Sucuri and it will tell you.
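The two checks above (TimThumb copies anywhere under wp-content, active theme or not, and plugin or theme directories on disk that WordPress is not loading) as an added example; this is written here and is not part of the original post or of Sucuri’s tooling. It assumes the TimThumb file declares its version with define('VERSION', ...) as the 2.x releases do, takes the active plugin and theme names as input rather than reading the WordPress database, and uses the vulnerable version range a commenter’s host quotes further down the page.

```python
"""Audit a WordPress wp-content tree for code the site is no longer using:
every timthumb.php / thumb.php on disk (active theme or not) with its version
and whether it falls in the vulnerable range, plus plugin and theme
directories that are not in the active set and so are removal candidates.
WordPress does not load those, but the web server still serves them."""
import os
import re
import tempfile

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# Range quoted by a commenter's host: above 1.09 and below 1.35 is vulnerable
# unless patched. Versions are compared as (major, minor) tuples, so "2.8.14"
# becomes (2, 8) and "1.32" becomes (1, 32).
VULN_LOW, VULN_HIGH = (1, 9), (1, 35)

# Assumption: the script declares its version as define('VERSION', '...'),
# as the 2.x releases of TimThumb do.
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"](\d+)\.(\d+)[\d.]*['\"]\s*\)"
)

def parse_version(source):
    """Return (major, minor) from a TimThumb source file, or None if absent."""
    match = VERSION_RE.search(source)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))

def is_vulnerable(version):
    return version is not None and VULN_LOW < version < VULN_HIGH

def find_timthumb(wp_content):
    """Every TimThumb copy under wp-content as (relative path, version, vulnerable)."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
            findings.append((rel, version, is_vulnerable(version)))
    return sorted(findings)

def unused_extensions(wp_content, active_plugins, active_themes):
    """Plugin and theme directories on disk that WordPress is not using."""
    unused = []
    for kind, active in (("plugins", active_plugins), ("themes", active_themes)):
        base = os.path.join(wp_content, kind)
        if not os.path.isdir(base):
            continue
        for entry in sorted(os.listdir(base)):
            if os.path.isdir(os.path.join(base, entry)) and entry not in active:
                unused.append(f"{kind}/{entry}")
    return unused

def audit(wp_content, active_plugins, active_themes):
    return {
        "timthumb": find_timthumb(wp_content),
        "unused": unused_extensions(wp_content, active_plugins, active_themes),
    }

def build_sample_tree():
    """Constructed sample wp-content tree (not a real site) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        "themes/active-theme/thumb.php": "<?php define ('VERSION', '2.8.14');\n",
        "themes/old-theme/timthumb.php": "<?php define ('VERSION', '1.32');\n",
        "plugins/gallery/lib/timthumb.php": "<?php define ('VERSION', '1.09');\n",
        "plugins/active-plugin/plugin.php": "<?php // no image resizer here\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    report = audit(build_sample_tree(), {"active-plugin"}, {"active-theme"})
    for rel, version, vulnerable in report["timthumb"]:
        print(f"{rel}: version {version} {'VULNERABLE' if vulnerable else 'ok'}")
    for entry in report["unused"]:
        print(f"inactive on disk, update or remove: {entry}")
```

On a real site, point audit() at the wp-content directory and pass the plugin and theme names the dashboard shows as active; anything reported is either outdated or serving no purpose and should be updated or deleted.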

2. Close Your Garage Door

As obvious as this may sound, one of the things I seriously considered when buying my bike was the state of my own home.

Where was I going to park my new ride? How would I ensure that it would be protected when I was away from it?

How does this apply to WordPress?

Making sure your local infrastructure is as safe as possible is the starting point for most everything you will do online.

Here are a few areas that will help reduce your risk from the beginning:

Keep your computer up-to-date: Ensure you’re patching or installing updates regularly. Automatic updates are good. Most OS vendors patch security issues often, so it’s important to stay updated.

Install an anti-virus solution: AV solutions don’t only protect you from computer viruses; they also help detect malicious software that may try to attack your web properties.

Software firewalls: Yes, they are still relevant.

Safe Browsing: Just because your website is a super ninja doesn’t mean others are too. Most desktop viruses and malware these days are passed via infected websites. If it doesn’t look right, it probably isn’t. If you’re a Firefox user, check out the NoScript extension. It allows you to manage the scripts being loaded by websites so that the latest drive-by doesn’t catch you with a funny pop-up.

3. Don’t Leave Your Keys in the Ignition

I was having a great day at the office a few days back.

When I left to head home, I realized that my bike’s key was in the ignition — in the on position — which had drained my battery. I was lucky though.

What if someone with malicious intent realized the key to my ride was sitting in the ignition? I’d be dealing with my insurance company right now.

The simplest forms of authentication use some type of keying mechanism. This is one of the quickest ways for attackers to gain access to your site, and ride off into the sunset.

Let me ask you this: are your passwords strong enough to ward off an attack long enough to disinterest an attacker?

Did you know that the most stolen password in 2011 was “password”?

Here are the top 5 worst passwords:

  1. Password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123

Hackers aren’t sitting around all afternoon randomly typing passwords. They automate attacks using a technique called the dictionary attack. They create a large list of common passwords and automate an attack trying each one until they find what they’re looking for.

Here are a few things to help you fight password attacks:

Change your passwords often: The longer you use the same password, the more time you’re giving hackers to try and crack it. If you change it frequently, you shorten the window of attack.

Don’t share passwords: Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.

Don’t write your passwords down: This is as bad as me leaving my key in my bike. Anyone can take it and run with it. Alternatively, look at using a password management tool like KeePass or LastPass.

Use Passphrases: Passphrases are basically long passwords, something with a meaning. For example: F0urScoR3&s3v3NYeAr$aG0Now – this passphrase is pretty complex, but you’ll see that it contains 3-4 words, uppercase, lowercase, numbers and symbols. I am fond of Abraham Lincoln and the Gettysburg Address so this would be fairly easy for me to remember. You don’t have to go crazy like the example, but the idea is to use a more complex set of characters that would be very difficult to guess.

4. Find a Good Mechanic

I don’t trust my bike with just anyone.

I have poured my heart into upgrading, and customizing it. I have spent countless hours architecting the ride, the look, the feel. Sound familiar?

In a lot of ways I approach my websites the same way, and when choosing a web host I research considerably before giving over the keys to the kingdom. Anytime you install a plugin or let a designer make changes to your site, you are handing them the keys to your kingdom. Your hosting provider always has the keys to your kingdom.

Do your research, get recommendations, and choose wisely. Here are a few things to consider when using third-party offerings:

Plugins: Not all plugins are created equally. Unintentionally, an inexperienced plugin designer can open up all kinds of security vulnerabilities in your site or simply tank its performance. Read the reviews of plugins you select and try to stick to ones that have shown a history of updating and evolving their code on a regular basis.

Designers: The WordPress design community has grown significantly and there are lots of great resources to choose from. Make sure to get recommendations for a qualified designer and consider having them implement their design on top of a reputable framework like Genesis. A framework really helps to keep your designer in design and configuration mode versus coding. Unless a designer is an experienced WordPress developer as well, coding can often lead to security and performance issues. Even if they are an experienced WordPress designer, it doesn’t hurt to stress to them that security is important and ask them to keep it in mind by adhering to some of the advice in this post as well as the basics of WordPress hardening from the Codex.

Hosting: Most hosting platforms are designed to be everything to everyone. If you select a hosting provider that specializes in WordPress and is proactive in its approach to security, your chances of having performance, operational, or security issues will lessen. Copyblogger Media’s Synthesis Managed WordPress Hosting, for example, combines a minimalist, locked-down stack with proactive PHP scanning software to prevent hackers from accessing its customers’ sites, or even gaining information about them. It’s also safe to say that the folks at Copyblogger understand WordPress, SEO, and hosting and integrate that knowledge into their customer support.

I hope this helps in your travels down the WordPress highway.

As you can see, a few simple plans can go a long way in heading off disaster, and bringing you peace-of-mind.

Comments

  1. Good security tips. TimThumb was a disaster. One of my themes also had this file but I did not notice. Fortunately, my web hosting provider intimated me.

    Also, good titles and headings :P

  2. Excellent article, especially pointing ppl to update and use virus-scanners (“Close Your Garage Door”).

  3. Hi Dre
    Thanks for an interesting read.
    I remember the TimThumb alert and finding out that it wasn’t enough to just disable it – it had to be removed.

    What about security plugins?
    I use a few to limit login attempts, that sort of thing.

    Do you think that security plugins should be part of any WordPress install?

    • Thanks, Keith!

      Everyone has different requirements. If you’re doing the right thing, in most cases, your risk will be pretty low. If there’s a specific security “thing” that a plugin can do for you, sure, install it. Having it be a part of a WordPress install? Not sure that makes sense. WordPress in itself is fine, and when an issue occurs, it’s patched faster than any other platform in the open source CMS world. The issue stems from users not understanding the risk of being online, and not following some simple best practices.

      Here are a couple plugins that may help:

      Sucuri SiteCheck Malware Scanner:
      http://wordpress.org/extend/plugins/sucuri-scanner/

      BulletProof Security
      http://wordpress.org/extend/plugins/bulletproof-security/

      • Thanks for your thoughts and the links Dre.

      • Just starting and noticed the article. I’m a total rookie. I keep getting spam linked back from my blogs; would these fix that, or some other plugin? Trying to get started on the cheap as well.

        • Hi Brian, you should give Akismet a go. It is free, and installed with WordPress. It does a pretty good job of helping manage spam comments.

          • Thanks Dre. Although not free any longer for business sites. Mine is more blog oriented with a little Amazon/Google stuff built in. I’ll also check out your tools to see if it’s a fit. Great stuff here.

          • Brian, because of the Akismet pricing as well, I’ve switched from Akismet to the relatively new MP Spam Be Gone for a lot of my smaller sites, mostly as a test to see how it performs, and after almost 3 months, it’s performing beautifully.

            http://wordpress.org/extend/plugins/mp-spam-be-gone/

            Next step is to try it on one of the larger sites, see how it does there.

  4. Excellent write, the whole of the interwebs could benefit from a little security-mindedness. An essential part of every WordPress install for me focuses on security and always enabling the service of my fine friends over at cloudflare.

  5. Very informative post. As I begin to blog more and more and get even more serious about this endeavor, content like this is going to be quite valuable. Thank you!

  6. As far as I know, my site is protected in all the ways you suggested. I think the most important message in your article (at least for me) was about plugins and they not being created equal. It’s so easy to add a plugin to your blog, but it can create a whole crisis if it’s not written well. Great post Dre. Thank you!

  7. Very good tips! In addition, I will suggest using a 2-factor sign in plugin like Google Authenticator, Second Factor or Duo Two-Factor Authentication. It protects from brute force login attempts.

    • Thanks, Mezanul. 2-factor is definitely a good way to reduce brute force attacks at wp-admin/login. Apache can assist there as well with IP filtering or adding a 2nd login requirement.

    • Thx Mezanul. Second Factor seems a great plugin. I had no idea about it. Might write a post about it on my site.

  8. Great article. The Houston WordPress Meetup for February focused on security and it was very helpful.

    I also had a client blindsided by TimThumb, which was installed on an inactive theme. I hadn’t realized that inactive themes and plugins could still pose a security risk. She ended up using Sucuri and has been very happy with them.

  9. Thanks for the great read Dre! Very helpful tips for everyone running a WordPress site.
    I would also suggest to use a plugin that limits the number of login attempts, Login Lockdown is pretty neat: http://wordpress.org/extend/plugins/login-lockdown

    I recently was also made aware of the fact that the default WordPress database table prefix (wp_) of the famous one-click-install is a security issue. What’s your position on that?

    • Thanks for the kind words :)

      I have been a long time fan of Login LockDown. The issue there that is pushing me away from recommending it is that it hasn’t been updated since 2009 and is officially compatible up to 2.8.4. That’s not something I can get behind :(

      Table prefix, this comes up all the time. Is it a huge security issue? No. Is it targeted occasionally? Yes.

      It’s obscure to think that changing it will solve the world’s problems. The reason I say that is because it’s in the open already inside your environment. If an attacker gains access to your server, they will have the table prefix no matter what you change it to.

      My recommendation there is if you’re installing a fresh WordPress instance, change it, it doesn’t hurt. I don’t see the reward over risk changing it on a live site. You may do more harm than good.

      Cheers!

  10. Thanks for your tips,
    I just found a malware on my site http://sitecheck.sucuri.net/results/www.legalizacijagradnje.com, and now wonder how this could have happened since we run a legitimate business with legitimate studiopress web design?! And finally, how to get rid of the malware without paying a price which is higher than the cost of the theme itself?
    thanks for your help.
    M

    • Maroje, the issue is not likely StudioPress related. The typical entry point for this type of malware is outdated software in the environment. First thing to do is ensure that all WordPress installs, plugins, and themes are updated on all the sites in your hosting account.

      As far as cleaning it, it’s hard to answer that without seeing the environment. A good place to start would be checking your PHP files for encoded eval(base64) code. This is typically what is used to hide the malicious iFrame.

      Beyond that, you may consider replacing your WordPress core files, plugins, and themes with a fresh copy. This won’t account for backdoors not found in those directories, but will replace any files that have been infected with a known good source.

      Hope this helps!

      • Problem solved. However all my plugins were up to date as well as the WP platform. From the beginning. Malware obviously came through one of the two plugins I used. I still don’t know whether it was sexy bookmarks or w3 cache. One of them permitted or supported this malware. Now they are both killed and files are cleaned. So for everyone keep an eye on the above mentioned plugins.
        regards,
        M

  11. One of the reasons I switched to Genesis was support on my old theme had all but disappeared and there was always a question if the latest WordPress updates were compatible.
    I am glad I’m with Studiopress now.

  12. Thanks for this very informative and easy to understand information!

  13. Where were you with this post LAST week when I was one of “THOSE” that didn’t know that those unused themes and plugins sitting in my wordpress install could hurt anyone.. ??? YIKES! Lesson learned.. I’m cleaning and dusting every nook and cranny and have changed all my passwords..

  14. Great write up! I have been a dreamweaver user for so long, I soak up any useful write ups like this on wordpress, thanks!!

  15. Just a few days ago I received an email from my host stating that they found an outdated timthumb.php on my site. They patched it to an updated and secure version. This is what they wrote:

    “Any timthumb.php file below version 1.35, but above version 1.09 is considered vulnerable, unless patched. To prevent being compromised, we advise you update all instances of timthumb.php to version 2.0, or patch the existing vulnerable files.”

    Is this true? Or, should I get rid of any plugins or themes that uses timthumb?

    Thanks for the very informative article. Been thinking about site security more since I received the message from my host. Great timing….

  16. Good point on the removal of redundant plugins, thanks.

  17. Great tips! Especially regarding passwords. We can’t encourage that enough to our customers. May I add that I also encourage my customers to backup their own sites? If a hosting company doesn’t keep backups beyond a few days, it’s possible for a site to be hacked, go unnoticed, and the hosting company will keep backing up, overwriting what used to be a clean backup. As a designer, I keep a backup of their site the day we go live, but after that, since they do their own updates, my version will not be current and could be used to fall back on, but isn’t ideal. If they use a plug-in such as BackupBuddy which is really easy to use, it adds another comfort layer, I think.

    • Holly, thank you!

      Keeping regular backups beyond what your host does is good practice. It’s great to easily access your backups whenever needed.

      Thanks for the note!

  18. Thanks for that post Dre,

    I’m a WordPress Newb and chose Genesis as my starting point and I love it! I do the password thing already, and I think my server is up to the task. I do have a few disabled themes and plugins though (rephrase that to “Did” after reading this).

    As a side note: look at my “about” page to see my 85 FLTC :)

  19. Hi Dre, would it make sense to combine several blogs into a single multisite network from a security perspective? It would help reduce the number of security holes overall right?

    • Hi David, it makes sense from a management perspective overall to combine wherever possible IMO.

      Whether it’s better from a security perspective, not sure, that depends on who’s managing it I think. I will say that it will take less time to get everything patched, and updated :)

  20. Good tips. About 2 weeks ago I moved to Synthesis hosting and am very glad I did this.

    I’m always staying on top of updating my plugins by checking them daily when doing other things in the dashboard. Now if I can only get my mom to learn how to not click on those phishing emails, she’d be a safe woman online.

    I’ve tweeted this to my followers because they’ve got to know that security for their blogs is the number 1 thing to do on their to-do list.

  21. Awesome tips. One of the best things I’ve done lately is to start using 1Password. My Gmail account got hacked a few months back, and that kind of freaked me out, then one of my wordpress sites got hacked. After I switched to 1Password, and a few other adjustments, everything has been fine :)

  22. Yes, security is very important. I find a lot of people are lazy when it comes to passwords and use obvious words as passwords. Some people even use the same passwords for all sites. Also I think staying up to date with software is very important, but I don’t like it when there is a bug in the software and it interrupts your work, so it’s best to check reviews before updating.

    • Thanks for your points!

      Best way to upgrade is to not do it in production, period! It should always be tested with as much of the production environment as possible. I like to set up a sub domain that reflects the production site, and I do upgrades there first. This minimizes the risk of your prod environment exploding during upgrade.

  23. TimThumb was really a nightmare, I had to face it at one of my blogs and wasted a lot of time. I agree a little pro-activeness might have saved me that time..

  24. Great article – I saw the headline and knew I wanted to read it. I flew by the author and started reading the content. As I was reading it, I thought to myself, “This has to be an article/post by Dre.” Sure enough… there you were at the end (and at the beginning when I scrolled back up!)

    Thanks for sharing the message of security! I have been a client of Sucuri for a while and you have saved my butt before!

    Thanks!
    Paul.

  25. TimThumb was something to lose sleep over. Literally, I had clients calling me up in the middle of the night because of sites that were down :)

    Nice article. You summed up all the points nicely with great analogy. But I would suggest one thing, to use security plugins. There are few standard security plugins that I use for all my WP sites – login Lockdown, Firewall and WPScan. They are all lifesavers.

    If anyone can point out more than let me know.

  26. Thanks for sharing!! Never ever take this for granted anymore!
    I learnt my lesson the hard way: weak password and TimThumb were the problems, hackers injected scripts into my wordpress index page, and all my sites were affected by malware.

    Many thanks for the tips

  27. Good security tips, I’d never heard of LastPass until reading this article.

    There is also a list of the 20 most commonly used passwords, but anyone with common sense would avoid these.

    The paid version of wordpress costs $99 a year. Do you think this is justified? Sure, you can add plugins and all of that good stuff, but having your own website costs a lot less than that per year, and you can customize it in any way you’d like.

    • Hi Dan, thanks!

      To clarify, I believe you’re talking about WordPress.com. This is a good solution for some, but still does not offer the flexibility of a self-hosted installation of WordPress.

  28. Thanks for this post. I followed the tips and found a malware link hidden in a text/js file thanks to Sucuri ! If you are reading this and you haven’t checked scanned your site already – do so immediately, it just takes a few seconds! Last but not least, lol, HUGE thanks to Sucuri !

  29. Thanks for your timely tips on security.. also as you pointed out …delete those Plugins and themes you are not using.. Wish there was a plugin to update everything all at once..For Password Security I use RoboForm..

  30. I’d also add that if you hire any one to set up your blog and website, make absolutely sure you not only own the content, but also own the site. It’s unfortunate there are people out there who will purchase domains on a client’s behalf only to hold it hostage at a later date.

    • I have seen this happen quite a bit unfortunately. Ownership should never be a question. If it’s your site, you should have the keys, not your designer/developer.

  31. What about setting up security specifically for studiopress themes? I see that security is a big part of your themes, but what else should I be doing? It would be nice if you have a step by step video showing how to make your studiopress website bulletproof. Yes I do follow a ton of steps on my regular WordPress sites to keep it secure, but with all the security you guys have already, I probably don’t have to set up security the same way I do with the twenty eleven theme.

    • The StudioPress team does a really good job of ensuring the code is as secure as possible. The best steps to take is to 1. keep everything up to date, and 2. don’t keep anything on the server that you’re not using and that you may forget about.

  32. See here for password strength vs being able to remember it.
    http://xkcd.com/936/

  33. Oops, I just changed my password…;-)
    Thank you for your useful words!
    maria from italy

  34. These are great tips and while I was going through, I was doing a mental list where I checked off almost all of these. Though, I do want to know more about the designer part. If you could help me understand more about that and maybe incorporate anything using my website/blog, that would be fantastic!

    Thanks!
    @SportsNotions
    sportsnotions.wordpress.com

  35. Oh Boy!

    I have, in spirit of the word followed every word of these excellent tips you have mentioned here. However, it was shocking to find about timthumb. I need to update my own awareness about it.

    Thank you so much for such a brilliant post. Very impressive.

  36. I’m glad I found this post. Been trying to solve my problems for a couple weeks.

    When I scan my site it keeps saying my WP is updated, though it’s not. The Sucuri plugin scan also shows that WP is updated.

    Also it’s blacklisted by the Opera browser. How can I get rid of that?

  37. Thank you for this post – a useful security checklist to tick off, and glad to see we are following almost all of the recommendations already.

    Would like to see WordPress implement a double factor authentication like Google has.

  38. Great post Dre. You rock.

  39. Nice post, and one I can definitely identify with as a motorcyclist and running several WordPress sites after previously having hosted versions. Despite occasionally being more work and effort, I love the fact I can control my data etc, and I’m learning all the time…

    Although I’m probably a better motorcyclist than I’ll ever be a developer…

  40. Great article, I had no idea that deactivated plugins and themes could still provide a backdoor! I had closer to a dozen that I deleted rather than just keep deactivated in case I need them again.

  41. I could not have written this better myself. I’m creating a link back on my own site in respect as well, http://hackrepair.com/blog/hackrepair-com-security-tips-and-hack-notes

    Suffice it to say, “if you leave your spare key on the concrete under the fake rock near your front door do you really think you are fooling anyone…”