Wordpress Security Tips

Andrew at dnw.com had his Wordpress hacked recently. I noticed it at around 5am EST and tried to contact Andrew to let him know, without success. Ultimately, my buddy Elliot was able to get the news to him.

Wondering how I noticed dnw.com was hacked? I got the same warning in Firefox that a lot of other people did. So I fired up my Ethereal packet sniffer to see what was going on. I did a capture, and bingo, there was a .cn domain trying to run a script to do some nasty stuff. :-)

We use Wordpress ourselves and install it for clients, so we’ve seen and done a lot with Wordpress over the years.

Here are my best tips on securing Wordpress. If you’re serious about not getting hacked, treat every tip on this list as required, not optional.

Update your Wordpress

Update Wordpress and your plugins as soon as new versions appear. I use SVN to automate the process, but you can do it manually if you prefer. If you run hundreds or thousands of Wordpress blogs, use Wordpress MU so that you don’t have hundreds of separate Wordpress installs to update.

If you follow the rest of these tips, a missed update is far less likely to cost you the site: with your files, directories and login access locked down, the latest file-writing or upload bug has much less to work with. It still matters, though. A SQL injection or cross-site scripting bug in Wordpress or a plugin is reached through the web server and is not stopped by file permissions, so keep updating as well. :-)

Login Security Tips

Use https (i.e. SSL) to log into the Wordpress control panel. You’re already doing this, right? You don’t need to buy an SSL cert to do this; a self signed certificate encrypts the session just as well. The catch is that your browser cannot vouch for it, so compare the certificate’s fingerprint with the one on your server the first time you accept it, and treat a fresh warning after that as a sign that someone may be sitting between you and the server. Setting define('FORCE_SSL_ADMIN', true); in wp-config.php makes Wordpress insist on https for wp-login.php and everything under wp-admin.

Use strong passwords and change them regularly. For example, H&&73r$r0cK$ is strong, p4ssw0rd is not (and neither is anything you have seen printed on a web page, including that one). And don’t even think about using your wife’s name, your dog’s name, or your favourite drink as a password.

Do not use the admin username as the Administrator of Wordpress; it is the first username every brute-force script tries. Instead, create a new user with a hard-to-guess name, give that user the Administrator Role and drop your admin user to the Role of Author or Contributor. Then continue to post with the admin user and only log in as the new one when you need to perform Administrator functions. If someone gets your admin password, they land in an account that can write posts but cannot install plugins, edit themes or add users. That account is still a foothold, so give it a strong password too. Sneaky, eh?

If you are not allowing user registration on your site (for comments or contributions) then you should also protect your wp-admin directory with an .htaccess file, either with a second HTTP Basic password or by allowing only your own IP range. This stops anyone else from reaching the control panel even if they know the login credentials for the Administrator user. Note that wp-login.php lives outside wp-admin, so give that file the same protection or the login form itself stays open to everyone.

Server Security Tips

Hide your directory contents from prying eyes by disallowing directory browsing. To do this, add -Indexes to the Options line in your Apache config file (or .htaccess file). If you don’t do this, people can get a full directory listing of your /wp-content/plugins or /wp-content/themes and, with that info, see whether you have a buggy plugin or theme installed which they can then try to exploit. Yep, people really do that. (They can still guess plugin directory names one at a time, which is why this tip does not replace updating.)
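As an added example (this is not code from the original post), here is a small POSIX shell script that writes the two .htaccess files from the two tips above: one for the site root that turns off directory listings and, optionally, puts a Basic-auth prompt in front of wp-login.php; and one for wp-admin that requires a second password and, optionally, an allowed address range. It assumes Apache 2.2 syntax, AllowOverride enabled and mod_auth_basic loaded; the password file path and the address range are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the .htaccess files
# described above for an Apache 2.2 host with AllowOverride enabled and
# mod_auth_basic loaded. The password file path and the IP range passed by the
# caller are placeholders; keep the password file outside the document root.

# Site root: refuse directory listings everywhere under the install, and
# (optionally) put the same Basic-auth prompt in front of wp-login.php,
# which lives outside wp-admin/.
# Usage: write_root_htaccess <wp_root> [htpasswd_file]
write_root_htaccess() {
    wp_root=$1; passwd_file=${2:-}
    {
        echo "# No listings of wp-content/plugins, wp-content/themes, ..."
        echo "Options -Indexes"
        if [ -n "$passwd_file" ]; then
            echo "<Files wp-login.php>"
            echo "AuthType Basic"
            echo "AuthName \"Restricted\""
            echo "AuthUserFile $passwd_file"
            echo "Require valid-user"
            echo "</Files>"
        fi
    } > "$wp_root/.htaccess"
}

# wp-admin/: second password, and optionally only from one address range.
# Usage: write_admin_htaccess <wp_root> <htpasswd_file> [allowed_range]
write_admin_htaccess() {
    wp_root=$1; passwd_file=$2; allowed=${3:-}
    {
        echo "AuthType Basic"
        echo "AuthName \"Restricted\""
        echo "AuthUserFile $passwd_file"
        echo "Require valid-user"
        if [ -n "$allowed" ]; then
            # Apache 2.2 access control; on 2.4 use "Require ip $allowed".
            echo "Order deny,allow"
            echo "Deny from all"
            echo "Allow from $allowed"
            # Both the address check AND the password must pass.
            echo "Satisfy all"
        fi
    } > "$wp_root/wp-admin/.htaccess"
}

# Append one user to the password file in Apache's $apr1$ (MD5) format,
# which every Apache 2.x understands. Uses the openssl CLI; "htpasswd -m"
# does the same where it is installed.
# Usage: add_htpasswd_user <htpasswd_file> <user> <password>
add_htpasswd_user() {
    passwd_file=$1; user=$2; pass=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    hash=$(printf '%s' "$pass" | openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$user" "$hash" >> "$passwd_file"
}
```

A Basic-auth prompt on wp-admin also blocks anything that calls into that directory without a browser session, so if a plugin’s front end depends on files under wp-admin, prefer the address-range restriction on its own.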

Change file ownership to your server/cpanel username instead of nobody, www-data etc. The default install of Wordpress normally ends up with the web server user owning the files. If the web server user owns nothing, a hole in the Wordpress code that lets an attacker run PHP can no longer rewrite your theme, drop a backdoor into your plugins directory or edit index.php, because that PHP runs as a user with no write access. It can still read wp-config.php and talk to your database, so this limits the damage rather than removing the risk.

Change your directory permissions to 755 and file permissions to 644 using chmod or your sftp/scp client. (Not 775: group write lets the web server back in wherever it shares a group with the owner.) By doing this, you make your Wordpress files readable by the web server but not writable, so if a hole is found in the Wordpress code the attacker cannot change your files. The one directory that usually has to stay writable is wp-content/uploads, if you upload media through the control panel; keep the exception to that directory alone.

[NOTE: The downside of changing your file ownership and permissions is that editing theme files or .htaccess has to be done through sftp/scp and no longer works from the Wordpress control panel, and plugin installs and upgrades from the control panel stop working too. But security is more important than convenience, right?]
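The ownership and permission tips above, as an added example script (not from the original post). It chowns the install to your own account with the web server’s group as the group, sets directories to 755 and files to 644, tightens wp-config.php to 640, and leaves only the upload directory you name group-writable; a second function lists anything that later drifts back to group- or world-writable. It assumes POSIX find, chmod and chown and that you run it as root or as the owning account; the owner, group and upload directory are whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the ownership and
# permission scheme above to a WordPress install: every file and directory
# owned by your own account, with the web server's group as the group, so the
# server can read but not write. Assumes POSIX find/chmod/chown and that you
# run it as root or as the owning account. The optional fourth argument names
# the one directory the web server may still write to (normally
# wp-content/uploads, if you upload media through the control panel).
#
# Usage: harden_wp_perms <wp_root> <owner> <webserver_group> [writable_subdir]
harden_wp_perms() {
    wp_root=$1; owner=$2; group=$3; writable=${4:-}
    [ -f "$wp_root/wp-config.php" ] || { echo "not a WordPress root: $wp_root" >&2; return 1; }

    chown -R "$owner:$group" "$wp_root"
    # 755/644, not 775: group write would hand the web server write access
    # right back, since it is in the group.
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database password: owner and web server only.
    chmod 640 "$wp_root/wp-config.php"

    if [ -n "$writable" ] && [ -d "$wp_root/$writable" ]; then
        # Group write for the one directory the server must write to.
        find "$wp_root/$writable" -type d -exec chmod 775 {} +
    fi
}

# Lists anything group- or world-writable outside the allowed directory and
# returns 1 if it finds something; prints nothing and returns 0 when clean.
# Run it from cron: anything a careless upload or upgrade has chmod 777
# shows up here.
# Usage: check_wp_perms <wp_root> [writable_subdir]
check_wp_perms() {
    wp_root=$1; writable=${2:-}
    if [ -n "$writable" ]; then
        bad=$(find "$wp_root" -path "$wp_root/$writable" -prune -o \
                \( -perm -020 -o -perm -002 \) -print)
    else
        bad=$(find "$wp_root" \( -perm -020 -o -perm -002 \) -print)
    fi
    if [ -n "$bad" ]; then
        printf 'group/world-writable:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

On a host where the web server runs as your own account (suPHP, FastCGI per user), this scheme does nothing: the server then owns the files and can write them whatever the mode bits say. The check function is still useful there for catching 777 directories.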

When uploading and changing your files use a secure tool such as sftp, scp or ssh. Standard ftp is not secure because it sends your username, password and file contents in the clear. Someone in your office could be packet sniffing your traffic, your ISP could be doing it, and even your hosting company could be doing it. So use encrypted tools like sftp and scp, or ssh for shell access.

Advanced Security

If you have the technical expertise yourself or have a server admin, then you should install mod_security for Apache. It is a web application firewall: it inspects every request against a rule set before Wordpress sees it, and it performs two very important functions that everyone can benefit from.

  1. Blocking of suspicious or unusual requests. If someone is probing your blog for SQL injection, sending malformed requests or trying to flood your Apache, a matching rule drops or limits the request before it reaches PHP. Rule sets need tuning: a rule that is too broad will block legitimate posts and comments, so run new rules in log-only mode first.
  2. Detailed logging of what those requests contained, so if you need to check how the hacker got into your site you can see exactly what was sent, fix the hole and stop it from happening again. mod_security sees HTTP requests, though, not your filesystem: it will not tell you that index.php was modified. For that, pair it with a file integrity check that hashes your files and reports any change, so a modified index.php earns you an email instead of a Firefox warning. Nifty!

Questions? Need more details? Fire away in the Comments below!

There are some more security tips from wordpress.org here


13 Responses to “Wordpress Security Tips”

  1. don says:

    Great tips, any advice to those of us who get lost with all the technical requirements, are there any recommended companies to contact to have them implement your suggestions…thanks

    • Richard says:

      @Don

      Your hosting company should do these for you. The better ones will do it as part of your hosting plan, others will charge you a fee for tech support to do it for you.

  2. Elliot says:

    Very nice article - and helpful, too. Maybe you can provide some more information on using/creating self signed SSL certs?

  3. Nice list! :)

    Definitely have to take this security stuff seriously because you never know.

    Doing data backups is also a must for anybody who runs a web site.

  4. conchbubby says:

    My suggestion? Do NOT use wordpress. Also I like to use wireshark these days. Who uses ethereal anymore since the project became wireshark in 2006?

    • Richard says:

      @conchbubby

      Wordpress is the most popular CMS out there, used by millions, and some of the biggest blogs are powered by it. What’s better? Typepad? Blogger? Drupal? ha!

      Ethereal works fine for me …

      • conchbubby says:

        Just because something is popular does not mean it is the best. Wordpress is known to have a lot of security flaws. Some of which have not been remedied in a timely fashion. Your argument that millions use it and some of the biggest blogging sites run it does not really say much. Do you have any other points to make that would seem more valid than that one? Have you ever looked at anything other than wordpress? Do you use wordpress because of the millions of huge blogging sites you claim use it? Why don’t you write an article explaining why wordpress is better than everything else?

        Ethereal is 3 years old and no longer under development. I find it difficult to understand how someone that seems concerned with security would use software that is no longer receiving security updates. Since ethereal is now wireshark I would think you would use that. Not only would you be taking advantage of new features but also security updates. I am sure wireshark would work just as fine for you as ethereal has.

        • Richard says:

          We can debate this over and over, but I’ll say the following:

          1. If you read my post closely, you’ll see that I said that updating wordpress is not as important as securing it. *Most* people do not secure their wordpress, and just use the default settings.

          2. Just because there is a newer, prettier piece of something doesn’t mean I need to upgrade to it. Ethereal works just fine for me.

          • conchbubby says:

            I find your responses rather weak. You are avoiding my questions. I think I will find something better to spend my time reading.

Trackbacks/Pingbacks

  1. [...] Don’t want your WordPress site to get hacked? Richard Douglas, who helped me yesterday when it happened to me, put together a great post of WordPress security tips. [...]

  2. [...] on security issues to prevent hacking and other malicious attacks. Richard Douglas has posted some Wordpress security tips for domain and website owners to note, and they are important to read if you use [...]

  3. [...] a post about securing your WordPress blog that is extremely relevant and easy-to-understand. I’d venture to say 99% of WordPress.org [...]