Having used WordPress for a number of years now, both as a platform of choice for client development and as the basis of our own site, we’ve had a few encounters with security problems on the site.
By security problems, we mean the site has been compromised in one way or another, ranging from a full takeover by a Turkish hacker (twice) to just having pages created and then hidden within the database that controls WordPress.

There are generally four main reasons that this can happen to you:

  • Core WordPress files being out of date and therefore exploitable by the hacking community
  • Incorrect file permissions and poor hosting environment configuration
  • Using a WordPress theme that’s not from the official repository or a trusted source
  • Using a WordPress plugin that’s not been written in the most secure manner

The first two in this list are relatively easy to prevent. Keeping your WordPress core files updated and giving them the right permissions will prevent the majority of random attacks. Configuring your hosting environment correctly is a little harder to manage, but if you host your site with a decent provider then you should have no issues on that front either.

A special mention goes to the actual theme you use on your site. If you google “Free WordPress Themes” you’ll find a ton of them all available for free and they can look great too. However, these free themes are often pre-hacked with all kinds of malicious code that will do you and your site no favours and most likely cause lots of issues you don’t need. There’s a great blog post that highlights the dodgy WordPress themes out there with some links to safe sites you can use if required too. If you use a theme then try and make sure it’s one that WordPress themselves have approved and is available from their theme repository or another safe source.

Which brings us on to WordPress plugins. The vast majority of plugins available from WordPress’s Plugin Directory or other resources are perfectly harmless, but there are others that aren’t. This isn’t to say that they were intentionally created to be harmful; it’s more likely that they’ve been written by someone inexperienced, and whilst they do the job they’re supposed to do, they can offer an easy way for unscrupulous people to exploit your site.

What can you do to prevent issues?

Obviously it’s out of a lot of people’s skill-set to be able to rip apart a plugin and check that it’s not leaving your site vulnerable, so what can you do to prevent issues?

  1. A scheduled backup of your WordPress site, its database and all your theme files and uploads is essential. If you’re not doing this already then go and get that sorted right now and then come back and read on.
    If you’ve already done that or have just gone and done that, well done. Prevention might be better than the cure, but having a decent backup will ensure that if your site is ever compromised you’ll be able to put it right again.
  2. Ensure you have some .htaccess rules in place that protect your wp-config.php file that contains your database access details.
  3. Keep the usage of plugins to a minimum; this will keep your exposure minimal too. Try to stick with plugins that have been created by experienced members of the WordPress community.
  4. Install some WordPress security plugins.
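
The permissions point made earlier and the wp-config.php rule in step 2 can both be checked from a shell on the server. The script below is an added example, not code from the original post or from WordPress; the policy it checks (no access for "other" on wp-config.php, no world-writable paths, a deny rule in .htaccess) and the function name `audit_wp` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress install directory.
# Assumed policy (not from the article): wp-config.php gives no access to
# "other", nothing in the tree is world-writable, and .htaccess holds e.g.
#   <Files "wp-config.php">
#       Require all denied        (Apache 2.2: Order allow,deny / Deny from all)
#   </Files>

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on error.
audit_wp() {
    root=$1
    cfg="$root/wp-config.php"
    ht="$root/.htaccess"
    bad=0

    if [ ! -f "$cfg" ]; then
        echo "ERROR: no wp-config.php in $root"
        return 2
    fi

    # wp-config.php holds the database credentials.
    if [ -n "$(find "$cfg" \( -perm -004 -o -perm -002 \))" ]; then
        echo "FAIL: wp-config.php is readable or writable by other users"
        bad=1
    fi

    # World-writable files or directories let any local account plant code.
    ww=$(find "$root" \( -type f -o -type d \) -perm -002)
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable paths:"
        echo "$ww"
        bad=1
    fi

    # Look for an uncommented deny directive inside a <Files>/<FilesMatch>
    # block that names wp-config.php.
    if [ ! -f "$ht" ] || ! awk '
        { l = tolower($0) }
        l ~ /^[ \t]*<files(match)?[ \t]+.*wp-config/ { blk = 1; next }
        l ~ /^[ \t]*<\/files/ { blk = 0 }
        blk && l ~ /^[ \t]*(require[ \t]+all[ \t]+denied|deny[ \t]+from[ \t]+all)/ { ok = 1 }
        END { exit !ok }' "$ht"; then
        echo "FAIL: .htaccess has no deny rule for wp-config.php"
        bad=1
    fi
    return "$bad"
}

if [ "$#" -gt 0 ]; then audit_wp "$1"; fi
```

Run it with the WordPress directory as its only argument; it changes nothing on disk and only reports what it finds.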

WordPress security plugins seem to be appearing a lot now, likely because of the platform’s huge popularity, with something like 60 million websites being run on the platform as of June 2012.
We’ve been evaluating a number of plugins over the last few months and have now settled on a combination that covers all the bases. We won’t go in-depth on them here as you can read all about them on their respective sites:

WordPress Firewall 2

This is a great plugin that stops numerous things from happening on your WordPress site: it detects SQL injection, stops file uploads (when not legitimate) and remote file execution, and prevents directory traversal. If configured to do so, it also actively emails you with any malicious queries that have been made.

Wordfence Security

This plugin covers a lot of areas that can be exploited and is best described as an active plugin. It constantly monitors your WordPress installation for the presence of non-core files, can scan your WordPress theme to check for exploits within the code (it does cost extra though), prevents bots and robots other than official search engine ones from scanning your site, and offers login protection and much more. If you have a reasonably popular site then you’ll be amazed at how many times in a day someone somewhere tries to log in to your site illegally.

It has to be said that Wordfence may well cover the items that WordPress Firewall 2 does, but we’ve not seen any specific documentation to ascertain this for sure. It is, however, a highly configurable and comprehensive solution that works very well, and whilst the extended functionality of scanning theme files costs a bit extra, what you get for free is extremely good and well worth installing to protect your site.

Have you ever had your WordPress Security put to the test and come out on the losing side? What have you done to prevent it happening again and do you now use any plugins to help protect your website?

Update 3rd August 2017

There’s a great blog post on the specifics of setting up and configuring WordPress security by Alex Grant at Best VPN that I’d recommend reading if all the options available are a bit overwhelming.