WordPress Security

WordPress Security Essentials Class in Boulder

June 27th, 2010 | No Comments | Filed in WordPress Security

Please join me for this class on WordPress Security Essentials, Tuesday, July 13, 2010, at the new Boulder Digital Arts studio. Use discount code BDA-Instructor-2010 to receive 10% off the class.

WordPress is an easy, powerful way to build and maintain a website. This flexible, highly customizable content management system (CMS) is ideal for blogs, small business websites, online art galleries, and more.

However, due to its popularity, WordPress is vulnerable to attack. Do you know what vulnerabilities your site has? Do you know how to harden your WordPress install to prevent an attack? If your WordPress site is hacked, do you know how to recover quickly? If not, this class is for you. We will cover everything you need to know to make your WordPress site more secure, including:

  • Creating and implementing strong usernames and passwords
  • Changing the WordPress table prefix
  • Encrypting WordPress cookies
  • Locking down and moving your wp-config.php file (which contains your WP database username and password)
  • Limiting what search engine spiders can index
  • Installing must-have security plugins
  • Scheduling backups
  • Using correct file permissions
  • Keeping WordPress up to date
  • Recovering from a hack (restoring the database and files)
  • Using caution when installing plugins
  • and More!

This class is appropriate for WordPress users as well as WordPress developers. We will cover basic precautions that any level user can employ as well as more detailed technical tips.

Please visit Boulder Digital Arts for more information and to register.

Do you upgrade all of your clients' sites every time a new version of WordPress comes out?

December 5th, 2009 | 1 Comment | Filed in Answers to Your Questions, WordPress Security

Q: If you develop websites with WordPress for clients, what do you do about upgrading their sites? Do you upgrade all of your clients' sites every time a new version of WordPress comes out? Do you only upgrade when there’s a security risk? Do you tell your clients before you start that you will be upgrading their sites periodically, and there will be an additional charge each time you do it? Do you have a fixed price for upgrading, or do you charge by the hour? Sometimes it only takes a few minutes, but if a plugin doesn’t work with the upgrade, yikes, it could take a long time.

On another note, if you have a client who wants a static site and they will not be updating the content very often, do you still develop their site in WordPress? It seems like there are fewer things to worry about with a straight HTML site, because you don’t have to update the software or deal with security issues. Are there times when you think Dreamweaver (or another HTML editor) is more appropriate than WordPress?

Because of the security risks of PHP and MySQL, I think we need to explain to clients, before setting up their WordPress sites, that the WordPress application must be regularly updated. PHP risks are only going to increase over time, and the only way to protect websites is to keep up with the WordPress updates. The one-click update is great, but when 2.9 comes out there will be many plugins that won’t work, and that is going to make updating a headache.

Here’s what I recommend:

1. Make sure the client understands the security risks of using a PHP web application.

Make sure YOU understand the security risks and how vulnerable PHP is to attack; its popularity in web applications makes it more so. This applies to other CMSs as well, Drupal and Joomla included, and to proprietary ones. If a client’s site gets hacked, the hack goes unnoticed for a time, and the Google bots detect weird stuff coming out of the site (malicious code, etc.), then the site could be kicked off the search engine.

2. Make sure your client understands that in order to avoid having their site hacked, the WordPress version must be kept up to date.

This may take a few minutes once every 6 months or a couple hours if you’re having to deal with plugin issues. You can put this in your contract with the client to perform necessary security updates and estimate the number of hours (or minutes) each year for this based on the complexity of their site. All computer and website applications should be kept updated, and WordPress is no exception.

3. Choose your plugins wisely.

Try to write your own get_posts or WP_Query queries (see http://codex.wordpress.org/Template_Tags/get_posts and http://codex.wordpress.org/Function_Reference/WP_Query) rather than use plugins whose developers do not keep them up to date. Most of the more popular plugins are updated in anticipation of each new WordPress release. Find plugin developers you can trust, and be sure to make a contribution to their plugins.

4. Be sure to include in the cost of site development implementing various “hardening” or security steps.

Please see: Assessing the Security Risk of Using WordPress as a CMS for links to good articles on how to secure your WordPress install.

5. Understand the client’s needs.

Does the client need a CMS? Will creating a 4-page brochure site using Dreamweaver (and Contribute) meet their needs and goals in terms of interactivity, search engine optimization, ongoing updates, etc.? A site with more than 12-15 pages often becomes difficult to manage in flat file layout.

Having continually fresh content or being able to use various online marketing or e-commerce strategies necessitates having some sort of dynamic CMS. If the client just wants a blog but really doesn’t have the budget or desire to keep their WordPress version updated, perhaps WordPress.com or Blogger would be better solutions for them. The client’s needs and online business goals should drive their website solution. Assessing the overall cost benefit of any solution is important.

6. Back up before clicking that update button!

Back up the database and the contents of the wp-content folder, plus any other folders you may have created (such as an images folder in the root). You might also want to back up the entire FTP directory in case you need to revert to the older version of WordPress for some reason (such as an incompatible plugin that you need time to troubleshoot or replace).
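One way to script that pre-update backup, as an added example (not code from the original post): it reads the DB settings out of wp-config.php, dumps the database with mysqldump (passing the password through the MYSQL_PWD environment variable rather than on the command line, where it would show up in process listings), and tars wp-content plus any extra folders you created. The site and backup paths in the usage line are placeholders.

```python
"""Pre-update WordPress backup (added example; paths below are placeholders)."""
import os
import re
import subprocess
import tarfile
import time

# Matches define('DB_NAME', 'value'); with either quote style and optional spaces.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_db_settings(wp_config_text):
    """Return the DB_* constants defined in wp-config.php source as a dict."""
    return dict(_DEFINE_RE.findall(wp_config_text))


def dump_database(settings, out_path):
    """Run mysqldump; the password travels in MYSQL_PWD so it never shows in `ps` output."""
    env = dict(os.environ, MYSQL_PWD=settings["DB_PASSWORD"])
    cmd = ["mysqldump", "--single-transaction",
           "-h", settings.get("DB_HOST", "localhost"),
           "-u", settings["DB_USER"], settings["DB_NAME"]]
    with open(out_path, "wb") as out:
        subprocess.run(cmd, stdout=out, env=env, check=True)


def archive_files(site_root, extra_dirs, out_path):
    """Tar wp-content plus any extra folders (e.g. a root images folder); returns member names."""
    with tarfile.open(out_path, "w:gz") as tar:
        for d in ["wp-content", *extra_dirs]:
            full = os.path.join(site_root, d)
            if os.path.isdir(full):
                tar.add(full, arcname=d)
    with tarfile.open(out_path, "r:gz") as tar:
        return tar.getnames()


def backup_site(site_root, backup_dir, extra_dirs=()):
    """Dump the database and archive the files; returns (sql_path, tar_path)."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(backup_dir, exist_ok=True)
    with open(os.path.join(site_root, "wp-config.php")) as f:
        settings = parse_db_settings(f.read())
    sql_path = os.path.join(backup_dir, f"{settings['DB_NAME']}-{stamp}.sql")
    tar_path = os.path.join(backup_dir, f"files-{stamp}.tar.gz")
    dump_database(settings, sql_path)
    archive_files(site_root, extra_dirs, tar_path)
    return sql_path, tar_path


if __name__ == "__main__":
    # Placeholder paths; keep the backup directory outside the web root.
    print(backup_site("/var/www/example-site", "/var/backups/wp", extra_dirs=["images"]))
```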


I’ve been using WordPress for 2.5 years, and it wasn’t until this past summer that I realized the security issues. In 2008, Joomla!, WordPress, and Drupal all made the top ten chart of known software vulnerabilities, mostly because of their growing popularity and the inherent vulnerability of PHP and MySQL. Hacks are more likely to increase than decrease, but the WordPress development teams seem to be quick to respond to known vulnerabilities with updates.

WordPress is very fun to work with, and it’s definitely a buzz kill to have to deal with security issues. But, as responsible “web developers,” we need to consider the risks and take the necessary precautions, including, YES — updating every time there is a security update.

Please let me know how you handle this with your clients by commenting below. Thanks!

7 Things to Keep in Mind When Assessing the Security Risk of Using WordPress as a CMS

November 25th, 2009 | No Comments | Filed in WordPress Security

The other night, I was part of a panel discussion at Boulder Digital Arts about WordPress. We had three panelists: me, Bethany Siegler of UniqueThink.com, and Douglas Wray of MacWebGuru.com.

In the middle of the presentation, someone asked:

A programmer friend of mine suggested that I should use a lesser known CMS because WordPress is so popular and therefore vulnerable to attack. What do you think?

Like true WordPress evangelists, Bethany, Douglas, and I immediately rallied in support of WordPress, citing the responsiveness of the WordPress developers in patching security risks and the practical security precautions that help you thwart, or recover from, potential attacks. Yet, thinking about it later: if malicious code were injected into your site, that could in turn cause Google to remove your site entirely from the search engine, and that would indeed be difficult to recover from.

So, what’s a web developer, blogger, or business owner to do? Should we avoid WordPress because of its vulnerability? Should we reassess our content management needs and perhaps choose a more “obscure” CMS if it meets our needs? After a lot of ruminating on these questions and doing several Google searches, I have this more thoughtful and less cavalier response to the question above:

1) All PHP web content management systems are vulnerable to attack.

This includes Joomla!, Drupal, WordPress and others; in fact, these three made the top 10 list in IBM’s X-Force® 2008 Trend Statistics. Vulnerabilities are getting more numerous, and we are getting less safe on the Internet. What these three applications have in common is that they are all written in PHP and use a MySQL database. The real problem is SQL injection, in which malicious code is inserted into your database and can wreak havoc on your site.

It does not appear that WordPress is any more inherently vulnerable to attack than other popular CMS platforms running on PHP. In fact, WordPress has made great strides in its security, causing it to fall off the list for the 2009 Trend Mid-Year Statistics. WordPress is more vulnerable because of its popularity: a successful WordPress hack is great bang for the buck, so to speak. The lesson here is that you SHOULD be concerned about security and doing what you can to secure your site.

2) The stability of the CMS and the cost involved in upgrading are important risk factors.

While WordPress showed up on IBM’s X-Force Trend Statistics for the first time (along with Drupal and Joomla!) in 2008, it practically dropped off the charts in the first half of 2009, with less than a handful of vulnerability disclosures in the first half of this year. Many WordPress websites came under attack late this past summer, yet the sites that were attacked were running older versions of the software; the current version of WordPress at the time of the attacks was not vulnerable. WordPress has made it easier to update its software, does update it regularly, and is a stable product thanks to its large amount of support.

Keep in mind that there is a correlation between the sheer volume of use and the number of vulnerabilities reported. Custom-built web applications are also attacked and exploited even though the vulnerabilities in these applications are not reported and tracked by public vulnerability databases such as @RISK, CVE or BugTraq. That’s where we have to really look at how responsive the WordPress community is to addressing security risks and coming out with timely security patches that are EASY to implement.

If a security update is going to be time consuming, difficult, or costly to implement, then it’s less likely that you will do it. If you’re running a more obscure CMS or one that doesn’t have a robust support community, will you have access to timely updates and will it be easy for you to perform these updates?

3) Third-party plugins expose users to risks.

While we may have confidence in the WordPress developers to create a secure application, there are no formal regulations or oversight for WordPress plugin developers. ANYONE can develop and promote a plugin. These plugins may have security vulnerabilities, and likely many of them do. While people call me the “plugin queen,” I try to limit my plugin use to those plugins that have a reputable developer behind them who regularly updates them.

According to some, no person should be engaged to write web applications unless they can pass the GSSP Secure Software Programming exam that covers the essential security skills and knowledge that developers need to produce more secure applications. But, as we all know, in the open source environment, the plugins we are using with WordPress are being developed by many people who know little about programming in general, much less about secure software programming specifically.

Be discerning in choosing plugins and perhaps use the SEO WordPress Firewall plugin to add another layer of protection to your site.

4) Risk assessment needs to include ongoing technical support and technical relevancy, not just risk of hack.

Businesses need to assess the type of ongoing support they can expect for their website software, as well as the dedication to developing the software to keep up with current website technologies and trends. Perhaps going with a more “obscure” solution feels safer because it’s not making the headlines for hacks, but is it any more hack proof than other solutions? And, how long will this software be around? What happens if the developer goes out of business, or, if you developed it in house, you lose the employees who know how it works? Does it have enough community support to have some longevity?

Things change, but we don’t necessarily want to have to change our entire web software solution every two years.

5) Remember the basics: security through obscurity, appropriate file permissions, and strong passwords.

One of the best ways to prevent a WordPress-specific attack is to NOT broadcast that you use WordPress for your website, not use “admin” as your administrator user name, and create strong passwords.

6) Stay updated.

While these tips and hacks make a lot of sense, I’m not sure hackers can’t get past them and discover what CMS and version you’re running; therefore, keeping your WordPress version continually updated with the latest security patches is very important.

7) Regularly monitor your website.

How will you know you’ve been hacked? Do you check all of your sites daily? Today’s hackers usually won’t host the malware on the infected website; they’ll install redirect code on an infected, legitimate website. An anti-virus scan of your web server or website will rarely detect this redirect code.

  • Check all the links from your site to external sites, and check for any changes made to your site (by comparing file modification dates, for example). Hackers do install scripts that check which browser or user agent a visitor is using, so some exploits don’t show up in certain browsers, and others will only show once the site is indexed by Google and high-ranked sites point to their site. You can use the W3C Link Checker to find all of the links from your site to other sites. The Broken Link Checker Plugin is also handy for checking links on your posts and pages.
  • There are some website security scanners out there. I would be interested to know what people are using. If you’re not using scanning software, then you need to at least routinely check your site in different browsers for any suspicious looking links, code or activity.
  • You can also set up Google Alerts to email you if any strange words are being indexed from your site (http://www.blogstorm.co.uk/how-to-use-google-alerts-to-find-out-if-your-site-gets-hacked/).
  • The SEO WordPress Firewall plugin and Limit Login Attempts plugin will notify you of some attempts to hack your site. Douglas Wray also recommends Bluetrait Event Viewer.
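As an added example (not from the post), here is the “changes made to your site” check done with content hashes rather than modification dates alone, since an edited file can be left with its original timestamp: record a baseline of the site tree once, then diff the live tree against it on every run and report new, changed and missing files. The site and baseline paths in the usage lines are placeholders.

```python
"""File-integrity check for a WordPress tree (added example; paths below are placeholders)."""
import hashlib
import json
import os

def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(site_root):
    """Map relative path -> {'sha256', 'mtime'} for every regular file under site_root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root)
            baseline[rel] = {"sha256": hash_file(full), "mtime": os.path.getmtime(full)}
    return baseline

def save_baseline(baseline, path):
    """Write the baseline as JSON; keep it outside the web root so it cannot be edited in place."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Return {'added', 'modified', 'removed'} lists of relative paths (sorted)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "modified": modified, "removed": removed}

def check_site(site_root, baseline_path):
    """Diff the live tree against the saved baseline, print findings, return the report."""
    report = compare(load_baseline(baseline_path), build_baseline(site_root))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper():9}{p}")
    return report

if __name__ == "__main__":
    root, store = "/var/www/example-site", "/var/backups/wp/baseline.json"
    if not os.path.exists(store):
        save_baseline(build_baseline(root), store)  # first run: record the known-good state
    else:
        check_site(root, store)
```

Run it right after a clean install or update to record the baseline, then from cron; any file that appears, changes or disappears outside of your own maintenance is worth investigating.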

The takeaways:

  • Vulnerabilities to PHP and MySQL run websites are out there and are trending towards increasing.
  • Take the necessary precautions to protect your site; this includes choosing plugins carefully, performing regular backups, regularly scanning your website for hacks, using strong usernames and passwords, and obscuring the fact you’re using WordPress.
  • Pick your CMS carefully — WordPress does have strong support and implements patches quickly. If you decide to not use WordPress, then do a careful risk assessment of whatever tool you decide to use both in terms of security vulnerabilities, ease of updates, and long-term support and viability. Remember, all PHP applications are vulnerable as well as others, including good ol’ HTML pages that might use contact forms, iframes, scripts, etc.
  • Are you part of the problem? See this great web security post on Smashing Magazine: http://www.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/

What do you recommend?

The WordPress community is dedicated to WordPress and its continued growth. But most used = most vulnerable. We use vulnerable products every day with Microsoft and Apple at or near the top of the list of exploited software. Yet, we take it quite personally when it’s OUR website that gets hacked, and our Google rankings that go down the drain.

Discussing these security concerns is important. We shouldn’t take anything for granted. We do need to take appropriate steps on a regular basis since PHP and MySQL are vulnerable and hackers are going to continue to exploit that vulnerability with increasing force. With this in mind:

  • Would any of you choose ANOTHER CMS over WordPress because of security concerns? If so, which one? What makes it more secure?
  • What do you do beyond the “12 Essential Security Tips” and Hardening WordPress recommendations mentioned above to keep your WordPress install secure?
  • How do you spot a hack quickly? Do you use some sort of scanning software?
  • Has your WordPress install been hacked, and did it affect your Google rankings?
  • Any other comments?

I appreciate the comments and feedback from more seasoned web professionals. :-)