Blogging Wordpress Security

Published on January 22nd, 2013 | by Rob Zazueta

3

Don’t Get Hacked – WordPress Security Tips to Keep Your Blog Safe

A few weeks ago, a friend of mine tried accessing her WordPress blog via her smartphone only to find that it mysteriously redirected her to a Russian website. When she tried accessing the site through her desktop web browser, however, it came up just fine. She called me to help figure out what was going on, so I dug into the code for the template she was using and discovered someone had exploited a WordPress security vulnerability. They added code that redirected mobile visitors to the foreign site.

It was a reasonably quick and easy hack to fix, and I immediately changed the passwords used to access both the WordPress site,  as well as the server credentials used to upload code, but it left me feeling uneasy about the security of that WordPress install for a while.

So, when I saw that Dre Armeda from online security firm, Sucuri, was delivering a talk about WordPress security at the recent New Media Expo, I made sure I was in the front row, notebook in hand.

It turns out that keeping your WordPress installation secure – whether your site is hosted on WordPress.com or installed locally through WordPress.org – is not difficult, but you need to stay on top of it. There’s nothing inherently insecure about WordPress – certainly no more than any other web application – but following these tips, culled both from Armeda’s talk, as well as my own experience managing WordPress sites and other online systems, can reduce the chances that you’ll be unpleasantly surprised by a hack.

  • Change passwords frequently – Armeda likens passwords to toothbrushes – you should choose a good one, change it often and not share it with anyone. Changing your password monthly or quarterly is good practice for anything that requires a password. Select something that can’t be found in the dictionary and liberally pepper it with numbers and non-alphabetic symbols like #@$ or %. Armeda also recommends taking advantage of a password manger like LastPass, which can handle much of the heavy lifting of changing and maintaining multiple secure passwords for you.

  • Wordpress plug-ins - WordPress SecurityKeep both WordPress and its plugins updated – It seems that every time I log in to the admin console for WordPress, there’s another prompt to either update WordPress itself,  or one of the plugins I’ve installed. It only takes a few minutes, but I’ve been tempted to put it off. Like me, you’ll need to fight this temptation. Try to log in as the admin user at least once a week to make sure everything is up-to-date. Often, these updates fix security vulnerabilities that could leave your site open to hackers. Since the code that runs WordPress and its plugins is open for the world to see, it often doesn’t take long for some nefarious coder to find and exploit a security hole. Keeping everything up-to-date helps keep your site safe.
  • Delete unused plugins - I often install two or three plugins for a specific feature – such as SEO, social sharing or contact forms – before I settle on one I plan to use. Simply deactivating the plugins you’re not using isn’t enough – the code is still on your server and, if it has some weakness in it, can be exploited. Make sure you hit the “Delete” link on these plugins to remove them from your server completely.
  • Never use the “admin” account to create content – WordPress and its plugins are only one point of possible infection. The computer and browser you use to access them can also be a weakness. Some pieces of malware sniff for passwords and then share them with other bad guys in the Internet. Since the “admin” account on WordPress has access to the entire install, having that password get out could be disastrous. To limit the risk, set up a separate user with the “Editor” or “Author” role in your WordPress installation and only use that account when you’re creating new blog posts or commenting. You should only use the “admin” account when you’re performing administrative functions.
  • Keep your antivirus software up-to-date and scan your computer frequently - If you don’t currently have antivirus software installed on your computer (i.e., Norton, Avast, Trend Micros, etc.), stop what you’re doing (ok, finish reading this post then do it) and get it installed immediately. And when your antivirus needs an update, allow it. Do a thorough scan of your machine at least once a month to keep it clean of the kind of malware that can open you to a whole variety of security issues.

It’s important to understand that nothing can guarantee 100% WordPress security. But, staying on top of software updates, changing your passwords frequently and limiting your risk to exposure for a security breach can get you more than 98% of the way there.

© 2013, VerticalResponse Blog. All rights reserved. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.

Tags: , , , , , , , , ,


About the Author

is an Evangelist at VerticalResponse.



3 Responses to Don’t Get Hacked – WordPress Security Tips to Keep Your Blog Safe

  1. Yusuf Yesil says:

    I totally agree with you. I also think the hosting is one of the key points. We were using one of the major companies shared hosting service and many of our websites were getting hacked. Even the non-writable by owner .htaccess was hacked to redirect the website. We don’t have any problems right now after switching to dedicated hosting service, we can arrange the security level and there is no unexpected situations.

  2. Rob Zazueta says:

    Hello, Tamanna. I don’t have any direct experience with any of the plugins you mentioned. However, doing a cursory review of each of them, they all seem to approach WordPress security from different angles.

    The Better WP Security plugin seems to handle a lot of the more common causes of WordPress hacks, so it seems to me like the best all around fit. However, I’m somewhat enamored of the idea that Wordfence compares my site’s files against the current core WordPress code at WordPress.org. So long as you have not modified any of the WordPress core code on your site, that would be a great late warning detection system since many WordPress hacks write strings of Javascript into your files in order to propagate themselves and deliver spammy ads to your site’s visitors.

    I appreciate you bringing these to my attention – I’m definitely going to try them out now.

    Rob Z.

  3. Tamanna says:

    Thanks for the great TIPS. I would like to know which security plugin is better? Bulletproof Security or Better WP Security or Wordfence?

Back to Top ↑