WordPress blog (self-hosted)
If you opt for a self-hosted WordPress blog, there are a few things that you should know prior to installation. Perhaps you’ve read “self-hosting your WordPress site in ten easy steps” (or the equivalent)? Did you notice any mention of how to secure your new blog? Probably not. Self-hosted WordPress blogs launched for the sole purpose of blackhat affiliate marketing are a dime a dozen.
During the summer of 2012, SophosLabs intercepted a major malware campaign. Because many WordPress admins did not secure their sites, malicious hackers were able to surreptitiously place malicious code from the Blackhole exploit kit on vulnerable sites. They used two major stealth modes to infect the sites:
- Drive-by-downloads
- Malicious iFrames
Whether the hackers gained access through weak passwords, vulnerabilities in the WordPress core, plugins or themes, or via script injection, all of the compromised sites were insecure and practically invited these hacks. WordPress admins, listen up. Your lazy WordPress no-security practices are a strong factor in propagating these types of attacks…
If you are clueless about the WordPress core, plug-ins, themes, phpMyAdmin, and regular WordPress site maintenance and security, you would be doing the web a favor by selecting WordPress.com to host your blog (it’s free). If you are serious about learning more about hardening and securing a WordPress blog, this blog post is meant for you.
Running a self-hosted WordPress blog comes with a list of responsibilities. It is not like you can merely install it and be done with it. Your first priority should be to familiarize yourself with the WordPress CMS (Content Management System) platform, along with the pros and cons of self-hosting.
You should also be technically savvy and aware of the various ways to harden a WordPress installation. You will be responsible for technical maintenance (backend configuration; backups; blog security; logs; spam filtering; and core upgrades/plug-in updates). Your choice on how you secure (or no-secure) your site makes you directly responsible to the web community as a whole.
Hosting your blog
In the past I have been the victim of two WordPress hacks. At the time of the first hack, I was on a managed VPS. All maintenance and administrative tasks (including software updates) were administered by the hosting provider. In my case, the software was rarely updated.
Take the time to find a reputable and reliable hosting service – do your research first. You don’t want to end up on a server that is easily compromised, is slow to update software, has bad tech support, or has too much down time. Hackers and cybercriminals favor targeting WordPress for the same reason they favor exploiting Microsoft Windows: it’s popular!
WordPress.org recommends Bluehost, Dreamhost, or Laughing Squid. I’ve had great success hosting the majority of my blogs at Namecheap. You should look for the following five features in a potential hosting provider:
- Server reliability of 99.99% uptime
- cPanel hosting
- 24/7 customer support
- Money-back guarantee
- Awesome hosting reviews
There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment. —WordPress.org
Securing your blog
From the moment that you install a WordPress blog, you should be thinking about security. Forget about all those ads and profits that you hope to gain from publishing the viral top-10 list. SEO, building reputation, and page rank take time. If your blog gets blacklisted before it even gets off the ground – you only have yourself to blame. Hosting a no-secure blog is equivalent to graduating from the Edith Bunker school of driving. If you only know how to press a Softaculous automation button and you don’t know the why behind the process – it’s time to dump Edith Bunker and go to a real driving school. Seriously. Do you get my gist?
I have seen a lot of site admins downplay the importance of updating CMS software and hardening company WordPress blogs. This is especially prevalent with small businesses and start-ups that rely solely on development teams to schedule site updates and releases.
I’ve also seen many home businesses slap together self-hosted WordPress blogs (because they noticed that cPanel had a Fantastico, Softaculous or Installatron autoinstaller), and they think that all they have to do is populate their blog with posts, widgets and plugins. Sadly, they never really do their security homework. It is the responsibility of every site admin to maintain a secure site that is free from malware links and other code nasties.
Security Mistakes
Six months ago I wrote the Top 10 Security Mistakes That Self-Hosted WordPress Blogs Make over at the AntJanus blog. Since the information is still applicable and I am not a gal who likes to reinvent the wheel, I am going to post these WordPress security bytes here.
According to Forbes, one out of every 6 websites on the Internet is powered by WordPress (nearly 60 million in all), with 100,000 more popping up each day. WordPress.com currently hosts over 62.5 million blogs. As of this writing, WordPress stats did not include the number of self-hosted blogs, but rest assured there are many of us! I’ve been using WordPress since the Gold days and it only gets better with each release.
The top 10 mistakes
1- Managing a WordPress site from a friend’s/public computer or insecure/public Wi-Fi
You should always log in to your site via a secure connection. You never know what could be lurking on someone else’s computer; from keyloggers to password-stealing Trojans, take your pick. The same goes for logging in on an unsecured Wi-Fi connection.
2- The use of weak passwords
Last March (2012) when 30,000 WordPress blogs became infected with rogue anti-virus, many of the blogs had weak administrative passwords, were outdated, or had vulnerable plugins. Forget about using weak passwords [123456], and don’t ever use the same password across multiple sites!
How long would an online attacker using a password cracker at 1,000 guesses per second take to figure your password out? Let’s take a look at how effective your password is at GRC:
If your password is 5 characters long and uses:
- Just numbers, the time to “crack” = 1.85 minutes (Example: 123456).
- The full alphabet but doesn’t mix upper and lowercase, the time to “crack” = 3.43 hours (Example: alpha).
- The full alphabet and numbers 0 through 9 but doesn’t mix upper and lowercase, the time to “crack” = 17.28 hours (Example: alp12).
- The full alphabet and numbers with mixed case, the time to “crack” = 1.54 weeks (Example: Alp12).
You should also change your cPanel (control panel), WordPress, and FTP passwords on a regular basis.
Use a combination of uppercase, lowercase, numbers and symbols
If we combine the alphabet, numbers, mixed case and use 6 characters instead of 5, the time to “crack” jumps to 1.84 years (Example: Alph12).
If we go to 8 characters and throw in symbols like # % & *, the time to “crack” jumps to 2.13 thousand centuries (Example: Alph12*!). –The Cocoon Blog
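The arithmetic behind those GRC figures, as an added example (not code from the original post or from GRC): it counts every candidate of length 1 through N over the smallest character classes that cover the password, then divides by an assumed online rate of 1,000 guesses per second, using 365-day years. The 33-symbol count and the sample passwords are assumptions that mirror the cases above; a five-digit PIN stands in for the 123456 example so that its length matches the stated 5 characters.

```python
# Added example: GRC-style "haystack" search-space calculation for password strength.
# Assumptions: character classes of 26 lowercase, 26 uppercase, 10 digits and 33 printable
# symbols (95 total), an attacker at 1,000 guesses/second, and 365-day years.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

UNITS = (("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86400),
         ("weeks", 7 * 86400), ("years", 365 * 86400), ("centuries", 36500 * 86400))


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive attacker must try: every string of length 1..len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def crack_time_seconds(password: str, guesses_per_second: float = 1000.0) -> float:
    """Worst case: the entire search space at the given guess rate."""
    return search_space(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that yields a value of at least 1."""
    name, size = UNITS[0]
    for unit_name, unit_size in UNITS:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    return f"{seconds / size:.2f} {name}"


if __name__ == "__main__":
    # Constructed samples mirroring the post's cases; "12345" replaces the 6-digit 123456.
    for pw in ("12345", "alpha", "alp12", "Alp12", "Alph12", "Alph12*!"):
        print(f"{pw:10} alphabet={alphabet_size(pw):3d}  "
              f"online crack time {human_time(crack_time_seconds(pw))}")
```

Lengthening the password by one character multiplies the search space by the alphabet size, which is why the jump from 5 to 6 characters dwarfs any change to the character mix.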
3- Ignoring login attempt activity
By default, WordPress enables unlimited login attempts. I recommend that you limit failed login attempts to a maximum of 5 and use the Limit Login Attempts plugin.
4- Downloading themes from strange places
Make sure that the current theme you are using has been downloaded from a reputable source (such as WordPress.org).
Early last summer, theme-related vulnerabilities such as Uploadify (in older versions of WordPress) and a zero-day found in timthumb.php led to exploits and bad-boy automated scripts.
Unless you play musical themes, there is no reason to keep more than one theme in your theme directory. Copy the themes that you are not using to a backup and only upload one when you are replacing the current working theme. Note: Since I have installed Wordfence on a few sites, I do keep the default twentyeleven theme handy now. Wordfence sends an alert if any themes are modified.
5- Failure to update software and plugins
Always update WordPress to the latest version and keep all plugins and themes up to date. Deactivated plugins can still pose a threat if they are not kept up to date. Delete plugins that are unnecessary or that you no longer use.
You can scan your site at Sitecheck.Sucuri.net to see if your WordPress installation is outdated or hosting malware.
Last June I emailed Sophos about a malicious exploit that was affecting massive websites, to which Chet Wisniewski responded:
Unfortunately we are seeing hundreds of these per hour… In fact a similar domain is what inspired my post earlier today… We are currently tracking over 32,000 URLs a day pointing at garbage on the net. Most of them seem to be unpatched WordPress sites that are being hit.
6- Failure to back-up
This is a big one! The first thing I do when I create a new WordPress site (after I have secured it) and have the look and feel that I want – is to download a copy so that I can run a duplicate locally. I tend to call this backup my core copy.
The best plugin that I have found is BackWPup. This simple plugin provides you with all the options necessary to automatically backup your blog with absolutely no hassles.
7- Using the default admin account
This is a big no-no! Obscure the admin account by renaming it. Go to Users. Change the admin email address to an address that you will not be using. Then, create a new user and set the role to administrator. Log out and log in (a few times) as the new account, and once you are sure that the new account is working correctly, go ahead and delete the admin account (and don’t forget to select the radio button that attributes all posts and links to the new admin account that you just created).
8- Not moving the wp-config.php file to the directory above your WordPress install
WordPress will also look for wp-config.php one directory above its default location, so the file can live outside the web root. Set its permissions to 0640 (chmod 0640).
9- Keeping the same old keys year after year…
The secret keys make your site harder to hack, and its cookies harder to crack, by adding random elements to the password hashing. You can use the online generator to create new keys and then copy them over the old keys in your wp-config.php file.
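A small audit for points 8 and 9 (and the default table prefix flagged in the plugin list further down), added here as an example and not code from the original post or from WordPress: it reads a wp-config.php, flags secret keys that are still the placeholder shipped in wp-config-sample.php, a `wp_` table prefix, a file that still sits inside the WordPress directory, and permissions wider than 0640. The key names and placeholder string are the ones WordPress ships; the sample configs it writes are constructed, and a POSIX filesystem is assumed.

```python
import os
import re
import stat
import tempfile

# Added example: audit a wp-config.php for the three hardening points discussed on this page.
# Key names and the placeholder text are those of WordPress's wp-config-sample.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](\w*)['"]""")


def audit_wp_config(path: str, wp_dir: str) -> list:
    """Return findings for the config at `path`; `wp_dir` is the WordPress install directory."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    defines = dict(DEFINE_RE.findall(text))
    for key in SALT_KEYS:                       # point 9: rotate the keys
        value = defines.get(key, "")
        if value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{key}: missing, still the sample placeholder, or too short")
    m = PREFIX_RE.search(text)                  # default prefix from the plugin checklist
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    if os.path.dirname(os.path.abspath(path)) == os.path.abspath(wp_dir):
        findings.append("wp-config.php sits inside the WordPress directory; move it one level up")
    mode = stat.S_IMODE(os.stat(path).st_mode)  # point 8: chmod 0640
    if mode & (stat.S_IRWXO | stat.S_IWGRP):
        findings.append(f"mode {mode:04o} is wider than 0640")
    return findings


def _config_text(hardened: bool) -> str:
    # Constructed sample content; the 64 x's stand in for generated keys, not real values.
    key = "x" * 64 if hardened else PLACEHOLDER
    prefix = "EEE_" if hardened else "wp_"
    lines = [f"define('{k}', '{key}');" for k in SALT_KEYS]
    lines.append(f"$table_prefix = '{prefix}';")
    return "<?php\n" + "\n".join(lines) + "\n"


def demo() -> dict:
    """Write a sloppy and a hardened constructed wp-config.php and audit both."""
    root = tempfile.mkdtemp()
    wp_dir = os.path.join(root, "public_html")
    os.mkdir(wp_dir)
    weak = os.path.join(wp_dir, "wp-config.php")   # inside the install, default keys, 0644
    good = os.path.join(root, "wp-config.php")     # one level above it, fresh keys, 0640
    for path, hardened, mode in ((weak, False, 0o644), (good, True, 0o640)):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(_config_text(hardened))
        os.chmod(path, mode)
    return {"weak": audit_wp_config(weak, wp_dir), "hardened": audit_wp_config(good, wp_dir)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["OK"])
```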
10- Failure to harden the security of your WordPress site
There are a number of awesome security plugins that you can use to harden your WordPress blog. One of my all-time favorites is Better WP Security. It is really an amazing plugin that manages to accomplish quite a bit toward hardening any WordPress site.
The only problem that I’ve run into with this particular plugin is #8: Your WordPress admin area is available 24/7. Do you really update 24 hours a day?
It seems that every time I enable #8 I end up locking myself out of the backend and have to manually edit a file on my webserver to get myself back in again.
Better WP Security [Plug-in]
- You are enforcing strong passwords for all users.
- Your WordPress header is revealing as little information as possible.
- Non-administrators cannot see available updates.
- The admin user has been removed.
- The user with id 1 has been removed.
- Your table prefix is EEE_
- You have scheduled regular backups of your WordPress database.
- Your WordPress admin area is available 24/7. Do you really update 24 hours a day?
- You are blocking known bad hosts and agents with HackRepair.com’s blacklist…
- Your login area is protected from brute force attacks.
- Your WordPress admin area is hidden.
- Your .htaccess file is fully secured.
- Your installation is actively blocking attackers trying to scan your site for vulnerabilities.
- Your installation is actively looking for changed files.
- Your installation does not accept long URLs.
- You are not allowing users to edit theme and plugin files from the WordPress backend.
- Better WP Security is allowed to write to wp-config.php and .htaccess.
- wp-config.php and .htaccess are not writeable.
- Version information is obscured to all non admin users.
- You have renamed the wp-content directory of your site.
- You are requiring a secure connection for logins and the admin area.
The above list is not a silver bullet or cure-all; it takes constant vigilance (logging, spam filtering, tweaking, and awareness of potential exploits) – to stay one step ahead of the bad guys.
Note: I am currently testing Wordfence. I have this installed on a few WordPress blogs now. It is quite an impressive plugin and allows file change comparisons. File alerts are awesome too. I just received an alert on two plug-in updates that need to be resolved today. I also purchased the premium version for one site so that I could scan the public-facing side for vulnerabilities.
[Update 03.20.2013]
Some people were offended
WordPress admins, listen up. Your lazy WordPress no-security practices are a strong factor in propagating these types of attacks; If you are clueless about the WordPress core; If your blog gets blacklisted before it even gets off the ground – you only have yourself to blame.
In the real world of WordPress self-hosted sites, there is a high percentage of site admins that do not admin the site at all. It’s just there to generate $$$, and unfortunately in many cases the unattended CMS platform ends up with something like the Blackhole Exploit Kit, which then attacks any vulnerable system that lands at the infected blog.
It also affects the web community as a whole. If a person installs a self-hosted blog, I strongly believe that they better be up to par on securing it and responsible enough not to expose their “no-security” blunders to the rest of us.
I perceive it like this: I’m driving down the freeway at 65mph and the truck in front of me has a bunch of sheetrock that is not secured. The sheetrock flies off the truck and hits my Jeep full force and causes a pile-up, including fatalities.
Because the person in the sheetrock truck was too lazy to secure the load – the “victims” from the accident have serious injuries and even death. What could have prevented this type of scenario?
I’m always questioning the “why.” Why did that sheetrock kill and injure innocent drivers? Why do those “no-secure” WordPress sites infect people who simply visit their blog?
Perhaps the initial gist was lost in translation? The words clueless and lazy, and the blame, were directed at site admins who couldn’t care less about WordPress security, not at site admins who sincerely try to secure their WordPress blogs. I could get hacked tomorrow and so could you – but, at least we tried to harden it 🙂
In the end, it’s really all about taking digital “responsibility” and helping to make the global webspace safe for all 🙂
Originally posted at the Experts-Exchange Tech News Blog on 19.03.2013.
Do you have any WordPress (self-hosted) security advice to add? Please post a comment and share your tips with the community!
Opera Problem says
Hey there, just wanted to give you a quick heads up. The text in your article seems to be running off the screen in Opera. I’m not sure if this is a format issue or something to do with internet browser compatibility but I figured I’d post to let you know.
The design looks great though! Hope you get the problem solved soon.
Cheers
uhx116 says
I wanted wordpress.com, but then I would have to agree that they own my content, I would have to display no ads even if I pay for keeping the blog (which you have to pay directly or indirectly, there’s no free lunch there, they’ll be running ads on your blog if you don’t pay $30 to remove them and if you’re a VIP blog, you can run ads, you have to give them a 50% cut though, that can mean thousands of dollars a month), they have virtually no customization and few plugins.
If you want a blog that will not look or behave as you want it and that will most likely produce no ad revenue or half of it with some luck, go to wordpress.com, otherwise, go to wordpress.org
Seems simple right? WRONG!
Seriously, read this post, although I know how to code and have some knowledge of security, who, in their right mind, would want to have so much work with the damn blog and then have it hacked anyway?
Why do I say this? Simple, with those CMSs like wordpress.com, you actually have a team taking care of stuff and patching up vulnerabilities, something you cannot do by yourself no matter how much time you have on your hands because you’re just one person. Maybe you like to sift through all possible vulnerabilities and all lines of code of wordpress trying to spot vulnerabilities and taking care of every other thing, if you like that kind of work, fine, do it, most people don’t want to do it though, and I can hardly blame them.
Ask yourself, why do I want a blog? To spend more time taking care of it than actually writing new and interesting content? To have to make a crash course in apache, mysql, php, html and css?
Seriously, I understand the reason why you’re concerned that people don’t try to protect themselves better but maybe you know a lot about protecting yourself and maybe you like it and maybe you worked hard for it, but you have to put yourself on the other side of the fence too, I completely understand all people that don’t feel like these issues should be their responsibility, and sincerely, in my humble opinion, there are good CMSs out there, but people are lacking a really awesome CMS to fit the needs of basic or non tech savvy users without hurting functionality and customization, it’s possible, I know it is.
teksquisite says
Interesting response = thank you. Yes, I did work hard on my WP sites – but have managed to automate quite a bit of the work. Perhaps for the people who self-host and are not tech-savvy, a “managed” self-hosted blog could become one option? Like, for example: Let’s say you want a VPS – but you don’t want to go through the pain of all that installation and securing it. So, you could get a “managed VPS” for maybe double what you are paying for an “unmanaged VPS.”
There are CMS management services available – perhaps I should have mentioned those. I will perhaps do a late 2013 self-hosted WP blog later this year. You brought up many great points & I appreciate it. If you have more ideas, please post back 🙂
Thanks again,
/Bev
Hello,
Excellent post! Thanks for sharing very informative and useful information. I personally built a blog and learnt from an online tutorial. For any novice like myself I would like to share an online tutorial which is very instructive. Give http://www.simplewebsitetutorials.com look, where they give guidelines about WordPress blog creation.
Thanks Bryant!
An excellent piece, very constructive and spot on. It never ceases to amaze me how little attention people pay to these issues, even people who should know better. I have a contact who is running a multi million dollar business via a self hosted wordpress site, it is an SEO related paid info site so they are at least vaguely tech aware. The other week he had an issue with his host who had issues with the server it was running on and wanted to know if there was anything I could do. The response to send me the backup was ‘what backup’!!!!!!!
I personally think that something like a backup should be a default include in wordpress, even if you turn it off at least it would make you think, well maybe….
Thanks Andrew! I agree with the back-up issue. Too many companies do not take that seriously. With all the resources that are available to automate this process (WP plugins: BackWPup, WP-DB, BackUpWordPress, WP Online, etc.), I can’t imagine anyone who would not back up! There is also http://vaultpress.com/ if configuring your own back-up is not feasible 🙂