WordPress blog (self-hosted)
If you opt for a self-hosted WordPress blog, there are a few things you should know before installation. Perhaps you’ve read “self-hosting your WordPress site in ten easy steps” (or something equivalent)? Did you notice any mention of how to secure your new blog? Probably not. Self-hosted WordPress blogs are a dime a dozen, and many are launched for the sole purpose of blackhat affiliate marketing.
During the summer of 2012, SophosLabs intercepted a major malware campaign. Because many WordPress admins had not secured their sites, attackers were able to quietly inject code into vulnerable sites that sent visitors to the Blackhole exploit kit. They used two major stealth modes to infect the sites:
- Malicious iFrames
Whether the hackers gained access through weak passwords; vulnerabilities in the WordPress core, plugins, themes; or via script injections – all compromised sites were insecure and actually invited these hacks. WordPress admins, listen up. Your lazy WordPress no-security practices are a strong factor in propagating these types of attacks…
If you are clueless about the WordPress core, plug-ins, themes, phpMyAdmin, and regular WordPress site maintenance and security, you would be doing the web a favor by selecting WordPress.com to host your blog (it’s free). If you are serious about learning how to harden and secure a WordPress blog, this blog post is meant for you.
Running a self-hosted WordPress blog comes with a list of responsibilities. It is not like you can merely install it and be done with it. Your first priority should be to familiarize yourself with the WordPress CMS (Content Management System) platform, along with the pros and cons of self-hosting.
You should also be technically savvy and aware of the various ways to harden a WordPress installation. You will be responsible for technical maintenance (backend configuration; backups; blog security; logs; spam filtering; and core upgrades/plug-in updates). Your choice on how you secure (or no-secure) your site makes you directly responsible to the web community as a whole.
Hosting your blog
In the past I have been the victim of two WordPress hacks. At the time of the first hack, I was on a managed VPS. All maintenance and administrative tasks (including software updates) were handled by the hosting provider. In my case, the software was rarely updated.
Take the time to find a reputable and reliable hosting service – do your research first. You don’t want to end up on a server that is easily compromised, is slow to update software, has bad tech support, or has too much down time. The fact that hackers and cybercriminals favor targeting WordPress is for the same reason they favor exploiting Microsoft Windows – it’s popular!
WordPress.org recommends Bluehost, Dreamhost, or Laughing Squid. I’ve had great success hosting the majority of my blogs at Namecheap. You should look for the following five features in a potential hosting provider:
- Server reliability of 99.99% uptime
- cPanel hosting
- 24/7 customer support
- Money-back guarantee
- Awesome hosting reviews
There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment. —WordPress.org
Securing your blog
From the moment you install a WordPress blog, you should be thinking about security. Forget about all the ads and profits you hope to gain from publishing the viral top 10. SEO, building reputation, and page rank take time. If your blog gets blacklisted before it even gets off the ground, you only have yourself to blame. Hosting a no-secure blog is equivalent to graduating from the Edith Bunker school of driving. If you only know how to press a Softaculous automation button and you don’t know the why behind the process, it’s time to dump Edith Bunker and go to a real driving school. Seriously. Do you get my gist?
I have seen a lot of site admins downplay the importance of updating CMS software and hardening company WordPress blogs. This is especially prevalent with small businesses and start-ups that rely solely on development teams to schedule site updates and releases.
I’ve also seen many home businesses slap together self-hosted WordPress blogs (because they noticed that cPanel had a Fantastico, Softaculous or Installatron autoinstaller), and they think that all they have to do is populate their blog with posts, widgets and plugins. Sadly, they never really do their security homework. It is the responsibility of every site admin to maintain a secure site that is free from malware links and other code nasties.
Six months ago I wrote the Top 10 Security Mistakes That Self-Hosted WordPress Blogs Make over at the AntJanus blog. Since the information is still applicable and I am not a gal who likes to reinvent the wheel, I am going to post these WordPress security bytes here.
According to Forbes, one out of every 6 websites on the Internet is powered by WordPress (nearly 60 million in all), with 100,000 more popping up each day. WordPress.com currently hosts over 62.5 million blogs. As of this writing, WordPress stats did not include the number of self-hosted blogs, but rest assured there are many of us! I’ve been using WordPress since the Gold days and it only gets better with each release.
The top 10 mistakes
1- Managing a WordPress site from a friend’s/public computer or insecure/public Wi-Fi
You should always log in to your site over a secure connection. You never know what could be lurking on someone else’s computer; from keyloggers to password-stealing Trojans, take your pick. The same goes for logging in over an unsecured Wi-Fi connection.
2- The use of weak passwords
Last March (2012), when 30,000 WordPress blogs became infected with rogue anti-virus, many of the blogs had weak administrative passwords, were outdated, or had vulnerable plugins. Forget about using weak passwords, and don’t ever use the same password across multiple sites!
How long would an online attacker using a password cracker at 1,000 guesses per second take to figure out your password? Let’s take a look at how effective your password is, using GRC’s Password Haystacks calculator (the figures below assume the attacker has to try every possible password up to the given length):
If your password is 5 characters long and uses:
- Just numbers, the time to “crack” = 1.85 minutes (Example: 12345).
- The full alphabet but without mixing upper and lower case, the time to “crack” = 3.43 hours (Example: alpha).
- The full alphabet and the numbers 0 through 9, without mixed case, the time to “crack” = 17.28 hours (Example: alp12).
- The full alphabet and numbers with mixed case, the time to “crack” = 1.54 weeks (Example: Alp12).
You should also change your cPanel (control panel), WordPress, and FTP passwords on a regular basis.
Use a combination of uppercase, lowercase, numbers and symbols
If we combine the alphabet, numbers and mixed case and use 6 characters instead of 5, the time to “crack” jumps to 1.84 years (Example: Alph12).
If we go to 8 characters and throw in symbols like # % & *, the time to “crack” jumps to 2.13 thousand centuries (Example: Alph12*!). –The Cocoon Blog
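The arithmetic behind those figures, as an added example that is not part of the original post or of GRC’s calculator: GRC sizes the search space as every string of length 1 up to n over the chosen alphabet (not just length n) and divides by the attacker’s guess rate. The 1,000 guesses/second rate is GRC’s online-attack scenario; the two offline rates are GRC’s other two scenarios, added here to show what the same password is worth once an attacker has your password hashes instead of a login form (the 6-character row comes out at 1.83 rather than 1.84 years, a rounding difference).

```python
"""Added example: reproduce the GRC-style crack-time table and extend it to
offline guess rates.  Not code from the original post."""
from typing import List, Tuple

# Alphabet sizes used by the rows in the post.
DIGITS = 10                 # 0-9
LOWER = 26                  # a-z
LOWER_DIGITS = 36           # a-z 0-9
MIXED_DIGITS = 62           # a-z A-Z 0-9
MIXED_DIGITS_SYMBOLS = 95   # ...plus the 33 printable ASCII symbols

ONLINE_RATE = 1_000                      # guesses/s against a live login form (the post's case)
OFFLINE_RATE = 100_000_000_000           # 1e11: GRC's "offline fast attack" scenario
ARRAY_RATE = 100_000_000_000_000         # 1e14: GRC's "massive cracking array" scenario


def search_space(charset_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over an alphabet of charset_size."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(charset_size: int, max_len: int, rate: float) -> float:
    """Worst case: time to try the entire search space at `rate` guesses per second."""
    return search_space(charset_size, max_len) / rate


def human(seconds: float) -> str:
    """Render a duration the way the post's table does (365-day years, two decimals)."""
    units: List[Tuple[str, float]] = [
        ("centuries", 100 * 365 * 86400),
        ("years", 365 * 86400),
        ("weeks", 7 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def crack_time(charset_size: int, max_len: int, rate: float = ONLINE_RATE) -> str:
    """Human-readable worst-case time for a password drawn from the given alphabet/length."""
    return human(seconds_to_exhaust(charset_size, max_len, rate))


if __name__ == "__main__":
    rows = [
        ("12345", DIGITS, 5), ("alpha", LOWER, 5), ("alp12", LOWER_DIGITS, 5),
        ("Alp12", MIXED_DIGITS, 5), ("Alph12", MIXED_DIGITS, 6),
        ("Alph12*!", MIXED_DIGITS_SYMBOLS, 8),
    ]
    for example, size, n in rows:
        print(f"{example:10} online {crack_time(size, n):>16}  "
              f"offline {crack_time(size, n, OFFLINE_RATE):>16}  "
              f"array {crack_time(size, n, ARRAY_RATE):>16}")
```

The last row is the one to look at: the 8-character password that takes thousands of centuries against a login form falls in under a day once the hashes are offline, which is why the lockout in mistake #3 and the backups in mistake #6 matter as much as the password itself.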
3- Ignoring login attempt activity
By default, WordPress allows unlimited login attempts, so an attacker can keep guessing for as long as they like. I recommend limiting failed logins to a maximum of 5 with the Limit Login Attempts plugin, which locks the offending address out once the limit is reached.
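What “login attempt activity” looks like when you do pay attention to it, as an added example that is not from the original post or from the Limit Login Attempts plugin: WordPress does not log failed logins out of the box, but every guess is a POST to wp-login.php that the web server records. A failed login re-renders the form (HTTP 200), while a successful one redirects into wp-admin (302), so 200 responses to those POSTs are the failures. The log lines are constructed for this example (Apache “combined” format, RFC 5737 documentation addresses), and the threshold of 5 mirrors the advice above.

```python
"""Added example: find password guessing in web-server access logs.
Not code from the original post or from any WordPress plugin."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, hms: str, method: str, path: str, status: int) -> str:
    """Build one constructed combined-format log line (all dated 19 Mar 2013)."""
    return (f'{ip} - - [19/Mar/2013:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "Mozilla/5.0 (constructed)"')


# Constructed sample: one real user with a typo, then a 7-guess burst from one address.
SAMPLE_LOG = [
    _line("198.51.100.20", "10:14:55", "GET", "/wp-login.php", 200),   # login page
    _line("198.51.100.20", "10:15:02", "POST", "/wp-login.php", 200),  # one typo
    _line("198.51.100.20", "10:15:20", "POST", "/wp-login.php", 302),  # then success
    _line("198.51.100.20", "10:15:21", "GET", "/wp-admin/", 200),
] + [
    _line("203.0.113.7", f"10:16:{s:02d}", "POST", "/wp-login.php", 200)
    for s in range(0, 35, 5)
]


def parse(line: str) -> Optional[dict]:
    """Parse a combined-format line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def failed_logins(lines: List[str]) -> List[dict]:
    """POSTs to wp-login.php answered with 200, i.e. the form was shown again."""
    out = []
    for line in lines:
        rec = parse(line)
        if (rec and rec["method"] == "POST" and rec["status"] == "200"
                and rec["path"].split("?")[0].endswith("/wp-login.php")):
            out.append(rec)
    return out


def offenders(lines: List[str], threshold: int = 5,
              window: timedelta = timedelta(minutes=15)) -> Dict[str, int]:
    """Source IPs with more than `threshold` failures inside any `window`.
    The value is the largest burst seen, so a lockout-after-5 policy maps to threshold=5."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for rec in sorted(failed_logins(lines), key=lambda r: r["ts"]):
        by_ip[rec["ip"]].append(rec["ts"])
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst > threshold:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-login.php POSTs inside 15 minutes -> lock out")
```

Two caveats a practitioner would want: counting per source address misses an attacker who spreads guesses across many addresses (and can lock out a whole office behind one NAT), so the lockout complements strong passwords rather than replacing them; and this runs after the fact, whereas the plugin refuses the guesses as they arrive.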
4- Downloading themes from strange places
Make sure that the current theme you are using has been downloaded from a reputable source (such as WordPress.org).
Early last summer, exploits in theme components such as Uploadify (bundled with some themes and plugins) and a zero-day vulnerability in timthumb.php, which let attackers plant arbitrary PHP through the thumbnail cache, led to waves of automated attack scripts.
Unless you play musical themes, there is no reason to keep more than one theme in your theme directory. Copy the themes that you are not using to a backup and only upload one when you are replacing the current working theme. Note: Since I installed Wordfence on a few sites, I do keep the default twentyeleven theme handy now. Wordfence sends an alert if any themes are modified.
5- Failure to update software and plugins
Always update WordPress to the latest version and keep all plugins and themes up to date. Deactivated plugins can still pose a threat if they are not kept up to date. Delete plugins that are unnecessary or that you no longer use.
You can scan your site at Sitecheck.Sucuri.net to see whether your WordPress installation is outdated or hosting malware.
Last June I emailed Sophos about a malicious exploit that was affecting massive websites, to which Chet Wisniewski responded:
Unfortunately we are seeing hundreds of these per hour… In fact a similar domain is what inspired my post earlier today… We are currently tracking over 32,000 URLs a day pointing at garbage on the net. Most of them seem to be unpatched WordPress sites that are being hit.
6- Failure to back-up
This is a big one! The first thing I do when I create a new WordPress site (after I have secured it) and have the look and feel that I want – is to download a copy so that I can run a duplicate locally. I tend to call this backup my core copy.
The best plugin that I have found is BackWPup. This simple plugin provides you with all the options necessary to automatically backup your blog with absolutely no hassles.
7- Using the default admin account
This is a big no-no! Every attacker’s wordlist starts with the username admin. Go to Users and change the admin account’s email address to one you will not be using. Then create a new user and set its role to Administrator. Log out and log in (a few times) as the new account, and once you are sure it works correctly, go ahead and delete the admin account (and don’t forget to select the radio button that attributes all posts and links to the new administrator you just created). Pick a login name that is not the same as your public display name: WordPress exposes author names through author archives, so the new account only stays obscure if its login cannot be read off the site.
8- Not moving the WP-Config file to the directory above your WordPress install
WordPress looks for wp-config.php in the install directory first and then one directory above it (the parent directory must not contain its own wp-settings.php), so on a typical host you can move it from public_html into your home directory, outside the web root. Then set its permissions to 0640 so that only the owner and group can read it; if PHP runs as a different user than the file owner (mod_php on some shared hosts), that user must be in the file’s group or the site will stop loading.
9- Keeping the same old keys year after year…
The keys and salts in wp-config.php are used to sign login cookies and nonces; if they leak, or are left at the sample defaults, forged cookies become possible. Use the online generator (api.wordpress.org/secret-key/1.1/salt/) to create new keys and paste them over the old ones in wp-config.php. Rotating them invalidates every existing login cookie, so all users (including you) are logged out.
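Items 8 and 9 as an audit-and-fix script, added here as an example that is not from the original post and not WordPress’s own code. It relies on three facts: wp-load.php reads wp-config.php from the install directory first and then from the parent directory provided that directory holds no wp-settings.php; wp-config.php defines the eight key and salt constants listed in KEYS; and WordPress uses those constants to sign cookies and nonces, so rotating them logs everyone out. It also sets DISALLOW_FILE_EDIT, the wp-config.php switch behind the “not allowing users to edit theme and plugin files” item in mistake #10. The directory layout (public_html as document root) and the sample config are constructed for the example, so it runs on a throwaway copy rather than a live site.

```python
"""Added example: audit and fix wp-config.php location, mode and keys.
Not code from the original post or from WordPress."""
import re
import secrets
import shutil
import stat
import string
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")
# Printable ASCII minus the two characters that would break a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
# Constructed stand-in for a fresh, unedited config.
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\n" + "".join(
    f"define('{k}', '{PLACEHOLDER}');\n" for k in KEYS
) + "$table_prefix = 'wp_';\nrequire_once ABSPATH . 'wp-settings.php';\n"


def find_config(abspath: Path) -> Optional[Path]:
    """Return the wp-config.php WordPress would load for this install directory, or None."""
    here = abspath / "wp-config.php"
    if here.is_file():
        return here
    up = abspath.parent / "wp-config.php"
    if up.is_file() and not (abspath.parent / "wp-settings.php").is_file():
        return up
    return None


def audit(abspath: Path) -> List[str]:
    """One finding per hardening item that is not yet in place."""
    cfg = find_config(abspath)
    if cfg is None:
        return ["no wp-config.php found"]
    findings: List[str] = []
    if cfg.parent == abspath:
        findings.append("wp-config.php is inside the web root; move it one directory up")
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & 0o007:
        findings.append(f"wp-config.php is world-readable (mode {mode:04o}); use 0640")
    text = cfg.read_text()
    values = {m["name"]: m["value"] for m in DEFINE_RE.finditer(text)}
    stale = [k for k in KEYS if values.get(k) in (None, PLACEHOLDER)]
    if stale:
        findings.append("keys still at the sample default: " + ", ".join(stale))
    if "DISALLOW_FILE_EDIT" not in text:
        findings.append("DISALLOW_FILE_EDIT not set; the theme/plugin editor is enabled")
    return findings


def rotate_keys(cfg: Path, length: int = 64) -> Dict[str, str]:
    """Replace all eight constants with fresh CSPRNG values (logs every user out)."""
    new = {k: "".join(secrets.choice(ALPHABET) for _ in range(length)) for k in KEYS}
    text = cfg.read_text()
    for k, v in new.items():
        line = f"define('{k}', '{v}');"
        pat = re.compile(rf"define\(\s*'{k}'\s*,\s*'[^']*'\s*\);")
        text = pat.sub(lambda _m, line=line: line, text) if pat.search(text) else text + line + "\n"
    cfg.write_text(text)
    return new


def harden(abspath: Path) -> Path:
    """Apply items 8 and 9 plus DISALLOW_FILE_EDIT; returns the config's new path."""
    cfg = find_config(abspath)
    if cfg is None:
        raise FileNotFoundError("no wp-config.php to harden")
    target = abspath.parent / "wp-config.php"
    if cfg != target:
        shutil.move(str(cfg), str(target))
    target.chmod(0o640)
    rotate_keys(target)
    text = target.read_text()
    if "DISALLOW_FILE_EDIT" not in text:
        marker = "require_once ABSPATH . 'wp-settings.php';"   # constant must precede this
        add = "define('DISALLOW_FILE_EDIT', true);\n"
        text = text.replace(marker, add + marker) if marker in text else text + add
        target.write_text(text)
    return target


def demo() -> Tuple[List[str], List[str]]:
    """Build the assumed layout <tmp>/public_html/ and return findings before and after."""
    abspath = Path(tempfile.mkdtemp()) / "public_html"   # assumed document root
    abspath.mkdir()
    (abspath / "wp-settings.php").write_text("<?php // stand-in for the core file\n")
    cfg = abspath / "wp-config.php"
    cfg.write_text(SAMPLE_CONFIG)
    cfg.chmod(0o644)                                     # the usual world-readable default
    before = audit(abspath)
    harden(abspath)
    return before, audit(abspath)


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after or "clean")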
10- Failure to harden the security of your WordPress site
There are a number of awesome security plugins you can use to harden your WordPress blog. One of my all-time favorites is Better WP Security. It is really an amazing plugin that manages to accomplish quite a bit toward hardening any WordPress site.
The only problem that I’ve run into with this particular plugin is #8: Your WordPress admin area is available 24/7. Do you really update 24 hours a day?
It seems that every time I enable #8 I end up locking myself out of the backend and have to manually edit a file on my webserver to get myself back in again.
Better WP Security [Plug-in]
- You are enforcing strong passwords for all users.
- Your WordPress header is revealing as little information as possible.
- Non-administrators cannot see available updates.
- The admin user has been removed.
- The user with id 1 has been removed.
- Your table prefix is EEE_
- You have scheduled regular backups of your WordPress database.
- Your WordPress admin area is available 24/7. Do you really update 24 hours a day?
- You are blocking known bad hosts and agents with HackRepair.com’s blacklist…
- Your login area is protected from brute force attacks.
- Your WordPress admin area is hidden.
- Your .htaccess file is fully secured.
- Your installation is actively blocking attackers trying to scan your site for vulnerabilities.
- Your installation is actively looking for changed files.
- Your installation does not accept long URLs.
- You are not allowing users to edit theme and plugin files from the WordPress backend.
- Better WP Security is allowed to write to wp-config.php and .htaccess.
- wp-config.php and .htaccess are not writeable.
- Version information is obscured to all non admin users.
- You have renamed the wp-content directory of your site.
- You are requiring a secure connection for logins and the admin area.
The above list is not a silver bullet or cure-all; it takes constant vigilance (logging, spam filtering, tweaking, and awareness of potential exploits) to stay one step ahead of the bad guys.
Note: I am currently testing: Wordfence: I have this installed on a few WordPress blogs now. It is quite an impressive plugin and allows file change comparisons. File alerts are awesome too. I just received an alert on two plug-in updates that need to be resolved today. I also purchased the premium version for one site so that I could scan the public facing side for vulnerabilities.
Some people were offended
WordPress admins, listen up. Your lazy WordPress no-security practices are a strong factor in propagating these types of attacks; If you are clueless about the WordPress core; If your blog gets blacklisted before it even gets off the ground – you only have yourself to blame.
In the real world of WordPress self-hosted sites – there is a high % of site admins that do not admin the site at all. It’s just there to generate $$$’s, and unfortunately in many cases, the unattended CMS platform ends up with something like the Blackhole Exploit Kit – which progresses to attack any vulnerable system that lands at the infected blog.
It also affects the web community as a whole. If a person installs a self-hosted blog, I strongly believe that they better be up to par on securing it and responsible enough not to expose their “no-security” blunders to the rest of us.
I perceive it like this: I’m driving down the freeway at 65mph and the truck in front of me has a bunch of sheetrock that is not secured. The sheetrock flies off the truck and hits my Jeep full force and causes a pile-up, including fatalities.
Because the person in the sheetrock truck was too lazy to secure the load – the “victims” from the accident have serious injuries and even death. What could have prevented this type of scenario?
I’m always questioning the “why.” Why did that sheetrock kill and injure innocent drivers? Why do those “no-secure” WordPress sites infect people who simply visit their blog?
Perhaps the initial gist was lost in the translation? Clueless, lazy and blame were directed at site admins who couldn’t care less about WordPress security, not at site admins who sincerely try to secure their WordPress blogs. I could get hacked tomorrow and so could you – but at least we tried to harden it 🙂
In the end, it’s really all about taking digital “responsibility” and helping to make the global webspace safe for all 🙂
Originally posted at the Experts-Exchange Tech News Blog on 19.03.2013.
Do you have any WordPress (self-hosted) security advice to add? Please post a comment and share your tips with the community!