I have been blogging with WordPress since 2007. It’s a fantastic platform with a huge variety of plugins and themes that make for a great experience for you and your readers. However, if you follow poor security practices, it can all turn to custard pretty quickly. In this article I will look at the main causes of WordPress security issues and how to lock your blog down to avoid them.
So, what’s the problem?
In a complex CMS environment like WordPress, where end users run the software on a wide range of server environments with different themes, plugins and third-party software, there are going to be vulnerabilities. When unsavoury types find a way into your site through one of them, you are going to have problems. To avoid this, it is essential that you keep your core WordPress install, all plugins and all themes up to date.
If you have a vulnerable WordPress install, attackers can:
- Execute arbitrary code on your server
- Inject arbitrary script or HTML into your pages (cross-site scripting) and edit your posts
- Cause a denial of service (crashes, CPU and bandwidth exhaustion)
- Inject and execute SQL commands against your database
- Obtain sensitive data such as passwords
- Redirect your visitors to arbitrary websites and conduct phishing attacks
- Perform cross-site request forgery (CSRF), tricking a logged-in administrator's browser into carrying out actions on their behalf
- Create hidden posts on your site, visible only to search engines, that form a link network pointing at the attacker's site
- Plant a backdoor to regain access to your site even after the original vulnerability is patched
- Embed obfuscated (for example base64-encoded) code in your PHP core and theme files
What are the main causes?
As mentioned above, the primary root cause is outdated software: your core WordPress install, plugins and theme files. This is why a range of WordPress management services have appeared that make it much easier to keep everything updated; WP Remote and InfiniteWP are two good free options.
Some other common causes are:
- Downloading themes from untrusted sources; these often have backdoors hidden in the theme files as obfuscated (base64-encoded) PHP
- Accessing your WordPress site from an infected computer, which can leak your login details
- Having a weak password on the main admin account
Where to find out more about these vulnerabilities?
At the time of writing there are 30 known vulnerabilities in the core files of WordPress 3.x, and if your install has not been updated to the most recent version you may be vulnerable. To see a list of known WordPress vulnerabilities, view the list provided by Secunia, or, if you want to follow the main development of WordPress and get immediate notice of any critical patches, subscribe to the WordPress development blog.
Tips to lock down your blog:
- Back up your site regularly – Ensure you know how to rebuild the site at any time
- Keep the WordPress core system updated
- Keep all themes and plugins updated
- Avoid using themes from untrusted sources; they often have backdoors hidden in obfuscated code, which is particularly common with pirated premium themes found on file locker sites like Mediafire and RapidShare
- Use a strong password and don’t use it on other sites
- Ensure the computer you are using to access the WordPress site on is malware and virus free
- Monitor your server and user statistics, and investigate suspicious activity
- Stop directory listings of your theme and plugin folders with a blank index.html file in each (or, better, an Options -Indexes directive in .htaccess, which also covers folders added later)
- Remove the WordPress version from the generator meta tag in your page head, so scanners cannot match it against known vulnerabilities
- Restrict access to the wp-admin folder with rules in your .htaccess file, such as an IP allowlist or HTTP basic authentication
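The following script is an added example, not code from the original post or from WordPress itself. It applies the three file-level tips above to a WordPress document root (blank index.html files plus Options -Indexes against directory listings, an .htaccess IP allowlist on wp-admin, and a must-use plugin that strips the version-bearing generator tag), reads the installed core version so you can compare it with the current release, and greps theme and plugin files for the eval/base64 pattern typical of the backdoors planted in pirated themes. It assumes Apache with .htaccess overrides enabled and the stock directory layout; the admin IP 203.0.113.10 and the plugin file name hide-wp-version.php are placeholders of my choosing.

```shell
#!/bin/sh
# Added example (not from the original post): file-level hardening and a
# couple of checks for a WordPress document root. Assumes Apache honouring
# .htaccess and the stock layout; 203.0.113.10 is a placeholder admin IP.
set -eu

# Installed core version, read from the file WordPress itself defines it in.
wp_core_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" | cut -d "'" -f 2
}

# Succeeds (exit 0) if the saved HTML of a page still carries the generator
# tag that advertises the WordPress version to scanners.
wp_leaks_version() {
    grep -qi '<meta name="generator" content="WordPress' "$1"
}

# Lists PHP files under a directory that eval() decoded data, the pattern
# seen in backdoors hidden in pirated themes. Review hits by hand: a few
# legitimate plugins use base64_decode for other reasons.
wp_find_suspicious() {
    grep -rlE --include='*.php' \
        'eval *\( *(base64_decode|gzinflate|str_rot13)' "$1" || true
}

# Apply the hardening to the document root in $1, allowing wp-admin only
# from the IP in $2 (defaults to the placeholder address).
wp_harden() {
    root=$1
    allowed_ip=${2:-203.0.113.10}

    # 1. Directory listings: a blank index.html in each content directory,
    #    plus Options -Indexes so the server never lists them even when a
    #    newly installed plugin directory lacks an index file.
    for d in themes plugins uploads; do
        mkdir -p "$root/wp-content/$d"
        [ -e "$root/wp-content/$d/index.html" ] || : > "$root/wp-content/$d/index.html"
    done
    printf 'Options -Indexes\n' > "$root/wp-content/.htaccess"

    # 2. wp-admin reachable only from the allowlisted IP. Both the Apache 2.4
    #    (mod_authz_core) and 2.2 syntaxes are written. admin-ajax.php stays
    #    open because front-end plugins call it for anonymous visitors.
    mkdir -p "$root/wp-admin"
    cat > "$root/wp-admin/.htaccess" <<EOF
<IfModule mod_authz_core.c>
    Require ip $allowed_ip
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $allowed_ip
</IfModule>
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
EOF

    # 3. Must-use plugin (always loaded, cannot be switched off from the
    #    dashboard) that removes the generator tag from the page head and
    #    from feeds, where the_generator also prints the version.
    mkdir -p "$root/wp-content/mu-plugins"
    cat > "$root/wp-content/mu-plugins/hide-wp-version.php" <<'EOF'
<?php
/* Plugin Name: Hide WordPress version (example placeholder plugin) */
remove_action('wp_head', 'wp_generator');
function hide_wp_version_generator() { return ''; }
add_filter('the_generator', 'hide_wp_version_generator');
EOF
}

# Usage: sh harden-wp.sh /var/www/html 198.51.100.7
if [ $# -ge 1 ]; then
    wp_harden "$1" "${2:-}"
    echo "WordPress core version: $(wp_core_version "$1")"
    wp_find_suspicious "$1/wp-content"
fi
```

Run it against the document root and then fetch your home page with a browser or curl and feed the saved HTML to wp_leaks_version to confirm the generator tag is gone. The admin-ajax.php exception matters: without it, any plugin that uses AJAX for logged-out visitors (contact forms, live search) breaks for everyone outside the allowlist.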
There are also some great plugins that help enhance the security of your WordPress install. The best options which I have personally used on sites include:
We’ve just published an infographic on WordPress Security, head on over and check it out.