I once heard the quote, “Anyone can play basketball, but only a few can play in the NBA.” The same is true with WordPress developers. Anyone can figure out how to install a WordPress website onto a garden-variety server. However, the amateurs are quickly separated from the pros when it comes to things like security hardening, third-party plugin conflicts, multisite weirdness, and keeping the spam-bots out of your content. You can claim to be a pro all you want, but when the real world hits your site, your skills will be challenged in a way that will either prove (or disprove) your claim!
This week, my true test was in the security department. No matter how much security you put into your WordPress sites, you can never assume a plugin will not break that security, nor can you assume a third-party plugin author had security in mind when they wrote their code. With almost 75 million WordPress websites out there (18.9% of all self-hosted websites on the Internet), there is a lot to be gained by hacking any WordPress installation. Most hackers go after those sites that do not update their code. I can only imagine the army of zombies (compromised sites used to attack visitors or launch attacks against other sites) these hackers can create from just a fraction of the total WordPress sites out there. But there is another group of hackers that are looking for something more precious – private or protected content. These guys are after the stuff you think is secure – your WordPress admin backend, internal company information, server access credentials, draft documents, membership lists, resumes, phone numbers, email addresses, etc. – anything you do not want the Internet to see!
So how do you keep these creeps out of your site? Well, if you understand how security professionals think, then you have to take a page from their playbook and assume the bad guys are already inside your code. What does that mean? It means that the hackers already know EVERYTHING about your site before you even load the code to your server. They already have access to every release of WordPress source code ever made! This means they already know all your out-of-the-box file names, folder names, and where all the goodies are kept (e.g. wp-config, uploads, wp-admin). They most likely know how your server is set up too, and what counter-measures your host will deploy to stop any attacks. So, before you have even un-zipped the WordPress installation code, hackers are three steps ahead of you! Doesn’t seem fair, does it?
So to prevent yourself from being an easy target, you need to get ahead of the hackers and fast! You need to make your WordPress site a Day-Zero hard target by employing some simple, yet effective, defensive measures as follows:
1. Pre-Installation Thinking: Michiel Heijmans, renowned WordPress plugin developer and founder of Yoast, has an article on his SEO Blog called WordPress Security. Heijmans’ article gives you a great perspective on his view of WordPress Security that includes pre-installation thinking like picking a good host, the dangers of free themes and plugins, and a focus on replacing ALL defaults (including the database prefix). Heijmans’ article also introduces Sucuri, a globally recognized website security company that can audit your WordPress security measures, or help recover your site from a hack.
2. Optimization Thinking: Amit Agarwal, founder of Digital Inspiration, wrote another great security article called Optimize your WordPress Installation. Agarwal covers many of the tweaks you need to make to the out-of-the-box WordPress installation to keep it from becoming a target. Although he shares several of the same tips as Heijmans, Agarwal gives you a step-by-step guide to reducing the elements within your security profile that you probably didn’t realize were a potential threat (e.g. too many RSS feeds). Not every step in this guide will be effective for every situation, but it will give you a fighting chance to make your site much tougher to crack.
3. Beyond Optimization Thinking: Kevin Muldoon from WPMUDEV has written an excellent article called WordPress Security: The Ultimate Guide. Unlike the first two gurus, Muldoon gives you some insight into the world of WordPress hacking, resources for advanced security reading, and challenges you on what should be common-sense security (that many developers, to my surprise, often overlook). One of the more asymmetrical strategies this article provides is thoughts regarding backups as a fallback plan to any successful hack. If all your security efforts fail, it’s good to think that a simple backup could be a vital part of your recovery plan. Muldoon’s ultimate advice is, “If you fail to prepare, prepare to fail.”
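The “replace ALL defaults” advice above is easy to check for mechanically. The script below is an added example (not code from any of the articles linked here) that scans a wp-config.php for the placeholder values WordPress ships in wp-config-sample.php; the sample config it runs against is constructed for illustration.

```python
import re

# Placeholder values shipped in WordPress's wp-config-sample.php. Any of these
# surviving into production is an unchanged default an attacker already knows.
SAMPLE_DEFAULTS = {
    "DB_NAME": "database_name_here",
    "DB_USER": "username_here",
    "DB_PASSWORD": "password_here",
}
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SALT_PLACEHOLDER = "put your unique phrase here"

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_wp_config(text):
    """Extract define() constants and $table_prefix from wp-config.php source."""
    defines = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)

def audit_wp_config(text):
    """Return a list of findings; an empty list means no shipped default remains."""
    defines, prefix = parse_wp_config(text)
    findings = []
    for key, placeholder in SAMPLE_DEFAULTS.items():
        value = defines.get(key, placeholder)
        if value == placeholder or (key == "DB_PASSWORD" and value == ""):
            findings.append(f"{key} is missing, empty or the sample value")
    for key in SALT_KEYS:
        if defines.get(key, SALT_PLACEHOLDER) == SALT_PLACEHOLDER:
            findings.append(f"{key} is missing or the sample placeholder")
    if prefix is None or prefix == "wp_":
        findings.append("table_prefix is the default wp_")
    return findings

# Constructed sample (not a real site): database credentials were changed, but
# one salt and the table prefix were left exactly as shipped.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'blog_prod' );
define( 'DB_USER', 'blog_rw' );
define( 'DB_PASSWORD', 'Kq9#v2Lm!pX4' );
define( 'AUTH_KEY', 'put your unique phrase here' );
""" + "".join(f"define( '{k}', 'constructed-random-{k.lower()}' );\n"
              for k in SALT_KEYS[1:]) + "$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against your own wp-config.php before the site goes live; an empty result means the defaults the post warns about are gone, though it says nothing about the strength of what replaced them.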
This is obviously not an exhaustive list of WordPress security resources, but should be enough to make your site a much harder target. The key point to this post is to make you aware of just how vulnerable your WordPress website can be out-of-the-box, and how just a few security changes can make life so much better. Nobody wants to get hacked, and those that have been hacked certainly do not want to be hacked again!
When it came to criminals (like most hackers are), my father’s advice to me was, “Kyle, everyone hates guns until they get mugged!” The same can be true for WordPress security. Everyone hates thinking about security, until their site gets hacked! Then they can’t think about it enough. So, please don’t learn about security after the fact! Become a WordPress Development Pro by getting educated, getting disciplined, and most of all, become a hard-er target today.
And remember – WordPress security never ends!