Christian Szell: Is it safe?
Babe: Yes, it’s safe, it’s very safe, it’s so safe you wouldn’t believe it.
Christian Szell: Is it safe?
Babe: No. It’s not safe, it’s… very dangerous, be careful.
—Laurence Olivier and Dustin Hoffman in “Marathon Man”
Upfront, you need to know: You’re not safe; you’re not secure. Running a website is an inherently insecure operation. However, you can radically reduce your risk.
Much has been written about web and WordPress security. If you’re responsible for a website and have read none of it, your site is probably insecure. It’ll stay that way until you take your security responsibilities seriously.
Rather than repeat the volumes of excellent advice, we’ll link to some of the best sources, and briefly recap the basics. The following is (as is often the case at Transom) WordPress-centric.
Don’t Invite The Vampires In
Bad-bots need a way into your site to do their damage; don’t give them one. Security starts with the computer you’re using, then your Internet connection, then how you access your site. These secure steps are easy for everyone:
- Do make sure the computer you’re using is secure and free from viruses, malware, and keyboard-capturing spyware.
- Do run the latest version of your computer’s OS (e.g, Mac, Win); it’s usually the most secure.
- Do run the latest version of your web browsers: ditto.
- Do make sure the Internet connection you’re using is secure: if Wi-Fi, then preferably set to WPA2 (Wi-Fi Protected Access II).
- Do use strong passwords (Random Password Generator and the Password Generator Tool) or pass-phrases (Passphrase Generator).
- Don’t login from public Wi-Fi hotspots, if possible: too easy for packet-sniffers to intercept what you send over the Internet and grab your credentials (i.e., username/password).
- Don’t login from public computers: duh.
- Don’t login as Administrator for anything but admin tasks. Create a separate Editor or Author user for you to write, edit, or comment on your site.
- Don’t reuse passwords: 8-million LinkedIn passwords were published on the web in 2012. Evil-doers now know them all. So anywhere you use that same password, the bod-bots already know half of your username/password login credentials — they’re as good as in.
- Don’t make the username of your admin user be “admin”: too easy for bots to guess; when they do, they’re, again, halfway in.
- Do run the latest version of WordPress: it’s almost never insecure, and when it is, patches are released w/in hours.
- Do run the latest version of your plugins and themes: like WP updates, it just takes a single button-click to keep you safe.
- Do delete any themes and plugins you’re not using; just because they’re not activated doesn’t mean they’re not security risks.
- Do know the difference between a backup and a copy: A copy is on the same server, and might not do much good if your server’s compromised. A backup is kept on a different server (or your home computer’s hard drive).
- Do regular backups of your database, theme files, and uploads (images, audio, etc.). Popular, free backup plugins: BackWPup and WP-DBManager.
- Do consider these excellent for-pay backup & easy-restore solutions: BackupBuddy – the premiere WordPress backup plugin ($75/yr) and VaultPress – WordPress Backup and Security ($15/mo. — what Transom uses).
- Do regular security scans of your site; some popular, free security plugins:
- Do use these free security assistants: Sucuri SiteCheck and Google Webmaster Tools.
- Do consider these excellent for-pay security services: Sucuri Security and VaultPress.
- Do some reading:
- “Hardening WordPress”, WordPress Codex
- “Top 10 WordPress Security Myths”, @ProBlogger
- The WordPress Security Checklist (e-book)
- WordPress Security 101 (slides), Manifest Creative
- “How Apple and Amazon Security Flaws Led to My Epic Hacking”, Wired
- “Good to Know: A guide to staying safe and secure online”, Google
For the More Technical:
- Don’t name your WordPress database tables with the default prefix “wp_”.
- Don’t publish your version of WordPress in your web metatags.
- Do use SALT keys in your WordPress config file.
- Do use SFTP (Secure File Transfer Protocol) when accessing your web files, not FTP.
- Do some more reading:
How You Got Hacked
Odds are the bad-bots found their way in thru:
Path 1: A vulnerability on the shared server that hosts your web files. Once it got in, it infected other sites on the same server, including yours.
(If you pay less than $50/month for webhosting, you’re likely sharing a server: one computer running webserver software and sharing resources — RAM memory, disk space, CPU, etc. — for many clients and many sites, versus a more expensive VPS — virtual private server — or a dedicated server.)
Path 2: A vulnerability in one of the scripts your site runs. For instance, it might be an old version of one of your WordPress plugins. It had a flaw. The flaw was found and fixed in an update. But you were still running the old fatally flawed version, weren’t you?
A website is no simple proposition, it’s a computer whose files are purposely opened up to everyone on the entire Internet. When you view a webpage, you’re viewing someone’s computer files.
So how do you keep open access for everyone, and, at the same time, closed to bad-bots? To accomplish this miracle, people write security-conscious rigorously tested code, then after releasing it, they keep testing and improving, but…
There Will Be Flaws. The point is to find them and fix them fast.
Chad Feldheimer: I thought you might be worried… about the security… of your shit.
—Brad Pitt in “Burn After Reading”
However they got in, once the bots gained access, they probably planted additional openings at your site for their future access/attacks — a.k.a., your site might still be full of holes.
You gotta hunt down and destroy all these bot-installed files and database entries. Until then, your site’s still wide open, and re-infection is close to a certainty.
Take Me Back To Pre-Hack
To restore a hacked site, what you need is a pre-hacked version of your database, your theme files, and a fresh copy of WordPress. If you don’t have a backup of all your uploaded files (images, audio, etc.), you can get by with manually inspecting your folder: /wp-content/uploads for suspicious files — anything that ends in “.php” is probably malicious. Then you need to read a few of the fine restoring-WP tutorials. Start here: “Help I think I’ve been hacked”.
With clean copies of everything, you can often restore a site in fifteen minutes.
What, no backup copies? “If you fail to prepare, prepare to fail.”
If you don’t have backups, you will lose your work. If you don’t update your software, whether it’s your home computer’s files, or your site’s files (WordPress, Drupal, plugins etc.), then “Darling, you’re exposed.”
Marylin Rexroth: Can I trust you?
Miles Massey: Yes, you can trust me.
Miles Massey: [Marylin grabs the Massey prenup and tears it] Darling, you’re exposed!
Marylin Rexroth: A sitting duck.
—Catherine Zeta-Jones and George Clooney in “Intolerable Cruelty”
All software programs fill security holes by issuing patches. You get these patches by updating to the latest version. This is true of WordPress, the plugins people write for it, and the operating system (e.g., Win, Mac) running on the computer you’re using right now.
Without these security patches: You’ve Got Holes. Luckily, most good software, like WordPress, makes updating just a few button-clicks every week or so.
WordPress Wasn’t Your Problem
Your site was hacked. Your site runs on WordPress. But it is unlikely the attacker gained access thru WordPress. As of this writing WordPress has no known vulnerabilities. So says the Securi Team. So says the Common Vulnerabilities and Exposures list.
Not bad for the software that runs 17% of the top 1M sites.
WordPress has had problems. Being popular makes it (and other CMSes: Drupal, Joomla, etc.) a big target for socially maladjusted hackers. Even when the invasion comes from outside WordPress, bad-bots know WordPress’ structure, so it’s easier to infect .
But most problems come not from the core WordPress code, but from plugins written for it. The WordPress community can’t restrict what you put on your site, nor in your plugins folder. You, however, can be much more diligent about checking out plugins before letting them loose into your files (and maybe the files of others on your shared server).
Open-Source May Be Your Solution
The open-source community is essentially a gigantic geek army devoted to secure, purposeful, world-changing code. Most of the web runs on the open-source FreeBSD and Linux operating systems using the open-source Apache webserver software.
WordPress is by far the most popular web-publishing platform for self-hosted sites. But before even a single line of code is released to the public, it’s tested on the 60M websites hosted by the private company Automattic/WordPress.com.
A live look at activity across WordPress.com
Before and after releases, this code is scrutinized by legions of volunteer open-source programmers, plugin and theme authors, and documentation writers. When a security hole is found, it’s plugged, usually, within hours: As an example, read this article (by WP’s O.G., Matt Mullenweg — as in Automattic) on “The TimThumb Saga”, about when the TimThumb image processor — used by many WordPress plugins and themes — had a huge security hole.
WordPress often goes months without a single known vulnerability. Now compare that to proprietary projects like Windows and even Mac OS X. Those rarely go a day without security holes; and patches often take weeks. In many cases, even the largest companies have trouble competing with the security, flexibility, and features found in open-source software.
They Are Out to Get You
For the wide-awake worried, here’s some solutions to help you sleep…
Limit Login Attempts: Cracking your login credentials (i.e., guessing your username/password) is probably not how you’ll get hacked. But these plugins close that route by limiting the number of tries someone has to login: Login Security Solution and Limit Login Attempts.
Intrusion Detection Systems: This sends a notice whenever any file has been added, deleted, or modified: WordPress File Monitor Plus.
Email Updates: If you’re not often in your admin Dashboard, consider this tool, which sends an email whenever WP or one of your plugins has a new version: Update Notifications.
Blacklist Badbots: If you know wtf you’re doing, or can hire someone that does, consider this blacklist for your
.htaccess file — it blocks out bad-bots before they even get a peek inside your site: 5G Blacklist 2013.
(Some sites may need a few changes to the above 5G Blacklist, and a recent WordPress version required several 5G edits.)
WordPress helps you every step of the way, with secure well-tested code, vigilant vulnerability monitoring, instant information, and quick fixes when holes are found. But if you manage a website, you are the one responsible for your site’s security.
WordPress Security 101
Slides from a presentation by Manifest Creative at a Montana WordPress meetup:
Security Guard image from Apple Insider.
Badbot is part of the Popbot Universe, owned by ThreeA Production “The World’s Coolest Toy Company.”