Do you use WordPress safely? Did you know that there are loads of ways that hackers can attack both your website and your computer using malware or malicious code?
Get a free WPMU DEV plugin, plus free weekly tips and resources for using WordPress.
In this post, we’ll took an in-depth look at all of the issues, and hopefully by the end of it you’ll be able to keep your WordPress website, and your computer, safe.
But let’s start with a fun look at some recent WordPress Security issues – guaranteed to brighten everyone’s morning :)
The WordPress community has been abuzz over the past few weeks about the BlogPress SEO plugin. This plugin purports to create a backlinking scheme, with a paid version that basically gets you inbound links. Both of these are bad for your SEO – Google hates them – but I guess there are people out there that go for them. ANYWAY, for some reason the plugin developer emailed Yoast and asked him to promote the plugin. Yoast had a dig around and discovered this piece of code:
This code emails your admin email address to the developer. Eh? Wtf? I know!!!!
Not only that, but another WordPress user, Mtekk, discovered that the plugin operated as a backdoor – it allows someone who knows you admin email to log in to your site without a password. Ouch!
I emailed John at Mtekk and asked him about security in the WordPress Plugin Directory:
The review process for plugins, at this time, is not very stringent—especially compared to WordPress.org theme repository. In theory a bad plugin like BlogPress SEO could be approved and in the repository. As far as I know, there is not group of people checking every line of code on each new plugin release. The main reason is the checking is prohibitively expensive time and resource wise.
One thing to be aware of is a malicious individual can get a plugin in the repository while containing no malicious code. Then on a future update, the author could add in a backdoor as seen in the BlogPress SEO plugin. There is no review process before a plugin author tags a new release in SVN. Once a release is tagged, the automated update mechanism in WordPress will distribute this bad update to the plugin users that click “update” in their dashboard.
This is a little worrying given that most of us safety-conscious people tend to stick to plugins from the WordPress Directory as we assume that since they have been given the nod by WordPress they must be free from malicious code.
I emailed WordPress to ask them about this and Otto got back to me. He said that any author can submit their plugin to the directory. The plugins aren’t run, just checked for spam – once they are approved the developer can get access to the repository. However, there is no approval on either the code or the code reviews so it is possible for malware to be inserted. He did make it clear that any plugin author who inserted malware or malicious code would have his/her plugins removed and be blocked from wordpress.org. It isn’t something that has been an issue in the past.
UPDATE: Otto posted this in the comments so I thought it would be worth adding it here:
It’s probably worth mentioning that if we are alerted to malware in the WordPress.org Plugin Directory, we can go in, remove the malware, and use the plugin distribution mechanism to let users update their plugins, removing the threat. Yet another reason to keep your plugins up-to-date.
In fact, Yoast did use the WordPress directory to go some way towards solving the BlogPress SEO issue.
However, what this does mean is that our 100% unshakeable inviolable faith in the WordPress Plugin Directory may be a little bit shaken, violable and a tiny bit misplaced.
Here’s a tip from John at Mtekk:
It all comes down to finding trustworthy plugin authors, and doing a little research on a plugin before installing it. These two tasks will go a long way in preventing issues.
Worried yet? Here’s another recent security issue with WordPress:
In April of this year, there was a mass hack of WordPress sites hosted on Network Solutions.
Basically, lots of people using WordPress had set their file permissions on their wp-config.php file to 755 (if you don’t know anything about file permissions I’ll tell you all about it in a moment). This meant that anyone was able to read them. A user at Network Solutions created a script to find all of those unprotected wp-config.php files with all of their lovely database login information. And that was that. Hundreds of WordPress sites were redirecting to websites containing malware.
The thought of my website taking my few visitors to a website that’ll infect them with malware makes me very sad :(
In order to make myself happy again, here’s my:
8 Security Tips and Tricks to Make Your WordPress Website a Safer Place
This is one of the most important things you can do. If you update your site then you are already miles ahead of other people who don’t. An update will close up any security loopholes – this is true for plugins, themes, and for WordPress itself. It really is important to take notice of that WordPress nag message – after all, updating only takes about 30 seconds. If you can’t be bothered with that then you really are lazy.
Get your File Permissions right
If you’re like me you think you’ve got all of your file permissions right. Then you check them and you realize they’re like this:
In order to get that nice table I installed a plugin called Bulletproof Security. This is a huge plugin which should take care of many of your security needs. It gives you loads of information about your site, protects you from hacking attempts, protects your all important htaccess and wp-config files, and even lets you turn on maintenance mode! Also, it’ll tell you, like me, if your permissions are wrong :)
In order to fix my file permissions I used FileZilla, which is my FTP client of choice (only because I’ve never really used any others – recommendations plz!). If you want to learn how to use FileZilla you can check out this guide right from WordPress.
Connect to your site using your FTP client, right click on the correct file or folder and select “File Permissions” like so:
This will open up a nice window like this where you can edit your file permissions:
Tip: Always make sure that your wp-config.php file is set to 750. This is recommended by the WordPress codex and is really important for sites using shared hosting. We really want to avoid any mass hacking attacks!
Backup your database
Backing up your database is an important part of any security procedures. If your WordPress website is hacked then you want to be able to restore in easily. There are plenty of blog posts out the made by exasperated people who’ve been hacked and who haven’t backed up their databases in month.
When it comes to backing up your database, there are two options:
1. Set up a Cron job using your GUI
Setting up a Cron job can be a bit daunting if you’re not used to playing around in your cPanel or Plesk. However, setting it up this way will mean you don’t have to use a plugin and can have the confidence in knowing that you’ve set it up yourself. Here’s a post from Sarah about how to set up a Cron job.
2. Use a plugin
Of course, there are WordPress Plugins for just about everything and there are plenty that you can use to backup your database.
Tip: Avoid using a Backup Plugin that only emails you your MySQL backup. Email accounts have a habit of getting hacked (I had a major email hacking incident earlier this year :( ) and if a hacker wants your email address think about everything they could get up to with your MySQL database. It’s unpleasant enough dealing with an email hack – don’t make it so that you have to deal with a website hack at the same time!
You could try a plugin like xCloner which will take care of all of that backing up for you. You can save it to a secure folder on your server, have it emailed to yourself (see above!) or have it sent to you via FTP.
Delete the admin user
The admin user is often the target of brute force attacks on site. Since the hacker already knows the username – admin – they can use a password generator to try to come up with the password for your site. If you are setting up a new WordPress site you can simply use a different name for the admin. If you have an existing installation, create a new user with administrator settings and delete the old admin username. It’s simple but it’ll improve your security!
Use a Security Plugin
There are loads of security plugins out there to help you close any loopholes in your WordPress website. Here are two that I’m a fan of:
Bulletproof Security: I showed you earlier how you can fix your file permissions with Bulletproof Security. It also protects you from injection hacking attempts and enables you to switch easily from different levels of .htaccess security.
Secure WordPress: Secure WordPress does many of those little things that you should deal with after a WordPress installation. Among other things it removes theme and plugin updater information for non-admins, removes the wp-version except in admin areas, and removes Really Simple Discovery.
Use AntiVirus and AntiMalware
No doubt you use both anti-virus and anti-malware on your computer. But do you use them on your WordPress website? Both of these plugins will help to keep your WordPress website secure:
AntiVirus: This provides a quick and simple check to ensure that your blog is protected against spam injections and exploits. Just activate and check to make sure that your WordPress website is secure.
Wp-Malwatch: This is another plugin which scans your website for malicious activity. It does this every day and posts to your dashboard to let you know if there are any problems.
Download Plugins & Themes from the Directory or another reputable site
I talked earlier about the BlogPress SEO plugin which not only emails the admin email address to the developer but also opens up a backdoor in your WordPress website. As we saw, it is possible for a developer to sneak in a piece of malware or suspicious code into the WordPress Directory, but Otto reported to me that he had never experienced it happening. In any case, BlogPress SEO was not in the WordPress Directory and it goes to show that it is still safer to get your plugins from there. Or, of course, you could get them from another reputable site (which tend to be premium sites) such as WPMU Dev, WP Plugins, Woo Themes, BuddyDress or Graph Paper Press.
Here are a few tips to help you out when looking for plugins or themes:
- Make sure that the download location is the same as the website that you are on. You can do this by hovering over the link – although be aware that a malicious website may use a cloaking script to hide the actual location of the theme so you may need to click on the link to see it. If it’s hosted location is different to the website location then avoid downloading it. If you want the theme you can use Google to find the original domain for the theme or plugin.
- Google it. A little bit of research can go a long way. If a plugin has been around for a little while you may find that someone else has already picked up on it as spam. Like so:
- Premium Themes and Plugins are a good way to avoid spammy plugins and themes. You will also find that premium versions will have a team of paid developers who will be constantly updating the plugins and themes for security loopholes so you can be more confident about remaining secure with them. On a recent plugin cull on a WordPress site I found a plugin that hadn’t been updated since 2008. Not good!
- Scan your themes. You can use a plugin called WordPress Theme Authenticity Checker which will scan any uploaded themes for problems. This is essential if you are uploading themes from everywhere and anywhere. The plugin will scan your theme for any malicious code.
Here’s a clean template:
And here’s one with code:
Actually, TemplateLite were pretty upfront about including external links (although base64_decode can be used to hide all manner of things).
Other template websites won’t be so upfront.
Tip: Only use plugins and themes that have been recently updated. There are loads of plugins in the directory that say that they are compatible up to WordPress 2.5 or 2.1 or 2.8 or whatever. They may still work with your WordPress installation but that doesn’t mean that they are secure. Choose plugins and themes that are updated regularly.
And last, but by no means least:
You would be surprised at how many people have totally lame passwords. They might use 123456 or abcdefg. Pretty dumb, right? I mean, if a password is as easy as that to remember then a hacker is going to be able to easily guess it and get access to your site. You could use a site like goodpassword.com to help you to generate your password, or you could come up with it yourself. This should be at least 8 characters, a mixture of numbers and letters, with at least one uppercase and one lowercase letter. You should use different secure passwords for your database, your website, your ftp – for everything you use.
Tip: Struggle to remember complicated passwords? I know I do. Rather than keeping them in a file or spreadsheet on your computer use the old fashioned method. Get out a pen and a piece of paper, write them down and keep them somewhere safe in your office. Remember, a hacker may be able to get into your computer but they can’t hack into your physical location (yet!!!!)
Had enough of security? Here are some extra resources to get you all filled up on WordPress security practices.
Here’s a pretty good presentation from thewebtrainer.com about how to secure your WordPress blog. Unfortunately the last few minutes seem to be missing but you can figure out what’s going on from the slides :)
And here’s some further reading for all you eager beavers:
- Smashing Magazine’s 10 useful WordPress Security Tweaks
- WordPrezzie’s WordPress Security Tips
- Sarah Gooding with 7 quick strategies to beef up your security
Got a favorite WordPress Security Tip, Tweak, Plugin or Hack? Let us know in the comments below!