WordPress Security

WordPress owes much of its success to the fact that it is and easy to use application and, thanks to its five minute installation, easy to get up and running. Just about anyone who can patiently sit through a few clicks of the mouse can begin publishing via WordPress in a matter of minutes.

With over 9.7 million active installations of WordPress and 32 of the Technorati Top 100 blogs of 2009 using the application for either self-hosted blogs or blogs hosted on WordPress.com, it is easy to say that WordPress is by far the most popular blogging system in existence.

Real Security Threats

Even though it is the choice of so many bloggers, WordPress is not without its problems. These problems generally surround the security of the application itself. Over the years, blogs running WordPress have been the targets of multiple attacks designed to deface the web site, interrupt service, or steal sensitive data.

According to the National Vulnerability Database, WordPress went from 2 known vulnerabilities in 1988 to 5,733 in 2009. In the first month of 2010, 377 vulnerabilities were already discovered. These came months after a recent update of the software that dealt with specific vulnerabilities found in the previous version of the software.

Unfortunately, most people who install WordPress don't give security a second thought. Many of them are under the impression that since they don’t house financial information or sensitive user information, their blog is not a target for attack. This, however, was disproved by recent attacks where blogs were infected with a worm that created a hidden administrator account on the blog. Additionally, the attack inserted spam and malicious links into postings hosted on the blog. Did this attack result in a Denial of Service or data theft, no. But that was its intent. By infecting a large number of sites, the chances that unsuspecting visitors would fall for their spam or malicious links made everyday blogs a perfect target for this campaign.

This link injection attack not only made the cyber criminals a good chunk of money, but it seriously hurt the infected blog’s search engine position because once the spiders found the spam and malicious links, these sites were flagged by Google and the others.

Protecting WordPress

The one thing that any publisher using WordPress needs to do to secure their site is to update their software whenever one is available. Fortunately, WordPress has made this easy to do through the dashboard by simply clicking on the WordPress 2.x.x update is available link found at the top of the page.

Keeping WordPress up-to-date is a start, and while it may be the most effective step you take in securing your blog, it is not the only one. To secure WordPress, it is also recommended that you:

• Change the default administrator name. WordPress automatically calls the administrator admin. If an attacker knows that you are using WordPress, then they already have 50% of your user credentials. Changing this to something obscure doubles the amount of work an attacker may have to do. Odds are they will move on to another site.
• Use a strong password. While this may seem like a obvious step, it was recently found that out of the 32 million + passwords exposed in an attack against the RockYou social network, 123456, 12345, and 123456789 were the most popular. The rest of the top twenty weren’t any stronger. Strong passwords make it difficult for brute force attacks to be successful. Using a combination of upper case letters, lower case letters, numbers, and symbols without any frequently used words is considered to be the most secure.
• Be careful with plug-ins. Plug-ins are great because the enhance the functionality of your blog. However, like any software, they can contain vulnerabilities. Keep plug-ins updated. As soon as there is an update available, make sure it is installed. Also, only install plug-ins from trusted developers. Anyone can release a plug-in that makes great claims but really opens a hole to be exploited.
• Remove mentions of WordPress. Most people may feel guilty about removing the Powered by WordPress tag from their blog, but this is about securing your blog and your visitors. Remove the WordPress version meta data from your theme, remove any links back to WordPress from your blog, and add the line: to the functions.php file. The latter helps hide your WordPress version from being displayed in your pages.
• Protect your directories. Web hosts often allow for the ability to browse a site’s directories as a default configuration. Unfortunately, this also allows someone to see the contents of these directories. Adding: Options All -Indexes to the .htaccess file (on an Apache hosted web site) disables this.
  Also, you can take an even further step by Whitelisting the IP addresses that are able to access the wp-admin directory by adding the lines:

  AuthUserFile /dev/null
  AuthGroupFile /dev/null
  AuthName "WordPress Admin Access Control"
  AuthType Basic
  
  order deny,allow
  deny from all
  # allow address 1
  allow from xx.xx.xx.xx
  # allow address 2
  allow from xx.xx.xx.xx
  
  

  
  This should be added to the .htaccess file found in /wp-admin/ folder. Substitute your IP address(es) for the x’s and this will block access from any IP address not identified.
• Use a Web Application Firewall. Firewalls are used to secure networks and individual computers, so why not use them to protect web applications as well? Web Application Firewalls (WAF) protect web applications from known, and unknown, vulnerabilities. Deploying a web application firewall on the server that hosts your WordPress, or any other web application, installation helps protect your site against vulnerabilities found in plug-ins, software that has not been updated, and zero-day attacks. You can ask your hosting provider if they offer web application security as a service. If not, point them to this article.

(Special thanks to wpbeginner.com for the code found in Protect Your Admin folder in WordPress by Limiting Access in .htaccess)

After reading this, many people may second guess their decision to install WordPress. However, that is not the intent of this warning. WordPress powers millions of blogs, and those that take security seriously run for years without any incident. Failure to protect any web application will result in the site being attacked. WordPress is no more susceptible than Joomla!, Moodle, MediaWiki, Drupal, or even a standard HTML powered site. Although its popularity does make it a bigger target, smart WordPress administrators will rise to these challenges and continue to provide blogs with great content in an environment that has been hardened against attack.

Related Articles:

Why Web Application Security?
What is Cross-Site Scripting (XSS)?
Senior bureaucrats lax on BlackBerry security