Securing WordPress

Posted by on May 8, 2013 in Blog, Security


From the National Republican Congressional Committee to Washington State’s Courts and LivingSocial, we’re seeing increasing cyberattacks on websites in the news, so we thought it’d be a good time to go over some common problems and potential solutions. While there are always going to be internal threats and 0-day attacks, the following are some standard techniques to help keep you ahead of the curve.

If you’ve already been hacked, contact us immediately! It’s going to take much more than these pointers to fix.

Updating WordPress

Even Google goes out of its way to stress the importance of keeping WordPress updated from time to time.

“Matt Cutts of Google confirmed the new notifications via Twitter saying, “we’re kicking off a fresh run to inform webmasters with out-of-date/insecure versions of WordPress.”

WordPress blogs are known to be targets for hackers and Google is aware of this. If you keep your WordPress blog updated to the latest security patches, a hack is less likely to happen.”

Log in to WordPress and, if an update is needed, you’ll see a warning on your dashboard. Don’t ignore these! Ensuring your install, plugins, and themes are up to date helps protect your site from an ever-growing list of threats.

Some things to keep in mind:

  • BACKUP FIRST. Always. No excuses.
  • Compatibility issues
    Check to see if your theme and plugins have been tested with the latest version of WordPress. Sometimes new functionality breaks older versions, so you’ll need to update everything. This is part of what makes security an ongoing issue, not a one-time fix.
  • Hacked themes/plugins
    This time we’re using ‘hack’ in the classical sense. Often coders, either because they’re smart or lazy, will modify an existing theme. A smart coder does this to save time and reuse good code. They’ll follow the Codex guidelines and create a child theme (or plugin) to make sure updates won’t wipe out their changes. A lazy coder simply modifies the existing files. You won’t find out until the next update, when your site gets hosed.
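The child-theme approach described above, as an added example rather than code from the post: the parent theme directory twentythirteen and the child name example-child are assumed.

```php
<?php
/**
 * functions.php for the child theme in wp-content/themes/example-child/
 * (hypothetical names). The same directory needs a style.css whose header
 * declares the parent:
 *
 *     Theme Name: Example Child
 *     Template:   twentythirteen
 *
 * "Template" is the parent theme's directory name. WordPress falls back to the
 * parent for every file the child does not provide, so updating the parent
 * replaces only the parent's files and the customisations in this directory
 * survive the update.
 */

// Load the parent stylesheet first, then the child's, so child rules win.
add_action( 'wp_enqueue_scripts', 'example_child_enqueue_styles' );
function example_child_enqueue_styles() {
    // get_template_directory_uri() points at the parent, get_stylesheet_directory_uri() at the child.
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
}

// To change a parent template, copy it into the child directory (for example
// wp-content/themes/example-child/header.php) and edit the copy. The child's
// copy takes precedence automatically and the parent's file stays untouched.

// Behaviour changes belong in hooks here, never in edited parent files. As one
// illustration, stop WordPress from advertising its version in the generated
// <meta name="generator"> tag, so visitors cannot read the patch level off the page.
remove_action( 'wp_head', 'wp_generator' );
```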

Secure Passwords

Hopefully, you’re already using a complex passphrase that’s easy for you to remember, and a multi-factor authentication solution. But if not, you might want to start by reviewing these accounts:

  • WordPress users
    Pretty straightforward here: anyone who can even contribute content should be using a strong password. And preferably a second factor. We like Duo Push for convenience.
  • FTP accounts
    Log into your hosting provider’s account and check that FTP access is secured with a strong password as well. These days, everyone is so focused on the content management system (CMS) side that it’s easy to forget the FTP accounts.
  • Shell accounts
    Your host may also give you shell access. This is like the command prompt in Windows. It’s crucial this account is protected by a strong password. Generally, we add Google Authenticator as the second factor. While we’re still on the hosting provider…
  • Web Host accounts
    These accounts can override the other two, and can probably make changes to the domain. That affects your website, but also your email routing.