The Montréal WordPress community held an event this month on WordPress security. The event had a talk followed by a “show and tell” segment. This is the companion article for that talk.
This is an important topic for everyone, not just for WordPress experts, so it’s great to have a chance to teach the community about it.
The goal of the talk was to give everyone an overview of WordPress security. That includes basic concepts and some recommendations. The recommendations themselves target WordPress users of all skill levels. If you’re an advanced WordPress user, you might not learn as much.
Slides
Don’t like reading? Just want the slides? Here you go!
For everyone else, let’s get to it!
Concepts
Before we get to the recommendations, let’s go over some core concepts around security. This will help you put a lot of the recommendations into perspective.
Attack types
Let’s start with the types of attacks you can suffer. They fit into two broad categories: generalized and targeted.
Generalized
These are the types of attacks that you associate with “being hacked”. They’re opportunistic in nature. Attackers use bots to search the web for sites with known vulnerabilities like “TimThumb”. They use these low-hanging vulnerabilities to infect sites on a large scale.
Targeted
A targeted attack is about focusing on a specific site. These tend to be large WordPress sites with lots of traffic and exposure. They have a larger potential payoff for the attacker, so they’re worth more time and energy to compromise. It’s also why most of us will never suffer from this type of attack.
One exception is former employees or contractors. If your relationship didn’t end well, they might want to attack you as payback (real mature, I know). That said, you should never underestimate the motivation of a disgruntled person.
Vectors
Vectors are the different ways by which an attacker attempts to infect your site. It’s THE concept to understand.
Every security recommendation out there is about them. Each one attempts to remove or reduce the risk of a vector of attack. The fewer vectors of attack you have, the safer you are. That’s a bit of a generalization, but it shows the importance of the concept.
Here are some of the common vectors that attackers use to infect sites.
Using vulnerable software
Vulnerable software isn’t just about using out-of-date versions. It’s easy to think of the two as the same. Rather you should focus on the vulnerable state of the software. Being out-of-date is one way for software to be vulnerable.
So what makes out-of-date software vulnerable? It’s the vulnerabilities that the developer repaired. These vulnerabilities often become public knowledge once they’re fixed. By falling behind, you’re exposing yourself to them. For an attacker, these are low-hanging fruits that are easy to exploit. In general, this is more of an issue for plugins than WordPress itself.
Where you get your software can also make it vulnerable. Anyone can tamper with the code of a popular plugin and then redistribute it. You end up installing a plugin thinking it’s safe. Instead, you gave access to your site to an attacker.
Compromised credentials
Fact: Most of us don’t like passwords. It’s a simple truth that attackers leverage all the time. Oftentimes, our password habits are the chink in our armor.
That’s because security breaches happen on a regular basis nowadays. Using the same password or set of passwords puts you at risk. You almost have to assume that your password is out there in the wild.
Often people think it’s just their WordPress login that can screw them over. That’s one target out of many. You have credentials for your FTP, SSH, database and cPanel to name a few. And that’s just for your site.
If an attacker gains access to your email, he can just reset all your passwords. You’ve now lost all the work you put in to secure your site. That’s why email accounts are a common avenue for infections.
You can use a service like “haveibeenpwned” to alert you if a security breach compromises you.
Contaminated servers
It’s easy to overlook servers as a source of contamination. Hosting gets cheaper every year. Yet it’s still too common to take shortcuts with them.
If an attacker compromises your server, he can infect every site hosted on it. We call that cross-contamination. The whole thing can invalidate a lot of security precautions you might have taken.
It also complicates the clean-up job. A cross-contamination will just keep reinfecting your sites. You’ll need to clean the entire server to get rid of it.
Infections
Now that you’ve seen the infection vectors, here are some common types of infections.
Backdoors
The purpose of a backdoor is simple: It allows an attacker to gain access to your site. It does so by bypassing authentication systems.
The backdoor itself doesn’t do any damage. Its purpose is only to compromise the security of your site. This gives the attacker free rein over it. The attacker can then use that backdoor to do actual damage.
Injections
The goal with injections is to add unwanted content to your site. That content can take various forms. The common ones are:
- Links
- iFrames
- SEO (meta tags, headings, titles)
- Redirects
- Malicious scripts targeting your visitors
Attackers use these for financial gains. They can point to pharmaceutical products or websites. They can be part of some SEO spam scheme.
Disfigurements
Did you wake one day to find your Bengal kitten enthusiast site turned into a PETA activist site? People tend to view these types of attacks as “hacks”. Attackers often perpetrate these attacks to show support for a cause.
Recommendations
Let’s take a look at some recommendations. They focus on the configuration, maintenance and hosting of your site. They’re relevant to both beginners and experts. You also don’t need coding experience to put them in place.
Configuration
Configuration recommendations focus on the initial setup of your WordPress site. They’re small changes that you can do during that process. They’ll ensure that your WordPress install is more secure from the get-go.
Don’t use any defaults
Have you seen “The Imitation Game”? The story revolves around breaking this encryption machine called “Enigma” during World War II. Its encryption was so complex that it was impossible to break it. Yet it ends up being undone by a simple default. Every message ended with “Heil Hitler”.
Using the default “admin” username creates the same type of weakness. You make your credentials weaker by removing one obstacle for the attacker to overcome. He only has to figure out your password now.
The default table prefix is another default that attackers leverage all the time. Most SQL injection attacks assume the site has “wp_” as the default prefix. The majority of attackers won’t bother to check what the actual prefix is. They’re looking for low-hanging targets to exploit and you ain’t one of them!
Use strong, UNIQUE passwords
This one is like beating a dead horse at this point. Any password needs to be unique and longer than 12 characters. It should also contain:
- Upper and lower cased characters
- Special characters
- Numbers
A passphrase is one way to achieve all these requirements. It also makes it easier to remember. Yet this only distracts us from the truth…
You need to use a password manager. It helps you generate complex passwords and saves them for you. 1Password and LastPass are the two that come up all the time. It’s a great investment.
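The two credential recommendations above (unique passwords with the length and character rules just listed, and checking whether a credential already shows up in a known breach) can both be turned into a small check. Here is an added example, my own code and not from the talk or the post: `check_policy` applies the rules from the list above, and the range functions implement the k-anonymity lookup offered by the Pwned Passwords service of haveibeenpwned, where only the first five hex characters of the password’s SHA-1 hash are sent and the match is done locally. The sample passwords, the `SAMPLE_RANGE_5BAA6` response excerpt and its breach counts are constructed for the demonstration, and the endpoint URL is taken from the public service as an assumption.

```python
from __future__ import annotations

import hashlib
import re
import urllib.request

MIN_LENGTH = 13  # the post asks for passwords longer than 12 characters

# Constructed excerpt of a Pwned Passwords range response for prefix 5BAA6,
# in the service's own "SUFFIX:COUNT" line format. The counts are made up.
SAMPLE_RANGE_5BAA6 = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2D6C8FA0B7B1A3C3D62AC8F4C0F7E0E9B:2
"""


def check_policy(password: str) -> list[str]:
    """Return the requirements from the post that the password fails (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 13 characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case character")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case character")
    if not re.search(r"[0-9]", password):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    return failures


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally and return the breach count for our
    suffix; 0 means the full hash was not listed."""
    for line in range_body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the public service (needs network access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "wp-security-talk-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_breached(password: str, fetch=fetch_range) -> int:
    """Full k-anonymity check; `fetch` is injectable so the offline sample can be used."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration using the constructed sample response.
    for candidate in ("password", "Correct-Horse-Battery-9"):
        print(candidate, check_policy(candidate),
              is_breached(candidate, lambda _prefix: SAMPLE_RANGE_5BAA6))
```

Run it as-is for the offline demonstration, or call `is_breached(password)` with the default fetcher for a live lookup. The design point is that the service never sees the password or its full hash: `split_sha1` sends only the prefix, and `count_in_range` does the actual match on your side.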
Make an administrator account and a regular one
This idea comes from the “principle of least privilege”. It states that you should give an account the least amount of rights to do its job. This way you don’t expose yourself to unnecessary risk.
Most of the time, you don’t need administrator capabilities. You’re publishing content. You’re not installing plugins or changing settings. Create a separate administrator account to use for those special circumstances.
Disable file editing
File editing is the most powerful capability available to administrators. It allows any attacker to execute malicious code. All they need is an administrator account.
Even with solid account security, you’re still taking an unnecessary risk. You shouldn’t edit files in a production environment. Disabling file editing makes sure that an attacker can’t either.
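Two of the configuration recommendations above live in wp-config.php: the table prefix and the `DISALLOW_FILE_EDIT` constant that WordPress reads to disable the built-in file editor. Here is an added example, my own audit script rather than anything from the post, that reads a wp-config.php and reports the defaults the post warns about. It also flags the eight secret keys that still carry the “put your unique phrase here” placeholder from wp-config-sample.php, which is the same “don’t use any defaults” idea. Both config excerpts are constructed for the demonstration, and the salt values in the hardened one are made-up stand-ins for generated random strings.

```python
from __future__ import annotations

import re

# The eight secret keys wp-config.php defines, and the placeholder text that
# wp-config-sample.php ships with for each of them.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SALT_PLACEHOLDER = "put your unique phrase here"

# Constructed excerpt of a wp-config.php that still carries the defaults.
DEFAULT_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('WP_DEBUG', false);
"""

# Constructed excerpt of the same file after applying the recommendations
# (the salt values are made-up stand-ins for generated random strings).
HARDENED_CONFIG = """<?php
$table_prefix = 'k7x_';
define('DISALLOW_FILE_EDIT', true);
""" + "".join(f"define('{key}', 'constructed-random-{i}');\n"
             for i, key in enumerate(SALT_KEYS))

# define('NAME', value); with the value captured as raw PHP source text
_DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*('[^']*'|"[^"]*"|[^)]+?)\s*\)\s*;""")
_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def defines(config: str) -> dict[str, str]:
    """Map each define('NAME', value) in the file to its value."""
    return {name: value for name, value in _DEFINE_RE.findall(config)}


def audit_wp_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passes."""
    findings = []
    prefix = _PREFIX_RE.search(config)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    values = defines(config)
    if values.get("DISALLOW_FILE_EDIT", "").strip().lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: admins can edit files")
    for key in SALT_KEYS:
        value = values.get(key)
        if value is None or SALT_PLACEHOLDER in value:
            findings.append(f"{key} is missing or still the placeholder")
    return findings


if __name__ == "__main__":
    for label, config in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(config) or ["ok"])
```

To check a real site, pass the contents of its wp-config.php to `audit_wp_config`. Note that the prefix check only confirms the prefix in the config file; an install that was renamed after the fact also needs its database tables renamed to match.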
Maintenance
Maintenance recommendations deal with your day to day. They’re good habits for keeping your WordPress site secure.
Use trusted sources
Never use a plugin or theme that came from an untrusted source. It’s easy for an attacker to tamper with the code of a well-known (often, paid) plugin. The attacker then redistributes it outside normal channels (often for free).
Keep everything up to date
This is another dead horse that’s beat on quite a bit. You need to keep everything up to date. Attackers love to exploit outdated sites. They’re easy targets with known, documented vulnerabilities. Staying up to date keeps you off their radar.
Maintain regular backups
You should keep some form of regular backup. They don’t make your site more secure per se. They just reduce the potential damage that an attacker can do. Yeah, it still sucks, but it’s a lot less painful. You can repair and get your site running again in no time with some good backups.
Remove unused themes or plugins
Here’s a common scenario. You want to try out a new theme or a new plugin. You install it, play with it and forget about it. They just stay there gathering dust.
You should remove any plugin or theme that you’re not using. They can introduce security issues even if you keep them updated. It’s another way to hedge your bets.
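The “keep everything up to date” and “remove unused themes or plugins” habits can be checked in one pass over the plugin and theme inventory. Here is an added example, my own code and not from the post, that takes the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp theme list --format=json` and sorts each item into a “remove” bucket (installed but inactive) or an “update” bucket (in use, update available). The field names (`name`, `status`, `update`, `version`) and the status values are taken from WP-CLI’s list output as an assumption of the example; the plugin and theme names, versions and statuses in the samples are constructed.

```python
from __future__ import annotations

import json

# Constructed output in the shape of `wp plugin list --format=json`.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "spam-filter", "status": "active", "update": "none", "version": "3.1"},
    {"name": "gallery-experiment", "status": "inactive", "update": "available", "version": "1.0.2"},
    {"name": "contact-form", "status": "active", "update": "available", "version": "4.3"},
    {"name": "old-seo-helper", "status": "inactive", "update": "none", "version": "0.9"},
])

# Constructed output in the shape of `wp theme list --format=json`. The parent
# of the active child theme is reported with status "parent" and must stay.
SAMPLE_THEME_LIST = json.dumps([
    {"name": "child-theme", "status": "active", "update": "none", "version": "1.0"},
    {"name": "parent-theme", "status": "parent", "update": "available", "version": "2.1"},
    {"name": "leftover-theme", "status": "inactive", "update": "none", "version": "1.3"},
])


def audit_inventory(plugins_json: str, themes_json: str) -> dict[str, list[str]]:
    """Sort plugins and themes into the two maintenance buckets from the post.

    'remove' holds anything inactive (an unused item goes here even when it is
    outdated, since deleting it is the recommendation); 'update' holds items
    that are in use and have an update available."""
    report: dict[str, list[str]] = {"remove": [], "update": []}
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            label = f"{kind}:{item['name']}"
            if item["status"] == "inactive":
                report["remove"].append(label)
            elif item.get("update") == "available":
                report["update"].append(label)
    return report


if __name__ == "__main__":
    for bucket, names in audit_inventory(SAMPLE_PLUGIN_LIST, SAMPLE_THEME_LIST).items():
        print(bucket, names)
```

Feed it the real WP-CLI output to get the two lists, then act on them with `wp plugin delete` / `wp theme delete` and `wp plugin update --all` / `wp theme update --all`. For the “use trusted sources” habit, WP-CLI’s `wp plugin verify-checksums --all` and `wp core verify-checksums` compare the installed files of WordPress.org plugins and core against the published checksums, which catches a tampered copy after the fact.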
Hosting
Hosting recommendations target contaminated servers. The goal is to limit the damage done by the attacker if that were to happen.
Avoid shared servers
A shared server is a server that hosts other sites besides your own. They’re a common cause of cross-contamination. It’s like living in an apartment building. You have to pray that the hosting company (a.k.a. the landlord) took the right precautions. Otherwise, you’re at the mercy of anyone else sharing the server with you.
That’s because you have no control over the security of the other sites. It doesn’t matter if you took all the necessary precautions. If one of them gets infected, it can spread to every other site housed on that server. This makes the clean up near impossible. As long as your site stays on it, it’ll keep reinfecting your site.
So spend a little more and get yourself a dedicated server or VPS.
One WordPress install per server
This takes the whole server thing one step further. Doing this limits the exposure of your own servers to cross-contamination. If an attacker compromises your server or WordPress install, the infection cannot spread.
If you want to run more than one site on a single server, you should use a “Network Install” instead. That’s what WordPress.com does. It’s worth noting that a well-targeted attack can still compromise all your sites. Being mindful of security is even more critical with this setup.
Use SSL encryption
While using SSL encryption isn’t mandatory yet, it’s getting closer every day. Google now gives a slight preference to sites that use SSL encryption. There’s an increasing amount of pressure for everyone to do it.
Using SSL encryption prevents an attacker from intercepting your traffic. There’s no way for them to steal your credentials and gain access to your site.
If you don’t know how to install an SSL certificate, don’t worry about it. CloudFlare offers SSL for free with all their plans (even the free tier). It’s a painless one-click option on their dashboard.
It’s about managing risk
At its core, security is about managing risk. These recommendations aim to remove the most common attack vectors used by attackers. Fewer attack vectors mean less risk. It’s that simple.
You’ll never reach 100% protection, but each step you take edges you a bit closer. This shifts the discussion to one about tradeoffs. What changes are you willing to make to reduce that risk? What quality of life are you (or your clients) willing to sacrifice for it?
In the end, security is all about managing that balance.