Having a moderate level of experience and fascination with Computer Security, I wanted to share my thoughts regarding some practices that will better ensure your WordPress blog or website remains in your control.
On today’s internet, many webmasters like to use the WordPress content management system because of the versatility that it offers. The interactivity that comes with running a WordPress site allows your audience to communicate back to you and provide user-generated content and comments on your webpage. You can install WordPress very easily on your standard unix/linux webservers through the cPanel web menu.
I have five finished WordPress sites that I administer, some with several plugins and a lot of functions to manage and make sure they are all running smoothly. I have probably another four or five that are started but I haven’t really written the content for the sites yet. So they are fresh installs of WordPress. They usually have comments enabled by default. Some of the default WordPress installs stayed like that for a few weeks, and I left one of them open to the public, which on second thought, was pretty much a bad idea. Nothing happened, but I wouldn’t recommend it.
Here is a security practice that you should follow, whatever you do, don’t leave fresh installs of WordPress, with no original content up and open to the public, because it only is an open advertisement to anyone looking that you have installed WordPress, but haven’t configured it. WordPress can have its own vulnerabilities that can be potentially exploited by unscrupulous individuals calling themselves hackers or crackers and they often have shady motives behind wanting access to your WordPress account.
WordPress is great for its ease of install and all the features that comes with it. Plus, there is a plugin for just about any feature you want. It is easy to have a huge list of plugins associated with just one WordPress install. Sometimes you have many plugins that you don’t even use anymore but remained installed. Keep in mind that websites are open for the public to view, including hackers. It is possible to send injected data or instructions through manipulating the instructions in the URL. Anything that causes your URL to change to have a question mark in it usually involves such a situation.
These WordPress vulnerabilities are very similar to PERL CGI vulnerabilities which had comparable bugs in allowing the manipulation of URL instructions. They actually allowed a web user to potentially send their own commands under an elevated privilege, which could potentially lead to absolute control of the remote machine hosting the WordPress site. However, with a few simple procedures, I think you can remain relatively safe from any such thing.
It is common sense security to uninstall and disable anything you are not using and know you will not need in the future. The less plugins that you have enabled, that is the fewer doors that could potentially be used to open up control of your website or your hosting machine to some would-be hacker/attacker/cracker. The most secure castle is one with no doors, just as the most secure computer is one that is unplugged and turned off! If you must have a door on the castle though, it helps to have as few doors as possible, to try to limit the ways that someone could break into your castle(computer).
It also goes without saying that you should use smart passwords with capitals, and numbers and even symbols. This makes it MUCH harder for a dedicated attacker using a brute force dictionary attack to guess the password when they try every word in the dictionary as a password. Such an attack could yield access to an account with the password greenhouse but wouldn’t work on an account with the password Gr33nHouse94$$.
I also recommend a plugin called “WP Maintenance Mode” which hides a WordPress site from the public’s view while you work on it. If the site doesn’t look anywhere near finished then it might be a good idea not to let it show, because it is an open advertisement to hackers that you are in the middle of setting up a website.
So, to reiterate, I have the following WordPress security recommendations:
- Use hard to guess passwords that are not listed in the dictionary, with numbers, and symbols
- Use the minimal amount of plugins and disable plugins that you no longer need.
- Use the “WP Maintenance Mode” plugin to disable access to WordPress sites that are in the middle of being developed.