Once upon a time I was quite the paranoid security nerd. Though I’d always messed with computers, I began working with them more extensively in high school and subsequently paid more attention to information management. Microsoft Windows was prone to viruses and all kinds of problems, so I wanted to do what I could to minimize these issues.
My transition from security-conscious cyber-citizen to Linux-locked-down ubermensch came a couple of years ago when I realized that the operating system I’d been relying on was simply not built to keep my data safe. I found myself pirouetting to the end of the spectrum, locking down my OS and web browser to the extent that a lot of functionality simply broke. I dealt with it, working around the lost functionality and comforting myself with the knowledge that I was more secure than everyone else.
Despite all this, I had never paid much attention to my website’s security beyond having decent passwords. There have been numerous articles about blogs and sites being hacked and having all kinds of problems in the last few years, but it never happened to me, and I didn’t really know what to do beyond keeping my stuff up to date and changing passwords occasionally, so I figured I was fine.
And maybe I was, but when I came across some tools to improve the security of my WordPress site, I thought I’d give it a try. After all, who wouldn’t want to be more secure?
Let me tell you who. This guy, right here.
A few months ago, I made the transition from Linux to Mac OS X when I purchased my first MacBook, and it has been a wonderful experience. Suddenly, all sorts of things Just Work(ed)™, and my computing experience was far more pleasant. While I recognize that OS X isn’t nearly as secure as Linux, it’s still better than Windows and I get the same level of functionality.
Keeping all this in mind, you might not be surprised to hear that when I installed the primary security plugins for WordPress and followed the guides for hardening my site, a bunch of stuff broke. Not horribly, but enough to lead me to disable the plugins.
WordPress Firewall prevented scheduled posting, which was a big deal for me. I schedule all of my posts in advance to go live at 4:30 a.m. every Monday, Wednesday, and Friday. For a week, I got up in the morning to discover that posts hadn’t gone live, and then I had to go in and post them myself. On top of that, the WP Firewall was causing a few other weird issues with redirection and preventing some legitimate activity to the extent that I decided to just get rid of it.
I installed WPIDS because it seemed like a good idea at the time. I uninstalled it for the same reason, because I really have no idea what this plugin does. This being the case, it’s more liable to give me a false sense of security than to serve any real purpose. I’ve read what it does, but if you’ve got everything else secure and up to date, you shouldn’t have a problem.
The biggest and most useful plugin I used of the three I tried was the WP Security Scan. This plugin “scans” your WordPress setup and highlights weak points that could be strengthened. It also has handy buttons/links you can click to automagically fix these problems and make your blog more secure.
Unfortunately, all of those automagic features failed, and I ended up making the changes manually by using the plugin author’s guides. In this sense, it was extremely helpful because I did end up improving the security of my blog. However, I could have done the same by reading a page and just following the instructions there. I disabled the plugin since it wasn’t exactly “working” and having malfunctioning plugins is never a good idea.
If you want to keep your WordPress site secure, there are some really simple tips you can follow:
- Create a separate account for the WordPress administrator and delete the default Admin account. WP Security Scan gave me this tip and it’s a good one. In fact, you should consider installing WP Security Scan and complying with as many of its recommendations as you feel comfortable with. You don’t have to keep it installed necessarily, but they claim your site will be more secure if you do.
- Keep WordPress up to date! I don’t understand why some people are still on old versions of WordPress and refuse to upgrade. It’s so easy, it gives you more features, it’s free, and it keeps your site secure. It’s not hard to figure out which version of WordPress you’re running and the exploits for older versions are well known. There’s no good reason to not update, so do it.
- Update your plugins when needed. WordPress 2.7 makes all of this crazy-easy, so there’s no excuse for not keeping everything updated anymore. When your plugins need updated, you’ll see the number of plugins awaiting update in the sidebar (left side) of your WordPress Admin Dashboard. Just head in there, find the plugin in question, and click “upgrade.” WordPress handles it all automatically.
- Create a secure password. This shouldn’t be a dictionary word, your name, or something you’ve been using for the last five years. Change your password regularly and have it be relatively random. Use leetspeak, or just mash your fingers on the keyboard. If you’ve got to write it down for a while to remember it, that’s fine. Just make sure to destroy the paper after you memorize the password.
- Protips:
- If you use Firefox, make sure to set a Master Password if you have it remember your passwords. If you do not, Firefox will store your passwords in a plain text file where anyone can get to it. If you set a Master Password, it encrypts them.
- The Secure Login addon for Firefox allows you to enter passwords in a manner that even keyloggers can’t pick up. Normally, Firefox will enter the password automatically in a standard typing method, which a keylogger can detect. Secure Login sends it straight to the page in a manner that completely masks the password, protecting you even more. This means you 1) Don’t have to remember passwords and 2) are even more secure.
- Protips:
WordPress is no different than any other software package or operating system. No matter how many security barriers you put in place, the weakest spot is going to be the person using it, so it’s up to you to do what you can to keep things tight. All it really takes to keep WordPress secure is some common sense. Use the plugins if you like, but if you don’t have a secure password or aren’t keeping things updated, you’re no more secure than if you didn’t have them.
Have some security tips to make WordPress and the web a safer place to surf? Post them here and share with the community!
you nail it sir,
most of the plugins are great in its core, but impractical in application.
what I found to be the best fix is just not use chmod 777 on anything.