
Thread: WordPress Security is About More than WordPress

  1. #1
    davecoveney is offline Tavern Regular
    Join Date
    Jan 2009
    Posts
    210

    WordPress Security is About More than WordPress

    Something I've wanted to get off my chest for ages is that having a secure WordPress site isn't just about running the latest version. In fact, the glib assertion that the latest WordPress is secure is so utterly false, it scares me.

    If you think about it, almost every version of WordPress (and there are a lot of them) in the past has had a security hole. And that means that on that trend every future version will too.

    So you need to run your server in a secure way. Have secure habits, and do some extra work to harden your site.

    I've written more up than is healthy to post in a forum over at http://www.interconnectit.com/679/a-...curity-primer/ but really, the point is that you mustn't, ever, assume that you're secure just because your WordPress is up to date.

    You're not.

    Just like I worked out how to make my house more secure should a burglar get past my front door by fitting an alarm system, so you need to find ways to secure your WP site beyond WordPress itself.

  2. #2
    Ryan is offline WPTavern Forum Moderator
    Join Date
    Jan 2009
    Location
    New Zealand
    Posts
    2,418

  3. #3
    JohnM is offline Big Tipper
    Join Date
    Feb 2009
    Location
    Norway
    Posts
    346


    I believe security is the biggest threat for anyone making money making WP sites for customers.

    One day someone will make a really stealthy worm compromising zillions of WordPress installs, damaging the WP consultant market.

    I'd like to see a canonical security plugin maintained with commitment from Automattic's devs. A plugin which does whatever is possible to check security, and recommend changes and installation of other security plugins.

    If there's a critical mass of exploitable WordPress installs around, there will be a growing community hacking WP, with blackhat economic motivation driving exploit development.

    WP security is more important than features at this point, and I'd like to see security enhancements in 2.9, even if that means 2.9 will have to wait a bit.
    John Myrstad

  4. #4
    andrea_r is offline WPTavern Forum Moderator
    Join Date
    Jan 2009
    Location
    Eastern Canada
    Posts
    1,279


    I thought your post was quite excellent, myself. Although I do feel the need to add that it's still not entirely up to WP. The same could be said about Windows (actually, worse could probably be said), or maybe it's the huge downside to open source.

    If the hackers can see how they may potentially get in, then yes, they will try. The platform doesn't really matter. Well - the more popular a platform is, the more they'll try...

    Anyway - your post says a lot I wish more people would pay attention to. It's not just WP. I tell clients many of those things over and over again.

    "but I only want to have to remember one password. Isn't it your job to make sure everything is secure?"

    *headdesk*

  5. #5
    Rarst is offline Big Tipper
    Join Date
    Jul 2009
    Posts
    322


    Excellent post, will be going through the list properly later. I have a lot of such lists to go through after getting hacked recently. :)

    I had also posted about that hack in the relevant thread at the official WP forum and read a few more threads. It was very unpleasant to see there constant remarks that if you got hacked it's your fault for getting a virus/trojan/losing your password/etc.

    Running latest WP version is necessary to be secure, but as practice showed me - has little to do with actually being secure.
    Rarst.net - cynical thoughts on software and web (and sometimes WP) | @Rarst | I seem to be non-GPL-compliant person. Beware my poisonous thoughts.

  6. #6
    Jeffro is offline WPTavern Forum Admin
    Join Date
    Jan 2009
    Location
    Ohio
    Posts
    2,107


    Boy, after reading all the responses to the attacks these past few days, my blood pressure has skyrocketed by the lack of common sense people seem to have.

    For starters, Dave makes a good point in that it's not just about WordPress, but about everything that is involved to make WordPress tick. PHP, MySQL, etc. However, one of the easiest things that people can do to help keep their site secure is to keep current on the latest versions of the software. If people can't even do that much, then I have no hope for them.

    Call me lucky or whatever but I've been using WordPress since 2007 around the 2.3 days. I don't use any fancy WordPress security plugins. I have removed the admin account, turned user registration off, and use a complex password to login. That is pretty much it. I haven't had any problems so far. Considering the simple security measures I have taken, why have I not been attacked? Why haven't any of my WordPress powered sites turned into a hidden spam farm? Is my password that complex that it just hasn't been brute forced yet? Is it my webhosting account that's pretty good?

    I see all these people recommending WP Anti Virus and security scanner and this, that and the other but I don't feel the need to use a single one of those. What is going on here?

  7. #7
    davecoveney is offline Tavern Regular
    Join Date
    Jan 2009
    Posts
    210


    Well, it's a bit like how I generally don't run anti-virus on my PCs and yet, after all these years, have remained infection free.

    No obscure OS, no obscure set up - just an awareness of what is and is not dangerous. I used to have a honeytrap folder on my old laptop. If it changed, something was trying to get in, as a rule. Hooking into many Wi-Fi spots and networks was the riskiest behaviour and, sure enough, you could get infected on some networks (Hong Kong airport four years or so back, for example) within about 30s.

    Same goes for WP. You can run WP 2.0 perfectly safely, and I do. And you can run 2.8.4 very dangerously.

    Part is common sense - don't install plugins you can't trust, don't use the cheapest hosting you can find from an unknown company, don't use obvious passwords and so on. The other part is also down to luck, a little. We don't chance on hosts any more, but we got lucky with Namesco when we were first setting up - we just happened to find a very reliable host with good security practices. Lucky us.
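The "honeytrap folder" idea in the post above (if files change, something is trying to get in) generalises to a baseline-and-compare integrity check over a whole web root. The script below is an added example, not code from the thread or from any of the posters: it hashes every file once, stores the hashes, and on a later run reports what was added, changed or removed. The `EXCLUDE_DIRS` set, the storage location, and the tiny fake web root in `demo()` are all constructed for illustration.

```python
# Added example (not from the thread): a baseline-and-compare integrity check
# for a web root, the "honeytrap folder" idea made systematic. Hash every file
# once, store the hashes, and re-run to see what was added, changed or removed.
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: directories that change constantly and would drown the report.
EXCLUDE_DIRS = {"cache", "uploads"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map of relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared, or whose hash changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path) -> None:
    """Store the baseline OUTSIDE the web root, so a file-writing intruder cannot edit it."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake web root, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root = Path(site)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // original\n")
        (root / "readme.html").write_text("<html>readme</html>\n")
        baseline_file = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: one core file edited, one file dropped in, one removed.
        (root / "wp-includes" / "functions.php").write_text("<?php // unexpected change\n")
        (root / "wp-includes" / "x.php").write_text("<?php // unexpected new file\n")
        (root / "readme.html").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `build_baseline` right after a clean install or upgrade and again from cron; anything in `modified` under `wp-includes` or `wp-admin` that you did not cause is worth a look, and keeping the baseline file outside the document root is what stops a tampered file from rewriting its own expected hash.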

  8. #8
    davecoveney is offline Tavern Regular
    Join Date
    Jan 2009
    Posts
    210


    @Ryan - not really inspired by Matt's post, but in all the 'official' posts I was irritated by the lack of detail on the vectors used. It wasn't made clear what one could do to protect, if at all, an older site. Being told to upgrade wasn't helpful for everyone, and was also repeating the mantra that a new install of WP is always secure. I call BS, basically :-)

    @JohnM - I'm not sure that it's feasible for Automattic to get that involved. Obviously they're careful about what goes on WordPress.com, but WordPress.org is an open playground. You get involved with self-hosted WP and you need to know what you're doing. Hosts can help too, by setting things up in a secure way - but that will make installation and configuration of WP trickier for some.

    @Andrea_r damn right, and yes - some users think that for low fees we'll also provide all support and security. Akin to getting cross with your mechanic because your car got stolen - which, actually, I suspect happens to garages quite often!

    @Rarst - I think you're learning the painful way. We had one site hacked, which helped teach us a few lessons - it's often difficult to explain the problem to clients, although generally we find our clients to be understanding when things go wrong.

  9. #9
    JohnM is offline Big Tipper
    Join Date
    Feb 2009
    Location
    Norway
    Posts
    346


    Quote (davecoveney): "I'm not sure that it's feasible for Automattic to get that involved. Obviously they're careful about what goes on WordPress.com, but WordPress.org is an open playground. You get involved with self-hosted WP and you need to know what you're doing."

    Let's say Matt then. If you make an easy-to-setup CMS with a famous 5-minute install and have 100.000 or more users installing and running it, without having a clue about servers or security, then you also have some responsibility towards these 100.000+ users.

    If not, WordPress's success will be individual users' failure.

    If I understand Matt's "philosophy" correctly, WordPress is more than a CMS tool, it's a free communication tool for the masses. Freedom to speak, freedom to blog. An altruistic project.

    If this leads to a lot of people being exploited, there's a responsibility to address this problem.

    btw; I'm sure there's a commercial opportunity for someone too in bringing more security to WP installs. It would fit in nicely with Akismet and other Automattic products.
    John Myrstad

  10. #10
    MiroslavGlavic is offline Here For The Peanuts
    Join Date
    May 2009
    Location
    Toronto, Canada
    Posts
    129


    You know, I was going to do this thread but went to sleep.

    You know what I say to the people who have WP 2.0-2.3? YOU GOT WHAT YOU DESERVE.

    Here are some rules I go by:
    1. I keep my WP installations up to date - Isn't that what an administrator/webmaster/CTO does?
    2. I do not use 0.x plugins
    3. I do not use plugins that have not been updated in a year or more
    4. If the last time it was updated within a few months, depending on version issues with WP, I might use it
    5. I delete the admin accounts
    6. In sites with forums, I make sure accounts don't have PASSWORD as the password (I can't believe so many people use that)
    7. BACK UP BACK UP BACK UP
    There is more but I don't have the chart right now.
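The habits in the two lists above (Jeffro's in #6: no admin account, registration off, complex password; Miroslav's rules 2, 3, 5, 6 and 7) are the kind of thing that can be audited rather than remembered. The script below is an added example, not code from the thread or from WordPress itself: it runs those checks over a site record and returns a list of findings. The `Site`, `User` and `Plugin` records are constructed stand-ins for what you would pull from the database or a management tool, and the thresholds (`MIN_PASSWORD_LEN`, `BACKUP_MAX_AGE`, the short weak-password list) are assumptions you would tune.

```python
# Added example (not from the thread): an audit of the hygiene rules the posts
# above describe. The Site/User/Plugin records are constructed stand-ins for
# what you would pull from the database or a management tool; thresholds are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

STALE_AFTER = timedelta(days=365)       # rule 3: "not been updated in a year or more"
BACKUP_MAX_AGE = timedelta(days=7)      # assumption: a backup older than a week is a finding
MIN_PASSWORD_LEN = 12                   # assumption
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}  # constructed short list


@dataclass
class User:
    login: str
    role: str
    # Only set when a password is being chosen: stored passwords are hashed and
    # cannot be checked this way, so run the check at registration / password change.
    candidate_password: Optional[str] = None


@dataclass
class Plugin:
    slug: str
    version: str
    last_updated: date


@dataclass
class Site:
    users: List[User]
    plugins: List[Plugin]
    users_can_register: bool
    last_backup: Optional[date]


def password_findings(login: str, password: str) -> List[str]:
    """Policy check for a password being set: weak list, equals login, too short."""
    out = []
    if password.lower() in WEAK_PASSWORDS:
        out.append("password is on the weak-password list")
    if password.lower() == login.lower():
        out.append("password equals the login name")
    if len(password) < MIN_PASSWORD_LEN:
        out.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return out


def audit(site: Site, today: date) -> List[str]:
    """Return one human-readable finding per violated rule; empty list means clean."""
    findings = []
    for user in site.users:
        if user.login.lower() == "admin":
            findings.append(f"user '{user.login}': default admin login exists; "
                            "create a new administrator and delete it")
        if user.candidate_password is not None:
            findings += [f"user '{user.login}': {f}"
                         for f in password_findings(user.login, user.candidate_password)]
    if site.users_can_register:
        findings.append("users_can_register is enabled; disable it unless open signup is required")
    for plugin in site.plugins:
        if plugin.version.startswith("0."):
            findings.append(f"plugin '{plugin.slug}': pre-1.0 version {plugin.version}")
        if today - plugin.last_updated >= STALE_AFTER:
            findings.append(f"plugin '{plugin.slug}': last updated {plugin.last_updated}, over a year ago")
    if site.last_backup is None:
        findings.append("no backup recorded")
    elif today - site.last_backup > BACKUP_MAX_AGE:
        findings.append(f"last backup {site.last_backup} is older than {BACKUP_MAX_AGE.days} days")
    return findings


def sample_site() -> Site:
    """Constructed site with one of each problem plus a clean user and a clean plugin."""
    return Site(
        users=[
            User("admin", "administrator"),
            User("editor", "editor", candidate_password="PASSWORD"),
            User("dave", "administrator", candidate_password="correct-horse-battery-staple"),
        ],
        plugins=[
            Plugin("nightly-widget", "0.4", date(2009, 9, 15)),
            Plugin("old-stats", "1.2", date(2008, 6, 1)),
            Plugin("example-plugin", "1.0", date(2009, 9, 1)),
        ],
        users_can_register=True,
        last_backup=date(2009, 9, 1),
    )


if __name__ == "__main__":
    for finding in audit(sample_site(), date(2009, 10, 1)):
        print("-", finding)
```

Against the constructed site this yields seven findings: the `admin` login, two for the editor's `PASSWORD` (on the weak list and too short), open registration, the 0.x plugin, the plugin untouched since 2008, and a month-old backup. The password check deliberately works on a candidate password at the moment it is set, because once WordPress has hashed and stored it the plaintext is gone.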
