WordPress Security Basics

WordPress Security Basics: now available in presentation form!

Each year thousands of websites are hacked. Sometimes it’s by way of a crafty social engineer (someone who tricks someone into giving up information without realizing it) conning some unsuspecting user out of his/her login. Other times it’s a backdoor in some code that grants a malcontent access to a site.

If your site is running on WordPress you can rest easy – WordPress core is considered to be a very secure application. The downside to WordPress core being secure is that if someone breaks into your site you likely have nobody but yourself to blame. Never fear: these tips will help keep your site safe and sound.

Passwords

The easiest step you can take towards a more secure WordPress site is using strong, unique passwords. Database passwords should be different than your SSH and/or FTP passwords which should in turn be different than your user login credentials. With the number of good, secure password vaults out there (I prefer 1Password synced via Dropbox for my laptop and phone and we use LastPass at work) there’s no absolutely no good reason to re-use passwords. For generating user passwords in WordPress there’s WP Password Generator, a free plugin that will generate a strong password with one-click.

If you don’t want to deal with a password manager (though I highly recommend it) another approach is to use a number of disconnected words (example: “piano garden table labrador”). Obviously it’s important to use different words for each site, meaning your mileage with this technique may vary.

Source: xkcd

Why can’t I reuse passwords?

You’ve worked so hard to memorize that password. “k6K@Pp2VwD,” you think, “nobody will ever guess that.” You’re probably right – it’s not the most secure password in the world but it does mix upper- and lower-case letters, has a few digits, and even a special character. It doesn’t appear in any dictionary, doesn’t have any connection to your life, and is a whole 10 characters long, two more that the minimum enforced by most banking websites.

How many sites use your email address during login Or a username that you use across different sites so people will recognize you? Let’s say your Facebook login is [email protected] and your password is k6K@Pp2VwD. You also use those same credentials on the forum for your fantasy football league. Facebook is a multi-billion dollar company that undergoes regular security audits, chances are even if someone was able to steal their database the user passwords would be salted (extra information added to the password) and hashed (transformed through a cryptographic method to alter the original string in a way that can’t be undone). It could take days, months, or even years to brute-force (systematically try passwords until something takes) a single user password. The fantasy football forum likely doesn’t have that same level of security and could be storing the passwords in plain-text (meaning there’s a row in the database that says “username: [email protected], password: k6K@Pp2VwD”) or with weaker hashing methods. If a hacker is able to gain access to the fantasy forum he/she already has your Facebook credentials and, if you use that password elsewhere, possibly your email, bank, or 401(k).

Keeping WordPress up to date

WordPress core development is led by a team of highly skilled developers with hundreds of other developers contributing code. Thousands of developers across the globe work with WordPress on a daily basis. Generally speaking, the WordPress point releases (for example, 3.5.2 is the second point release in the 3.5 release family) are security updates and considered safe to install (major releases, like the upcoming version 3.6, require more thoughtful upgrade as these are more likely to break existing code).

Plugins

Unlike WordPress core third-party plugins do not go through stringent security audits. Often they’re released and maintained by a single or small team of developers, typically have little or no formal testing in place, and are more likely to break on upgrade. It’s important to research a new plugin before installing it and always test it in a staging environment before promoting it to production.

Remember that every plugin you install carries with it a certain level of technical debt. For every widget, slider, or photo gallery you introduce a greater risk of plugin conflicts and/or security holes. Backup your site before installing a new plugin, test it thoroughly before deploying, and stick to plugins from trusted developers. The WordPress.org forums offer users the ability to write reviews for and rate plugins; if you find a plugin that works well (or one that doesn’t), please take the time to write a quick review covering your experience with the plugin. It means the world to developers of good plugins and helps other site owners avoid broken, buggy, or insecure plugins.

What’s in a plugin review?

Reviews are a great place to highlight a plugin’s features and weak spots. Was configuration a breeze? Is the interface super-intuitive and easy for your interns to figure out without training? Feel free to mention those things in your review.

If you run into bugs with the plugin don’t rush to leave a negative review. Plugins hosted on WordPress.org have built-in support forums for you to post support issues (pay attention to the plugin’s README file – some plugin authors prefer to offer support through forums outside of WordPress.org) – if you’re running into an issue with the plugin it’s best to let the developer know so he/she can work to resolve it. Too many plugins get immediate 1-star reviews due to basic configuration errors that, given a proper bug report, could be smoothed out for everyone.

Also remember that plugins available on WordPress.org are free. Unless you’re running a premium/freemium plugin where you’ve paid for support the developer is likely working on this plugin in his/her free time. Go through the developer’s preferred support channel, be as detailed in your bug report, and don’t get upset if it takes a few days for the developer to get back to you.

User management

If you have multiple users on your WordPress site it’s important to remember that your site is only as strong as its weakest user. Perhaps it’s the product manager who needs to update the product catalog but hands out his password to her subordinates. Maybe it’s the C.E.O. that keeps her password on a post-it note stuck to her monitor. It’s important that everyone with access to the site understands the importance of password security and never revealing login credentials to people who shouldn’t have access.

Your site is only as strong as its weakest user.

Avoid the “admin” username

Recently there has been a botnet (a network of hijacked computers) attack on WordPress sites attempting to brute-force access, typically using the default “admin” username. You can reduce your risk by changing the “admin” username (more advanced users can change the username directly in the database).

Avoiding the default username is an example of a practice referred to as “security through obscurity“; if your site isn’t doing what everyone else’s is that means more time/effort required by the attacker and a higher chance that they will move onto the next target.

Restrict user capabilities

Depending on your organizational structure you may want to read up on WordPress roles and capabilities. Rather than defaulting every user to administrator access you can limit the actions that can be taken by a specific user. Besides making it easier to moderate content before it’s published restricting user capabilities also reduces the pool of privileged user accounts that could be compromised. If any account were to compromised wouldn’t you rather it be one that can’t edit site settings, install plugins, or publish anything without editor approval?

Limit login attempts

If you took my advice and have started using a password manager then chances are you’re not having to actually type your WordPress password very often and, as a result, will be unlikely to mis-type your password (both of the password managers I mentioned earlier can fill in forms for you). You can help block botnets and other scripted attempts to brute-force your WordPress site by installing a plugin like Limit Login Attempts to lock-out an IP address after a number of failed login attempts. An enterprising hacker could still spoof his IP address in order to try again but the lock-out is just another hurdle to overcome in order to break in.

Advanced Steps

Hardening your wp-config.php

Your wp-config.php file should be treated as the most sensitive file in your WordPress installation. After all, it contains your database credentials (which, as we’ve already discussed, should be strong and unique). Beyond the database passwords there’s a section that looks like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

define('AUTH_KEY', 'put your unique phrase here');

define('SECURE_AUTH_KEY', 'put your unique phrase here');

define('LOGGED_IN_KEY', 'put your unique phrase here');

define('NONCE_KEY', 'put your unique phrase here');

define('AUTH_SALT', 'put your unique phrase here');

define('SECURE_AUTH_SALT', 'put your unique phrase here');

define('LOGGED_IN_SALT', 'put your unique phrase here');

define('NONCE_SALT', 'put your unique phrase here');

If your wp-config.php looks like this you should visit https://api.wordpress.org/secret-key/1.1/salt/ right away and replace the defaults in wp-config.php. These items are used in the encryption of cookies, passwords, and forms in your WordPress site. You can learn more about the keys and salts in the WordPress Codex.

Relocating WordPress directories (advanced)

A little known feature of WordPress is that it allows you to relocate the wp-content directory. While this isn’t enough in itself to consider your site secure it is another example of security by obscurity. By moving wp-content (which contains your theme, plugin, and uploads, among other items) out of the default WordPress location your site is less at-risk from “dumb” scripts probing for common vulnerabilities related to that directory. Opinions vary on whether or not this is an effective strategy but it may be worth evaluating for your site.

A final note on WordPress security

If a hacker is skilled, motivated, and has reason to target you then the steps above may not be enough. In most cases hacking a WordPress site is a crime of opportunity – somebody sees a vulnerability and exploits it. Anything you do to make it harder for an unauthorized user to access your site reduces your risk and makes it that more likely that the hacker/botnet will move on to the next, more vulnerable site.

Additional Resources

Hardening WordPress from the WordPress Codex
The Definitive Guide to WordPress Security from Moz Blog (extensive and somewhat advanced)
Three Tips to Fight WordPress Hacks from Van Patten Media
How to Cope with a Hacked Site from WordPress core contributor Otto

2 Comments

Add Comment →

Maryrose Lyons

Great minds think alike Steve! I came across your post AFTER I had written mine, which was written in light of a very stressful few days dealing with the aftermath. FOLKS – listen to this good man and take heed of his advice. And if you want to read one woman’s tale of what happens when you don’t, you can here: http://brightspark-consulting.com/how-to-keep-your-wordpress-site-secure/

July 22, 2013

Bradford Penrod

Very thoughtful and useful information. You really helped answer a few questions that have been nagging me. Definitely one of the better blog posts about WordPress security and password use.

November 5, 2014

Steve Grunwell

Open-source contributor, speaker, and electronics tinkerer

Passwords