Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

WordPress Security

Viewing 15 posts - 1 through 15 (of 22 total)
  • #170859
    BranCook
    Participant

    Does anybody have any recommendations for good, up-to-date books out there that cover WordPress security?

    Thanks
    -Brandon

    #170861
    nixnerd
    Participant

    You can totally get a book if you want. That’s fine for conceptual application. For anything practical though… a book would be outdated by the time it was published.

    The best thing that ANYONE can tell you to do is… limit your plugins, keep them up to date and make CERTAIN to update WordPress. I would advise you to never ever skip updates because you’re afraid of breaking your theme or whatever.

    WordPress by its very nature has a pretty huge attack surface. That doesn’t mean that you can’t or shouldn’t use WordPress. If you deem it the right tool for the job, use it… with caution.

    Anytime you have that much PHP, making that many database calls, you’re going to have a great target for an exploit. WordPress is hugely powerful and that’s why people spend time trying to use it for nefarious purposes.

    Forms are the real biggie. Make sure you’re locking those down real, real tight.

    #170875
    shaneisme
    Participant

    Don’t use “wp_” as a table prefix.

    Don’t use “admin” as any login name.

    Use the salts built into the wp-config file (they give the URL to copy in your own).

    If you do that + keep up to date and only use popular and up to date plugins you should be good.

    If you have full control over the server and you’re not on a shared host I have more tips :)
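
    An added check, not code from this thread, that covers two of the tips above mechanically: it scans a wp-config.php for the default "wp_" table prefix and for salts that are missing, left at the stock "put your unique phrase here" placeholder, short, or duplicated. The 32-character minimum and the two constructed sample configs are assumptions made for the demonstration.

```python
import re

# Added example, not code from the forum thread. Checks a wp-config.php for a
# non-default table prefix and for real, unique salts (AUTH_KEY ... NONCE_SALT)
# instead of the stock placeholder shipped in wp-config-sample.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # stock value in wp-config-sample.php
MIN_SALT_LEN = 32                             # assumed threshold for this check

def check_wp_config(text):
    """Return a list of findings; an empty list means both tips are satisfied."""
    findings = []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    # Salt values from the WordPress generator contain no quotes or backslashes,
    # so a simple character-class match is enough to pull each define() value.
    defined = dict(re.findall(
        r"define\(\s*['\"]([A-Z_]+)['\"]\s*,\s*['\"]([^'\"\\]*)['\"]\s*\)", text))
    for key in SALT_KEYS:
        value = defined.get(key)
        if value is None:
            findings.append(f"{key} is not defined")
        elif value == PLACEHOLDER or len(value) < MIN_SALT_LEN:
            findings.append(f"{key} is the placeholder or too short")
    present = [defined[k] for k in SALT_KEYS if k in defined]
    if len(set(present)) != len(present):
        findings.append("salts are not unique")
    return findings

def sample_config(prefix, salts):
    """Build a constructed wp-config.php fragment for the demonstration."""
    lines = ["<?php"] + [f"define('{k}', '{v}');" for k, v in zip(SALT_KEYS, salts)]
    lines.append(f"$table_prefix = '{prefix}';")
    return "\n".join(lines)

# Constructed inputs: the stock file as shipped, and one that follows the tips.
WEAK_CONFIG = sample_config("wp_", [PLACEHOLDER] * len(SALT_KEYS))
HARDENED_CONFIG = sample_config(
    "k7q_", [f"constructed-{k.lower()}-" + "0123456789abcdef" * 2 for k in SALT_KEYS])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_wp_config(cfg) or "OK")
```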

    #170876
    nixnerd
    Participant

    If you have full control over the server and you’re not on a shared host I have more tips :)

    I second this. That’s the biggest thing… you’re limited on what you can do with shared hosting.

    #170880
    John
    Participant

    I use Wordfence, it notifies you of any updates and scans the site. You can also block IPs, etc. You also get emails of any updates, like virus threats, or plugins that they have found a problem with.

    #170881
    nixnerd
    Participant

    Suffice it to say I wouldn’t rely solely on this ^

    #170887
    __
    Participant

    If you have full control over the server and you’re not on a shared host I have more tips :)

    And I have a tip if you’re not: you are wide open.

    Shared hosting is not, and by its nature cannot be, secure. : )

    #170889
    nixnerd
    Participant

    Shared hosting is not, and by its nature cannot be, secure. : )

    I second that. Get the $5 per month Digital Ocean plan and run your own VPS.

    #170938
    BranCook
    Participant

    We are looking at a dedicated server, we want something fully managed so we don’t have to worry about things like updating PHP and MySQL.

    I planned on using all of the options above along with additional server side security options provided by the host such as: Firewall, Anti Spam, Virus Protection, HTTP Intrusion Protection, Server Hardening, Daily Security Audits or scans, Disabled Root FTP Access, etc.

    I was also looking into the plugin WP Login Security 2 as an additional security option.

    It would seem to me that the reason that WordPress might be considered not as secure as something like Drupal is because of the following 2 reasons:

    1. WordPress is the most popular CMS so it makes it a bigger target.
    2. WordPress is very easy to use, so there are more “non-tech” users utilizing the CMS and not properly securing it.

    #170947
    nixnerd
    Participant

    It would seem to me that the reason that WordPress might be considered not as secure as something like Drupal

    In my mind, Drupal is on an equal playing field with WordPress. They both use PHP and MySQL. Many times, the exploits will be exactly the same.

    WordPress is the most popular CMS so it makes it a bigger target.

    This implies that there is such a thing as “security through obscurity” and that’s just simply not true. It’s a false sense of security. The REAL reason WordPress is insecure is because it’s so effing powerful. It can manage enormous sites, with an enormous amount of content and be totally dynamic, adding new content in real time is a breeze.

    That kind of power though comes with great responsibility and a HUGE liability. You can cache static content but a lot of what’s on WordPress is dynamic. That means a PHP script calling the database every single time a page is requested. That kind of power will always be an attractive target, whether it’s WordPress, Drupal or Joomla. It doesn’t matter.

    It’s that communication with the database on the server where you’re most susceptible. Now, this is true for many languages and many platforms. And… in many, many circumstances, static content is just not an option.

    But keep in mind, reactive things like “spam protection” or “anti-spyware” will not totally solve your problem. All these things do is protect against widely known vulnerabilities. But in some cases, what is known as a zero-day exploit will exist for 5-6 months before it’s widely known. Savvy people, the type of people you’re trying to protect yourself from, can and will use these for months without anyone knowing.

    I would maybe look into administering that server in-house if it’s at all feasible.

    #170948
    nixnerd
    Participant

    Savvy people, the type of people you’re trying to protect yourself from, can and will use these for months without anyone knowing.

    Just last year I believe it was… a true zero-day exploit was found in the Linux kernel. The scary thing is… it was there for a year and a half without anyone knowing. Now… Linux is WIDELY known for its awesome security. That’s why it is oftentimes the OS of choice for enterprise servers. All of Wall Street is powered by Linux. So, clearly it’s good enough to protect trillions of dollars each day. Be that as it may, even Linux is not impervious to the dreaded security flaw.

    #170949
    BranCook
    Participant

    So when somebody says “Drupal is better because it is more secure”, it’s really not that simple and each have their vulnerabilities. I’ve seen that statement on a few blogs and articles here and there but there are never any reasons given to back the statement up.

    It would seem that each CMS, whether it’s Drupal, WordPress or Joomla!, has its vulnerabilities, but with some due diligence and caution we can try to prevent or limit attacks and intrusions as much as possible.

    #170951
    nixnerd
    Participant

    In all honesty… around these forums, @traq is probably the person best suited to tell you how. He probably won’t like me saying that but he knows a lot of PHP and can best guide you on how to do this.

    #170967
    __
    Participant

    “security through obscurity” …that’s just simply not true. It’s a false sense of security.

    Very true. However, WP does suffer because of its popularity.

    Its bigger downfall, however, is not its popularity or its power. It’s because of how much effort is put into making it user-friendly.

    PHP has a bad rep in the security world because of the lengths it goes to to keep going no matter what. Where other programming languages have the philosophy of “whup, something’s wrong, let’s stop until it’s fixed,” PHP has the philosophy “whup, something’s wrong, let’s assume we’re supposed to do this… and that… whatever, just keep going until it’s completely unsolvable.”

    Both PHP and WP take this approach because it seems very “forgiving” to newcomers. You can screw up your script a lot, and it still (mostly…apparently?) works like you intended.

    This not only opens up security holes, it makes them very difficult to close because, for every serious “bug,” there are hundreds of people that rely on it as a “feature.” You can’t fix it, in the name of backwards compatibility.

    (I can’t tell you how many times I try to help someone fix an error in their code, and they insist that it’s not the problem because it “works perfectly on the other page, with no errors at all.” Well, no; the error is still there. You just turned off error reporting and called it solved.)

    Because PHP and WP are both so attractive to “newbies,” they have a disproportionately large percentage of “newbie” users. Many people who write plugins for WP, very popular and successful plugins, simply don’t know how to write code. (I’ve spoken to WP developers who don’t even realize that WP and PHP are different things.) This is why so many of WP’s vulnerabilities come from plugins.

    “Drupal is better because it is more secure”, it’s really not that simple and each have their vulnerabilities.

    True; it’s not that simple. Drupal and Joomla are both written in PHP, and so share PHP’s weaknesses. However, Drupal is orders-of-magnitude better written and more secure than WP. whitehouse.gov runs on Drupal.

    The catch is that Drupal is a “not really a CMS” type of CMS. There’s a lot more you have to do to be ready to launch a site, and it has a much steeper learning curve as well.

    (…and don’t bother with Joomla.)

    I planned on using all of the options above along with additional server side security options …

    Most of the “options” you list aren’t really “options.” You can’t just flip a switch, or install them, or something like that. “Server Hardening,” for example: what does that mean? It’s not an answer. It’s not even a topic, really, it’s a whole field of study.

    We are looking at a dedicated server, we want something fully managed so we don’t have to worry about things like updating PHP and MySQL.

    Honestly, there are two approaches I would suggest:

    • Hire a sysadmin.

    Not someone who can manage a server; someone whose career is managing servers and has a good track record of doing so. Someone who can contribute to the security side of your website as well. Someone who has actually cleaned up after attacks. It’ll take interviewing, and a reasonable (depending on your point of view) salary. But it will be worth it.

    • Roll your own.

    Buying a managed server kinda leaves you in the same boat you’re in already. You’re leaving things in the hands of others (probably salesmen), just like on a shared server.

    (BTW, a true “dedicated server” is probably not what you want. Think long and hard before buying hardware, because you inherit complete responsibility with it. You might like the idea of living on a private island, but remember: if you fall down the stairs, you’ll be waiting a day and a half for the paramedics. And then you have to pay for their helicopter. A VPS instance (like Digital Ocean or Linode, as Joe_Temp suggested) is more forgiving to set up, has no maintenance costs, and has much better redundancy.)

    Yes, a fully managed server might be more than suitable for what you need. And it is certainly better than shared hosting! But if you feel the need to “harden” your server, then doing it via a CP, and being separated from tasks like updating PHP or MySQL, is going to be more of a hindrance than a help.

    If you need that, get a barebones VPS instance and install everything yourself. Working with your server on a lower level will help you understand how it actually works, and that is the one thing you actually need if you want security.

    #170968
    __
    Participant

    tl;dr:

    • WP is not awful. It is a very useful piece of software. But its security vulnerabilities are real and largely unavoidable.
    • A managed server will be much, much better for security than a shared server. There is really no point in fancy security measures on a shared server. But “hardening” is not a simple or straightforward task. There is no “one-click” solution.
    • Hiring (or becoming) a good sysadmin is the only final solution.

    edit:

    This post might interest you.
