WordPress Security Part I

February 5th, 2009 by Carl | Filed under Blogging, security, wordpress.


Regular readers will have noticed that for the last few days the blog was sporting a skull and death to everyone motif. This wasn’t a new nihilistic F*ck-you WordPress theme. The blog was defaced by idiot hackers. Well, we are back up and running again and no lasting damage was sustained, although the inconvenience was significant.

This misfortune gives me the opportunity to talk about security. There are a number of ways in which the little tinkers can mess up your site, including server vulnerabilities, network attacks, database hacks and getting into the admin area.

Server Vulnerabilities

Server security is the foundation of a secure site; if it is poor, none of the rest of this post will help very much. It is the responsibility of your host. If you keep getting hacked because of this, find a more security-conscious host.

Network Vulnerabilities

Network vulnerabilities allow passwords to be intercepted by sniffers or by other sorts of attacks (such as man-in-the-middle attacks). To avoid network vulnerabilities you should ensure that all the computers on your network are free of malware, spyware and viruses. Secure your wireless network with a strong password and use a firewall. You can also enable a secure connection with this SSL login plugin (you need to have HTTPS enabled on your host).

Software Problems

With any complex piece of software, there are going to be situations where the unexpected happens and causes it to malfunction, giving unintended access to your system. Such vulnerabilities are often fixed quickly, but if you are using an old version it makes your site a target. Therefore, it is important to upgrade your WordPress installation to the latest version. Since 2.7, automatic upgrades have been a standard feature, so it is not a problem to keep up to date.

Database Vulnerabilities

WordPress runs on a database, and it is the heart of your blog. If hackers can get into the database, they will have a field day. They may be able to add spam links to your site, delete information, or add incorrect information that may not be noticed (known as ‘data diddling’). It has great potential for industrial espionage.

  • Create a database for WordPress only to limit damage/access from other applications
  • Only allow the minimum permissions for database users. This is possible from PHPMyAdmin in your host’s control panel. WordPress requires:
  • Choose a new user name rather than the default admin
  • Choose a different, strong password to gain access to the database (c.f. password security)
  • Knowing the names of the tables in the database makes it easier for hackers to get information out of it. Change the default table prefix from wp_ to make it more difficult for them to extract information from the database. The wp-security-scan plugin provides this facility. For a new installation, simply edit the wp-config.php file as shown below:

$table_prefix = 'whatever_';

If you would like to update an already existing WordPress installation, you will need to update the wp-config.php file as shown above in addition to renaming all WordPress database tables. This can be done via PHPMyAdmin or some similar web interface that enables you to update your databases.

  • Make regular backups of your database and download them to your computer. Your host should also do this as a matter of course. If the worst should happen, then you can limit the damage done.
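The "minimum permissions" and "change the table prefix" items above, worked through as MySQL statements. This is an added example, not from the original post or from WordPress itself: it assumes a database named wpblog, a user named wpblog_app, the 'whatever_' prefix from the wp-config.php line above, and the WordPress 2.7 table set; the privilege list is an assumption of what a stock install and upgrade need.

```sql
-- Added example (assumptions: MySQL, database wpblog, user wpblog_app,
-- new prefix 'whatever_'). Take a database backup before running part 2.

-- 1. A dedicated database and a user that can reach only that database.
--    Privilege list is an assumption of what install/upgrade needs; it
--    deliberately grants nothing on *.* and omits FILE, SUPER and PROCESS.
CREATE DATABASE wpblog CHARACTER SET utf8;
CREATE USER 'wpblog_app'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
    ON wpblog.* TO 'wpblog_app'@'localhost';
FLUSH PRIVILEGES;

-- 2. Changing the prefix on an existing installation. Renaming the tables
--    is not enough: WordPress also stores the prefix inside row data, and
--    until those rows are fixed every user (including you) has no role.
USE wpblog;
RENAME TABLE
    wp_comments           TO whatever_comments,
    wp_links              TO whatever_links,
    wp_options            TO whatever_options,
    wp_postmeta           TO whatever_postmeta,
    wp_posts              TO whatever_posts,
    wp_term_relationships TO whatever_term_relationships,
    wp_term_taxonomy      TO whatever_term_taxonomy,
    wp_terms              TO whatever_terms,
    wp_usermeta           TO whatever_usermeta,
    wp_users              TO whatever_users;
-- Table list is for WordPress 2.7; run SHOW TABLES LIKE 'wp\_%' first and
-- add any extra tables that plugins have created.

-- The role definitions live in the options table under a prefixed name.
UPDATE whatever_options
   SET option_name = 'whatever_user_roles'
 WHERE option_name = 'wp_user_roles';

-- Each user's capabilities and level sit under prefixed meta keys
-- (wp_capabilities, wp_user_level, ...). Replace only the leading 'wp_';
-- a blanket REPLACE() would also mangle keys that merely contain 'wp_'.
UPDATE whatever_usermeta
   SET meta_key = CONCAT('whatever_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Checks: no table still carries the old prefix, and the role rows moved.
SHOW TABLES LIKE 'wp\_%';
SELECT user_id, meta_key FROM whatever_usermeta WHERE meta_key LIKE '%capabilities';
```

The final SELECT should list every user with a whatever_capabilities key; if any still show wp_capabilities, the UPDATE did not run against the renamed table.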

In part II of this post, I will explain how to lock down the wp-admin area and other measures to make those pesky hackers’ lives more difficult.


4 Responses to “WordPress Security Part I”

  1. Posts about wordpress plugin as of February 5, 2009 | Enjolt | Defining the future of the internet! | 6/02/09

    [...] the readers or subscribers of the fresh and newly updated content of a certain website or blog WordPress Security Part I – seothegame.com 02/05/2009 Regular readers will have noticed that for the last few days the [...]

  2. WordPress Security Part II | 6/02/09

    [...] login plugin to prevent brute force attacks, .htaccess to restrict access to wp-admin and more. Part I can be found [...]

  3. WordPress SEO Tips | 9/03/09

    [...] At the time of writing, the latest installation is 2.7.1. One of the major features other than its new interface is its automatic upgrade feature, which allows you to keep your system up to date. This is the first rule of keeping a secure blog. [...]

  4. Iframe Injection Hack | 8/06/09

    [...] on blogs and other content management systems so you should always keep it updated if possible or secure your blog using methods discussed [...]
