WordPress & Security Notes From The St. Louis WordPress Developers Meetup

This week at the St. Louis WordPress Developers Meetup we discussed tips and tricks on how to ensure your WordPress installations are as secure as possible. I’ve collected my notes below.

For further reading, check out Eric Juden’s notes as well.

Things you can do “Out of the Box”

  • Check the Codex for some general tips on Hardening WordPress.
  • Check your file permissions to make sure they are as secure as possible.
  • Change the default “wp_” table prefix to something unique. Automated SQL injection attacks search specifically for tables named “wp_”. (As Ken Johnson points out in the comments of the WordPress Meetup, this is probably only a good idea on new installations!)
  • Delete Default Admin account. You should never post from admin as it looks dorky and gives away that you’re using WordPress.
  • Use strong passwords! Don’t give clients the same lame password over and over. Be unique.
  • Delete unused themes and plugins. They just take up space and are yet another vector for attacks.
  • Use Akismet for managing comment spam. Not exactly security, but part of decreasing the amount of time you dedicate to meddlesome maintenance.
  • Hide your version number and change the readme.html file to something random. Nefarious people are looking for easy targets; changing things up a bit makes these automated attacks more difficult to pull off.
// Return an empty string for the generator meta tag so the WordPress version is not printed in the page head.
function remove_wp_version() {
    return '';
}
add_filter('the_generator', 'remove_wp_version');


  • Change Salts often – you can even use this handy tool to generate new ones – https://api.wordpress.org/secret-key/1.1/salt/
  • Move wp-config.php to the directory above public_html. If they can’t get to it via the web, they can’t see your database username/password or salts.
  • Update your stuff. Here’s a list of security fixes just in 3.5.1 alone!
    • Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team.
    • Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team.
    • Cross-site scripting (XSS) in the external library Plupload. Plupload 1.5.5 was released to address this issue.
  • Find a good, respectable host! Someone who keeps up with new versions of PHP, MySQL, etc. – not GoDaddy.
  • When all else fails, having a good backup will be your last line. Test your backup regularly.
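Several of the items above (file permissions, the readme.html file, the wp-config.php location and its readability, the default “wp_” prefix, and placeholder salts) can be checked mechanically. The script below is an added example written for these notes, not code from the meetup or from WordPress itself. It assumes `root` is the public web root of an install and, as WordPress itself does, looks for wp-config.php there and then one directory up; the sample install it builds in a temporary directory is constructed on purpose to trip most of the checks.

```python
"""Audit a WordPress web root for a few of the checklist items above.

Added example for these notes; it only inspects files on disk and never
talks to WordPress or the database.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

DEFAULT_PREFIX = "wp_"
# wp-config-sample.php ships with this exact placeholder in every salt line.
SALT_PLACEHOLDER = "put your unique phrase here"


def world_writable(root):
    """Relative paths under root whose mode lets any user write to them."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.lstat().st_mode & stat.S_IWOTH
    )


def locate_wp_config(root):
    """WordPress loads wp-config.php from the web root, else one level up."""
    root = Path(root)
    for candidate in (root / "wp-config.php", root.parent / "wp-config.php"):
        if candidate.is_file():
            return candidate
    return None


def audit_wordpress(root):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    root = Path(root)
    findings = []

    for path in world_writable(root):
        findings.append(f"world-writable: {path}")

    if (root / "readme.html").is_file():
        findings.append("readme.html present (advertises the WordPress version)")

    cfg = locate_wp_config(root)
    if cfg is None:
        findings.append("wp-config.php not found")
        return findings
    if cfg.parent == root:
        findings.append("wp-config.php is inside the web root")
    if cfg.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php is readable by group/other")

    text = cfg.read_text()
    match = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if match and match.group(1) == DEFAULT_PREFIX:
        findings.append("table prefix is the default wp_")
    if SALT_PLACEHOLDER in text:
        findings.append("salts still contain the sample placeholder")
    return findings


def build_sample_install(root):
    """Constructed sample tree (not a real install) that trips several checks."""
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (root / "readme.html").write_text("<h1>WordPress</h1>\n")
    (root / "wp-config.php").write_text(
        "<?php\n"
        "$table_prefix = 'wp_';\n"
        "define('AUTH_KEY', 'put your unique phrase here');\n"
    )
    # Set every mode explicitly so the result does not depend on the umask.
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "wp-content" / "uploads", 0o777)  # the one deliberate offender
    os.chmod(root / "index.php", 0o644)
    os.chmod(root / "readme.html", 0o644)
    os.chmod(root / "wp-config.php", 0o644)  # readable by everyone on the box


def demo():
    """Build the sample install in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "public_html"
        webroot.mkdir()
        build_sample_install(webroot)
        return audit_wordpress(webroot)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_wordpress()` at a real web root to get the same style of report; on a hardened install with wp-config.php moved above public_html and set to mode 0600 (or 0640 if the web server runs as your group), only the findings you still need to act on remain.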


Extra Things You Can Do

Some useful plugins that can help give peace of mind or help with managing WordPress.


Further Reading

http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess

http://wpsecure.net/secure-wordpress-advanced/


Themes Mentioned During the Chat


Join Us

If you’re thinking about attending one of the meetings I encourage you to do so. The diversity of knowledge and skill sets almost guarantees that there’s something new to learn. Everyone is approachable and there to share and grow together.