WordPress is open source software. Open source software has its advantages to be sure, but since it is “open,” meaning that the code is available for all to see, those who study the code closely enough can find holes.
If a hole is found by one of the “good guys,” then it can be filled, and provided the user updates his or her version of the software, all is well. However, if the version of the software is out of date, or if one of the “bad guys” finds a way in first, a security breach may be the result.
It’s not just the core WordPress files that could leave a web site open to attack either. It could be a poorly coded plugin or theme that is to blame. Keeping plugins and themes up-to-date and buying/downloading them from reputable sources is a smart idea.
More than just programming bugs, weak passwords are commonly to blame for security attacks as well.
Plugins to Help Keep WordPress Secure
There are a variety of plugins that exist that are designed to help keep a WordPress installation secure from attacks. Whether they “patch” up some default behaviour of WordPress that makes it vulnerable, check for existing exploits, or keep a watchful eye, many of the plugins are feature rich and offer peace of mind to the web site owner(s).
Each plugin naturally has a different feature set. I will go through the features of some of the best security plugins below.
BulletProof Security is a popular plugin in the WordPress community and is available from the WP plugin directory. This plugin is meant to provide protection against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection attacks.
It offers simple protection for distributed configuration files (.htaccess files). These files are processed before a hacker’s malicious code has the opportunity to execute, so it stands to reason, at least to the BulletProof Security developers, to lock these files down first. It also offers a one-click ability to turn on maintenance mode for the site. The files can be edited from the backend without the need for any file transfer method like FTP or Control Panel file transfer. Both the root of the site and the WordPress admin area are protected with this plugin.
Protected files include wp-config.php, bb-config.php, php.ini, and php5.ini. Standard features include the turning off of database errors, and the removal of the WordPress version, among others.
When in maintenance mode (503 Website Under Maintenance), admins will be able to see the site, while everyone else will see a custom “under maintenance” page. Additional IP addresses can be added to give other users the ability to see the site while under construction.
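The maintenance-mode behaviour described above, as an added example of how it can be done with core WordPress hooks (this is not BulletProof Security’s code): administrators and an allow-list of addresses see the site, everyone else gets a 503. The plugin header and the sample IP addresses are assumptions; place the file in wp-content/mu-plugins/ to have WordPress load it automatically.

```php
<?php
/*
Plugin Name: Example Maintenance Mode (added example)
Description: Sends a 503 "under maintenance" page to everyone except
logged-in administrators and an allow-list of IP addresses.
*/

function example_maintenance_allowed_ips() {
    // Constructed sample addresses from the documentation ranges, not real clients.
    return array( '203.0.113.10', '198.51.100.25' );
}

function example_maintenance_gate() {
    // Site owners keep working: 'manage_options' is the administrator capability.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Decide on REMOTE_ADDR, the TCP peer the web server actually talked to.
    // X-Forwarded-For is client-controlled and must not drive this check
    // unless a trusted proxy in front of the site overwrites it.
    $client_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( in_array( $client_ip, example_maintenance_allowed_ips(), true ) ) {
        return;
    }

    // 503 tells search engines the outage is temporary; Retry-After (seconds)
    // hints when crawlers should come back instead of dropping the pages.
    header( 'Retry-After: 3600' );
    wp_die(
        '<h1>Website Under Maintenance</h1><p>We will be back shortly.</p>',
        'Website Under Maintenance',
        array( 'response' => 503 )
    );
}

// template_redirect fires after the current user is known and before any
// theme output. It does not run for wp-login.php or wp-admin, so admins
// can still sign in while the front end is closed.
add_action( 'template_redirect', 'example_maintenance_gate' );
```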
Wordfence is another good security plugin for WordPress and it works with the MultiSite or Network version of WordPress. It includes some firewall protection too. The free version will suffice for most sites and it’s by far my favorite!
Even without backups, the plugin can verify the integrity of WordPress core, theme and plugin files and restore them. The core plugin is free, but there is a premium version that extends the geolocation capabilities and allows the blocking of traffic from certain countries. The paid API version also allows scans to be scheduled for set times.
The firewall feature will block fake Googlebots, and other common security threats, and it also offers the ability to block entire networks.
The scans check for the signatures of more than 44,000 malware samples and their variants, and check for other changes in files. They also look for common backdoors, including RootShell, Crystal Shell, Matamu, C99, R57, Sniper, Predator, Jackal, and others.
Standard features, such as preventing WordPress from revealing information that may compromise security, exist within this plugin. It boasts a real-time traffic log which includes robots, page-not-founds, human traffic, logins and logouts. City-level geolocation is included in the real-time traffic view to see which locations are consuming the most content and posing a threat.
The plugin attempts to prevent DDoS attacks by monitoring disk space.
Better WP Security
Better WP Security attempts to “obscure” WordPress by hiding or removing certain standard behaviours from the software. Knowing that common attacks on WordPress stem from obsolete or out-of-date software, weak passwords, and plugin/theme vulnerabilities, the developers included ways to circumvent attacks from those areas.
They set it up to prevent attackers from learning too much about the WordPress site by:
- removing WordPress meta “Generator” tag
- changing URLs for login, admin, etc.
- removing header information related to Windows Live Writer and RSD
- renaming the “admin” account if it exists, and changing the ID for the first user that has the ID of 1
- changing the database prefix from “wp_” to something more obscure
- changing the path for “wp-content”
- removing login error messages
- randomizing the version number for non-admins
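Several of the items in that list map directly onto WordPress hooks. The following is an added example (not Better WP Security’s own code) showing how the generator tag, the RSD and Windows Live Writer links, the login error messages and the version leak in asset URLs are handled; the plugin header and function names are assumptions. The database prefix, wp-content path and login URL changes are install-level settings and are not shown here. Drop the file into wp-content/mu-plugins/ to activate it.

```php
<?php
/*
Plugin Name: Example WP Information Hiding (added example)
Description: Removes the details WordPress reveals about itself by default.
*/

// 1. No <meta name="generator" content="WordPress x.y"> in the page head,
//    and no version string in RSS/Atom feeds either (the_generator covers feeds).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Drop the Really Simple Discovery and Windows Live Writer manifest links.
//    Both advertise the XML-RPC endpoint and are only needed by desktop blog clients.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// 3. One generic login error instead of "invalid username" vs "incorrect password",
//    so a failed login no longer confirms which usernames exist.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Please check your details and try again.';
} );

// 4. Strip the ?ver= query string from enqueued styles and scripts for visitors
//    who are not logged in. Assets registered without their own version use the
//    WordPress version here, which is what an attacker reads to pick an exploit.
function example_hide_asset_version( $src ) {
    if ( is_user_logged_in() ) {
        return $src; // keep cache-busting intact for logged-in users
    }
    return remove_query_arg( 'ver', $src );
}
add_filter( 'style_loader_src', 'example_hide_asset_version', 9999 );
add_filter( 'script_loader_src', 'example_hide_asset_version', 9999 );
```

Hiding these strings reduces what a scanner learns, but it is not a substitute for keeping core, themes and plugins updated, which the article’s earlier paragraphs identify as the actual fix.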
If the need ever arises to recover from an attack, the database backup option can be set up. It will send database backups by email on a customizable schedule.
The Better WP Security plugin works on both single site and multi site WordPress installations, and works with Apache, LiteSpeed and NGINX.
It may also be worth pointing out that security can start at the computer level. The computer and network (especially wireless) can be the point of entry for an attack on a web site. It’s a good idea to keep a computer free from viruses, malware, and spyware to keep your web sites safe as well. A secure wireless network and secure file transfers can go a very long way toward keeping a web site secure. Always use strong passwords on a computer, network, router, FTP software, and everywhere else.
Deleting all unused themes and plugins prevents you from having to keep them up to date and worrying about them becoming a “hole” or “backdoor” into the system. Consider the implementation of SSL on the site’s admin and login areas.