WordPress & Web Server Security
Written by: Tyler Style
Website security is an important issue – no one wants their blog hijacked and filled with links to scammers, or their members’ emails stolen and sold to spammers. And while securing WordPress is certainly a priority, sometimes people forget that it’s not just WordPress itself that can be vulnerable but the underlying server as well. For instance, last week (May 3rd, 2012), a security hole in PHP 5.3.12 and PHP 5.4.2 was announced that allowed an attacker access to the underlying webserver via the server’s PHP interpreter itself.
So it’s important to make sure that both your actual WordPress install and your server are kept up to date and that adequate security measures are taken – especially if you’re hosting your site on your own server, or your host gives you access to server-related functions. Read on for some tips for securing both WordPress and Linux-based Apache servers.
WordPress Security Tips
First, a caveat about keeping your WordPress system and plugins up to date. While this is generally a best practice in order to make sure all known security vulnerabilities are patched, it’s not the only method you should use to protect yourself. Updating your site and its components is not a security silver bullet. If malware is built right into plugins or themes, updating those obviously won’t fix the security holes they themselves are introducing. And even after being uninstalled, some malware can still reinfect your site by tampering with the WordPress automatic update process itself so that it reintroduces the malware to your cleaned-up site. So be proactive about security – lock down what you can, and scan your site regularly!
Settings
- Strong Account Passwords
This one’s a no-brainer, but nonetheless many people still choose easy-to-crack passwords. If you don’t want to include special characters or numbers in your password, a good alternative is to choose a phrase instead of a word – something like “My password is secure!” is a much better choice than a word out of the dictionary. You can check your password strength using online tools such as How Secure is my Password or the Password Meter. To change your password, log into your WordPress site and click on the “Profile” navigation menu item on the left.
- Changing Installation Default Settings
While security by obscurity won’t stop experienced black hats, it’s certainly proof against casual drive-by attempts. One of the easiest ways you can protect yourself is by changing default settings when installing WordPress. The less that malicious hackers know about your installation in advance, the harder it is for them to crack into it.
- Database Table Prefix: this is a big one! Change the default database table prefix of “wp_” to anything else! The database is where almost everything about your website is stored. The simplest way to do this is via a plugin such as Better WP Security, or you can do it manually by (1) using a database tool such as phpMyAdmin to rename each table with the wp_ prefix to the new prefix, and then (2) editing your wp-config.php file (found in the root of your WordPress install on your web host, along with directories like wp-content) and replacing the “wp_” in the entry “$table_prefix = 'wp_';” with the new table prefix.
- “Admin” User: this is another big one. Change the default administrator account username to anything else! Once they know an administrator username, they’re halfway into cracking into your site. If you already have an “admin” user account, create a new one and give it administrator privileges by logging into your WordPress site and clicking on the “Users” menu item in the left-hand navigation bar. Then go back and delete the “admin” account. Before you delete the “admin” account, you can either manually assign all posts, etc. to the account you just created, or use the option to reassign posts, etc. that WordPress offers during the account deletion process.
- Randomize Authentication Keys and Salts: these are the secret keys that WordPress uses to encrypt data. You can change them by editing your wp-config.php file:
define('AUTH_KEY', 'change this to 65 or so random characters');
define('SECURE_AUTH_KEY', 'change this to 65 or so random characters');
define('LOGGED_IN_KEY', 'change this to 65 or so random characters');
define('NONCE_KEY', 'change this to 65 or so random characters');
define('AUTH_SALT', 'change this to 65 or so random characters');
define('SECURE_AUTH_SALT', 'change this to 65 or so random characters');
define('LOGGED_IN_SALT', 'change this to 65 or so random characters');
define('NONCE_SALT', 'change this to 65 or so random characters');
Change them to anything at all, or use the online generator to create random keys for you and paste them in.
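The two wp-config.php edits above (the table prefix and the eight keys/salts) as an added Python script, not code from the article or from WordPress itself: it rewrites the eight defines with cryptographically random 64-character values, optionally swaps $table_prefix, and prints the SQL the manual phpMyAdmin rename needs, including the wp_options and wp_usermeta rows that store the prefix as data (renaming the tables alone leaves every user without a role). The prefix wp_k4q2_ is a made-up sample value.

```python
import re
import secrets
import string

# The eight constants the article lists for wp-config.php.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus quote and backslash, so a value is safe inside a
# single-quoted PHP string.
ALPHABET = "".join(c for c in string.digits + string.ascii_letters + string.punctuation
                   if c not in "'\\")


def random_salt(length=64):
    """Cryptographically random key (the article's '65 or so random characters')."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rewrite_wp_config(text, new_prefix=None):
    """Return wp-config.php text with fresh keys/salts and, optionally, a new $table_prefix."""
    for name in SALT_NAMES:
        pattern = re.compile(r"define\(\s*'%s'\s*,\s*'[^']*'\s*\);" % name)
        new_line = "define('%s', '%s');" % (name, random_salt())
        text, count = pattern.subn(lambda _m, s=new_line: s, text)
        if count != 1:
            raise ValueError("expected one define for %s, found %d" % (name, count))
    if new_prefix is not None:
        if not re.fullmatch(r"[a-z0-9_]+", new_prefix):
            raise ValueError("prefix must be lowercase letters, digits or underscores")
        text, count = re.subn(r"\$table_prefix\s*=\s*'[^']*';",
                              "$table_prefix = '%s';" % new_prefix, text)
        if count != 1:
            raise ValueError("expected one $table_prefix line, found %d" % count)
    return text


def prefix_change_sql(tables, old="wp_", new="wp_k4q2_"):
    """SQL for the manual rename: RENAME each prefixed table, then fix the rows that
    store the prefix as data (the user_roles option and usermeta keys such as
    wp_capabilities); without these two UPDATEs no user keeps any role."""
    stmts = ["RENAME TABLE `%s` TO `%s%s`;" % (t, new, t[len(old):])
             for t in tables if t.startswith(old)]
    stmts.append("UPDATE `%soptions` SET option_name = '%suser_roles' "
                 "WHERE option_name = '%suser_roles';" % (new, new, old))
    stmts.append("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
                 "WHERE meta_key LIKE '%s%%';"          # \_ keeps _ literal in LIKE
                 % (new, new, len(old) + 1, old.replace("_", "\\_")))
    return stmts
```

Back up the database before running the generated SQL, and write the rewritten text back to wp-config.php only after checking that the site still loads.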
Plugins
- Better WP Security
This is one of the most well established and thorough security plugins, and can take care of a lot of checking server security settings. Unfortunately the sheer number of options can be intimidating for new users. As well, be aware that it’s possible to break your WordPress site by using this plugin, so be sure to back up before trying anything at all, and again before trying anything that you’re unsure of. If you’re a newcomer to WordPress or not very technically savvy, you’ll probably want to wait until you have a little more experience before trying this one out. It’s also much better to use when first setting up a site than on an older, well-established site with lots of plugins, etc.
- Limit Login Attempts
One way to help secure your site against brute force attackers trying to gain access to your administrator accounts is to limit the number of times a login attempt can be made before the account is locked out for a set amount of time. This makes the overall amount of time it would take to crack a password by brute force effectively forever, and can help protect your site against user accounts that have weak passwords.
- Wordfence
This is a newcomer to the security plugin scene, and so far it’s been doing a decent job on my sites. It has both free and paid versions, with the paid version including scanning theme & plugin files for infections and the ability to repair plugins, along with technical support. However, other plugins can step in to fill the gaps for scanning themes and plugins (such as AntiVirus).
- WordPress Firewall 2
This plugin defends your blog from malicious web-based attacks such as including SQL queries or WordPress function keywords in application parameters, and politely sends you an email whenever it detects hackers trying to use these intrusion methods to gain site access. Very handy!
- AntiVirus
AntiVirus does an excellent job of scanning for suspicious code in theme template files. However, some code that can be used for malware can also be used quite legitimately by a theme as well (eg, “include()”). AntiVirus gives you the option in the report to mark this as a ‘safe’ usage and won’t bug you again about it. While this requires a little knowledge of coding and a little work on the site owner’s part to be truly helpful, it can at least warn the less knowledgeable that there might be a problem and to keep an eye on things.
- Exploit Scanner
Similar to AntiVirus, but it scans every file and database entry for your WordPress site. This takes up a lot of time and server resources, but is very thorough. Useful if you think you may have been hacked, after you’ve installed new plugins, and as a general monthly maintenance chore.
- WP Security Scan
This one works well in conjunction with checking server security settings. It scans for weak passwords and insecure file permissions, hides the WordPress version from hackers, etc.
- Akismet
No list of security plugins would be complete without Akismet. This tried and true spam blocker will shut out 99% of spam and maliciously crafted URLs from your comments. This not only protects visitors that might click on a maliciously-crafted URL, but keeps your Google page rank high (Google’s algorithms penalize spam links). It costs a few dollars, but it’s well worth it if you don’t want to annoy and frustrate your visitors with CAPTCHAs.
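The lockout logic behind the Limit Login Attempts item above, as an added Python example rather than the plugin’s own code: a set number of failures inside a time window locks the account for a set period, and brute_force_years shows why the author can call the resulting crack time “effectively forever”. The thresholds (4 attempts, 20-minute window and lockout) are assumed values, not the plugin’s defaults.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Lock an account after `max_attempts` failures inside `window` seconds, for
    `lockout` seconds. The clock is passed in explicitly so the logic is testable."""

    def __init__(self, max_attempts=4, window=1200, lockout=1200):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Register a failed login at time `now`; return True if the account is locked."""
        if self.is_locked(account, now):
            return True                      # attempts during a lockout are rejected
        recent = self.failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_attempts:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account):
        """A correct login clears the failure history (but not an active lock)."""
        self.failures.pop(account, None)


def brute_force_years(keyspace, max_attempts=4, lockout=1200):
    """Worst-case years to try every password in `keyspace` when each batch of
    `max_attempts` guesses costs a `lockout`-second wait (guess time itself ignored)."""
    guesses_per_second = max_attempts / float(lockout)
    return keyspace / guesses_per_second / (365 * 24 * 3600)
```

With the assumed thresholds, an eight-character lowercase password (26**8 guesses) takes roughly two million years to exhaust, against minutes or hours for an unthrottled login form.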
Server Security Tips
First off, let’s talk about the aforementioned PHP vulnerability. Thankfully it only affects the few servers that are running PHP as a CGI binary rather than as the Apache module (note: Windows servers are much more likely to run PHP as a CGI). If you don’t know whether your server or host is using the CGI binary, it’s easy to check whether you’re vulnerable: just add ?-s to the end of any of your website’s URLs (eg, http://www.mysolutions.it/?-s). If you see PHP source code gobbledy-gook, you are vulnerable. If your page shows up normally, you don’t have a problem.
- File Permissions
It’s important that files can only be edited by the webserver account. If black hat hackers have gained access to your server – say via a poorly secured user account – this will prevent them from being able to damage your website by editing files directly. You should also ensure that your wp-config.php file is not writable by any user, as well as any .htaccess files. If you need to edit them later you can always change the file permissions to writable temporarily.
- Database User Account Password Strength
Just like WordPress user account passwords, the database user account needs a strong password as well, to keep the baddies from being able to change your site’s settings directly – for example, by creating a new administrator account with a blank password.
- .htaccess Files
These files are powerful tools that shouldn’t be meddled with lightly – they can really screw up your site. Editing .htaccess files is definitely for advanced users only; they are lists of instructions (“directives”) to the webserver on how to handle showing web pages to the world and can be very complicated. If you’re tempted to change these files yourself, make absolutely sure that you know what you’re doing and that you have an alternate way to restore these files to the way they were originally in case you make an error (for example, uploading a backup via FTP or changing the file back from an SSH console session).
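An added Python audit for the File Permissions item above (not from the article or the WordPress Codex): it walks a WordPress root and reports files that group or world can write, and flags wp-config.php and .htaccess if anyone at all can write them, matching the rule that those two must not be writable by any user. The install path is taken from the command line and is an assumption of the example.

```python
import os
import stat
import sys

# Files the article says must not be writable by any user once the site is set up.
LOCKED_FILES = {"wp-config.php", ".htaccess"}
ANY_WRITE = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def check_mode(name, mode):
    """Return the findings for one file given its name and st_mode (empty list = OK)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if name in LOCKED_FILES and mode & ANY_WRITE:
        findings.append("locked file is writable")
    return findings


def audit_tree(root):
    """Walk a WordPress install; return {relative path: findings} for each problem file."""
    problems = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                     # link modes are meaningless; audit the target
            findings = check_mode(name, st.st_mode)
            if findings:
                problems[os.path.relpath(path, root)] = findings
    return problems


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in sorted(audit_tree(root).items()):
        print("%s: %s" % (rel, ", ".join(why)))
```

To lock the two files down, chmod them to 0444 (read-only for everyone) and switch back to 0644 only for the duration of an edit.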
These are just a few ways you can secure your server. The WordPress Codex has a lot more detail on how to harden your WordPress installation on the server side.
Whew! That’s a lot of information, and if you’re hosting your site on your own server, this introduction only just scratches the surface of what you need to know to keep your site safe. Fortunately for most WordPress users, the web host shoulders the rest of the responsibility by keeping the web server secure and thus your site safe from black hats. So if you’ve made it all the way through here to the end – congratulations! You should have a good start on how to secure your WordPress web site and keep it secure using security plugins, WordPress settings and a few server settings.
Tyler Style is a systems architect for My Solutions IT Consultants and Head Tech for TechAlberta.ca.
My Solutions IT can help you with your website, systems administration, telecommunications and more! Contact My Solutions IT today to find out how we can streamline your business operations and help you leverage internet and telecommunications technologies to your company’s best advantage.


May 14th, 2012 at 7:53 am
Hi Tyler,
Great post!
I’ve just published a comprehensive WordPress Security Checklist, which can be downloaded for free at http://www.wpsecuritychecklist.com
It has detailed instructions for many of your recommendations for those who might need a bit more guidance.
Will take a look at Wordfence now… Thanks!
May 14th, 2012 at 12:35 pm
@Anders: nice document! There are some places I’d add a little more detail myself (eg, 4.18.1.3.2.1, Limit access to approved ip addresses only: I’d mention that users not on ISP accounts with static IPs will have to constantly be editing the “allow” directive, as their IP will likely change to something else by the next time they log in to the control panel)
May 14th, 2012 at 4:54 pm
Thanks for the input… I’ve added that and it will be in the next version! Any other comments you might have are most welcome!
May 20th, 2012 at 8:21 am
Great post. I didn’t actually notice that WordFence free didn’t scan themes and plugins. I’ll add the AntiVirus plugin as suggested.