
WordPress Security Guide For Beginners


http://fwebde.com – We've all put so much work into our blogs, and I'm sure you'd hate to see all that hard work just disappear. Unfortunately, there are some people who would get rid of all of it, either because they think it would be fun, or because they want to spam your site to push some terrible product that they couldn't advertise any other way. If you're developing your own non-WordPress site, you might want to take a look at an older post here at FWebDe called Hack Your Own Site, which will teach you how to test certain exploits on your site, and how to fix them.

Protect Your Database Login Details

If an attacker gets the login details for your WordPress database, they can add, delete or modify anything they want. How would they get that information? Most likely from the file that contains it, wp-config.php. If the PHP handler on your server is ever misconfigured or disabled, the web server may serve .php files as plain text, and anyone who requests wp-config.php gets its entire contents, MySQL credentials included. Fortunately, WordPress looks for wp-config.php first in its own install directory and then one directory level above it, so you can move the file up one level. If WordPress is installed at the root of your website, that means moving wp-config.php out of public_html, where the web server cannot serve it to anyone. This only helps if the parent directory really is outside the document root: if WordPress lives in a subdirectory such as public_html/blog, moving the file up into public_html leaves it just as reachable as before.

Get Your File Permissions Right

I'm not going to get into a huge explanation of how file permissions work, but they essentially say who is allowed to access each file and directory, and what they can do with it. Generally, you want all of your directories set to 755 and all of your files set to 644. Avoid 777: it lets every user on the server read, write and execute the file, so anyone with an account on that machine (another customer on shared hosting, or a process on your site that has already been compromised) can do whatever they want with it. The same goes for 666, which is often suggested so that the WordPress theme editor can save files: it lets every local account rewrite your theme. If you need the editor, have PHP run as the file owner (suexec or a per-site PHP-FPM pool) so that 644 is enough; otherwise edit your theme over SFTP and leave the editor disabled, which you can do with the DISALLOW_FILE_EDIT constant in wp-config.php.
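The two steps above, as a small shell script added here as an example for this guide (it is not code from the original post or from WordPress): it resets a WordPress tree to 755/644, reports anything still world-writable, and moves wp-config.php one level up, refusing if that would collide with another install. The function names (wp_set_perms, wp_find_world_writable, wp_move_config) are this example's own, and it assumes a POSIX shell with find, chmod and mv, that the directory you pass is the WordPress install directory, and that the directory above it is outside the web server's document root. The tree it builds in demo mode is constructed, not a real site.

```shell
#!/bin/sh
# Added example for this guide, not code from the original post or from
# WordPress. Assumes: POSIX sh with find/chmod/mv; the argument is the
# WordPress install directory; its parent is outside the web document root.

# Reset every directory to 755 and every file to 644 under the given root.
# Nothing in a WordPress tree needs to be executable, and nothing should be
# writable by anyone but its owner.
wp_set_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# List every path under the root whose "other" write bit is set (666, 777
# and friends). Run it after wp_set_perms and again whenever you add plugins.
wp_find_world_writable() {
    find "$1" -perm -002
}

# Same check as a number, for scripts and monitoring: 0 means clean.
wp_count_world_writable() {
    wp_find_world_writable "$1" | wc -l | tr -d ' '
}

# Move wp-config.php one directory above the install. wp-load.php looks for
# ABSPATH/wp-config.php first and then for ../wp-config.php, but only if the
# parent holds no wp-settings.php (that would mark it as a separate install),
# so refuse in that case rather than silently breaking the site.
wp_move_config() {
    root="$1"
    parent=$(dirname "$root")
    if [ -e "$parent/wp-settings.php" ]; then
        echo "refusing: $parent looks like another WordPress install" >&2
        return 1
    fi
    if [ ! -f "$root/wp-config.php" ]; then
        echo "nothing to do: $root/wp-config.php not found" >&2
        return 1
    fi
    mv "$root/wp-config.php" "$parent/wp-config.php"
    # The file holds database credentials. Owner-only access is enough when
    # PHP runs as the file owner (suexec, a per-site PHP-FPM pool); with a
    # shared www-data process use 640 and the web server's group instead.
    chmod 600 "$parent/wp-config.php"
}

# Demo on a constructed, throw-away tree; set WP_PERMS_DEMO=1 to run it.
if [ "${WP_PERMS_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/wp-content/plugins/example"
    echo '<?php // constructed sample, not a real config' > "$tmp/public_html/wp-config.php"
    touch "$tmp/public_html/wp-content/plugins/example/example.php"
    chmod 777 "$tmp/public_html/wp-content/plugins/example/example.php"
    echo "world-writable before: $(wp_count_world_writable "$tmp/public_html")"
    wp_set_perms "$tmp/public_html"
    echo "world-writable after:  $(wp_count_world_writable "$tmp/public_html")"
    wp_move_config "$tmp/public_html" && ls -l "$tmp/wp-config.php"
    rm -rf "$tmp"
fi
```

On a live site, run wp_set_perms as the account that owns the files (or as root), then confirm with wp_count_world_writable that nothing is left at 666 or 777; the 600 on the moved wp-config.php is the right mode only when PHP executes as that same owner, which is the case on most suexec or PHP-FPM hosting but not with a shared www-data process.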
Disable New User Registration

Unless you are building a large community site, make sure that visitors cannot create their own accounts on your WordPress blog. The WordPress registration system has been abused before: an attacker registers as an ordinary subscriber, exploits a privilege-escalation bug to promote that account to "Administrator", and then hides the account with a bit of JavaScript injected into the administration screens, so the extra administrator never shows up in your user list. Preventing this is simple. From your WordPress dashboard, go to Settings (General) and make sure "Anyone can register" is left unchecked.

Prevent the Public From Browsing Your Directories

You know how, if you browse to a directory without an index.html (or similar) file, you'll see a list of all the files it contains? An attacker can browse through your directories the same way and learn a lot. For example, they can find out exactly which plugins you have installed (and usually which versions, from each plugin's readme), and then go looking for known vulnerabilities in those plugins. Fixing this is quite simple: put a blank index.html file into wp-content/plugins and into any other directory you want to keep the public out of. WordPress itself ships index.php placeholders in wp-content and wp-content/plugins, but many plugins and the uploads directory do not, so check each directory rather than assuming. On Apache you can also switch listings off for the whole site with the Options -Indexes directive in an .htaccess file, which covers the directories you forget about. Note that this hides the file list, not the files: anyone who already knows a file's name can still request it.

Do Not Use the Default Admin Account

By default, when you install WordPress, the administrator's username is "admin". That gives attackers a head start: they already know half of your login and only need to guess the password, which is why "admin" is the first username every password-guessing script tries. To fix this, go to the "Users" section of your WordPress admin and create a new user for yourself, with the role set to "Administrator". Log out of WordPress and log back in with the new username, then delete the old "admin" account. If you already have posts written, WordPress will offer to attribute all of the old account's content to your new user when you delete it; choose that, or the posts are deleted along with the account.
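The directory-listing fix, as a shell script added here as an example (not code from the original post or from WordPress): it lists every directory under wp-content that a browser could list, plants the blank index.html the text recommends in each of them, and, for Apache, adds Options -Indexes to a .htaccess so that directories created later are covered too. The function names (wp_dirs_without_index, wp_plant_index_files, wp_disable_listing_htaccess) are this example's own; it assumes a POSIX shell, that the argument is your wp-content directory, and, for the .htaccess part, an Apache server whose AllowOverride setting permits Options in .htaccess. The tree built in demo mode is constructed.

```shell
#!/bin/sh
# Added example for this guide, not code from the original post or from
# WordPress. Assumes a POSIX shell; the argument is the wp-content directory;
# the .htaccess helper assumes Apache with AllowOverride Options (or All).

# Print every directory under the root that has neither index.html nor
# index.php, i.e. every directory a browser could list.
wp_dirs_without_index() {
    find "$1" -type d | while read -r d; do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
            echo "$d"
        fi
    done
}

# Number of listable directories; 0 means every directory is covered.
wp_count_dirs_without_index() {
    wp_dirs_without_index "$1" | wc -l | tr -d ' '
}

# The fix from the text: drop an empty index.html into each listable
# directory. Existing index files (WordPress's "Silence is golden"
# index.php stubs) are left alone.
wp_plant_index_files() {
    wp_dirs_without_index "$1" | while read -r d; do
        : > "$d/index.html"
        chmod 644 "$d/index.html"
    done
}

# Belt and braces for Apache: turn listings off for the whole tree, so a
# directory created later by a plugin or an upload is covered as well.
# Adds the directive once and leaves any other rules in the file untouched.
wp_disable_listing_htaccess() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^Options -Indexes' "$htaccess"; then
        return 0
    fi
    printf 'Options -Indexes\n' >> "$htaccess"
    chmod 644 "$htaccess"
}

# Demo on a constructed tree; set WP_INDEX_DEMO=1 to run it.
if [ "${WP_INDEX_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/example" "$tmp/wp-content/uploads/2011/05"
    echo '<?php // Silence is golden.' > "$tmp/wp-content/index.php"
    echo '<?php // Silence is golden.' > "$tmp/wp-content/plugins/index.php"
    echo "listable before:"; wp_dirs_without_index "$tmp/wp-content"
    wp_plant_index_files "$tmp/wp-content"
    wp_disable_listing_htaccess "$tmp/wp-content"
    echo "listable after: $(wp_count_dirs_without_index "$tmp/wp-content")"
    cat "$tmp/wp-content/.htaccess"
    rm -rf "$tmp"
fi
```

Run wp_dirs_without_index first to see what is exposed; on a typical install it is the individual plugin directories and everything under uploads. Remember that neither measure hides the files themselves, only the listing, so a plugin that is known to be installed can still be probed by name.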
Update WordPress Regularly

WordPress developers are constantly working to improve the security of the platform, and security fixes always land in the newest release. Vulnerabilities are regularly found in older versions of WordPress, and once one is public, it will be exploited on every blog that hasn't moved to the fixed version, yours included. The same applies to plugins and themes: an out-of-date plugin is just as good an entry point as an out-of-date core, so update those too, and remove the ones you no longer use.

Use a Strong Password

I'm sure you've heard this many times before, but it is crucial to have a strong password that cannot simply be guessed by somebody trying to access your site. You may already know this, so I'll keep it short: use a long password that mixes types of characters (letters, numbers, symbols, etc.), but that is still memorable to you and to you only. Don't make it anything an attacker could find out about you with a quick Google search, such as your phone number or your date of birth. And finally, if you can't seem to remember your password, do not write it down or store it in a plain text file called passwords.txt. Instead, use an encrypted password manager such as KeePass or KeePassX.

Make Backups Frequently

Okay, none of the security tips listed above are 100% foolproof, and someone determined to break into your site will eventually find a way in. So if or when that happens, you need to be prepared. If you care about the content on your site, make sure that you back it up often. That way, if your site is compromised, you can get back to normal with minimal loss of content. Another advantage of keeping backups is that after a compromise, you can compare a previous version against the hacked site to see what changed, work out how the attacker got in, and prevent it from happening again. Make sure you back up both the files and the database of your WordPress installation, always keep multiple copies in separate places (a backup stored only on the compromised server is at the attacker's mercy), and test a restore now and then so you know the copies are usable. An excellent guide to backing up your WordPress database can be found at the WordPress Codex.
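A files-plus-database backup of the kind the section above asks for, as a shell script added here as an example (it is not from the original post, from WordPress or from the Codex guide). It reads the database credentials out of wp-config.php (in the install directory or one level up), dumps the database with mysqldump, bundles the dump, the config and the site files into one timestamped archive, and prunes old archives so several copies are kept. The function names (wp_config_value, wp_find_config, wp_backup, wp_prune_backups) and the WP_DUMP_CMD override are this example's own; it assumes a POSIX shell with mysqldump, tar and gzip installed, and that the destination directory is on a different disk or host from the site. The wp-config.php used in demo mode is constructed, with made-up credentials.

```shell
#!/bin/sh
# Added example for this guide, not code from the original post, WordPress
# or the Codex. Assumes POSIX sh, mysqldump, tar and gzip; the first argument
# is the WordPress install directory, the second the backup destination.

# Read a define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Locate wp-config.php: in the install directory, or one level above it
# (the place the earlier section recommends moving it to).
wp_find_config() {
    if [ -f "$1/wp-config.php" ]; then
        echo "$1/wp-config.php"
    elif [ -f "$(dirname "$1")/wp-config.php" ]; then
        echo "$(dirname "$1")/wp-config.php"
    else
        return 1
    fi
}

# Dump the database to the given file. Credentials come from wp-config.php;
# the password is passed through MYSQL_PWD rather than on the command line so
# it does not show up in `ps`. --single-transaction gives a consistent
# snapshot of InnoDB tables without locking them. WP_DUMP_CMD, when set,
# replaces mysqldump entirely (used by the test harness; hypothetical).
wp_dump_db() {
    cfg="$1"; out="$2"
    if [ -n "${WP_DUMP_CMD:-}" ]; then
        $WP_DUMP_CMD > "$out"
        return
    fi
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" > "$out"
}

# Make one timestamped archive holding the dump, wp-config.php and the files.
# Prints the archive path.
wp_backup() {
    root="$1"; dest="$2"
    cfg=$(wp_find_config "$root") || { echo "no wp-config.php for $root" >&2; return 1; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$dest"
    wp_dump_db "$cfg" "$work/database.sql"
    cp "$cfg" "$work/wp-config.php"
    tar -C "$(dirname "$root")" -cf "$work/files.tar" "$(basename "$root")"
    tar -C "$work" -czf "$dest/wp-backup-$stamp.tar.gz" database.sql wp-config.php files.tar
    chmod 600 "$dest/wp-backup-$stamp.tar.gz"   # the archive holds DB credentials
    rm -rf "$work"
    echo "$dest/wp-backup-$stamp.tar.gz"
}

# Keep only the newest N archives (the timestamp in the name sorts correctly).
wp_prune_backups() {
    dest="$1"; keep="$2"
    n=$(ls -1 "$dest"/wp-backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    ls -1 "$dest"/wp-backup-*.tar.gz 2>/dev/null | sort | while read -r f; do
        if [ "$n" -gt "$keep" ]; then
            rm -f "$f"
            n=$((n - 1))
        fi
    done
}

# Typical use from cron; set WP_BACKUP_RUN=1 and the two variables to run.
if [ "${WP_BACKUP_RUN:-0}" = 1 ]; then
    archive=$(wp_backup "$WP_ROOT" "$BACKUP_DIR") && echo "wrote $archive"
    wp_prune_backups "$BACKUP_DIR" 7
fi
```

Copy each archive off the server as soon as it is written (rsync or scp to another machine, or an object store), since a backup that lives only next to the site disappears with it; and do a test restore of the dump into a scratch database occasionally, because a backup you have never restored is only a hope.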
So do you follow any of these security practices? Do you have any other good WordPress security tips that you'd like to share? And do you feel like you back up your WordPress installation as often as you probably should? Be sure to leave your answers in the comments.