How secure is WordPress?
- Generally speaking, WordPress Core is very secure
- Major threats to your WordPress site:
- Third-party themes, widgets
- Server vulnerabilities
- Exploits discovered in libraries used by themes, plugins, or core (see: TimThumb)
- Your own users
Don't worry, it'll be okay
Another approach to passwords
Keeping WordPress Current
Major v. Point Releases
Major releases have version numbers like 4.1 and usually contain new features and functionality.
Point releases (4.0.1) fix bugs and patch security holes.
Is it safe to upgrade core?
Point releases are very unlikely to break your site
Major releases require more extensive testing, but are still typically safe
If you're not running a staging instance no time's better than the present to get started
Common reasons people don't upgrade:
They're afraid of breaking something
- This is why we test on staging
- If you're using version control and/or take backups before you upgrade you can easily roll back
They've modified core and know they'll break something
Somebody told them not to
- Sometimes agencies manage site updates for you (they'll even test!)
- If not you, find out who is responsible for updates and make sure they're being applied
"But I manage several sites and it's hard to stay on top of it all!"
- Make a habit of checking the sites regularly - if a new core version comes out plan on updating them all
- wpremote.com
Knowing who to blame
Remember: if core upgrades break your site, it's most likely the theme or plugin that's broken, not core!
Plugin upgrades
Most plugins don't receive nearly the amount of testing and auditing as WordPress core
Read upgrade notices and do your research on plugin updates, especially if you're testing on production
What happens if something goes wrong?
- Revert the plugin upgrade
- Post a support ticket on the plugin's WordPress.org page
- Premium plugins sometimes offer separate support methods
- If a developer doesn't know an issue exists he/she can't fix it!
How risk adverse are you?
Remember: Each third-party plugin or theme you install increases your level of risk
- Stick to extensions from reputable authors and do your due diligence before installing
- Read (and write) plugin reviews!
- Keep your plugins up-to-date
- Remove plugins you no longer need
Security begins at home:
Your site is only as strong as its weakest user!
Restrict user capabilities
- Re-evaluate who has access and what level of control they have on your site
- Use WordPress roles and capabilities to restrict access
- Limit users' capabilities to what's needed and nothing more
Use multiple accounts
Create one account for administrative tasks like upgrades or managing plugins
Use a separate account for content authoring
Avoid the "admin" username
Scripts and botnets normally target "admin" as it's a default user with full privileges
Removing the default username from your site drastically reduces your risk of "drive-by" attacks
Security through obscurity…
Security through obscurity
Make it difficult for hackers to automate anything against your site by avoiding default settings, filesystem structures, or anything else a hacker might be used to
Not secure in itself but effective in reducing opportunistic hacking
"Keep your head down and hope nobody notices"
Security plugins
Your mileage with all-in-one plugins may vary
Limit Login Attempts
- Temporarily block an IP address after a certain number of failed login attempts
- Extremely effective against brute-force attacks
- It hasn't been updated for a long time, but still works
- wordpress.org/plugins/limit-login-attempts/
Moving wp-content
WordPress allows you to move your wp-content/ directory to another location
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/content' );
define( 'WP_CONTENT_URL', 'http://example.com/content' );
Another example of security through obscurity
Disable file editing
WordPress constant that will disable the plugin and theme editors
define( 'DISALLOW_FILE_EDIT', true );
…or disable everything, including the plugin installer
define( 'DISALLOW_FILE_MODS', true );
This will break automatic updates!
wp-admin over SSL
Force WordPress to serve login pages over SSL:
define( 'FORCE_SSL_LOGIN', true );
Serve all admin and login pages over SSL:
define( 'FORCE_SSL_ADMIN', true );
Of course, this requires that your site has SSL enabled
