Written by WordPress Multisite

WordPress security never ends

Better WordPress security happens after the fact because nobody wants to invest in hardening until after their site gets hacked.

KyleBondo.com - WordPress security never ends

I once heard a quote that went, “Anyone can play basketball, but only a few can play in the NBA.”

The same is true with WordPress developers. Anyone can figure out how to install a WordPress website onto a garden variety server. However, the amateurs are quickly separated from the pros when it comes to things like security hardening, third party plugin conflicts, multisite weirdness, and keeping the spam-bots out of your content. You can claim to be a Pro all you want, but when the real world hits your site, your skills will be challenged in a way that will either prove (or disprove) your claim!

This week, my true test was in the security department. No matter how much security you put into your WordPress sites, you can never assume a plugin will not break that security, nor can you assume a third party plugin author had security in mind when they wrote their code. With almost 75-million WordPress websites out their (18.9% of all self-hosted websites on the Internet), there is a lot to be gained by hacking any WordPress installation.

Most hackers go after those sites that do not update their code. I can only imagine the army of zombies (compromised sites used to attack visitors or launch attacks against other sites) these hackers can create from just a fraction of the total WordPress sites out there. But there is another group of hackers that are looking for something more precious – private or protected content. These guys are after the stuff you think is secure – your WordPress admin backend, internal company information, server access credentials, draft documents, membership lists, resumes, phone numbers, email addresses, etc. – anything you do not want the Internet to see!

How do you keep these creeps out of your site? Well, if you understand how security professionals think, then you have to take a page from their playbook and assume the bad guys are already inside your code. What does that mean? It means that hackers already know EVERYTHING about your site before you even load the code to your server. They already have access to every release of WordPress source code every made. You have to assume they know all your out-of-the-box file names, folder names, and where all the goodies are kept (e.g. wp-config, uploads, wp-admin) too. Worse still, they most likely know how your server is set up and what counter-measures your host will have deployed to stop their attacks. Before you think you’re hosting company has your back, good hackers already have a way around the security measures that most cheap hosting companies employ.

If you assume the bad guys are better WordPress Developers then you are, then you have to accept the fact that they have un-zipped, inspected, and explored the next WordPress installation code long before you even receive the email that it has become available. Your security thinking has to BEGIN with the acknowledgment — no matter how far fetched — that a WordPress hacker is three-steps ahead of you before you even start! Doesn’t seem fair, does it?

So how do you counter an adversary that is three-steps ahead? Hackers are looking for EASY. They want the low-hanging sites that have neglected their security and lax on patching their code. In other words, to prevent your site from being hacked, you need to stop looking like an easy target. You need to make your WordPress site a Day-Zero hard target by employing some simple, yet effective, defensive measures.

Here’s how you can make your WordPress less attractive:

1. Pre-Installation Thinking: Michiel Heijmans, renowned WordPress plugin developer and founder of Yoast, has an article on his SEO Blog called WordPress Security. Heijmans’ article gives you a great perspective on his view of WordPress Security that includes pre-installation thinking like picking a good host, the dangers of free themes and plugins, and a focus on replacing ALL defaults (including the database prefix). Heijmans article also introduces Sucuri, a globally recognized website security company that can audit your WordPress security measures, or help recover your site from a hack.

2. Optimization Thinking: Amit Agarwal, founder of Digital Inspiration, wrote another great security article called Optimize your WordPress Installation. Agarwal covers many of the tweaks you need to make to the out-of-the-box WordPress installation to keep it from becoming a target. Although he shares several of the same tips as Heijmans, Agarwal gives you a step-by-step guide to reducing the elements within your security profile that you probably didn’t realize was a potential threat (e.g. To many RSS Feeds). Not every step in this guide will be effective for every situation, but it will give you a fighting chance to make your site much tougher to crack.

3. Beyond Optimization Thinking: Kevin Muldoon from WPMUDEV has written an excellent article called WordPress Security: The Ultimate Guide. Unlike the first two guru’s, Muldoon gives you some insight into the world of WordPress hacking, resources for advance security reading, and challenges you on what should be common sense security (that many developers, to my surprise, often overlook). One of the more asymmetrical strategies this article provides is thoughts regarding backups as a fall back plan to any successful hack. If all your security efforts fail, it’s good to think that a simple backup could be a vital part of your recovery plan. Muldoon’s ultimate advice is, “If you fail to prepare, prepare to fail.”

This is obviously not an exhaustive list of WordPress security resources but should be enough to make your site a much harder target. The key point to this post is to make you aware of just how vulnerable your WordPress website can be out-of-the-box, and how just a few security changes can make life so much better. Nobody wants to get hacked, and those that have been hacked certainly do not want to be hacked again!

When it came to criminals (like most hackers are), my father’s advice to me was, “Kyle, everyone hates guns until they get mugged!” The same can be true for WordPress security. Everyone hates thinking about security until their site gets hacked! Then they can think about it enough. So, please don’t learn about security after the fact! Become a WordPress Development Pro by getting educated, getting disciplined, and most of all, become a harder target today.

Remember — WordPress security never ends!

Tags: , ,

Last modified: August 20, 2019