Wordpress getting hacked, need more security
March 2, 2012 8:17 AM

I love WordPress but I am finding that it seems to be very insecure when it comes to viruses and hacking. What do other WordPress users do to keep their sites secure and safe?

My sites are hosted on Dreamhost and I can't help but wonder if there's something about their one-click install that leaves WordPress on their server open to attacks. It's hard keeping up with all the updates that are constantly being issued for WordPress and the plugins and the themes, but I do my best.

I seem to be doing everything right and yet my sites have gotten hacked. Any suggestions? Ideas? What are other people doing?
posted by hellodonna to Technology (14 answers total) 15 users marked this as a favorite
Any shared hosting is really bad for security. If you can upgrade to a VPS (Dreamhost has an option, but most lower-end hosts offer this now) it's not dramatically more expensive and will be much better for security.

Otherwise, don't use a ton of plugins, and delete any themes/plugins you aren't using.
posted by shownomercy at 8:27 AM on March 2, 2012

Hrmm, I just make sure to keep everything (plugins/themes/core) updated, and haven't run into any issues (*knock on wood*). On Dreamhost as well, but I don't do the one-click install. A good backup strategy would be recommended as well, so you can restore to a previous install if need be.
posted by backwards guitar at 8:29 AM on March 2, 2012

I do professional WordPress consulting and have spent a lot of time building a managed WordPress hosting platform for my clients, and I still find that the best go-to guides are at WPSecure.net. They cover a lot of fixes for WordPress, but also a lot of fixes for your server's software (Apache, PHP, MySQL) that will help lock things down tight.

The site also keeps a record of released plugin vulnerabilities, so you can keep track of what plugins you may want to avoid because of past security holes.
posted by cvp at 8:30 AM on March 2, 2012 [6 favorites]

Also it's been a while since I've used Dreamhost's one click installer but I do remember them installing a hundred or so themes with WordPress core. This is convenient and all, but once you pick the theme you want, make sure to delete the rest. Chances are there are some in there that aren't being maintained, so there are likely to be some security vulnerabilities poking around. (In fact, why not delete them all and start from scratch? Can't hurt anything)
posted by cvp at 8:33 AM on March 2, 2012

Rename the admin account! For serious.
posted by jsturgill at 8:36 AM on March 2, 2012

Rename the admin account!

This gets mentioned a lot, but it says "Usernames cannot be changed." Would someone kindly clarify? Thank you!
posted by Glinn at 9:29 AM on March 2, 2012

If it won't let you rename the admin account directly, you can just create a new admin account called something else, and then delete the one called 'admin.'

As for general security procedures, WP isn't really any different than any other CMS; it's just very popular, and insecure installations are common and make good targets. But good habits go a long way towards keeping your site secure. If you just do your simple due diligence -- keep WP updated, keep your plug-ins updated, keep your usernames and passwords highly secure and difficult to guess -- you will be far ahead of most folks, and your site will most likely be OK.

But if you want to ratchet up your defenses even more, Google the phrase "hardening Wordpress" and you will get lots of good tips.
posted by spilon at 9:52 AM on March 2, 2012

The new(ish) WordPress install asks you for your username when you're setting things up - but it could be that the auto-install blocks this. That said, spilon's advice is correct - just create a new administrator account, log in as that account and remove the original admin user.
posted by backwards guitar at 9:57 AM on March 2, 2012

I host maybe 200 WP sites and I think I've only seen one 0-day vulnerability. I've seen a bunch of sites get injected because they weren't updated though. Keep everything updated all the time and you'll probably be fine.
posted by Blake at 10:03 AM on March 2, 2012 [1 favorite]

WordPress is very secure, I'm not sure why you suspect it isn't. WP is just as secure as any open or commercial CMS, probably more so because it's relatively simple software and open source.

I also fail to see how 'one click' makes things worse. Would you rather compile everything from scratch?

From the exploits I've seen, renaming admin wouldn't have made a difference. YMMV, but if you're technical you should be able to follow all sorts of hardening advice, a lot of which looks of questionable utility, like hiding version numbers. These are advanced topics that most end users who use dumbed-down panels couldn't implement anyway.

I suspect a lot of this is feel-good snake oil. Reminds me of old men telling me that I need to run two anti-viruses at the same time and I need to clean my reg daily because of 'teh hackerz!!' If there's a SQL injection hack then all the renaming and version hiding in the world is not going to help you. Most exploits completely side-step the user authentication components and directly attack the db with the stored db credentials.

Do updates, stop worrying. It's supported software that millions run, supported by a very large community of talented developers. All you need to do is the updates and do backups.
posted by damn dirty ape at 10:08 AM on March 2, 2012

I use this extension that automates all the commonly suggested changes to harden your installation. I've had a Wordpress site up since 2001, and it's been hacked twice - and both of those instances were quite a while ago.
posted by COD at 10:18 AM on March 2, 2012

Renaming the admin account doesn't stop the exploitation of a bug in the code, it stops automated brute force password attacks of perfectly good code, which are pretty darn common (and it is more effective in stopping these than advising people to use strong, long, random passwords).
posted by jsturgill at 12:40 PM on March 2, 2012
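The automated password guessing jsturgill describes leaves a clear trail in the web server's access log, and the defender's side of it is easy to script. The following is an added example written for this thread (it is not code from any commenter or from WordPress). It assumes Apache's combined log format, that a failed WordPress login re-renders the form with HTTP 200 while a successful one answers 302, and it uses constructed sample lines with RFC 5737 documentation addresses; the threshold of 10 failures in 60 seconds is an arbitrary starting point, not a WordPress setting.

```python
# Added example (not from the thread): spot automated password guessing against
# wp-login.php in Apache combined access logs. A failed WordPress login re-renders
# the form with HTTP 200; a successful one answers 302 to wp-admin, so a burst of
# 200s on POST /wp-login.php from one address is the signature of a brute-force run.
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def login_posts(lines):
    """Yield (ip, timestamp, status) for every POST to wp-login.php."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.endswith("/wp-login.php"):
            yield ip, ts, status

def failed_logins(lines):
    """[(ip, timestamp)] for each login attempt that was answered with 200 (failed)."""
    return [(ip, ts) for ip, ts, status in login_posts(lines) if status == 200]

def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Map ip -> time of the failure that crossed `threshold` within `window_seconds`.
    Lines are assumed to be in time order, as they are in a live access log."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(lines):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def suspicious_successes(lines, flagged):
    """[(ip, timestamp)] of 302 logins from a flagged address after it was flagged:
    the guessing most likely succeeded, so that account's password needs resetting."""
    return [(ip, ts) for ip, ts, status in login_posts(lines)
            if status == 302 and ip in flagged and ts > flagged[ip]]

def _line(ip, second, method, path, status):
    # Constructed combined-log line (documentation addresses, not real traffic)
    return (f'{ip} - - [02/Mar/2012:08:17:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 2845 "-" "Mozilla/5.0"')

SAMPLE_LOG = [
    _line("198.51.100.5", 0, "GET", "/wp-login.php", 200),
    _line("198.51.100.5", 4, "POST", "/wp-login.php", 302),   # legitimate login
    _line("203.0.113.7", 5, "GET", "/", 200),
] + [
    _line("203.0.113.7", 10 + i, "POST", "/wp-login.php", 200)  # 12 failures in 12 s
    for i in range(12)
] + [
    _line("203.0.113.7", 30, "POST", "/wp-login.php", 302),   # then a 302: reset it
]

if __name__ == "__main__":
    hits = find_bruteforce(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip}: crossed threshold at {when:%H:%M:%S}")
    for ip, when in suspicious_successes(SAMPLE_LOG, hits):
        print(f"{ip}: successful login after being flagged at {when:%H:%M:%S}")
```

Feeding a real log in is a matter of replacing `SAMPLE_LOG` with the file's lines; the 302-after-flag check is the part worth keeping, since it turns "someone is guessing" into "someone got in, change that password now".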

Wordpress is not really insecure, but there are plenty of things you can do to make it harder, security-wise.

Have a look at this recent AskMe for some steps: http://ask.metafilter.com/209490/Wordpress-admin-interface-lost-its-style

I list steps in two blog posts (which tend toward the geeky side):
- http://www.malcolmgin.com/blog/2011/07/02/rebuilding/
- http://www.malcolmgin.com/blog/2011/06/30/details-of-hack/

The general tips are to obfuscate and maintain the installation as much as possible:
- Keep WordPress and your plugins up to date
- Change the name of or delete the admin account (takes a MySQL operation to change the name)
- Change the table name prefix your WordPress install uses
- Hide the Wordpress version number (it is a very light thing you can do but every bit counts) - there's at least one WordPress plugin that does this
- If you get hacked and recover, use a separate, not easy to guess admin account name for admin stuff (installing and updating plugins, updating WordPress) and a different more public account for posting
- If you get hacked and recover, change ALL your passwords, especially if you tend to share passwords between sites
- Shared hosting is fine as long as it's well run and you understand OS-level security (I use Dreamhost shared servers since December 2007 and have been hacked once, through my own stupidity)
- Install an anti-exploit plug-in that's vouched for if you like (beware that if you're not careful these are high risk and could introduce flaws instead of fix them)
- Only install plugins from developers that you trust and install from sources you trust (i.e. the WordPress Codex is better than a haxxoring site)
- Delete plugins you aren't using
- Delete themes you aren't using
- Install and register Jetpack so you can see unusual spikes in traffic
- Consider signing up for Google Website Administrator tools or Google Analytics for the same purpose

Read up on securing WordPress. There are other things you can do to help too.

If you are a person who shares passwords between sites, consider strongly not doing so. A password wallet service like LastPass or 1Password can help you do that at little cost of hassle to yourself. And LastPass, even if you use the mobile apps, is only $12/year - and otherwise free. (And a good service besides - I'm a customer of theirs and have no other financial relationship with them.)
posted by kalessin at 1:21 PM on March 2, 2012 [10 favorites]
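Two of the steps in kalessin's list, renaming the admin account (the "MySQL operation") and changing the table prefix, are the ones people most often get half right, so here they are as an added worked example. This is not code from the thread or from WordPress: it assumes a single-site WordPress 3.x database whose table list was taken from SHOW TABLES, the constructed wp-config.php excerpt and table names shown in the code, and the hypothetical new values k7x_, siteowner and editor. It only prints the statements so they can be reviewed and tried against a backup before touching the live database.

```python
# Added example (not from the thread or from WordPress): generate the MySQL
# statements for renaming the admin account and changing the table prefix,
# reading the current prefix from wp-config.php.
import re

# Constructed wp-config.php excerpt (hypothetical values, not a real site)
SAMPLE_CONFIG = """\
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
$table_prefix  = 'wp_';
"""

# Constructed SHOW TABLES output for a single-site WordPress 3.x database
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_terms",
    "wp_usermeta", "wp_users", "unrelated_table",
]

IDENT = re.compile(r"^[A-Za-z0-9_]+$")

def parse_table_prefix(config_text):
    """Return the $table_prefix value from wp-config.php source."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([A-Za-z0-9_]+)['\"]\s*;", config_text)
    if not m:
        raise ValueError("no $table_prefix assignment found")
    return m.group(1)

def ident(name):
    """Backtick-quote an identifier; refuse anything outside [A-Za-z0-9_]."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f"`{name}`"

def literal(value):
    """Single-quoted MySQL string literal with quotes and backslashes escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def rename_admin_sql(prefix, new_login, new_nicename, old_login="admin"):
    """user_login is what you type at wp-login.php; user_nicename is the slug in
    /author/<nicename>/ URLs, so give it a different public value or the new
    login leaks through author archives. display_name is left as it is."""
    users = ident(prefix + "users")
    return [
        f"UPDATE {users} SET user_login = {literal(new_login)}, "
        f"user_nicename = {literal(new_nicename)} "
        f"WHERE user_login = {literal(old_login)};"
    ]

def change_prefix_sql(tables, old, new):
    """RENAME every table carrying the old prefix, then fix the rows whose keys
    embed the prefix: <prefix>user_roles in options and <prefix>capabilities /
    <prefix>user_level in usermeta. Skipping that second step is the classic
    mistake: the site loads, but every user has lost their role and is locked
    out of wp-admin."""
    ident(old), ident(new)  # validate both prefixes before building anything
    stmts = [f"RENAME TABLE {ident(t)} TO {ident(new + t[len(old):])};"
             for t in tables if t.startswith(old)]
    # LIKE treats '_' as a wildcard, so escape it with an explicit ESCAPE character.
    pattern = literal(old.replace("_", "|_") + "%")
    for table, column in ((new + "options", "option_name"), (new + "usermeta", "meta_key")):
        stmts.append(
            f"UPDATE {ident(table)} SET {column} = CONCAT({literal(new)}, "
            f"SUBSTRING({column}, {len(old) + 1})) "
            f"WHERE {column} LIKE {pattern} ESCAPE '|';"
        )
    return stmts

def migration(config_text, tables, new_prefix, new_login, new_nicename):
    """Full statement list: rename admin first (tables still have the old
    prefix), then move the tables, then remind about wp-config.php."""
    old_prefix = parse_table_prefix(config_text)
    stmts = rename_admin_sql(old_prefix, new_login, new_nicename)
    stmts += change_prefix_sql(tables, old_prefix, new_prefix)
    stmts.append(f"-- then edit wp-config.php: $table_prefix = '{new_prefix}';")
    return stmts

if __name__ == "__main__":
    for line in migration(SAMPLE_CONFIG, SAMPLE_TABLES, "k7x_", "siteowner", "editor"):
        print(line)
```

The usermeta and options updates match keys by prefix, which is how WordPress names them, but a plugin could in principle store its own keys starting with the same letters; read the generated statements against a backup and check that a login still lands in wp-admin with the right role before calling the change done.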

Any shared hosting is really bad for security. If you can upgrade to a VPS (Dreamhost has an option, but most lower-end hosts offer this now) it's not dramatically more expensive and will be much better for security.

I'm on a Dreamhost VPS, and am security-aware. I've had drive-by automated hacking episodes half a dozen times in the last year, after years of no trouble.

Do updates, stop worrying. It's supported software that millions run, supported by a very large community of talented developers. All you need to do is the updates and do backups.

I update nearly immediately, every time. I love WP, but I am less sanguine about its security than I once was.
posted by stavrosthewonderchicken at 12:19 AM on March 5, 2012
