Since my early days, I’ve always been the one to second-guess what the majority of people think. I’ve always been the “pain”, you know where. When I hear most people saying “this is bad” or “this is not right”, a feeling of denial always jumps out. Over the past few days I’ve stumbled across many articles about how WordPress is not that secure, and many have suggested that it’s even easy to hack a WordPress site. I have had some serious thoughts about this and today, through a blog post from Sire, I stumbled across an article titled “How to Stop Your WordPress Blog Getting Hacked”. It lays out the subject very seriously, but as always, I have serious objections. I will take the points one by one.
The first point he makes is “Removing Footprints – Stop Hackers Finding You”. Here is my first serious objection. I’ll use the very basic principle of cryptography which states “don’t rely on hiding the algorithm, rely on the randomness of the internal state”. To be exact, most cryptographic algorithms are published and freely available. My point is, don’t hide the fact that you are using WordPress; make sure it’s secure. By removing all the references to WordPress from your blog, the only thing you are doing is removing attribution to some people who strive to provide you with top-notch website software and support.
The next point is one that I agree with, “Disabling Indexes”. As the author states:
Disabling indexes means that when someone navigates to a directory on your server, it will not give them an output of the folders and files in that directory.
If I might add, you can “disable” that another way, by adding an empty “index.html” file in each folder. But there is a possibility that you forget to do so when you add a new folder, or that you download a plugin that doesn’t include one. So, the author’s suggestion is more than fine with me.
Next on the list, “Blocking Server-side Directories”. I find this a bit unnecessary. The author’s concerns are valid but highly unlikely to materialize. And if they do, I would say that being concerned about your top-level security, that is your WordPress installation, will not be a priority.
Another point he makes is “Hiding the Admin”. As mentioned, you don’t want to hide the platform but make sure it’s secure. Since you will be proud to tell the world you are powered by WordPress, you might as well keep the default admin directory. One more problem would be future updates of WordPress, which will be a pain to do (especially now that they are automatic).
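The “empty index.html in every folder” fallback described above, as an added example that is not code from the post: it walks a WordPress tree (the root path is an assumption), drops an empty index.html into any directory that has neither index.php nor index.html, and offers a check you can run after adding a plugin to catch the forgotten-folder case. Where you control the web server, `Options -Indexes` remains the primary fix; this covers hosts where you cannot set it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a WordPress tree rooted
# at the path passed as $1 (for instance /var/www/html).

# Print every directory under $1 that has neither index.php nor index.html,
# i.e. every directory a web server with indexes enabled would list.
list_unprotected_dirs() {
    find "$1" -type d \
        ! -exec sh -c 'test -e "$1/index.php" || test -e "$1/index.html"' _ {} \; \
        -print
}

# Return 0 (true) only if no directory under $1 is missing an index file.
check_index_files() {
    [ -z "$(list_unprotected_dirs "$1")" ]
}

# Create an empty index.html in each unprotected directory. Directories that
# already ship index.php (wp-content, wp-includes, most plugins) are left alone.
add_index_files() {
    list_unprotected_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.html"   # empty file; served instead of a listing
    done
}

# usage: add_index_files /var/www/html && check_index_files /var/www/html
```

Re-run `check_index_files` after every plugin or theme install; a non-zero exit means a new listable directory appeared.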
The next one on the list is “Move the Config Data”. The purpose is to make sure that your database username and password are not exposed in case something goes wrong and someone gets to read the file. But here is my objection. Even if I get to know the database credentials, they will be completely useless to me! Here is why. All serious hosts, when creating a username that can access your database, define a constraint on the location from which a connection to the database can be made. To be exact, if the database is on the same machine that the scripts are running on, then the username that you use to connect to the database is only allowed to connect from the local machine. That means that if I use your username and password and try to connect to your database from my computer, or any computer for that matter, access will be denied since I am not connecting from the local machine! On clustered hosts, where databases are on different machines, the username is granted access to connect only from the IP that the scripts are running on, in other words the machine that hosts your website. So, still, the credentials are useless. One would say “what if the attacker finds a way into my machine and can execute scripts?”. Well, that situation can be called “FUBAR”, and believe me, whatever you do is worthless.
For the next one, “Database Encoding”, I had to do a little research. As it turns out, WordPress is vulnerable to SQL injection when the database encoding is not set to UTF-8. I had no idea about it and this alone is a serious problem. So, make sure it’s UTF-8.
Next on the list is a precautionary measure, “File Permissions”. Well, this is something I would suggest doing even when you are not hosting a WordPress installation. This way you make a more secure directory environment for your installation. No guarantees, but it’s a “better safe than sorry” tactic.
Finally, I couldn’t agree more with the last one, “Themes and Plugins”. I’ve said before that you must take care what plugins and themes you are installing. You never know which one is malicious and, even worse, which one is vulnerable.
At this point, I would like to thank David for giving me food for thought. Also I would like to tell him not to take me the wrong way here; I am like this with anything, especially with things that are worth mentioning and debating. For all of you out there, all I have to say is take care but don’t be paranoid. Check out both our arguments (and any more you might find) and decide which steps are better for your security.
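The “File Permissions” measure in concrete form, as an added example that is not code from the post: it applies the commonly recommended 755 for directories and 644 for files, tightens wp-config.php to 600 so other accounts on a shared host cannot read the database credentials, and lists anything still world-writable. The root path and the three mode values are assumptions; on a host where PHP runs as a different user than the file owner, wp-config.php needs 640 with a shared group instead of 600.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a WordPress tree rooted
# at the path passed as $1 and that the script runs as the files' owner.

# Print every regular file or directory under $1 that is writable by "other".
# Symlinks are skipped because their mode bits are meaningless.
list_world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Apply the baseline: directories 755, files 644, wp-config.php 600.
harden_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        # Credentials file: owner read/write only (use 640 + group if PHP
        # runs as a different user than the owner).
        chmod 600 "$root/wp-config.php"
    fi
}

# usage: harden_wp_permissions /var/www/html; list_world_writable /var/www/html
```

An empty `list_world_writable` result after hardening is the check to keep in a cron job; uploads directories are the usual place a plugin later loosens things again.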
Hi, No qualms with your input on this. Input is what makes things better, so long as it’s done in a constructive way.
I def. agree with you that security would be preferential over hiding things. Problem is a lot of people don’t know how to do the more technical points on my list, but they have found it easy to get rid of the footprint. I know people who are black hat SEO spammers and I’ve also had a foray into the hacking/internet security forum. From my experience in these areas, I’d argue that it’s vital to get rid of your footprints because without them hackers and also spammers won’t find you. For example, there are freely available WP spam apps on the net. These rely on WP footprints and can spam out 100-1000s of comments a minute. Likewise, hackers use the same footprints to get a list of susceptible sites and then just push them all through a sausage machine. The really bad thing about WP is it also gives out the WP version, which is really useful if you want to find a hack for a certain blog.
On the blocking the server-side directories. I can understand your stance on this. I am a bit of a particular creature and like to do things in certain ways. One of those ways is I think that all server-side directories should be blocked from HTTP access. I just think it’s another way in which people can get info on your site. Plus I don’t want Google indexing my files.
I saw a funny one once, in which someone had spammed loads of links into a non-existent page to get it indexed: domain.ext/XSI.html
Because of sloppy coding, you could load whatever page you wanted.
I saw another in which any non-existent URLs would output. So you could do:
domain.ext/You’ve been hacked!All your files are belong to us
@David: In order to keep things secure when using WordPress, in my opinion, you don’t need to be techy, you need to be careful. That’s why I agreed on the themes/plugins point. On the spamming techniques, I know spammers hit blogs hard but, if you have a pretty simple spam protection (like a captcha, or the math one I use) you get rid of most of the spam comments. To prove my point, my site is not that popular but it’s indexed enough and I get a lot of spam bot visits but no spam comments, and I don’t use AKISMET (which I think sucks).
As for blocking the directories, I will insist on this. If you write secure code, or you are confident the platform you use is pretty secure, then you don’t need to go that extra mile.
I am surprised these maths things work on WP. I’d imagine the one you are using is a plugin? Quite simple to check for in a spam app.
How about your templates directory? I use XSL templates and I don’t really want people snooping through them. That seems like the sign of a bad app to me.
Although, I guess you are safe enough by blocking all the indexes, unless someone knows what they are looking for.
@David: Well, the template I use is a standard one from “Elegant Themes”. But let me tell you, even if they know what they are looking for, how can they exploit something if it is not there? What I mean is, and I insist on that, if you write secure code you won’t be vulnerable. Let me quote Mr. Miyagi: “Best way to avoid punch, not be there!”. If there is no security hole, how can one exploit it?
As for the math thing, it is a plugin and let me assure you, since I installed it, no spam comment comes through (when I had about 10-15 a day without it).
The WP spammers are not as advanced as I previously thought. I guess it’s ignored by most as there aren’t many dofollow WP blogs – about 4-5%.
It would be best if there were no security holes, but there probably aren’t many web apps that are 100% secure. That is one of the criticisms and pros of open source – if there is an issue it’s going to get found, abused, then fixed. I am pretty sure there would be security issues in my coding even though I am familiar with common exploits.
@David: It’s actually impossible to code bug/exploit/vulnerability free. You are just human after all. The key, and I agree with you, is open source and collaboration. As for the spammers, my opinion is that they are many but the community has managed to develop tools to make things as spam free as possible (see Akismet, CAPTCHA, math problems and many others).
Yeah, I am seeing the benefits of open source at the moment. I have a few PHP classes on my site – have had three bugs (non-security related) on one of them. May not have found them otherwise. Makes you think how problematic some closed source apps might be.
A nice discussion fellas, and in David’s defense he did say that people could leave a link to wordpress on their about page or something.
Me, now that I know there is a possibility I am quite happy not to have any footprints.
Thanks for the detailed post. I have read many posts about how to secure your site. I guess spammers will do their best to manipulate your site.
I read today about how someone can see your contents in your plugins/themes/uploads folder. I created a blank file with a message for those kind of people.
With captchas, filters, etc. won’t this just encourage advanced and smarter tools to be created for the spammers? I’m not saying we shouldn’t use them but it seems like an unending battle.
Why don’t you like Akismet, Stratos? No spam comments get through on my site.
@Kim: Well, it is a never ending battle unfortunately. Many people make money like this so they will try to break any filter you make. Most of the time, it’s just a matter of time.
As for Akismet, a great majority of spam messages is caught, true, BUT there are valid comments caught as well. And from my point of view, I prefer having to reject a few spam comments every now and then rather than losing real comments and maybe new readers… I had a whole article in mind with a lot of hatred for Akismet (after a comment of mine got caught again) but I held back on it…
I worry about Akismet catching valid comments too, as some people can leave multiple links in their comments that are valuable for the comment at hand, or they have bad English but are making a relative comment.
My site was hacked recently, and I just took care of it as fast as possible and shared the experience, in case others would find it helpful.
~ Kristi
I usually check on a daily basis and not much non-spam is caught, and when I find them I retrieve them. A small price to pay for Akismet.
Stratos, as far as memory consumption is concerned, would Akismet use more than a captcha? If so give me a link to your captcha plugin.
@Kikolani: I saw your post and it was a very nice one too. Thanks for visiting!
@Sire: The thing with falsely caught comments is that it might drive people away (and piss them off as it did me 🙂 ). As for the captcha, I use the “Math Comment Spam Protection” provided at http://sw-guide.de/wordpress/plugins/math-comment-spam-protection/
I don’t have real comments go into spam very often. There is one commenter that always does – someone must have marked that person as a spammer – it wasn’t me. I should contact her to let her know about the problem.
You didn’t answer my other question, Stratos, in regards to memory usage.
@Kim: That has happened to me, as a commenter, a few times and I can assure you there is nothing more annoying than this. In most of my comments I put some serious effort into composing them, and having them rejected (which means that even if I resubmit there is no use to it) is the most annoying thing. That’s the main reason I hate Akismet.
@Sire: Memory usage is minimal since no query is done. To install it you need to tweak your comment.php file and then a hook is there on the comment submit to compare the values. Minimal resource usage.
@Sire – If you are using a server-side captcha (one that is generated on your server) it can use quite a bit of system resources because the image libraries require them to generate images all the time. If you have a high traffic site, it’s really going to mount up. You can use something like reCAPTCHA though, which uses external servers to generate the images.
I think Stratos has the best spam solution by using this math problem. Another good one to use is to use JavaScript to add the action attribute to a form or make the form AJAX. This is what I have done and I’ve never had any spam.
David, I don’t actually have a captcha at all. I was thinking of deactivating Akismet and using the math problem instead.
Even I read David’s post and Sire’s post.
Security is of utmost importance to protect our blogs from bad guys..
A small but good security measure is to make your log-in something other than the default ‘admin’. Make it something unique and hard to guess, and it’s almost as good as having two passwords.
Great article!
Sherry
@Sherry: I have discussed this before and my opinion is that if you have a good password you can keep any username. But if you feel safer this way then go ahead 😉