Securing WordPress



  • Does anyone have any ideas on securing WordPress?

    WP seems to be a perennial security problem. I run on CentOS and never have platform issues. But WP itself seems to get hit with vulnerabilities regularly. So the attack vector appears to be the app which is very hard to harden.

    We are considering things like tripwire and read-only files systems. Any ideas?



  • There is this: http://codex.wordpress.org/Hardening_WordPress

    Not sure that is much help tho...



  • Yup. Securing WordPress simply means walking away from it until it's been secured and then entertaining the thought of returning. 😉



  • Apparently I need to develop a security process around this.



  • The link above is a great place to start with securing it.

    We use http://www.wordfence.com on all our (the company I work for's) sites; it goes a long way in securing them and alerting you to issues quickly.

    IMO it's worth putting on the premium version. unofficialspiceworks.com runs the free version, which does the job; the paid-for one gives better scheduled scans and external checks.



  • @akp982 said:

    The link above is a great place to start with securing it.

    We use http://www.wordfence.com on all our (the company I work for's) sites; it goes a long way in securing them and alerting you to issues quickly.

    IMO it's worth putting on the premium version. unofficialspiceworks.com runs the free version, which does the job; the paid-for one gives better scheduled scans and external checks.

    Awesome, thanks. Totally checking that out.



  • One of the main things to check, either with Wordfence or a grep, is the version of timthumb used in plugins. WordPress now has a new engine for thumbnails, but old plugins and themes use old versions of timthumb, which are EXTREMELY easy to use to upload malicious content to your server.

    That's caught us out twice now, so much so that we have a plugin approval process which includes a manual check for timthumb.

    If you find an out-of-date version, it's really easy to update: just download the latest from the link in the header comments.
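    As an added example (not from this thread or from the TimThumb project), here is a small Python scanner that does the grep described above: it walks a WordPress tree, picks out PHP files whose header names TimThumb, pulls the declared version out of the `define ('VERSION', ...)` line, and flags copies below a threshold or with no parseable version for manual review. The header and define patterns are assumptions about how the file is laid out, and `MIN_TIMTHUMB_VERSION` is a placeholder threshold, not a claim about which release is safe.

```python
"""Find bundled TimThumb copies under a WordPress tree and flag old versions."""
import re
import tempfile
from pathlib import Path

# Placeholder threshold (an assumption for this example, not a statement of
# which TimThumb release is safe): anything older, or unparseable, is flagged.
MIN_TIMTHUMB_VERSION = "2.8.14"

# Assumed file layout: the script names itself in its header comment and
# declares its version with a PHP define, e.g. define ('VERSION', '2.8.14');
HEADER_RE = re.compile(r"timthumb", re.IGNORECASE)
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")

def parse_version(text):
    """Return the declared version, 'unknown' if TimThumb-like but undeclared, None otherwise."""
    if not HEADER_RE.search(text[:4096]):
        return None
    m = VERSION_RE.search(text)
    return m.group(1) if m else "unknown"

def version_tuple(v):
    """'2.8.14' -> (2, 8, 14) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def scan_tree(root, minimum=MIN_TIMTHUMB_VERSION):
    """Return (path, version, needs_review) for every PHP file that looks like TimThumb."""
    findings = []
    for path in Path(root).rglob("*.php"):
        version = parse_version(path.read_text(errors="ignore"))
        if version is None:
            continue
        old = version == "unknown" or version_tuple(version) < version_tuple(minimum)
        findings.append((str(path), version, old))
    return findings

def demo():
    """Scan a constructed sample tree: one stale copy, one current copy, one unrelated plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {  # constructed sample files, not real plugin code
            "wp-content/themes/oldtheme/timthumb.php": "<?php\n/* TimThumb */\ndefine ('VERSION', '1.32');\n",
            "wp-content/plugins/gallery/thumb.php": "<?php\n/* TimThumb */\ndefine ('VERSION', '2.8.14');\n",
            "wp-content/plugins/hello/hello.php": "<?php\n// unrelated plugin, no thumbnailer\n",
        }
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return sorted((Path(p).name, v, flag) for p, v, flag in scan_tree(tmp))
```

    Call `demo()` to see it run on the constructed tree, or `scan_tree("/path/to/wp-content")` against a real install; anything flagged `True` is a copy to update or remove.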



  • We use VERY few plugins and try to run nearly vanilla for most of the sites. But there is always something, of course.



  • WordFence is great, as mentioned earlier. I also like to use TAC (Theme Authenticity Checker) and Theme-Check. Simply put, TAC looks for code that doesn't belong and T-C looks to see if the theme is coded to the latest specs.

    I also like to check the site with http://securi.net

    The hardening info is good to follow. I don't have Administrator or admin as a user and all passwords are mixed upper & lower case, numbers and symbols.

    I can't stress the need to update WP, the themes and plugins. If the plugin hasn't been updated in over a year, it might be time to find something new or fork the plugin with your code.

    We use WordPress for all of our clients' websites. We figured if it is good enough for the NY Times and the Huffington Post, it's good enough for our clients!