WordPress developers: come one, come all! I’ve got something special for you.
Over the course of the next few weeks, we’ll be running a series all about WordPress security as it pertains to developers. Seriously, everything you ever wanted to know – or didn’t even know you wanted to know – will be covered here, in detail. And there’ll be plenty of insights from bona fide security experts to keep this whole thing legit.
The first part in this five-part series will cover your first step in securing WordPress: Installation. As more posts in the series are published, I’ll update this post with the appropriate links below.
- Part 1: Installation (this post)
- Part 2: Updates
- Part 3: Management & Logins
- Part 4: Security & Backup Plugins
- Part 5: Roundup
Now, grab a pen and paper and get ready to take some notes. It’s time to go to school on WordPress security. And everything related to installation will be my focus today.
Selecting the Right Host
A secure WordPress installation starts with selecting the right host. Without a secure, reputable host on which to place your site, your security efforts can only go so far. Now technically, since WordPress uses PHP and MySQL, any host that offers a Linux environment would suffice, says Damon Burton, director of SEO National. However, he does suggest avoiding GoDaddy and Yahoo! as hosts. “Their hosting environments are aimed at being simplistic in nature, so much so that it causes them to be restrictive,” he says. “This means that they are not user friendly for doing anything beyond WordPress basics.”
So if you ever need to change server settings by hand to tighten things up, a restrictive host like that will get in your way.
“The primary thing to be concerned about with shared hosting,” says Marcus Hildum, lead security engineer for DreamHost, “is ensuring your provider has correct Unix permissions set.” Basically, you don’t want to have access to other people’s files, or they to yours. “After that,” says Hildum, there are several things that make a WordPress installation more secure, like “web application firewalls, easy SSL support and regular site scans.”
Most security professionals recommend a VPS over shared hosting. In fact, that’s precisely what Tony Perez, co-founder and CEO of Sucuri, uses. He also puts a website firewall in front of it to “repel attacks before they ever get to my server,” he says, adding that “this helps address a number of things, specifically software vulnerabilities[…]and it also helps me save server resources.” These measures all fall under Perez’s “protection” category of WordPress security. Unfortunately, this is where a lot of people stop, and that’s just not good enough.
He elaborates by comparing it to physical security: “…they have cameras, security guards, metal detectors, yet theft still happens.” To ramp up security further, Perez uses monitoring tools that keep tabs on the state of his site’s security: who’s logging in, who’s changing posts, and so on, along with WHOIS and DNS changes and malware activity. “Each one of these things is designed to capture various aspects of the security spectrum, and things many don’t account for,” he says. He recommends Sucuri Scanner for site audits, but notes there are other plugins out there that do the job, too.
The Problem with One-Click Installs
Many hosting providers now offer “one-click” installation for WordPress, which is seriously convenient and lets a lot of people get access to WordPress faster than they would normally. Of course, the simplicity of the process can come at a price, says Mike Murphy, owner of Erion Media, a web design and development company.
“…they almost always create those installations with a default user ‘admin’,” says Murphy. That hands an attacker half of the login pair for free, so a brute force attack only has to guess the password. They also tend to leave “wp_” as the database table prefix. Since that’s the default in all the documentation, attackers already know it. “An attacker can pretty much count on table names like wp_users,” Murphy says, which “eliminates any guesswork on the part of the attacker as to where a website’s data is stored.”
While you can easily change the user name and table prefix – which we’ll talk about in more detail later – the problem here is the assumption one-click installs create. Because your host offers it, many people assume it’s safe and secure. Unfortunately, this isn’t the case, which means a manual approach is likely to be a better idea.
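Changing the prefix on an install that already exists is where people get burned, because the prefix is not only in table names. The SQL below is an added example written for this post, not something from the original article or from WordPress itself. It assumes a stock single-site install created with $table_prefix = 'wp_' and picks “k7q3_” as the illustrative new prefix; the table list is the core set for recent WordPress versions (older versions have no wp_termmeta, and plugins add their own prefixed tables, which you must rename the same way).

```sql
-- Added example (not from the original post): moving an existing WordPress
-- database off the default "wp_" prefix. Assumes a stock single-site install;
-- "k7q3_" is a placeholder. Take a backup and put the site in maintenance
-- mode first, then set  $table_prefix = 'k7q3_';  in wp-config.php afterwards
-- (WordPress only accepts letters, numbers and underscores in the prefix).

-- 1. Rename the core tables. One RENAME TABLE statement moves them all as a
--    single operation, so you never end up with half a site renamed.
RENAME TABLE
  wp_commentmeta        TO k7q3_commentmeta,
  wp_comments           TO k7q3_comments,
  wp_links              TO k7q3_links,
  wp_options            TO k7q3_options,
  wp_postmeta           TO k7q3_postmeta,
  wp_posts              TO k7q3_posts,
  wp_term_relationships TO k7q3_term_relationships,
  wp_term_taxonomy      TO k7q3_term_taxonomy,
  wp_termmeta           TO k7q3_termmeta,
  wp_terms              TO k7q3_terms,
  wp_usermeta           TO k7q3_usermeta,
  wp_users              TO k7q3_users;

-- 2. Two tables carry the prefix inside row keys as well. Skip this step and
--    every account, including yours, lands on "you do not have sufficient
--    permissions": the role map lives in the option "<prefix>user_roles" and
--    each user's role and level live in usermeta keys "<prefix>capabilities"
--    and "<prefix>user_level".
UPDATE k7q3_options
   SET option_name = 'k7q3_user_roles'
 WHERE option_name = 'wp_user_roles';

UPDATE k7q3_usermeta
   SET meta_key = CONCAT('k7q3_', SUBSTRING(meta_key, 4))   -- drop the 3-char "wp_"
 WHERE meta_key LIKE 'wp\_%';                                -- \_ = literal underscore

-- 3. Checks. The first two should be empty; the third lists any remaining
--    option names that begin with "wp_" so you can decide case by case
--    (plugins sometimes store prefixed option names of their own).
SHOW TABLES LIKE 'wp\_%';
SELECT meta_key    FROM k7q3_usermeta WHERE meta_key    LIKE 'wp\_%';
SELECT option_name FROM k7q3_options  WHERE option_name LIKE 'wp\_%';
```

Keep expectations modest about what this buys you: it frustrates scripts and injection payloads that hard-code wp_ table names, but code already running inside WordPress, a vulnerable plugin included, reads the live prefix from $wpdb->prefix and never has to guess.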
How to Install WordPress
If you’re not using a one-click installation process, getting WordPress installed on your host should take about 10 minutes, says Burton. You’ll need a basic understanding of FTP and databases. There are several tutorials out there for going through this process, from selecting an FTP program and uploading files to setting up a database. Since the focus here is on security, I won’t bog this article down with those details.
Once all of your files are uploaded and the database has been created, you’ll be prompted to set up a username and password. The default username used to be “admin,” but thankfully more recent versions of WordPress don’t fill it in for you any more. Still, pick a username that isn’t easy to guess. That means: not your name, not the site’s name, not anything equally obvious. Bear in mind, though, that WordPress exposes usernames in a few places (author archive URLs, for one), so an unusual name is a hurdle for attackers, not a secret; the password is what actually has to hold.
Same goes for your password. For the love of all things holy, make it complicated! I know that’s inconvenient, but it’s a must. Hackers run brute force attacks to crack passwords, which means they run scripts that guess your password over and over again until they break through and gain access to your site. The more complicated the password, the longer it takes them to guess it. And usually, they’ll give up on a site with a really strong password, because there are just so many others out there with a password of “password” that they can prey upon.
Changing Your “Admin” Username
I’ve already talked about the importance of avoiding “admin” as a username and why you need a complicated password. But let’s say you got started with WordPress a while ago and the default username given to you was “admin.” As I said before, you can always create a new administrator account, log in as it and delete “admin”; WordPress will ask whether to attribute the deleted user’s posts and pages to another account, so pick the new one and nothing is lost. If you’d rather keep the existing account, with its user ID and everything attached to it, you can rename it directly in phpMyAdmin instead.
To do this, log into your cPanel (assuming you have one) and open phpMyAdmin. Select your WordPress database, open the wp_users table, find the row whose user_login is “admin” and click Edit. Enter the new username in the user_login field. Your posts and pages stay attached to the account, because WordPress links them by user ID rather than by name, so there’s nothing to delete or reassign. Two things the one-field edit doesn’t cover: display_name, not user_login, is what readers see as the author (if it still says “admin,” so will every byline), and user_nicename forms the author archive URL (/author/admin/), which gives the old name away to anyone enumerating users. Change those two in the same row and you’ve actually removed “admin” from view. And it takes like, what? Two minutes, at most.
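Here is the same rename written out as the SQL phpMyAdmin runs for you, with the companion columns included and a couple of checks around it. This is an added example for this post, not code from the original article or from WordPress; it assumes the default “wp_” table prefix, and the new login “g8editor2c” and the byline “Editorial Team” are placeholders.

```sql
-- Added example (not from the original post): renaming the "admin" account in
-- place. Assumes the default "wp_" prefix; the new login and display name
-- are placeholders.
START TRANSACTION;

-- Before: confirm exactly one account is called "admin" and note its ID.
SELECT ID, user_login, user_nicename, display_name
  FROM wp_users
 WHERE user_login = 'admin';

UPDATE wp_users
   SET user_login    = 'g8editor2c',      -- the name typed at wp-login.php
       user_nicename = 'g8editor2c',      -- slug used in /author/<nicename>/ URLs
       display_name  = 'Editorial Team'   -- byline readers see on posts
 WHERE user_login = 'admin';

-- The profile "nickname" lives in usermeta and still reads "admin" otherwise.
UPDATE wp_usermeta
   SET meta_value = 'Editorial Team'
 WHERE meta_key = 'nickname'
   AND user_id IN (SELECT ID FROM wp_users WHERE user_login = 'g8editor2c');

-- Posts and pages are linked by wp_posts.post_author = wp_users.ID, not by
-- username, so they stay attached without any reassignment. This shows the
-- byline every account now displays and how many items each one owns.
SELECT u.ID, u.user_login, u.display_name, COUNT(p.ID) AS items
  FROM wp_users u
  LEFT JOIN wp_posts p
         ON p.post_author = u.ID
        AND p.post_type IN ('post', 'page')
 GROUP BY u.ID, u.user_login, u.display_name;

-- Nothing should still answer to the old name in any of the three columns.
SELECT COUNT(*) AS still_admin
  FROM wp_users
 WHERE 'admin' IN (user_login, user_nicename, display_name);

COMMIT;
```

Expect to be logged out afterwards: the WordPress login cookie carries the username, so it stops validating the moment user_login changes, and you sign back in with the new name. For a quick outside-in check, request /?author=1 on the site; with pretty permalinks on it redirects to the author archive, and the slug in that URL is what the world sees, so it should no longer say “admin.”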
Much of the time, people seem to think that WordPress security is something that’s tacked on after the fact through a plugin. And while that’s certainly an important part of the puzzle, you still need to do some things during installation to make sure everything’s secure from the get-go.
Be sure to check back soon for the next installment in this series. I’ll talk all about WordPress security as it relates to managing logins and your site in general. But in the meantime, did I miss anything? Have any hot tips I should know about that pertain to WordPress installation and security? Feel free to share in the comments below!
Image source: David Goehring