One Dev’s Hard Won Lessons About WordPress Security
Today’s guest blog post was written by Isaac Castillo. Isaac is the founder of Echo Design Solutions, a San Antonio-based WordPress and WooCommerce development company. Isaac and his team recently completed a project where they helped a site owner recover from a WordPress security breach. There were many valuable lessons learned from the experience, and Isaac has agreed to share them with us. We hope you find these tips helpful.
Security is a crucial element of any WordPress site. The irony is that most WordPress site owners don’t really think about WordPress security until their site is compromised. Most go about their daily business unaware that there’s a problem until they notice that something doesn’t quite work right. Maybe they notice tons of comments backlinking to a network of natural home remedies sites (best case). Maybe they find that their email accounts have been blacklisted because their site has been sending out hundreds of spam emails per hour (worst case). Either way, the news isn’t good and most site owners find themselves scrambling to clean up the mess.
A good chunk of my consulting practice is dedicated to rescuing site owners from WordPress security compromises and making sure that it doesn’t happen again. As a matter of fact, not too long ago I started working with a client that got blacklisted just like in the example above. I learned a lot about the common types of security vulnerabilities and best remediation methods working with this client and others. So I thought I’d share my experiences with you to demonstrate how you can secure your WordPress site and avoid all this nastiness.
You can rest easy knowing that the security best practices described below have been battle tested and have worked well. For the record, this client hasn’t had a security issue since we started working with them.
Called to the Rescue
The first thing I did after my client called was to take a good look throughout the site to find where things had gone wrong. I found images of male-enhancement pharmaceuticals that someone had uploaded to the site. That was certainly bad news for my client, although not as bad as it could have been. It was hard to pinpoint exactly where the vulnerability was, so I started systematically locking down the site following best practices. One thing worth saying about uploads like these: whatever account or hole was used to put images on the server can usually put a PHP backdoor there too, so the uploads directory and the server's access logs around the upload dates are the first places to look for the entry point.
The next thing that I did was disable all the plugins on the site. I then asked the client which plugins they actually used and then upgraded and enabled only those. I deleted all the rest.
It always surprises me how often I work on sites that have many more plugins installed than necessary. Very often these orphaned plugins never get updated by the site owners either. Every one of them is code on your server that an attacker can target, and a deactivated plugin is not a safe plugin: its files are still on disk and reachable through the web server, so a flaw that can be triggered by requesting one of its files directly is still exploitable. If you have orphaned plugins installed, do yourself a favor and deactivate and delete them as soon as possible.
You also need to make sure that you are using trusted plugins. WordPress is great in that there is a wide range of plugins to choose from to add functionality to your site. With such a vast selection, it's also likely that you are going to come across a few that are not well written and have security holes. The WordPress plugin directory shows a user rating for each plugin, along with the number of active installs, when it was last updated and which WordPress version it was tested with. Prefer plugins that are rated highly by a large number of users and that are still being maintained; a high rating from years ago says nothing about whether anyone will fix the next security hole.
Finally, make sure that all your plugins are up to date. Make it a habit to log into your WordPress site at least once a week specifically to check for plugin updates and install any that are available. Plugin security releases often ship shortly after a vulnerability is disclosed, which is exactly when automated attacks start hunting for unpatched copies, so the gap between release and install is what matters. Getting into this one habit can make a huge difference to WordPress security.
Securing WordPress Core
Another thing to keep in mind is that WordPress core needs to be upgraded as well. This particular site was at version 3.5 when the current release was 4.3. Plenty of security and bug fixes happened between those two versions, and 3.5 predates 3.7, the release that introduced automatic background updates for minor security releases, so this site had never received one. So the next thing I did was upgrade the client's WordPress core to 4.3. On a site that has already been compromised, take a full backup first and reinstall core from a fresh download rather than patching files in place, so that any core file the attacker modified is replaced rather than left behind.
I can't stress enough how important it is to keep WordPress core up to date. The good news is that WordPress applies minor and security releases automatically by default, and many WordPress hosting providers like Pressable will apply major core updates for you as well. If your host doesn't offer this, you should consider moving to one that does.
Locking Down Access to Your Site
Now it was time to lock down the site's access points, starting with the WordPress admin account. You would be surprised how often I come across clients' sites where little thought was put into the admin username and password. This client was no exception. One tool I use to generate strong passwords is Norton's password generator; any reputable generator or password manager will do, as long as the result is long, random and not reused anywhere else. After a compromise, also review the full list of administrator accounts: attackers commonly add one of their own, and any account you don't recognize should be removed.
Another consideration at this stage was securing other access points. Here’s a short list of items you should add to your checklist:
- cPanel/host access
- FTP access
- Database access
For every one of these access points, create a unique username and a strong password. After a breach, assume all of them were captured: wp-config.php holds the database credentials in plain text, so anyone who could read it has them. Rotate every credential, the database password and the authentication salts in wp-config.php included, not just the WordPress login.
Alter WordPress’ Database Prefix
One thing I do on all my clients' sites is change the table prefix WordPress uses by default. It's the line that reads $table_prefix = 'wp_'; in wp-config.php, and I change it to an alphanumeric prefix unique to each client. Be clear about what this buys you: it defeats the crudest automated scripts, which hardcode wp_users and wp_options in their SQL injection payloads, and nothing more. An attacker who can run queries at all can read the real table names from information_schema, so treat the prefix as a speed bump rather than a defense. Also, on an existing site the change is not just one line: the tables must be renamed to match, and the role data that WordPress keys by prefix (the {prefix}user_roles option and the {prefix}capabilities and {prefix}user_level usermeta keys) must be renamed too, or every user, including you, loses their role.
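To show what a prefix change on a live site actually involves, here is an added example (not code from the original post) that generates the SQL for the rename. It assumes a single-site install, takes the table list from SHOW TABLES, and emits the RENAME TABLE statements followed by the two UPDATE statements that fix the prefixed keys in options and usermeta. The prefix k7q_ and the table names in the test are constructed values. Review the output and run it against a backup before touching production.

```python
"""Generate the SQL needed to move a single-site WordPress install from
one table prefix to another.  Added example, not the original post's code."""
import re

# WordPress only accepts letters, digits and underscores in $table_prefix.
_PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Rows whose *values* embed the prefix.  Renaming the tables alone leaves
# every user without a role, because capabilities live under
# "<prefix>capabilities" / "<prefix>user_level" in usermeta and the role
# definitions under "<prefix>user_roles" in options.
_KEYED_COLUMNS = (("options", "option_name"), ("usermeta", "meta_key"))


def _sql_str(s: str) -> str:
    """Quote a literal we control; not a general-purpose escaper."""
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def prefix_migration_sql(tables, old: str, new: str) -> list:
    """Return the statements, in order, that rename every table starting
    with `old` to start with `new` and rewrite the prefixed keys in the
    options and usermeta tables.  `tables` is the output of SHOW TABLES."""
    for p in (old, new):
        if not _PREFIX_RE.match(p):
            raise ValueError(f"invalid table prefix: {p!r}")
    if old == new:
        raise ValueError("old and new prefix are identical")

    renames = sorted(t for t in tables if t.startswith(old))
    missing = {old + "options", old + "usermeta"} - set(renames)
    if missing:
        raise ValueError(f"expected tables not found: {sorted(missing)}")

    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;" for t in renames]

    # Escape "_" so LIKE matches the prefix literally rather than any char.
    like = _sql_str(old.replace("_", r"\_") + "%")
    for table, column in _KEYED_COLUMNS:
        stmts.append(
            f"UPDATE `{new}{table}` SET `{column}` = "
            f"CONCAT({_sql_str(new)}, SUBSTRING(`{column}`, {len(old) + 1})) "
            f"WHERE `{column}` LIKE {like};"
        )
    return stmts


if __name__ == "__main__":
    # Constructed table list standing in for SHOW TABLES output.
    sample = ["wp_options", "wp_posts", "wp_users", "wp_usermeta", "other_app"]
    for s in prefix_migration_sql(sample, "wp_", "k7q_"):
        print(s)
```

After the statements have run, change the $table_prefix line in wp-config.php to the same new value; do both in one maintenance window, because the site is broken in between.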
Attackers who get write access also like to plant code in wp-config.php, since it is loaded on every request, and the file holds the database credentials and authentication salts, so if the web server ever serves it as plain text (a broken PHP handler, a misconfigured virtual host) everything in it is exposed. So I make it a point to move this file out of the public directory. WordPress looks for wp-config.php in its own directory first; if it isn't there, it looks exactly one directory up, and uses that copy only if the parent directory does not itself contain a wp-settings.php (which would mean it is another WordPress install). It does not keep walking up the tree. So the file can live one level above the public-facing directory, which is normally called html, www, public or public_html, as a sibling of that directory rather than inside it. There it is outside the document root and cannot be requested through the browser. Two caveats: the parent directory really has to be outside the document root (on some hosts the account home is the document root), and the move does nothing against an attacker who already has write access as the web server user, since PHP can still read the file wherever it sits.
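The lookup order matters when you relocate the file, so here is an added example (mine, not WordPress's own loader code) that mirrors that two-step search in Python and exercises it against a throwaway directory layout. The layout, the prefix values written into the sample files and the public_html name are constructed for the demonstration; the point is to see which copy wins in each arrangement before a live site is touched.

```python
"""Mirror the two-step search WordPress performs for wp-config.php and
check that a relocated copy sits outside the document root.  Added
example; it reproduces the lookup order, it is not WordPress code."""
from pathlib import Path
from typing import Optional
import tempfile


def find_wp_config(abspath) -> Optional[Path]:
    """Return the wp-config.php WordPress would load for the install rooted
    at `abspath`, or None.  Order: the install directory itself, then its
    parent, but the parent is used only when it is *not* itself a WordPress
    install (no wp-settings.php there).  Nothing higher is consulted."""
    root = Path(abspath).resolve()
    here = root / "wp-config.php"
    if here.is_file():
        return here
    parent = root.parent
    candidate = parent / "wp-config.php"
    if candidate.is_file() and not (parent / "wp-settings.php").is_file():
        return candidate
    return None


def is_outside_docroot(config: Path, docroot) -> bool:
    """True when `config` does not live under the document root and so
    cannot be requested through the web server."""
    config = Path(config).resolve()
    docroot = Path(docroot).resolve()
    return config != docroot and docroot not in config.parents


def demo() -> dict:
    """Build a constructed layout (not a real site) and report what the
    lookup finds in each arrangement."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        docroot = home / "public_html"          # assumed docroot name
        docroot.mkdir()
        (docroot / "wp-settings.php").write_text("<?php // marker\n")

        # 1. no config anywhere
        results["missing"] = find_wp_config(docroot)

        # 2. config moved one level above the document root (the post's setup)
        moved = home / "wp-config.php"
        moved.write_text("<?php $table_prefix = 'k7q_';\n")
        found = find_wp_config(docroot)
        results["moved"] = found == moved.resolve()
        results["moved_outside"] = found is not None and is_outside_docroot(found, docroot)

        # 3. a copy inside the install directory wins over the moved one
        inside = docroot / "wp-config.php"
        inside.write_text("<?php $table_prefix = 'wp_';\n")
        results["inside_wins"] = find_wp_config(docroot) == inside.resolve()
        results["inside_outside"] = is_outside_docroot(inside, docroot)

        # 4. a nested site whose parent is itself a WordPress install: the
        #    parent's wp-config.php is skipped and the search stops there
        nested = docroot / "blog"
        nested.mkdir()
        results["nested_install"] = find_wp_config(nested)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```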
My last step was checking the client's site on a mobile device. For some reason, on phones the site kept pushing casino application downloads. I immediately checked the .htaccess file and sure enough it had been compromised. Typically this is a set of rewrite rules conditioned on the mobile user agent that sends those visitors off-site, which is why nothing looks wrong from a desktop. It probably got there because they had been running an old, insecure version of WordPress for so long. Fixing it was a matter of replacing .htaccess with a clean copy containing only the standard WordPress rewrite block and re-testing on a phone. Bear in mind that the rewritten file is a symptom: something with write access to the web root put it there, and unless that backdoor or stolen credential is found and removed, the redirect will come back. Check the file's modification time against the server logs and search the whole tree, uploads included, for PHP files that should not be there.
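To make that check repeatable, here is an added triage script (not the original post's code) that parses an .htaccess file the way Apache does, pairing each RewriteRule with the RewriteCond lines immediately preceding it, and flags rules that redirect to another host, with a higher severity when the redirect is gated on the user agent or referrer. The stock WordPress block is the real one that WordPress writes for pretty permalinks; the injected rules and the host casino.example are a constructed sample. It is a heuristic for this one injection pattern, not a general .htaccess malware scanner.

```python
"""Flag conditional off-site redirects in an Apache .htaccess.  Added
example, not the original post's code; the malicious sample is constructed."""
import re

# Standard WordPress permalink block, byte for byte.
STOCK_WORDPRESS_BLOCK = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample: the stock block followed by an injected redirect that
# only fires for mobile user agents or search-engine referrers.
INJECTED_SAMPLE = STOCK_WORDPRESS_BLOCK + """
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry|windows\\ phone) [NC]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://casino.example/land.php?u=$1 [R=302,L]
"""

_COND = re.compile(r"^\s*RewriteCond\b", re.I)
_RULE = re.compile(r"^\s*RewriteRule\b", re.I)
_UA_OR_REFERER = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
_EXTERNAL_TARGET = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)


def scan_htaccess(text: str) -> list:
    """Return one finding per RewriteRule whose target is an absolute URL.
    Apache applies the RewriteCond lines that directly precede a RewriteRule
    to that rule only, so the scanner collects pending conditions and
    clears them at each rule.  Severity is "high" when the redirect is
    gated on user agent or referrer (cloaking), "medium" otherwise."""
    findings = []
    pending = []  # (lineno, text) of RewriteCond lines not yet consumed
    for lineno, line in enumerate(text.splitlines(), 1):
        if _COND.match(line):
            pending.append((lineno, line.strip()))
            continue
        if _RULE.match(line):
            m = _EXTERNAL_TARGET.match(line)
            if m:
                gated = [t for _, t in pending if _UA_OR_REFERER.match(t)]
                findings.append({
                    "line": lineno,
                    "target": m.group(1),
                    "conditions": gated,
                    "severity": "high" if gated else "medium",
                })
            pending = []  # a RewriteRule consumes its conditions
    return findings


def has_stock_block(text: str) -> bool:
    """True when the unmodified WordPress permalink block is present."""
    return STOCK_WORDPRESS_BLOCK.strip() in text


if __name__ == "__main__":
    for f in scan_htaccess(INJECTED_SAMPLE):
        print(f"line {f['line']} [{f['severity']}] -> {f['target']}")
        for c in f["conditions"]:
            print("    gated by:", c)
    print("stock block intact:", has_stock_block(INJECTED_SAMPLE))
```

A clean file should produce no findings; anything it does report is worth reading line by line, and a high-severity hit on a site that "looks fine" from your desk is exactly the cloaking the post describes.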
Fortunately it didn’t take long for my client’s business to return back to normal. They also realized that they weren’t in a position to maintain WordPress security on their own. So they happily signed up for one of our ongoing maintenance packages to help keep their site secure. Things have been running smoothly ever since.
Take my advice, and don’t let this happen to your business. Put these WordPress security strategies into practice from the very beginning and avoid the mess. And if you don’t know how or don’t have the time, hire an expert to do it for you. Believe me, most of us that do this kind of work would prefer not to swing to the rescue like Batman after the bad guys have blown up Gotham. We prefer doing all the little things every day to make sure that the Joker never gets out of Arkham in the first place.