As website owners it’s important to keep abreast of issues and trends affecting WordPress Security. Fortunately our friends at iThemes are helping us with their series of free webinars on this topic. The first webinar, recorded May 27, 2015 was an overview of WordPress Security and what we as users and developers can do to keep our sites as secure as possible. Below are my notes from the lecture, or you can download the a PDF of the notes: https://www.sosmymarketing.com/wp-content/uploads/security.pdf
State of WordPress Security
Vulnerabilities are everywhere.
- If you want to be on the internet 100% absolute security is impossible
- ex: IRS.gov was recently hacked – 100,000 U.S. taxpayers info stolen
Why is WP such an attractive target for hackers?
Ripe target: 25% of all sites run WordPress (over 65% of all CMS installations)
Open source Code: Hackers know how the code operates (e.g.: the calls php uses to talk to the WP database and what the default tables are)
- Because it’s so easy to set up…and not everyone is careful, thorough, or security conscious.
How hackers take advantage of WP
- Failure to update the core software
- As users we’ve been programed to wait to update for fear of the update breaking something.
- Did you know….80% of updates to WP code are security related!
- Question: Do you know what happens when a WP update fails?
- Answer: if the update fails to execute, or does not complete, the update will stop itself.
- Conclusion: you should not wait to update your WordPress site!
- Plugins & Themes
- Do not get plugins/themes from untrusted sources. Restrict yourself to the WordPress.org repository or well-known companies.
- 8 out of 10 of the FREE themes/plugins have base64 encoding ex: footers that can’t be deleted.
- It’s estimated at any one time 20-30% of the top 50 plugins have some sort of vulnerability. Remember the timthumb.php that destroyed so many sites?
- Take the updates as they are issued!
- Weak Logins
- It doesn’t matter how much effort developers put into security if you don’t have a strong password!
- Do you use the same password for more than one site?
- Is your username “Admin”? If so, change it! It’s the first username hacker-bots try.
- Things to avoid when choosing a password: Any permutation of your own real name, username, company name, or name of your website; a word from a dictionary, in any language; a short password.
- If your computer is infected then your WordPress site is more easily hacked.
- Make sure your computer (and the computers of those accessing your websites!) are free of spyware, malware, and virus infections.
- Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
- Vulnerable Servers (your Website site host)
- Low-cost providers jam as many sites as possible on each server and are less likely to quickly respond to issues.
- Changing file permissions – ex: 777 lets the outside world execute commands.
Sources used in this post:
- Hardening WordPress: http://codex.wordpress.org/Hardening_WordPress
- iThemes training on YouTube https://www.youtube.com/channel/UCfhymuLFm8OT5YYbydc5pLQ
 From a study of WP plugin and theme updates over the past 5 years.