For the Dear Love of the Gods, Please Read This If You Use WordPress

Note: this only applies to people who don’t use WordPress.com, but have their own hosting and their own WordPress installations.

WordPress blogs are notorious for falling prey to massive automated attacks, anywhere from scanning WordPress versions to exploit known security holes for that version, to scraping error information in dictionary attacks against the login box, to passing specially formulated URLs that cause bad PHP code execution.

If you do nothing else, please install Secure WordPress, go to its options page, check a lotta boxes, and click “save changes”. I also suggest a few more measures at the end of this post.

Here is what the options mean, and whether you want to tick the box or not (usually you do, but not always, such as if you’re using third-party software like MarsEdit, ScribeFire, or Windows Live Writer):


Error-Messages…

This removes the error message WordPress gives on a bad login. You’ll still know if you failed to log in (WordPress will simply present you with the login box again), but scripts and hackers won’t know specifically why the login failed—they can’t tell whether it was the username or the password that was wrong.

If a hacker does know, for instance, that the password failed but the user login was valid (because WordPress by default gives very specific login errors), they will know to proceed with dictionary attacks rather than keep attempting to guess logins.

Plus there are certain kinds of security holes that can be exploited if you know the login of at least one user for sure.

Amusingly, many people put more thought into their user login than their password.

You should tick this box.

WordPress Version…

If you ever view the source of your blog page, near the top you will see a line like this (the version here is a placeholder; your page prints the real one):

    <meta name="generator" content="WordPress [your version]" />

By default, WordPress kindly tells every script and hacker out there its version, the better for them to scan thousands of URLs and generate attacks lovingly tailored to each WordPress version’s security holes.

If you tick this box, Secure WordPress will replace the WordPress version in all publicly viewable pages, as well as in your RSS feed (a less popular but equally legitimate place to retrieve your WordPress install’s version), with a random 4-digit number.

Do not listen to WordPress’s plea to leave that line in for stats. Tick this box for your safety.

WordPress Version in Backend…

Only really necessary for installations with multiple non-administrative users registered, where you don’t trust those users not to, for instance, pick a trivially crackable password that lets a script read the WordPress version from the non-public pages (i.e., the administrative section of WordPress).

I think you should tick this box regardless. A user with admin privileges will still see the WordPress version.

index.php…

Many web hosts already block the listing of directories, because directory listings are a popular way for crackers to discover specific URLs (like CGI scripts) they can use for attacks.

Tick this box regardless, because it’s a good habit to get into.

Really Simple Discovery…

Really Simple Discovery (RSD) is metadata that WordPress generates in the header of every publicly served page that conveniently tells remote programs which special URLs to use when posting/deleting/editing/etc posts. This is used by third-party blogging software, which depends on knowing these URLs in order to let you post from outside WordPress.

Of course, it also allows hackers to find the special URLs to use when posting/deleting/editing/etc posts.

If you really love your third-party external editor—and they range from the WordPress iPhone app to ScribeFire and MarsEdit and even more—then you want to keep this box unchecked.

If you always post from inside WordPress anyway, tick this box.

Windows Live Writer…

Windows Live Writer is also a third-party external editor, but it doesn’t use RSD. Instead, Windows Live Writer uses a special link generated by some blogging platforms, like WordPress.

If you don’t use Windows Live Writer, tick this box.
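For readers who would rather see what the “Error-Messages”, “WordPress Version”, “Really Simple Discovery” and “Windows Live Writer” options boil down to, here is a hand-rolled equivalent of those four as a must-use plugin. This is an added example for this post, not code from the Secure WordPress plugin; the file name and location (wp-content/mu-plugins/harden-head.php) are my assumption, and the closures need PHP 5.3 or later.

```php
<?php
/*
Plugin Name: Harden Head (added example)
Description: Hand-rolled equivalents of four Secure WordPress options, kept in a
must-use plugin under wp-content/mu-plugins/. Illustrative code written for this
post, not the Secure WordPress plugin's own code.
*/

// Do nothing if this file is requested directly rather than loaded by WordPress.
if (!defined('ABSPATH')) {
    exit;
}

// "Error-Messages": answer an unknown username and a wrong password identically,
// so the login form stops confirming which usernames exist.
add_filter('login_errors', function ($message) {
    return 'Login failed. Please check your username and password and try again.';
});

// "WordPress Version": stop printing <meta name="generator" ...> in page heads.
remove_action('wp_head', 'wp_generator');

// The same version string also goes into the <generator> element of RSS and Atom
// feeds; returning an empty value from this filter removes it there. (Secure
// WordPress swaps in a random number instead; removing it outright is simpler.)
add_filter('the_generator', function ($generator, $type) {
    return '';
}, 10, 2);

// "Really Simple Discovery": drop the <link rel="EditURI" ...> tag that points
// remote editors at the XML-RPC endpoint. Leave this line out if you post with
// MarsEdit, ScribeFire or the WordPress iPhone app, which rely on it.
remove_action('wp_head', 'rsd_link');

// "Windows Live Writer": drop the <link rel="wlwmanifest" ...> tag. Leave this
// line out if you publish with Windows Live Writer.
remove_action('wp_head', 'wlwmanifest_link');
```

Removing an action that a given WordPress version never registered simply returns false and does nothing, so the file is harmless on versions that have since stopped emitting one of these tags. After dropping it in, view the source of your front page and your feed again: the generator meta tag and the two link tags should be gone, and a failed login should show the same message whichever half you get wrong.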

Core Update…

These days, WordPress displays a little message in yellow atop administrative screens when a new version is available and you should upgrade. Upgrading is dead simple these days, so there’s no excuse.

But if you want to keep the WordPress version extra-hidden from non-administrative users even when an upgrade is needed, tick this box. Administrative users will still see this rather important message.

Plugin Update…

Similar to the “Core Update” option, with similar recommendations as to tick or not.

Theme Update…

Similar to the “Core Update” and the “Plugin Update” options, with similar recommendations as to tick or not.

WP Scanner…

If you tick this box and then follow the directions about editing your theme temporarily, you can use wpscan to find possible exploits in your system. I’ve seen themes revealed to be really stupid about what they allowed in the search box, for instance. WordPress themes are more powerful than themes in most blogging platforms, which can both rock (in the normal case) and suck (in terms of security exploits).

If wpscan runs and mentions anything about search queries, and you don’t know how to fix your WordPress theme to not allow that sort of thing, switch WordPress themes.

Block bad queries…

This helps protect your blog from malformed URLs and queries that exist as exploits whether you seal everything else up or not. Jeff Starr created this code in the wake of a recent and very nasty worm outbreak, and Secure WordPress now incorporates it.

Totally tick this box. There is almost no reason not to. In fact, I can’t think of a reason not to.
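To make the “Block bad queries” idea concrete, here is a small request filter of the same kind: it refuses obviously malformed requests before any theme or plugin code runs, and logs them so you can review what is hitting the site. This is an added example written for this post, not Jeff Starr’s code and nowhere near as thorough; the tbqf_ function names, the plugin header and the threshold values are my own assumptions.

```php
<?php
/*
Plugin Name: Tiny Bad Query Filter (added example)
Description: A small request filter in the spirit of the "Block bad queries" option:
refuse obviously malformed requests before any theme or plugin code sees them.
Illustrative code for this post, not Jeff Starr's code, and far less thorough.
*/

if (!defined('ABSPATH')) {
    exit;
}

/**
 * Return the name of the first rule the request string trips, or null if it is clean.
 * The rules are deliberately coarse: constructs no legitimate page of a blog asks for.
 */
function tbqf_find_bad_pattern($request_uri) {
    $rules = array(
        'path traversal'          => '#\.\./#',
        'null byte'               => '#%00|\x00#',
        'base64-wrapped payload'  => '#base64_(?:en|de)code#i',
        'code execution function' => '#\b(?:eval|system|passthru|shell_exec)\s*\(#i',
        'script tag in request'   => '#<\s*script#i',
        'oversized request'       => '#^.{2048,}$#s',   // tune if your admin URLs run long
    );
    // Decode once so percent-encoded variants of the same thing are caught too.
    $subject = rawurldecode($request_uri);
    foreach ($rules as $name => $regex) {
        if (preg_match($regex, $subject)) {
            return $name;
        }
    }
    return null;
}

/**
 * Check the raw request URI as early as a plugin can. A bad request gets a bare 403
 * and a line in the PHP error log for later review; the rule itself is not revealed.
 */
function tbqf_check_request() {
    if (empty($_SERVER['REQUEST_URI'])) {
        return;
    }
    $hit = tbqf_find_bad_pattern($_SERVER['REQUEST_URI']);
    if ($hit === null) {
        return;
    }
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log(sprintf('tbqf: blocked request (%s) from %s: %s',
        $hit, $client, substr($_SERVER['REQUEST_URI'], 0, 200)));
    status_header(403);
    nocache_headers();
    exit('Forbidden');
}
add_action('plugins_loaded', 'tbqf_check_request', 1);
```

The log line is the part worth keeping an eye on: a burst of “blocked request” entries from one address is a scan in progress, while a single entry naming a URL you recognise as your own is a false positive and a sign to loosen that rule.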

There are more recommendations for securing your WordPress install out there, but the Secure WordPress plugin covers many of the vital ones, though not all of them.

Some More Advice

  1. I wish a plugin like Secure WordPress could automate this, but it’s probably not possible: make sure the ‘admin’ user no longer uses ‘admin’ as their login. It’s a default that WordPress sets up, and one that hackers of course know about.

  2. When you download a WordPress theme, please check its source code for anything suspicious looking before you install it. This is so important, as if you install a hacked WordPress theme, you’ve undermined all your security regardless of what you’ve done.

    Fortunately, many if not all hacks are obvious even to the non-technical eye. Here is a post from Chaos Laboratory that covers what hacked themes look like.

  3. Always update your WordPress version. For serious. These days WordPress will, if you tell it to, automatically download and install a new version of itself. It will even tell you when to do this, which is a much better state of affairs than things used to be.

  4. Always make sure your plugins are up-to-date, for they are also a source of many security exploits in the past—some plugins, like some themes, are that powerful.

    In fact, WordPress as of version 2.9 provides a very easy way to upgrade multiple plugins at the same time—under “Tools”, click on “Upgrade”, and you’ll see a section full of ticky boxes. Once you select which plugins to upgrade (usually ticking All), and hit the submit button, your site will automatically be taken into maintenance mode (people reading your blog will only see a maintenance message), all your plugins upgraded, and then your site taken back out of maintenance mode.
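For item 2 above, checking a downloaded theme’s source by eye, here is a small command-line scanner that flags the constructs hacked themes tend to lean on: eval’d or base64-wrapped code, shell calls, and markup hidden with an inline display:none (the usual home of a planted link). This is an added example written for this post, not code from the post or from Chaos Laboratory; the script name and the list of signatures are my own choices, and a hit is a reason to read that line, not proof of a backdoor.

```php
<?php
// theme-audit.php: an added example for item 2 above, not code from the post or from
// Chaos Laboratory. Scan a theme directory for constructs that hacked themes lean on.
// Usage: php theme-audit.php /path/to/wp-content/themes/some-theme
// With no argument it runs against a constructed sample so the output can be seen.

/**
 * Return a list of suspicious lines in one file's source: each entry gives the
 * line number, the reason it was flagged, and the line text.
 */
function theme_audit_suspicious_lines($source) {
    $signatures = array(
        'eval() of dynamic code'        => '#\beval\s*\(#i',
        'base64 decoding'               => '#\bbase64_decode\s*\(#i',
        'obfuscation helper'            => '#\b(?:gzinflate|gzuncompress|str_rot13)\s*\(#i',
        'preg_replace with /e modifier' => '#preg_replace\s*\(\s*["\'](.).*\1[a-z]*e[a-z]*["\']#i',
        'shell execution'               => '#\b(?:system|shell_exec|passthru|exec)\s*\(#i',
        'inline-hidden markup'          => '#style\s*=\s*["\'][^"\']*display\s*:\s*none#i',
        'long encoded blob'             => '#["\'][A-Za-z0-9+/=]{200,}["\']#',
    );
    $findings = array();
    foreach (preg_split('/\r\n|\r|\n/', $source) as $index => $line) {
        foreach ($signatures as $reason => $regex) {
            if (preg_match($regex, $line)) {
                $findings[] = array('line' => $index + 1, 'reason' => $reason, 'text' => trim($line));
            }
        }
    }
    return $findings;
}

/**
 * Walk a directory and audit every PHP, JavaScript and HTML file in it.
 * Returns an array keyed by file path; clean files are omitted.
 */
function theme_audit_directory($dir) {
    $report = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!preg_match('/\.(?:php|js|html?)$/i', $file->getFilename())) {
            continue;
        }
        $findings = theme_audit_suspicious_lines(file_get_contents($file->getPathname()));
        if ($findings) {
            $report[$file->getPathname()] = $findings;
        }
    }
    return $report;
}

function theme_audit_print($report) {
    foreach ($report as $path => $findings) {
        echo $path, "\n";
        foreach ($findings as $f) {
            printf("  line %d: %s\n    %s\n", $f['line'], $f['reason'], $f['text']);
        }
    }
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        if (!is_dir($argv[1])) {
            fwrite(STDERR, "Not a directory: {$argv[1]}\n");
            exit(2);
        }
        $report = theme_audit_directory($argv[1]);
    } else {
        // Constructed sample footer.php in the shape of a typical hacked theme: a hidden
        // link block plus an eval'd base64 string. Not taken from any real theme.
        $sample = "<div id=\"footer\">\n"
                . "  <p>Powered by WordPress</p>\n"
                . "  <div style=\"display:none\"><a href=\"http://example.invalid/\">cheap stuff</a></div>\n"
                . "  <?php eval(base64_decode(\$footer_links)); ?>\n"
                . "</div>\n";
        $report = array('(constructed sample footer.php)' => theme_audit_suspicious_lines($sample));
    }
    theme_audit_print($report);
    // Exit status 1 when anything was flagged, so the scan can gate a deployment.
    exit($report ? 1 : 0);
}
```

Run it against the unpacked theme folder before you copy it into wp-content/themes. On the built-in sample it reports line 3 for the hidden block and line 4 twice, once for eval() and once for base64_decode(), which is exactly the pattern to refuse a theme over.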

2 thoughts on “For the Dear Love of the Gods, Please Read This If You Use WordPress”

  1. Secure WordPress is one of the coolest plugins I know, even though it does nothing flashy—it automates a lot of basic safety features I used to have to do by hand. Especially automating the blocking of bad queries and the WordPress version hiding are the best features of the lot but also the hardest to do if you’re not technical.

    Secure WordPress rox0rs. I’m going to have to donate to them soon.
