|
|
The Definitive Guide to WordPress Security |
The Definitive Guide to WordPress Security Posted: 01 Jul 2013 07:26 PM PDT Posted by SamAntics This post was originally in YouMoz, and was promoted to the main blog because it provides great value and interest to our community. The author's views are entirely his or her own and may not reflect the views of Moz, Inc. If you work in online marketing, the chances are good that you've worked on, are working on, or will at some point work on a WordPress site. If you work with wordpress.org in any capacity, this post is for you (much of this post doesn't apply to *.wordpress.com hosted sites). Script kiddies suckIn hacker lingo, a script kiddie is the lowliest form of hacker (using the term hacker loosely), and relies on common tools and scripts to find and take advantage of the weakest and most common security vulnerabilities: crappy passwords, use of public WiFi without a VPN, outdated plugins, low-security hosting, phishing attacks, and other things of this nature. Sadly, these issues alone grant access to a shocking number of sites. Unless you're in charge of a WordPress site for a major brand, the majority of the security issues you're likely to face will be the result of script kiddies. The good news is this: If you follow this guide, your site should be as close to invulnerable as you can reasonably get. (To be fair, nothing is truly invulnerable, but this will get you pretty close.) Abracadabra, vault-like security is yours. Without further ado, let's dive in. I personally take a four-tiered approach to WordPress security: Hosting and server level securityWhen it comes to securing WordPress, it's best to start from the ground up. When you host your website with a hosting company that isn't sufficiently security-conscious, if any site on a server is hacked, there's a chance that any other site on that same server could be vulnerable. After a ton of research, I've determined that the most secure option for hosting Wordpress is WPEngine.com (and, conveniently, Moz has a PRO perk for them, 4 months of free hosting). The effort they put into security is re-freaking-diculous (seriously). I'm in the process of moving all of my WordPress sites over to them as we speak. They aren't cheap, but you get quite a lot for what you pay. They even have a partnership with Sucuri Security, so if your site ever gets hacked, they'll fix it for free. That said, they might not be a perfect fit for everyone. For example, there are quite a few plugins they don't allow (many for performance issues, not security issues). There are alternates to most plugins though, so hopefully that isn't a deal breaker. If you HAVE to use another host for whatever reason, or need to host on your own servers, there are a few things to keep in mind (WP Engine does most, if not all, of this):
There's more to this, but those are the biggies. If you want a lot more detail, go here and here. The next step in this process involves configuring some server rules. If you have access to the main server configuration file, it's best to do these things at that level, but not everyone is going to have that access. For that reason, I'm going to cover how to do this via the .htaccess file by walking you through a real .htaccess file (Note: edit your .htaccess file AFTER you install WP. It's server-centric though, so I'm covering it here). BIG FAT WARNING: Be very, very careful when making changes to your .htaccess file. If you aren't extremely comfortable with code, it's best to let your developer do this. I've personally used all of this code, exactly as is, but I've seen bits work on some sites and break things on others (it totally depends on your server configuration, plugins installed, etc.). To be safe, get your developer to do this for you. WordPress auto-creates a section in the .htaccess file. Don't put anything inside of the WordPress section of the .htaccess, as it will be overwritten. Some things will need to go before the WordPress .htaccess section, and some things after, to avoid breaking things. If you don't know what should go where, you probably shouldn't be editing your .htaccess file. OK, here goes... This first bit of code helps to prevent errors on some Apache servers, and activates the rewrite engine (which many of these commands require to function): ## Include this at the start of your .htaccess file ## Options +FollowSymlinks RewriteEngine On This next bit turns off the server signature. This is a "security by obscurity" trick, as the less info a hacker has about your system, the harder it is to get in. The more they know, the easier it is to go out and hunt for known exploits: ## Disable the Server Signature ## ServerSignature Off Sometimes spammers will append their own crappy query strings to the end of a URL, attempting to do all kinds of nasty things, and this next bit of code can negate it by 301 redirecting certain query strings back to the canonical URL. Just edit the enter|query|strings|here bit to include the query strings you're having issues with, separated by pipes (a pipe is a separator in RegEx). This next bit of code also has uses beyond blocking spammers, and can sort out issues with ?replytocom and other common junk query strings: ## Remove Spammy Query Strings ## <ifModule mod_rewrite.c> RewriteCond %{QUERY_STRING} enter|separated|query|strings|here [NC] RewriteRule .* http://www.%{HTTP_HOST}/$1? [R=301,L] </ifModule> While not hacker-specific (though it certainly could be), this next bit of code will prevent bots with no user agent from hitting your site. Just change out yourwebsite.com with your actual URL before placing this in your .htaccess: ## Protect from spam bots ## <IfModule mod_rewrite.c> RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post\.php* RewriteCond %{HTTP_REFERER} !.yourwebsite.com.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L] </IfModule> A common hacking tactic is a SQL injection, and this bit of code can block the vast majority of attempts: ## SQL Injection Block ## <IfModule mod_rewrite.c> RewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ - [F,L] RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR] RewriteCond %{QUERY_STRING} boot\.ini [NC,OR] RewriteCond %{QUERY_STRING} tag\= [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||ê|"|;|\?|\*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ - [F,L] </IfModule> Now, there are plugins that can limit the number of login attempts from any one IP address, but that doesn't prevent hackers from using large blocks of IPs to brute-force your site (a la public proxy lists). I've experienced this first hand numerous times, so the following bit of code has been a lifesaver as it only allows my login pages to be reached from IP addresses I specify, and blocks access to those pages from all other IPs. Just adjust the allow from lines to reflect your actual IP addresses (you can get your IP addresses by going to Google from each place you connect to the internet and searching "What is my IP"). If needed, change the login filenames as well (wp-login.php is default, and login is not, but my site uses both because of a plugin I use). Or, to make it easier on yourself, go to ProxyBonanza and pay $10/mo for one exclusive proxy IP of your own, and then allow that IP and use that IP whenever you want to access your sites. (ProxyBonanza has plugins for Firefox and Chrome, which make this step really easy.) Just swap out the fake IPs below with your actual IPs. If your IP changes, you can always go in and fix this via FTP later. ## Restrict WordPress Login Pages to Your Own IPs ## <Files wp-login.php> order deny,allow deny from all allow from 192.168.1.1 allow from 192.168.1.2 </Files> <Files login> order deny,allow deny from all allow from 192.168.1.1 allow from 192.168.1.1 </Files> There are a number of files that nobody but you should ever be accessing, and this bit of code will block them from being accessed via a browser: ## Block Sensitive Files ## Options All -Indexes <files .htaccess> Order allow,deny Deny from all </files> <files readme.html> Order allow,deny Deny from all </files> <files license.txt> Order allow,deny Deny from all </files> <files install.php> Order allow,deny Deny from all </files> <files wp-config.php> Order allow,deny Deny from all </files> <files error_log> Order allow,deny Deny from all </files> <files fantastico_fileslist.txt> Order allow,deny Deny from all </files> <files fantversion.php> Order allow,deny Deny from all </files> If you find your site being hit repeatedly with attack attempts from certain IP addresses, you can manually block certain IPs with the following bit of code. Just edit the deny from bit to include the offending IP, with one IP per line as follows: ## Malicious IP Blocking ## order allow,deny deny from 1.1.1.1 deny from 2.2.2.2 allow from all If you have people hitting you really often from the same IP or IP block, you can redirect that IP/IP block to a nice rickroll video (just change the IP below to reflect the one that's hitting you). :) I've done this on my sites for a few repeat offenders: ## Redirect Recurring Spammer IPs to a Rickroll Video ## RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.1$ RewriteRule .* http://www.youtube.com/watch?v=oHg5SJYRHA0 [R=302,L] If you have certain websites that are hitting you with referral traffic you don't want (it can happen for various reasons), you can block those referring domains with this code: ## Block Certain Referring Domains ## RewriteCond %{HTTP_REFERER} digg\.com [NC] RewriteRule .* â" [F] You can also use your .htaccess file to secure wp-includes (this can cause real issues, especially with Multisite, so I'll have you go here for the specifics). You can also do some other pretty advanced things, like blocking certain countries and browser languages, if you so choose. With all of that in place, your .htaccess file is just about as hardened as it can get. An .htaccess file can exist for each directory on a site, and is applied to everything in and under that directory. I've compiled this list from a number of different articles, with a few bits of my own sprinkled in. For further reading on these and other similar points, check out these five links. The last step is to lock down your file permissions so that only those who should have access to certain files have that access. You can read how to change file permissions here (be careful with this one too, as it can break things, particularly plugins.) This is something you should test very carefully as you implement it, ideally in a sandbox or dev environment. And that's it for WordPress server-level security (not really â" you could fill a book with this stuff â" but this should be sufficient for your needs). Next up, WordPress itself! Your WordPress installationOnce you have your hosting and server security sorted out, it's time to get WordPress installed, along with the necessary security plugins. Even if you already have an existing WordPress site, don't skip this section! You'll want to download the WordPress install files directly from wordpress.org, and go through the install process via secure FTP (SFTP). Many hosts offer a one-touch WP install, which is also fine. As you do this, make sure you pick secure passwords (outlined in the next section), and don't use the same password for more than one site/thing (separate passwords for your database, FTP, WordPress admin, etc.) With WordPress installed, the next step will be to pick a theme â" and not just any theme will do. As any black-hat SEO knows, themes and plugins have long been a great way to get links, albeit in a shady and unethical way (remember MozCon 2011, when Richard Baxter gave a live demonstration of pointing millions of links with anchor text of his choice from a set of WordPress sites running a theme/plugin he'd created? Yeah.) Because a lot of potentially dangerous things can be hidden inside of themes, it's a good idea to use or buy a secure, clean theme. The themes that come with wordpress.org by default are pretty safe, but here are a few other options for clean themes: Option 1 and Option 2. To get a better feel for why this is so important, there's a great video here. If you already have a theme installed, you might want to run a security scan, or have a security-minded developer look through the theme code. Ditto for any plugins you might have. After you've selected your theme, the next step is to start picking plugins. When it comes to plugins, you need to be just as careful as you were with picking a theme. Even popular plugins can contain vulnerabilities, and developers can sometimes be slow to fix them (or perhaps put them there themselves). For that reason, I recommend using as few plugins as possible to get the job done. That said, from a security perspective, here are the plugins I highly recommend:
If you opt to use WP-Engine for your hosting, be aware that they are very strict on what plugins they do and don't permit. I find this pretty annoying, and while I understand their reasons, I really like some of the plugins they don't permit. If you have unused themes or plugins installed, I'd recommend deleting them. Just having them installed on your site, even if they aren't active, can potentially pose problems. You should also make sure that you keep WordPress, your plugins and your themes up-to-date. Updates often fix known security issues, and one of the first things a smart hacker looks for is out-of-date plugins and themes they can exploit. As you build out your site, you should also pay very close attention to what is and isn't reachable by crawlers, and how your site handles things like login info, passwords, lost passwords/password resets, security questions, etc. There's an entire sub-set of hacking called Google hacking, dedicated to surfacing information Google has found and indexed that it probably shouldn't have (great article here). Making effective use of your robots.txt file to block things that should be blocked is highly recommended. While site security is never finished, this will sort out the vast majority of problems you're likely to encounter. Remember, nothing is unhackable, so the goal is simply to make your site more way trouble than it's worth to the majority of hackers. Personal securityAs any half-decent hacker knows, the human element of security is usually the weakest link in the chain. The most security-conscious web admin or host can be foiled by a common password (Love, Sex, Secret, God, Hack the Planet!). The human brain likes routines, patterns, and comfort zones; and hackers exploit that with glee! If you want a fascinating yet frightening read on this topic, check out Kevin Mitnick's book The Art of Deception. Here are my seven personal best practices for locking down the human element:
Last but not least, exercise constant diligenceWhen it comes to WordPress security, you can't just set it and forget it. If you put all of this in place, and then fail to monitor and update and change things as time goes by, you'll be in just as bad of shape as if you'd never done any of this to begin with. To make sure that all of your hard work doesn't go to waste, I recommend a seven-step checklist to maintain constant vigilance for your WordPress sites:
Sign up for The Moz Top 10, a semimonthly mailer updating you on the top ten hottest pieces of SEO news, tips, and rad links uncovered by the Moz team. Think of it as your exclusive digest of stuff you don't have time to hunt down but want to read! |
#MozCon Speaker Interviews: Avinash & Annie Posted: 01 Jul 2013 05:06 AM PDT Posted by Lindsay Today I'm excited to bring you a short interview with two of the top web analytics professionals in the industry, Avinash Kaushik and Annie Cushing. Not only are they experts at leveraging data effectively, theyâre incredible conference speakers who are returning to MozCon this year! Avinash Kaushik is the digital marketing evangelist at Google and co-founder of Market Motive. He is also the author of two best-selling books, Web Analytics 2.0 and Web Analytics: An Hour A Day, and he writes a popular web analytics blog, Occam's Razor.
Heâs an energetic speaker who delivers eye-opening insights about the power of data that you can put into action immediately. He gave an awesome presentation at MozCon 2011 which inspired a flood of tweets and ended with a standing ovation. Annie Cushing is an SEO and analytics consultant. Her areas of expertise are analytics, technical SEO, and everything to do with data â" collection, analysis, and beautification. Sheâs on a mission to rid the world of ugly data, one spreadsheet at a time. If you donât think analytics can be sexy, chances are Annie will change your mind. She shares practical, actionable information that revolves around one of her passions â" making data sexy. At MozCon 2012, the audience at her amazing presentation left with tons of useful tips and tricks for creating Excel spreadsheets that are comprehensive, easy to understand, and compelling to decision-makers. We are honored that Avinash and Annie are joining us again at MozCon, and we hope you will join us, too! Their talks will help you demystify analytics data the moment you get back to the office. In his keynote, âSimplifying Complexity: Three Ideas For Higher ROI,â Avinash will apply Occamâs Razor to three user cases and share practical tips for dealing with complexity. Annie will show you how to separate the junk from the sound data when analyzing organic keyword data in her talk, âBreaking Up With Your Keyword-Based KPIs.â Recently, Avinash and Annie were kind enough to answer a few questions about their upcoming MozCon presentations, must-know analytics information, and which technology would improve their lives. Tell us about the presentation you have planned for MozCon. Avinash: My plan is to share three stories that serve as an example of amplifying the awesomeness of any business not by focusing on doing one thing well. That seems like such an odd thing to say, but I've convinced that if we are to make incredible progress we need to solve for multiplicity. Three simple examples, from our everyday lives, that the audience will be able to go back and implement in their day to day efforts. Annie: Iâm going to talk about breaking up with your organic keyword data. Many marketers (if not most) who focus on organic search are using junk data that does not stand up to scientific criteria. Iâm going to talk about what data is junk, how to differentiate junk from sound data, and some alternatives to junk data that withstand statistical scrutiny. What is something that all marketers should know about web analytics, but many donât seem to know? Avinash: My 10/90 rule. For every $100 you need to invest in making smarter decisions on the web, you need to invest $10 in tools and consultants to implement the tools, and you need to invest $90 in big brains to analyze the data and recommend actions. People have this insane belief that data talks. No. Data does not talk; people make data talk. The question to ask, hence, is not how much data you have. The question is how many big brains you have. Annie: How to report on conversions in a way that gives all of the marketing channels credit for their contribution to the end goal(s). If coaches ran football teams the way marketers report on conversions, only the players who score the touchdowns would get paid. What uninvented technology would improve your life the most? Avinash: I know this seems silly, but I think I have all the technology I need in my life. Sure the batteries could last longer and my computer could just type in what I'm thinking - why do I need to physically type in a cramped plane seat? There is an impressive amount of technology we need to deploy to ease human suffering. Those solutions, big and small, from smarter malaria nets to more precise lasers to target cancer, are the ones I'm rooting for. Annie: A centralized financial system in the cloud that would enable me to manage all of my financial needs from one place â" from investing to paying bills to paying my business quarterly taxes â" with robust projection and budgeting data visualizations at my fingertips. Thank you for speaking with us, Avinash and Annie! If you would like to read more about Avinash, check out this great interview he did a couple years ago, which covers some of his views on social media, SEO, and why he is always looking for exceptional things. You can also follow Avinash on Twitter @avinash. Learn more about Annie and web analytics by checking out her info-packed blog, Annielytics, her great posts on Search Engine Land, and by following her on Twitter @AnnieCushing. Even better, get actionable analytics advice by joining us at MozCon and experiencing their awesome presentations! Sign up for The Moz Top 10, a semimonthly mailer updating you on the top ten hottest pieces of SEO news, tips, and rad links uncovered by the Moz team. Think of it as your exclusive digest of stuff you don't have time to hunt down but want to read! |
You are subscribed to email updates from Moz Blog To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
Google Inc., 20 West Kinzie, Chicago IL USA 60610 |
|
|
|
Facebook Twitter | More Ways to Engage