WordPress blog (self-hosted): What you need to know

Note from the editor: Bev Robb, aka teksquisite, is a new Expert contributor to the EE Tech News blog. She is an IT consultant with nearly 20 years of experience in Internet Security, software, networking, social media, and more.

If you opt for a self-hosted WordPress blog, there are a few things that you should know prior to installation. Perhaps you’ve read “Self-hosting your WordPress site in ten easy steps” (or the equivalent of such)? Did you notice any mention of how to secure your new blog? Probably not. Self-hosted WordPress blogs are a dime-a-dozen when launched for the sole purpose of blackhat-affiliate marketing.

During the summer of 2012, SophosLabs intercepted a major malware campaign. Because many WordPress admins did not secure their sites, malicious hackers were able to surreptitiously place malicious code from the Blackhole exploit kit on vulnerable sites. They used two major stealth modes to infect the sites:

  • Drive-by-downloads
  • Malicious iFrames

Whether the hackers gained access through weak passwords, vulnerabilities in the WordPress core, plugins or themes, or via script injections, all of the compromised sites were insecure and practically invited these hacks. WordPress admins, listen up. Your lazy WordPress no-security practices are a strong factor in propagating these types of attacks.

If you are clueless about the WordPress core, plug-ins, themes, phpMyAdmin, and regular WordPress site maintenance and security, you would be doing the web a favor by selecting WordPress.com to host your blog (it’s free). If you are serious about learning more about hardening and securing a WordPress blog, this blog post is meant for you.

Running a self-hosted blog comes with a list of responsibilities. It is not like you can merely install it and be done with it. Your first priority should be to familiarize yourself with the WordPress CMS (Content Management System) platform, along with the pros and cons of self-hosting.

You should also be technically savvy and aware of the various ways to harden a WordPress blog installation. You will be responsible for technical maintenance (backend configuration; backups; blog security; logs; spam filtering; and core upgrades/plug-in updates). Your choice on how you secure (or no-secure) your site makes you directly responsible to the web community as a whole.

Hosting your blog

Choosing the right host can affect the security of your blog. In the past I have been the victim of two WordPress hacks. At the time of the first hack, I was on a managed VPS. All maintenance and administrative tasks (including software updates) were administered by the hosting provider. In my case, the software was rarely updated.

Take the time to find a reputable and reliable hosting service – do your research first. You don’t want to end up on a server that is easily compromised, is slow to update software, has bad tech support, or has too much down time. The fact that hackers and cybercriminals favor targeting WordPress is for the same reason they favor exploiting Microsoft Windows – it’s popular!

WordPress.org recommends Bluehost, DreamHost, or Laughing Squid. I’ve had great success hosting the majority of my blogs at Namecheap. You should look for the following five features in a potential hosting provider:

  • Server reliability of 99.99% uptime
  • cPanel hosting
  • 24/7 customer support
  • Money-back guarantee
  • Awesome hosting reviews

There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment. —WordPress.org

Securing your blog

From the moment that you install WordPress, you should be thinking about security. Forget about all those ads and profits that you hope to gain from publishing the viral top 10. SEO, building reputation, and page rank take time. If your blog gets blacklisted before it even gets off the ground, you only have yourself to blame. Hosting a no-secure blog is equivalent to graduating from the Edith Bunker school of driving. If you only know how to press a Softaculous automation button and you don’t know the why behind the process – it’s time to dump Edith Bunker and go to a real driving school. Seriously. Do you get my gist?

I have seen a lot of site admins downplay the importance of updating CMS software and hardening company WordPress blogs. This is especially prevalent with small businesses and start-ups that rely solely on development teams to schedule site updates and releases.

I’ve also seen many home businesses slap together self-hosted WordPress blogs (because they noticed that cPanel had a Fantastico, Softaculous or Installatron autoinstaller), and they think that all they have to do is populate their blog with posts, widgets and plugins. Sadly, they never really do their security homework. It is the responsibility of every site admin to maintain a secure site that is free from malware links and other code nasties.

The Top 10 Security Mistakes

Six months ago I wrote the Top 10 Security Mistakes That Self-Hosted WordPress Blogs Make over at the AntJanus blog. Since the information is still applicable and I am not a gal who likes to reinvent the wheel, I am going to post these WordPress security bytes here.

According to Forbes, one out of every 6 websites on the Internet is powered by WordPress (nearly 60 million in all), with 100,000 more popping up each day. WordPress.com currently hosts over 62.5 million blogs. As of this writing, WordPress stats did not include the number of self-hosted blogs, but rest assured there are many of us! I’ve been using WordPress since the Gold days and it only gets better with each release.

1. Managing a WordPress site from a friend’s/public computer or insecure/public Wi-Fi

You should always login to your site via a secure connection. You never know what could be lurking on someone else’s computer; from keyloggers to password-stealing Trojans, take your pick. The same goes for logging in on an unsecured Wi-Fi connection.

2. The use of weak passwords

Last March (2012) when 30,000 WordPress blogs became infected with rogue anti-virus, many of the blogs had weak administrative passwords, were outdated, or had vulnerable plugins. Forget about using weak passwords [123456], and don’t ever use the same password across multiple sites!

  • How long would an online attacker using a password cracker at 1,000 guesses per second take to figure your password out? Let’s take a look at how effective your password is at GRC.
  • If your password is 5 characters long and uses:
    • Just numbers, the time to “crack” = 1.85 minutes (Example: 123456).
    • The full alphabet but doesn’t mix upper and lowercase, the time to “crack” = 3.43 hours (Example: alpha).
    • The full alphabet and numbers 0 through 9 but doesn’t mix upper and lowercase, the time to “crack” = 17.28 hours (Example: alp12).
    • The full alphabet and numbers with mixed case, the time to “crack” = 1.54 weeks (Example: Alp12).
  • If we combine the alphabet, numbers and mixed case and use 6 characters instead of 5, the time to “crack” jumps to 1.84 years (Example: Alph12).
  • If we go to 8 characters and throw in symbols like # % & *, the time to “crack” jumps to 2.13 thousand centuries (Example: Alph12*!). –The Cocoon Blog
  • Use a combination of uppercase, lowercase, numbers and symbols.
  • You should also change your cPanel (control panel), WordPress, and FTP passwords on a regular basis.
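The figures quoted above can be reproduced with a short calculation. The script below is an added example, not part of the original post or of GRC’s calculator. It assumes GRC’s search-space model: the attacker has to try every string of length 1 through n over the alphabet the password draws from, at a fixed rate (1,000 guesses per second for the online attack the post describes). The 95-symbol alphabet used for the “symbols” row, the `classify` helper, and the `OFFLINE_RATE` constant are assumptions made here, not values from the post; with them the model matches the quoted times to within rounding.

```python
"""Estimate how long an exhaustive password search takes.

Added example (not from the original post). Model, assumed to match the
GRC "search space" figures quoted above: count every candidate string of
length 1..n over the alphabet, then divide by the guess rate.
"""

ONLINE_RATE = 1_000                 # guesses/second, as in the post
OFFLINE_RATE = 100_000_000_000      # assumed rate for a stolen hash (GPU-class)

DIGITS = 10                         # 0-9
ONE_CASE = 26                       # a-z
ONE_CASE_DIGITS = 36                # a-z plus 0-9
MIXED_CASE_DIGITS = 62              # a-z, A-Z, 0-9
MIXED_CASE_DIGITS_SYMBOLS = 95      # assumed: all printable ASCII


def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of strings of length 1 through max_len over the alphabet."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int,
                       rate: int = ONLINE_RATE) -> float:
    """Worst-case time (seconds) to try the whole search space."""
    return search_space(alphabet_size, max_len) / rate


def human(seconds: float) -> str:
    """Render seconds in the largest unit that fits, two decimals."""
    units = (("centuries", 3_153_600_000), ("years", 31_536_000),
             ("weeks", 604_800), ("days", 86_400), ("hours", 3_600),
             ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def classify(password: str) -> int:
    """Assumed helper: smallest alphabet the password could be drawn from.

    A cracker that sees the password is all lowercase need not try digits,
    so only character classes actually present count toward the alphabet.
    """
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(not c.isalnum() for c in password):
        size += 33                  # printable ASCII punctuation and space
    return size


def estimate(password: str, rate: int = ONLINE_RATE) -> float:
    """Seconds to exhaust the space this password sits in at the given rate."""
    return seconds_to_exhaust(classify(password), len(password), rate)


if __name__ == "__main__":
    # Rows from the post: alphabet size, length, example.
    rows = [(DIGITS, 5, "12345"), (ONE_CASE, 5, "alpha"),
            (ONE_CASE_DIGITS, 5, "alp12"), (MIXED_CASE_DIGITS, 5, "Alp12"),
            (MIXED_CASE_DIGITS, 6, "Alph12"),
            (MIXED_CASE_DIGITS_SYMBOLS, 8, "Alph12*!")]
    print(f"{'example':10} {'alphabet':>8} {'online (1k/s)':>16} {'offline':>16}")
    for size, length, example in rows:
        online = human(seconds_to_exhaust(size, length))
        offline = human(seconds_to_exhaust(size, length, OFFLINE_RATE))
        print(f"{example:10} {size:>8} {online:>16} {offline:>16}")
```

The offline column is the part the post does not show: the same 8-character symbol-laden password that survives centuries of online guessing at 1,000 per second falls to an attacker who has copied the password hashes out of the database and can test billions of guesses per second locally. That is why a strong password and a properly backed-up, patched site are complementary, not alternatives.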


  • Fantastic post. Worth the read.

  • The only quibble I have is that not all WordPress managed hosts are unreliable. Two in particular worth mentioning are WP Engine and Page.ly. They are priced pretty high for shared hosting but basically roll security services and backups (think VaultPress) into your monthly hosting fee. If you are security-conscious and/or your WP site is an income generator and you don’t know security from swiss cheese, give those two hosts a look.

  • Mark Wills

    Thanks Bev, great reading and most helpful 🙂

  • I find this post somewhat condescending. Good advice, yes, but a little less “you only got yourself to blame” attitude would go a long way.

  • Thanks Mark! Thanks Jason – I will certainly check them out soon 🙂

    Thanks Robin – sometimes I find upsetting potential “I just want to plant my WordPress site and leave” mentality more a “call to action.”

    In the real world of WordPress self-hosted sites – there is a high % of site admins that do not admin the site at all. It’s just there to generate $$$’s, and unfortunately in many cases, the unattended CMS platform ends up with something like the Blackhole Exploit Kit – which progresses to attack any vulnerable system that lands at the infected blog.

    It also affects the web community as a whole. If a person installs a self-hosted blog, I strongly believe that they better be up to par on securing it and responsible enough not to expose their “no-security” blunders to the rest of us.

    I perceive it like this: I’m driving down the freeway at 65 mph and the truck in front of me has a bunch of sheetrock that is not secured. The sheetrock flies off the truck and hits my Jeep full force and causes a pile-up, including fatalities.

    Because the person in the sheetrock truck was too lazy to secure the load – the “victims” from the accident have serious injuries and even death. What could have prevented this type of scenario?

    I’m always questioning the “why.” Why did that sheetrock kill and injure innocent drivers? Why do those “no-secure” WordPress sites infect people who simply visit their blog?

    It’s really all about taking digital “responsibility” and helping to make the global webspace safe for all 🙂

  • karen

    Good article. I am a newbie and a learning being. I have been hacked twice, each time not a difficult recovery, although a learning experience. Sorry to say that my host at level one left me to figure out some of the problem but restored my data within a couple of hours. I might add that the host should make backups of your site on a regular basis. You must be responsible for backing up your database. I would like to suggest Wordfence as a security plugin. At least I am hanging my bets on it. I am actively denying admin logins every day and blocking their attempt to intrude. I get a quirky pleasure out of doing this. Hope this helps.

    • Thanks Karen – and getting hacked is quite the tough learning experience to endure. I love Wordfence – it sends great alerts too. I also purchased the premium version (for one of my blogs) to block/redirect countries with high fraud/malicious activity and for remote scans for vulns & intrusions. Quirky tech pleasures are the best 🙂

  • Excellent!

  • Chelsea Thomas

    You have to hire a WordPress expert if you wish to fully optimize your WP site. It is good to know that there are people willing to help you. You just have to know the best experts.

    http://hirewordpressdeveloper.org/