Note from the editor: Bev Robb, aka teksquisite, is a new Expert contributor to the EE Tech News blog. She is an IT consultant with nearly 20 years of experience in Internet Security, software, networking, social media, and more.
If you opt for a self-hosted WordPress blog, there are a few things you should know before you install it. Perhaps you have read “Self-hosting your WordPress site in ten easy steps” (or something equivalent)? Did it say anything about how to secure your new blog? Probably not. Self-hosted WordPress blogs launched for the sole purpose of blackhat affiliate marketing are a dime a dozen.
During the summer of 2012, SophosLabs intercepted a major malware campaign. Because many WordPress admins had not secured their sites, attackers were able to surreptitiously plant code on vulnerable sites that sent visitors to the Blackhole exploit kit. They used two main stealth techniques to infect the sites:
- Malicious iFrames
Whether the attackers got in through weak passwords, through vulnerabilities in the WordPress core, plugins or themes, or through script injection, every compromised site was insecure and practically invited the hack. WordPress admins, listen up: lax security practices on your WordPress site are a strong factor in propagating these attacks.
If you are clueless about the WordPress core, plugins, themes, phpMyAdmin, and regular WordPress site maintenance and security, you would be doing the web a favor by hosting your blog on WordPress.com instead (it is free). If you are serious about learning how to harden and secure a WordPress blog, this post is for you.
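A quick check a site admin can run for the kind of injection described above, added here as an example (it is not code from the original post or from SophosLabs): it scans theme or plugin files for iframes that are hidden by CSS or sized to be invisible, and for `eval()` wrapped around a decoder, the usual shape of an injected PHP backdoor. The sample footer markup, the hostname `blog.example` and the `malicious.invalid` URL are constructed for the example; a normal, visible video embed is included so the check does not flag legitimate off-site iframes.

```python
"""Scan WordPress theme/plugin files for injected hidden iframes and obfuscated
PHP payloads.  Added example; the heuristics are illustrative, not exhaustive."""
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

SITE_HOST = "blog.example"   # assumed hostname of the site being checked

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# eval() around a decoder is the classic shape of an injected PHP backdoor
OBFUSCATED_PHP = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def parse_attrs(tag):
    """Return the tag's attributes as a lower-cased name -> value dict."""
    return {name.lower(): dq or sq or bare
            for name, dq, sq, bare in ATTR.findall(tag)}


def is_tiny(value):
    """True for width/height values of 0 or 1 (pixels): effectively invisible."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def iframe_reasons(tag):
    """Why an <iframe> looks injected; empty list for a normal visible embed."""
    attrs = parse_attrs(tag)
    reasons = []
    if is_tiny(attrs.get("width", "")) or is_tiny(attrs.get("height", "")):
        reasons.append("near-zero size")
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden by CSS")
    if not reasons:
        return []   # visible embeds (video players etc.) are normal theme content
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != SITE_HOST:
        reasons.append(f"off-site src {host}")
    return reasons


def scan(text):
    """Return (kind, snippet, reasons) for every suspicious construct in text."""
    findings = []
    for m in IFRAME_TAG.finditer(text):
        reasons = iframe_reasons(m.group(0))
        if reasons:
            findings.append(("iframe", m.group(0), reasons))
    for m in OBFUSCATED_PHP.finditer(text):
        findings.append(("php", m.group(0), ["eval of a decoded payload"]))
    return findings


def scan_tree(root):
    """Scan every .php/.js/.html file below root (e.g. wp-content)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix in {".php", ".js", ".html"} and path.is_file():
            found = scan(path.read_text(errors="replace"))
            if found:
                results[str(path)] = found
    return results


# Constructed samples: a clean footer with a legitimate video embed, the same
# footer with a 1x1 hidden iframe of the kind the 2012 campaign used, and an
# obfuscated PHP snippet (the base64 here just decodes to "echo 1;").
CLEAN_FOOTER = """<div class="video"><iframe width="560" height="315"
 src="https://www.youtube.com/embed/xyz" frameborder="0"></iframe></div>
<?php wp_footer(); ?>
</body></html>"""
INJECTED_FOOTER = CLEAN_FOOTER.replace(
    "</body>",
    '<iframe src="http://malicious.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden;position:absolute;"></iframe></body>')
INJECTED_PHP = '<?php eval(base64_decode("ZWNobyAxOw==")); ?>'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = {"(sample)": scan(INJECTED_FOOTER) + scan(INJECTED_PHP)}
    for name, found in results.items():
        for kind, snippet, reasons in found:
            print(f"{name}: {kind}: {', '.join(reasons)}\n    {snippet[:100]}")
```

Run it with the path to your `wp-content` directory as the only argument; with no argument it scans the constructed samples. A hit is a reason to diff the file against a fresh copy of the theme or plugin, not proof of compromise on its own, and a clean result does not prove the site is clean: injected code can also live in the database (posts, widgets, options) and in files this scan does not read.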
Running a self-hosted blog comes with a list of responsibilities. It is not like you can merely install it and be done with it. Your first priority should be to familiarize yourself with the WordPress CMS (Content Management System) platform, along with the pros and cons of self-hosting.
You should also be technically savvy and aware of the various ways to harden a WordPress installation. You will be responsible for technical maintenance (backend configuration, backups, blog security, logs, spam filtering, and core upgrades and plugin updates). Your choice of whether or not to secure your site makes you directly responsible to the web community as a whole.
Hosting your blog
Choosing the right host can affect the security of your blog. In the past I have been the victim of two WordPress hacks. At the time of the first hack, I was on a managed VPS. All maintenance and administrative tasks (including software updates) were administered by the hosting provider. In my case, the software was rarely updated.
Take the time to find a reputable and reliable hosting service – do your research first. You don’t want to end up on a server that is easily compromised, is slow to update software, has bad tech support, or has too much down time. The fact that hackers and cybercriminals favor targeting WordPress is for the same reason they favor exploiting Microsoft Windows – it’s popular!
WordPress.org recommends Bluehost, Dreamhost, or Laughing Squid. I’ve had great success hosting the majority of my blogs at Namecheap. You should look for the following five features in a potential hosting provider:
- Server reliability of 99.99% uptime
- cPanel hosting
- 24/7 customer support
- Money-back guarantee
- Awesome hosting reviews
There are hundreds of thousands of web hosts out there, the vast majority of which meet the WordPress minimum requirements, and choosing one from the crowd can be a chore. Just like flowers need the right environment to grow, WordPress works best when it’s in a rich hosting environment. —WordPress.org
Securing your blog
From the moment you install WordPress, you should be thinking about security. Forget about all the ads and profits you hope to gain from publishing the viral top 10; SEO, reputation and page rank take time. If your blog gets blacklisted before it even gets off the ground, you have only yourself to blame. Hosting an unsecured blog is like graduating from the Edith Bunker school of driving. If all you know is how to press a Softaculous automation button, and you don’t know the why behind the process, it is time to dump Edith Bunker and go to a real driving school. Seriously. Do you get my gist?
I have seen a lot of site admins downplay the importance of updating CMS software and hardening company WordPress blogs. This is especially prevalent with small businesses and start-ups that rely solely on development teams to schedule site updates and releases.
I’ve also seen many home businesses slap together self-hosted WordPress blogs (because they noticed that cPanel had a Fantastico, Softaculous or Installatron autoinstaller), and they think that all they have to do is populate the blog with posts, widgets and plugins. Sadly, they never really do their security homework. It is the responsibility of every site admin to maintain a secure site that is free of malware links and other nasty code.
The Top 10 Security Mistakes
Six months ago I wrote the Top 10 Security Mistakes That Self-Hosted WordPress Blogs Make over at the AntJanus blog. Since the information is still applicable and I am not a gal who likes to reinvent the wheel, I am going to post these WordPress security bytes here.
According to Forbes, one out of every 6 websites on the Internet is powered by WordPress (nearly 60 million in all), with 100,000 more popping up each day. WordPress.com currently hosts over 62.5 million blogs. As of this writing, WordPress stats did not include the number of self-hosted blogs, but rest assured there are many of us! I’ve been using WordPress since Gold days and it only gets better with each release.
1. Managing a WordPress site from a friend’s/public computer or insecure/public Wi-Fi
Always log in to your site over a secure (HTTPS) connection, from a computer you control. You never know what could be lurking on someone else’s computer, from keyloggers to password-stealing Trojans. The same goes for logging in over unsecured Wi-Fi: on an open network, anyone nearby can read a plain HTTP login. You can make WordPress insist on HTTPS for the login page and the dashboard by setting the FORCE_SSL_ADMIN constant to true in wp-config.php.
2. The use of weak passwords
Last March (2012), when 30,000 WordPress blogs became infected with rogue antivirus, many of the blogs had weak administrative passwords, were outdated, or had vulnerable plugins. Forget about using weak passwords, and never reuse the same password across multiple sites!
- How long would an online attacker running a password cracker at 1,000 guesses per second take to find your password? GRC’s Password Haystacks calculator gives these figures for a password that is 5 characters long and uses:
  - Just numbers: time to “crack” = 1.85 minutes (Example: 12345).
  - The full alphabet, but not mixed case: time to “crack” = 3.43 hours (Example: alpha).
  - The full alphabet and the numbers 0 through 9, but not mixed case: time to “crack” = 17.28 hours (Example: alp12).
  - The full alphabet and numbers with mixed case: time to “crack” = 1.54 weeks (Example: Alp12).
- Length matters even more than the character set:
  - Keeping the alphabet, numbers and mixed case but using 6 characters instead of 5, the time to “crack” jumps to 1.84 years (Example: Alph12).
  - At 8 characters, with symbols like # % & * thrown in, the time to “crack” jumps to 2.13 thousand centuries (Example: Alph12*!). –The Cocoon Blog
- Use a combination of uppercase, lowercase, numbers and symbols, and make the password long.
- You should also change your cPanel (control panel), WordPress and FTP passwords on a regular basis.
- Two caveats on those figures: they assume the attacker has to try every combination, so a password built from a word plus a few digits and symbols (like the examples above) falls far sooner to a wordlist attack with mangling rules; and they assume an online attack at 1,000 guesses per second, which WordPress does nothing to throttle by default, whereas an attacker who has stolen your database can test password hashes offline many millions of times faster.
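The arithmetic behind the figures quoted above, as an added example (not code from the post, from GRC or from The Cocoon Blog). It counts the search space the way the Haystacks calculator does, as every password of one up to the given length, and reports it in the same units; the 10^11 guesses per second offline rate is GRC’s “offline fast attack” scenario for a fast unsalted hash, included to show how the same passwords fare once a hash is stolen. The example passwords are the ones quoted above.

```python
"""Time-to-crack arithmetic in the style of GRC's Password Haystacks calculator.
Added example, not code from the post or from GRC."""

ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "mixed case+digits+symbols": 95,   # all printable ASCII characters
}

ONLINE_RATE = 1_000                 # guesses/s, the online scenario quoted above
OFFLINE_RATE = 100_000_000_000      # guesses/s, GRC's "offline fast attack" scenario

# (unit name, seconds per unit), largest first, with 365-day years
UNITS = [("thousand centuries", 3_153_600_000_000), ("centuries", 3_153_600_000),
         ("years", 31_536_000), ("weeks", 604_800), ("days", 86_400),
         ("hours", 3_600), ("minutes", 60), ("seconds", 1)]


def search_space(alphabet_size, length):
    """Number of passwords of 1..length characters: the attacker does not know
    the length in advance, so every shorter candidate is tried too."""
    return sum(alphabet_size ** k for k in range(1, length + 1))


def seconds_to_crack(alphabet, length, rate):
    """Worst-case time to exhaust the space at `rate` guesses per second."""
    return search_space(ALPHABETS[alphabet], length) / rate


def human(seconds):
    """Format like the quoted figures: two decimals in the largest unit >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2g} seconds"


# The cases quoted above: (character set, length, example password)
PAGE_CASES = [("digits", 5, "12345"), ("lowercase", 5, "alpha"),
              ("lowercase+digits", 5, "alp12"), ("mixed case+digits", 5, "Alp12"),
              ("mixed case+digits", 6, "Alph12"),
              ("mixed case+digits+symbols", 8, "Alph12*!")]


def report(rate=ONLINE_RATE):
    """Map each example password to its formatted worst-case crack time."""
    return {example: human(seconds_to_crack(alphabet, length, rate))
            for alphabet, length, example in PAGE_CASES}


if __name__ == "__main__":
    online, offline = report(ONLINE_RATE), report(OFFLINE_RATE)
    for example in online:
        print(f"{example:10} online: {online[example]:>24}   offline: {offline[example]}")
```

The online column reproduces the quoted figures (the 6-character case comes out at 1.83 years rather than 1.84, a rounding difference). The offline column is the point: the same 8-character password that takes “2.13 thousand centuries” online falls in about 18.6 hours once the attacker can test a fast hash at 10^11 guesses per second. WordPress stores its password hashes in the wp_users table using phpass, which is salted and stretched and therefore slower to attack than a plain fast hash, but a stolen database still turns the problem into an offline one that no login rate limit can help with. The model also assumes exhaustive search; “Alph12*!” is a word with digits and symbols appended, a pattern that rule-based wordlist attacks try long before they fall back to brute force.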