Standing Tall in the Face of Recent WordPress Security Scares

If you’ve paid any attention at all to WordPress related news over the past month or so, you know that there have been some security vulnerabilities discovered (like this, this, and this, and yeah, this too). Not only did they affect WordPress itself, but a large number of plugins as well.

Sure, it’s serious stuff. Maybe even a little bit scary. At the end of the day, all of these security issues reflect the world we live in. The information age is wonderful, but it also means that there’s probably some bot out there trying to hack into your internet-connected toaster. Even large, expensive government networks get the same mistreatment.


That being said, is it any surprise that a website, regardless of which software platform it’s on, has vulnerabilities? I recently had an interesting conversation with a colleague about someone who created their own rudimentary content management system (CMS) to run their client’s sites. While that home-grown CMS might not necessarily be the target of as many botnets as WordPress, there’s no doubt there’s a security flaw in there somewhere.

My point is, everything and everyone is vulnerable to some degree. But here’s the thing: In large part, both the WordPress core team and larger developer community stepped up big-time during the recent issues.

Doing What’s Right, Fixing What’s Wrong

When the recent WordPress vulnerabilities were uncovered, there was quite a coordinated effort between security experts, those who develop the WordPress core, and many theme and plugin authors. Envato also stepped up immediately to notify WordPress developers selling products on the Market about the issues and provided steps they could take to rectify them.

As a result, security fixes have been coming through the pipeline at light speed. Those of us with many WordPress-powered websites to maintain have stayed busy applying those updates to ensure the latest security fixes are in place.

Overall, the situation couldn’t have been handled much better. Information was shared efficiently with a far-flung group of developers, site managers and users.

Being Proactive

While it’s wonderful that a good deal of progress has been made in sealing up these vulnerabilities, this should serve as a reminder that we all need to take steps to secure our own websites. While it may not prevent every potential issue, it can certainly harden your site against attacks.

Here are five simple things you can do:

  1. Turn off comments if you aren’t using them. One of the recent exploits revealed was related to malicious code running inside comments. WordPress installs have comments enabled by default. If you aren’t using them on your site, turn them off by going to Settings > Discussion inside the WordPress admin. If you are using comments, make sure to use a plugin such as Akismet or Anti-Spam Bee to block out spammers.
  2. Change the default WordPress table prefix. This is a step aimed at experienced developers. By default, WordPress has a database table prefix of "wp_". Bots look for such identifiers to find which sites they can attack. A simple change to, well, just about anything other than the default can help.
  3. Please, strengthen that password. I know, we all like to have short passwords that are easy to remember. Bots love them too. Make your passwords long and as unintelligible as possible. Write it down, keep it in a safe place at home (unless you live with a bot). Let your browser remember it. Just stop using ‘password1’.
  4. Deactivate and remove unwanted plugins. Maybe you tried out a few similar plugins on your site until you found one you like. Perhaps they’re still sitting there, active and well out-of-date. You might have some plugins that aren’t even being developed anymore. Clean out the ones you no longer need.
  5. Install a security plugin. There are many outstanding security plugins available for WordPress. And, if you run Jetpack, they’ve recently added a "Protect" feature that will help stifle brute-force attacks.
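Steps 2 and 4 above can be checked rather than eyeballed. The following is an added example, not code from the original post: it reads the `$table_prefix` line out of a wp-config.php fragment and flags plugins in an inventory that are inactive or have not been updated in a year. The config text, the plugin records and their dates are constructed for the example; the `audit` and `table_prefix` function names are assumptions.

```python
import re
from datetime import date

# Constructed wp-config.php fragment: a stock install still using the default prefix.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
$table_prefix = 'wp_';
"""

# Constructed plugin inventory (name, whether active, date of last update).
SAMPLE_PLUGINS = [
    {"name": "akismet", "active": True, "last_updated": date(2015, 4, 20)},
    {"name": "old-slider", "active": False, "last_updated": date(2013, 1, 5)},
    {"name": "abandoned-gallery", "active": True, "last_updated": date(2012, 6, 1)},
]

# Matches $table_prefix = 'xyz_'; with either quote style.
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def table_prefix(config_text):
    """Return the configured table prefix, or None if the line is missing."""
    match = PREFIX_RE.search(config_text)
    return match.group(1) if match else None


def audit(config_text, plugins, today, stale_days=365):
    """Return a list of findings for the default prefix and unwanted or stale plugins."""
    findings = []
    prefix = table_prefix(config_text)
    if prefix is None:
        findings.append("table prefix not found in wp-config.php")
    elif prefix == "wp_":
        findings.append("default table prefix 'wp_' in use")
    for plugin in plugins:
        if not plugin["active"]:
            # Installed but inactive: remove it rather than leave old code on disk.
            findings.append(f"inactive plugin installed: {plugin['name']}")
        if (today - plugin["last_updated"]).days > stale_days:
            findings.append(f"plugin not updated in over {stale_days} days: {plugin['name']}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WP_CONFIG, SAMPLE_PLUGINS, date(2015, 5, 1)):
        print(line)
```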

Don’t Feel Insecure

All of this security talk has reminded me of a line from Eels, one of my favorite bands:

"a careful man tries to dodge the bullets, while a happy man takes a walk…"

In other words, it’s easy to hide in the corner and not want to come out when security issues arise. But the fact is, that’s the complete opposite of what you should do and the opposite of what the WordPress community did.

The best thing all of us can do is to stay vigilant, stand up and knock out one bug at a time.

Image Source: Internet Security Icon via Shutterstock.

Comments

  • Luke Pettway

    I always try to remember that there is no such thing as a secure system, just varying degrees of difficulty to attack them. WordPress out of the box already has some decent security within its infrastructure and with a few security plugins and enabling SSL on the login form, you are pretty much good to go. The recent update to the way updates roll out is a huge step in the right direction as it makes patching faster and more effective.

    Most of the time I see a hacked site it is because the site is out of date or they are using a plugin that had a poorly secured codebase. I cannot emphasize enough how important it is to check out the code of any plugin you are using. I know it is a pain in the butt, however it can really save you down the road, especially if it is something you plan on using a lot. Don’t be afraid to reach out to the developer of the theme or plugin and ask them if they have had their code audited; many authors are more than happy to let you know.

    Ask yourself if you really need to use a plugin or if you can use a JavaScript framework and Advanced Custom Fields to do what you want. Your client isn’t going to use even 1/3 of the features that a slider plugin has, so why bloat your site with it and leave it open for attacks?

  • karks88

    Many good points, Luke. I have started to rely on a few more tried and true commercial and free plugins when building sites. Items that get updated more often are my first choice. If you don’t really need it, don’t use it!

    Unfortunately, there’s most likely never going to be an “unhackable” site, regardless of which CMS we choose.