WordPress Security for Small Business Owners
It's no secret that WordPress has taken the web world by storm. A quick Google search of the phrase "WordPress is awesome" yields 113 million results. Awesome is an understatement considering WordPress runs 22 out of 100 new websites in the US, and currently holds nearly 54% of the CMS market share. This easy-to-use, SEO power-packed, and customizable platform is a must for any small business owner. The only problem? Hackers have latched on to this amazingly powerful tool to take advantage of those trying to move their business forward.

We've noticed in our 16 years of web development that there's a lot of information online on how to build WordPress websites, but not so much practical information on how to protect WordPress. So we've developed "WordPress Security for Small Business Owners" to help safeguard sites from permanent data loss, expensive security audits, damage to online reputation, and battles with hackers.

This ebook was designed to help a normal person protect their website. It's not written to impress other techno-nerds with our extensive knowledge of jargon. It's instead broken up into 3 phases, so readers can protect their websites depending on their own personal needs.

The first phase consists of securing the foundation. Topics Covered:
- Hardening WordPress Authentication
- Moving wp-config.php file
- Scheduling Regular Backups
- Performing Updates and Upgrades

The second phase covers preventative maintenance. Topics Covered:
- Eliminating Spam Comments
- Limiting Login Attempts
- File Monitoring

The third phase, although it may be a sensitive subject, is for those who have already been hacked. Topics Covered:
- Checking Machine & Changing Passwords
- Removing Infected Files
- Reinstating the Latest Clean Site Version
- Performing and Testing Security Measures

And as a bonus, we've added a section that addresses extreme security needs. This section covers how to password protect the admin directory, and how to modify the content directory.
- 1. 1 Table of Contents
- First Things First - WordPress.com vs. WordPress.org
- WordPress: The Most Hacked CMS Available?
- The Problem
- The Reasons
- The Proof
- Don't Throw the Baby Out With The Bathwater
- Why We Love WordPress
- The Solution
- Hardening WordPress
- No Security Is Ever 100%
- The Plan (3 Phases)
- Phase 1: Secure Your Foundation
  - Harden WordPress Authentication
  - Move the wp-config.php File
  - Schedule Regular Backups
  - Perform All Updates & Upgrades
  - Secure File & Directory Permissions
  - Remove the Version Number
  - Clean Up User Profiles
- Phase 2: Preventive Maintenance
  - Eliminate Spam Comments
  - Limit Login Attempts
  - File Monitoring
- Phase 3: Already Hacked?
  - Stay Calm
  - Check Your Machine & Change Passwords
  - Remove Infected Files
  - Reinstate the Latest Known Clean Version Of The Site
  - Perform & Test All Security Measures
- Extreme Security Measures
  - Password Protect Admin Directory
  - Modify Your Content Directory
- Next Steps
- Your Checklist
- Resources
- Glossary
- About the Author
- 2. 2 First Things First: WordPress.com vs. WordPress.org

WordPress, as a software platform, really comes in two flavors.

WordPress.com
The online version of WordPress allows users to quickly create their own blogs in a matter of minutes. There are approximately 200 templates to choose from and they can be customized. WordPress.com does not allow you to add new plugins or modify the code at all. This can really limit the flexibility for small business owners.

WordPress.org
This version requires the software to be installed and hosted by you but allows you to upload your own themes, upload plugins and most importantly, have complete access to the code so that you can modify the software to fit your exact needs. For small business owners, with expansion and flexibility in mind, this is the flavor of choice. For more information on the differences between WordPress.com and WordPress.org click here.

This ebook largely deals with plugin and setup security for those that are using their own self-hosted version of WordPress. Many of the takeaways are applicable to any content management system (CMS), but the tasks and language are specific to the WordPress.org backend.
- 3. 3 WordPress: One Of The Most Hacked CMS Of 2013!

Let me start off by saying: I love WordPress. As a web developer with over 14 years of experience, WordPress has turned into my company's go-to publishing platform for most of our clients' sites. Why? Because it works! Over the past few years we have built over one hundred WordPress websites and we still use it to this day. That isn't to say that all great things don't have flaws... Case In Point: Pizza with Anchovies. Yuck!
- 4. 4 The Problem

As business owners, we typically run around wearing many different hats. We get in early and we work late. We work weekends and holidays. We don't have a whole lot of extra time and money to be wasting in areas that don't help our businesses. Unfortunately, one of the areas that is almost never a concern (until it is too late) is website security. Like identity theft in the personal realm, website security breaches have drastic implications for site owners. A compromised website can cost its owner:

Time
Many website owners do not take the proper precautions against website hacking, so recovering from a hacked site can be time consuming. Often, businesses have to start from scratch.

Money
Once your site is compromised, it has to be fixed. Whether you hire a web developer at $100 an hour or a security expert at $250 an hour, these charges add up and they add up fast.

Reputation
The most devastating loss for any business owner when their site is hacked is loss of online reputation. Even though you aren't the one performing the malicious acts, you could still suffer from decreased email deliverability and loss of search engine placement.

Additional consequences of a compromised website include (but aren't limited to):
- Having your website completely blacklisted from search engines
- Decrease in page rank which directly impacts where you show up in the search results
- Having your hosting account shut down or suspended until the site is fixed
- Exposure of your site visitors to malicious software
- Loss of web content
- Instant loss of confidence in your web site visitors

From one business owner to another... Think about it. How much spare time (money, energy, resources, traffic, leads...) do you really have?
- 5. 5 The Reasons

Let's get this part clear: every server and every website in the world faces hacking attempts. However, WordPress is now being singled out for a couple of reasons:

Popularity
According to Google Trends, WordPress is the fastest growing web-publishing platform available. In 2012, WordPress ran on nearly 73,500,000 websites around the world. It powers 22 out of every 100 new websites in the US and currently holds nearly 54% of the content management system (CMS) market share.

Open Source
WordPress is vulnerable to compromises because the software is open source. Because the code is open to everyone, a large developer community exists where programmers from around the world are constantly adding plugins and extensions that make WordPress a more powerful tool for small businesses. The downside of open source software is that hackers from around the globe ALSO have access to the code. The second a new distribution is released, these jerks start poring through the code looking for ways to exploit it.

The Proof
Although WordPress developers work extremely hard to keep hackers out, they still manage to find ways in. According to the National Vulnerability Database at the National Institute of Standards and Technology, WordPress is one of the most vulnerable open-source CMS platforms. And although the table below was created in Q1 of 2013, WordPress, Joomla!, and Drupal have already had their fair share of vulnerabilities. For additional information, check out Yoast.com's "WordPress: A Global Phenomenon" Infographic.

2013 2012 2011 2010 2009 2008 6 22 58 11 45 2 33 38 114 50 11 1693477 1020 4 34
- 6. 6 If WordPress is the most exploited CMS being used today, the answer is simple... STOP using WordPress, right? Not so fast!

My grandmother used to say ... "Don't Throw the Baby Out With the Bathwater." I always thought she was just a little crazy, but apparently this is a common idiom dating back over 500 years. (Check it out here) What Gram was saying was: Don't get rid of something good, just because there are some parts you aren't happy with. Let's take a few seconds and remember why we chose WordPress in the first place.

6 Reasons to Love WordPress!
- Great functionality out of the box
- Free to download at WordPress.org
- Search engine optimized
- Easily extendable with thousands of plugins
- Constant development (it is getting better)
- You can DIY (do it yourself)

Abandonment isn't the solution, being prepared is. As a web developer that has built custom content management systems for over a decade, I can honestly say, WordPress is a great tool. We shouldn't be afraid to use it. As business owners, we just need to be smart when we implement it. Smart implementation means secure implementation.
- 7. 7 The Solution

Now we know WordPress is going to be our content management system of choice.

Question: How can we take advantage of all that WordPress offers us while at the same time keeping our systems and websites locked down and secure?
Answer: System hardening.

Hardening
In computing, hardening a system refers to the process of securing a system by reducing its surface of vulnerability. The lower the number of vulnerabilities, the more secure the system becomes. The steps outlined in this ebook help you lower your site's vulnerabilities.

No Security is Ever 100%
The FBI, the White House, and the Department of Justice have all been hacked. You're thinking, "The FBI?! Really? Security is their thing and they still got hacked? Well, I must be doomed." No offense, but you're probably not the focus of those kinds of hackers. The people we are more concerned with are opportunistic hackers looking to make money by placing hidden links on your site, using your mail server to send out spam, or through other malicious activities. What makes these guys (and gals) easy to deter is the fact that they're lazy. They write programs that automatically scan the Internet looking for sites that meet specific criteria (i.e. specific software versions, default usernames and passwords). Once these sites are identified, the hackers go to work.
- 8. 8 The Plan: 3 Phases

To deter hackers, we will implement a three-phase strategy. Everybody will perform the first two phases. The third phase is saved for those whose website has already been compromised (hacked). Again, although this ebook has been written with WordPress in mind, these steps are valid for any modern-day content management system.

PHASE 1: Secure Your Foundation
When WordPress was initially installed on your web host (where you purchased your hosting, sites like GoDaddy, Bluehost, or DreamHost) certain default values were likely used. The first phase of the security plan is to go through your current installation and make these default values more secure.

PHASE 2: Preventive Maintenance
Once we have your WordPress foundation secured, we want to look at your site the way hackers do. We will eliminate spam, block spammy comments, add CAPTCHAs to forms, limit login attempts, etc. These are all steps that we will take to reduce our surface of vulnerability.

PHASE 3: Already Hacked?
Last but not least, if your site has already been compromised, we will walk you through the process of regaining control and implementing tactics that reduce the chance of future infections.
- 9. 9 Phase 1: Secure Your Foundation

Hardening the foundation of a WordPress installation is a relatively simple but tedious task. While not incredibly technical in nature, it is very important that whoever performs these functions understands the basic workings of WordPress and the site's database. The following is a brief list of actions to perform.

Harden WordPress Authentication
Authentication (requirement of a user name or password) is your first line of defense against unauthorized users gaining access to your site. Below is a list of the authentication elements that you should change.
- Database Name
- Administrative Username
- Database Table Prefixes
- Administrative Password
- Database Username
- Cookie Encryption
- Database Password
- Force SSL Login (If SSL)

Move the wp-config.php File
In WordPress, the wp-config.php file lives in the directory where you loaded the software. It contains all of the pertinent connection information about your WordPress site including database name, database username, database passwords, database table prefixes, etc. If an unauthorized user gains access to this file they will have complete control of your database. WordPress allows you to move this file up one directory in your hosting server without having to change any configuration variables or templates. Do it.

Schedule Regular Backups
The single largest part of being prepared for a website compromise is having backup files ready that you know are safe. Backup files should be complete, clean and easy to access. Make sure that when you create your backup files you back up both the WordPress files AND the WordPress database. In the event of a total corruption you may need both. WordPress file backups are typically scheduled through your hosting control panel and WordPress database backups can easily be scheduled through a WordPress plugin like WP DB Backup.

DEVELOPER TIP: FREE Gmail accounts are a great place for backups to automatically be sent.
- 10. 10 Perform All Updates & Upgrades

Upgrades and updates to WordPress, your theme, and any plugins that you have running on your site are usually done for one of three reasons:
- To add new functionality
- To fix a bug
- As a security patch

Make sure you stay on top of these updates ESPECIALLY when security issues are involved. WordPress is great about notifying users of available updates on their dashboards. Additional information can be seen here in a video we shot for Black Dog Education.

Secure File & Directory Permissions
File and directory permissions are used to determine which users can do certain things to your files. Some can edit, some can read and some can execute. Double check your permissions:
- PHP files should be set to 644
- Directories should be set to 755
- Uploads directories will likely need to be set at 777

Permissions can be modified by some FTP programs or through your web host's online file manager. BE CAREFUL: Incorrect permissions can cause your site to stop working.

Remove the Version Number
The fastest way for a hacker to know how to compromise your website is to know what version of WordPress you are using. By default, WordPress tells them exactly what they need to know with a little snippet of code that looks like this:

Most places will instruct you to remove the version from the header.php file but this isn't the only place this shows up. Depending on your theme and version it can also show up in your RSS feeds among other places. To read more about the proper way to remove this code throughout multiple files, check out our blog post about it here.

Clean Up User Profiles
The last step in this phase of your security audit is to clean up the user profiles. By default, WordPress comes with a user by the name "admin". We know this and so do the hackers. The best way that we can make it difficult for these guys to get in is to delete this default user.
We always want to have at least one, preferably two, users with administrative privileges on the system so once you remove the user admin, make sure you replace that user wi...
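
The Phase 1 file checks above (where wp-config.php lives, and the 644/755 permission values) can be run as a read-only audit. The script below is an added example, not part of the ebook; the function names, the finding labels and the demo directory tree are constructed for illustration, and it assumes the default wp-content/uploads location.

```shell
#!/bin/sh
# Added example, not from the ebook. Read-only audit of the Phase 1 values:
# PHP files 644, directories 755, wp-config.php one directory above the site.

# List PHP files whose mode is not exactly 644.
php_files_off_spec() {
  find "$1" -type f -name '*.php' ! -perm 644
}

# List directories whose mode is not exactly 755. The uploads tree is
# skipped because the ebook allows a different mode there.
dirs_off_spec() {
  find "$1" -type d ! -perm 755 \
    ! -path "$1/wp-content/uploads" ! -path "$1/wp-content/uploads/*"
}

# Print where wp-config.php lives: webroot, parent or missing.
config_location() {
  if [ -f "$1/wp-config.php" ]; then echo webroot
  elif [ -f "$1/../wp-config.php" ]; then echo parent
  else echo missing
  fi
}

# Print one line per finding; return 0 when clean, 1 otherwise.
audit_wp() {
  root=${1%/}
  loc=$(config_location "$root")
  findings=$(
    php_files_off_spec "$root" | sed 's/^/php-mode: /'
    dirs_off_spec "$root" | sed 's/^/dir-mode: /'
    [ "$loc" = parent ] || echo "wp-config: $loc"
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed demo tree: one loose PHP file, one loose directory,
# wp-config.php still in the install directory.
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/uploads" "$demo/site/wp-admin"
: > "$demo/site/wp-config.php"; : > "$demo/site/index.php"
chmod 755 "$demo/site" "$demo/site/wp-content"
chmod 777 "$demo/site/wp-content/uploads" "$demo/site/wp-admin"
chmod 644 "$demo/site/wp-config.php"; chmod 666 "$demo/site/index.php"
audit_wp "$demo/site" || true
rm -rf "$demo"
```

Point `audit_wp` at the directory where WordPress is installed; it changes nothing, so any fixes are still made by hand through FTP or the host's file manager as described above.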