WordPress Security 101

Last Wednesday I delivered a presentation entitled “WordPress Security 101” which got the discussions started in earnest about WordPress Security among our team.

Here are the takeaways:
  • Keep your blog up to date
  • Don’t use plugins that aren’t in general public use unless you know who wrote them or have thoroughly reviewed the code
  • Forms for reader upload/feedback are the single biggest point of attack – be sure if you code one you use the WordPress “Nonce” function to keep junk off your server
  • Watch out for other programs you may add to your site
  • Keep up to date on both OS and DB – if your host doesn’t do this, get a new host
  • Keep your WordPress installation up to date.  Recent versions will warn you that there is an update available
  • Remove the XML-RPC file if you don’t use an external blog editing program.
The problem we face is that WordPress is an open source program, hence it’s code base and db schema are generally known items.  Since it is in wide use, it is frequent target for attacks.  The good news is that it is patched quickly when vulnerabilities arise.  However, many bloggers never update – I could show you several 1.x level installations – and these are highly insecure.
Let’s get up to date people…and for God’s sake make sure  you get a backup of your database weekly, as well as keeping a local copy of your wp-content/uploads folder – that will allow you to recreate the site if the worst happens.