Head Slapping WordPress Security with Expert Chris Burgess
This article was also edited by Jeff Smith. Thanks for making SitePoint content the best it can be!
Handling WordPress Security: A Recap
WordPress security isn’t a term most people get excited about. It’s a tricky topic which generally goes hand in hand with fear. Fear in wondering if you’re doing enough for your site, whether it’s done correctly, or even at all.
A couple of weeks ago we held a webinar with Chris Burgess on SitePoint to discuss WordPress security and how you can start making your site secure. We looked at:
- Common myths and misconceptions.
- What made WordPress an easy target.
- What motivated attackers and how they attack sites.
Most importantly we also looked at:
- What you can do to strengthen the security of your site.
- How you can avoid common WordPress security risks.
One thing we should all understand and take away from our webinar is that security is critical. It isn’t a product — it’s a process! We didn’t just let Chris do all the speaking; you also got involved! It was great to see so much activity in the chat room. Viewers were asking Chris questions and answering each other’s questions. It became a WordPress ecosystem full of thriving discussions, so let’s jump into some of those.
What You Asked Chris
Q: What do you mean by manually harden?
Chris: What a lot of security plugins will do is make configuration changes to the hosting environment and the server configuration. This stops people from being able to download files or view files, and restricts access – this kind of thing. Did you know this can be done yourself, if you know what files to change? If you don’t, there are quite a few popular blogs, repositories, and recipes that people use for hardening WordPress sites. A good place to start is the official documentation, called the WordPress Codex, specifically the section dedicated to hardening WordPress.
I’ve met a few people that say, “Look, I don’t trust security plugins, I prefer to do it myself.” This is great, but you need to know what you’re doing and be prepared to put in the time. From my perspective, security plugins do a lot of the heavy lifting in a fraction of the time. Plus, they also give you other added benefits. For example, they can give you auditing and reporting, and if you’re working in a group environment, it helps to be able to have these features. You also need to consider that the security plugins are becoming more complex to protect against a growing number of threats, so there’s a lot of functionality behind the scenes. Still, if you enjoy doing the work yourself, and if you really want to get your hands dirty, you can do it! Just be prepared to put in the time.
Q: Even after hiding my /wp-admin location, my site is still being attacked by login attempts. Are these bots, and what can I do to prevent them?
Chris: That’s a really brilliant question! It’s also why the WordPress Codex has information about brute force attacks.
There are a few different schools of thought on how to tackle brute force attacks. All public-facing sites are constantly getting probed, but for the most part these can be blocked using the popular security plugins. Security plugins can be configured to block someone after a certain number of incorrect attempts. You can increase the sensitivity of this; for example, you could lock someone out after only a few incorrect attempts.
There are also things you can do at the server level. There are also DNS services that will filter a lot of bad traffic, which can also help block harvesting and spam bots. Some of the popular DNS providers will filter some of this bad traffic even before it hits your server. These services can also often help with performance.
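The following added example, which is not from the webinar or from any security plugin, applies the lock-out-after-a-few-attempts rule described above to web server access logs. It assumes the default `/wp-login.php` path and that a failed login returns HTTP 200 while a successful one redirects with 302; the log lines, thresholds, and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines; IPs come from documentation ranges.
SAMPLE_LOG = '''\
192.0.2.55 - - [12/Mar/2024:09:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
192.0.2.55 - - [12/Mar/2024:09:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
203.0.113.7 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
198.51.100.20 - - [12/Mar/2024:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1500
198.51.100.20 - - [12/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
198.51.100.20 - - [12/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [12/Mar/2024:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1820
'''

# client IP, timestamp, method, path, status from a common/combined log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_failed_login(method, path, status):
    # Assumption: a bad password re-renders the login form (200);
    # a good one redirects to the dashboard (302).
    return (method == "POST"
            and path.split("?")[0].endswith("/wp-login.php")
            and status == 200)

def find_lockouts(log_text, max_attempts=3, window=timedelta(minutes=5)):
    """Return {ip: time of the attempt that crossed the threshold}."""
    recent = defaultdict(deque)   # per-IP failure times inside the window
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not access-log entries
        ip, ts, method, path, status = m.groups()
        if ip in locked or not is_failed_login(method, path, int(status)):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:
            attempts.popleft()    # forget failures older than the window
        if len(attempts) >= max_attempts:
            locked[ip] = when
    return locked

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} (threshold crossed at {when.isoformat()})")
```

Lowering `max_attempts` or widening `window` makes the rule more sensitive; the slow client at 192.0.2.55 stays under the default window, which shows why a short window alone does not catch low-rate guessing.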
Q: What are the first steps you should take when inheriting a WordPress site?
Chris: The first thing that I would do is make sure you’ve read the WordPress Codex guide on hardening WordPress so you’ve covered the basics and that all of the basic best practices are covered.
- There’s no “admin” username, use a strong password, restrict who has admin access.
- There’s a security plugin installed (and run a full scan).
- WordPress (including all themes and plugins) has been updated.
- Remove all unused plugins or themes.
I’d recommend auditing the site and looking into what plugins are being used. This can sometimes be a bit subjective and come down to preference. I tend to be as ruthless as possible when it comes to using plugins — there’s just so many out there! Try and stick to using only plugins by the most reputable developers that you can find. That doesn’t mean that it’s a company. There are developers that have really good reputations of being able to fix things quickly or have great support. These are the kinds of things to look for.
A checklist of what you should do when you’re inheriting a site:
- You’ve backed up your site, at least to a point where you can roll it back to how it was when you got it. That’s probably the important thing.
- Following the best practices would be my first thing; the community documentation is very comprehensive.
- Make sure that you have installed a security plugin, and that you’ve learned the options and are using it correctly.
- Make sure everything is up to date, including themes and plugins. Make sure you have licences for any premium plugins.
- Tell the client the risks, and plan your next steps based on the value of the sites you’re managing.
I think if you’re inheriting a site you have to say, “We didn’t build it, we didn’t write a lot of this code. But what we’re going to do is everything we can to make sure that you’re in good hands now.” I know that’s a little bit warm and fuzzy but that’s really kind of the best that we can do because there are a lot of sites out there that have been built and have been left with the site owner. A kind of — “Here are the keys, see you later” approach. However, most of us already think of a website as a work in progress. It’s a living ‘thing’, so clients really appreciate it when someone is willing to hold their hand and help them through something they don’t necessarily understand. You just have to try and educate them, and make sure that they understand that there are always risks. It’s not just a “build and dump”; if you want a robust online presence, it’s not just about new and shiny, it’s about also making sure that it’s maintained and secure.
Q: Is there a site that lists the good vs bad plugins for WordPress Security?
Chris: This is going to be subjective. Just as if we would look for social proof in Amazon or an app store, these are things that would guide my decision:
- Is it in the WordPress official plugin directory?
- Does it have star ratings?
- How many active installs does it currently have?
- When was it last updated?
- How many support queries does it have?
Just remember that nothing beats talking to other developers or site owners. Aside from that, I would also recommend checking out the WordPress support forums. There are some very experienced people there willing to help those who need it; just make sure you’ve read the Welcome page.
If you’re researching from scratch, just look for the articles. You’ll find that there are a lot of people who write about this stuff and will actually do a deep dive into features.
A quick note on plugins. If something hasn’t been updated in two years, it’ll be flagged on the official plugin directory. Stay away from those because they’re likely going to be either problematic from a support point of view or a potential nightmare from a security perspective as well.
It’s easier to just click a button and install a plugin. Remember, that ultimately these sites are going to be around for a long time, so make sure that we’re dealing with something that’s reliable.
There’s only so much we could cover in this recap, yet there’s plenty more we hadn’t spoken about. Watch the rest of the webinar below to see the rest of our discussion. Happy watching!
Our Handling WordPress Security webinar with Chris can be found in our Learn from the Experts compilation. Check it out to see talks with other industry experts like Chris Coyier, and more.