WordPress Security Recommendations?

SenseiSteve

HD Moderator
Staff member
Just saw where Reuters was exploited.

Curious what recommendations you make to your clients to shore up security on their WordPress sites?
 
From pcmag.com -

> Reuters reporters use blogging platform WordPress to write and upload stories to the website, though the trouble could stem from the software version the company uses. Mark Jaquith, a member of the WordPress security team, told the Wall Street Journal earlier this month that Reuters was using version 3.1.1, instead of the more current 3.4.1 version, which has been updated to fix holes in its security system.
 
That would explain that. But back on topic:

Some of the ways we work on securing WP are:
- custom-written mod_sec rules for WP to filter all attack vectors out
- whitelist IPs for admin areas
- ensure that permissions are right on files
- restrict any type of execution in dirs that don't need it
- proactive monitoring of access_logs
- automatic updates on security releases.

Now that doesn't cover the server side of things, but application-wise it does a good job.
 
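The following is an added example (not from the post above, and not any poster's own tooling) of what the "proactive monitoring of access_logs", "whitelist IPs for admin areas" and "restrict execution in dirs that don't need it" items look like as a concrete check: it parses combined-format access log lines and reports login brute-force bursts, admin-area hits from outside an allowed network, and requests for PHP files under wp-content/uploads. The sample log lines (RFC 5737 documentation addresses), the admin whitelist and the threshold are constructed assumptions.

```python
"""Scan web-server access logs for the WordPress attack patterns the post lists.

Added example, not from the forum post: it turns three of the items above
(proactive monitoring of access_logs, whitelisted IPs for admin areas,
no execution in dirs that don't need it) into a checkable report. The log
lines, the admin whitelist and the threshold are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumed admin whitelist: only these networks may reach wp-admin / wp-login.
ADMIN_ALLOWED = [ipaddress.ip_network("203.0.113.0/24")]
LOGIN_THRESHOLD = 5  # assumed: more POSTs than this to a login endpoint from one IP = brute force
# PHP (or PHP-looking) files requested under uploads: that directory should never execute code.
UPLOAD_EXEC_RE = re.compile(r"^/wp-content/uploads/.*\.ph(?:p\d?|tml)$", re.I)
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict (ip, ts, method, path without query string, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def admin_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWED)


def is_admin_path(path):
    # admin-ajax.php is legitimately hit by anonymous front-end visitors, so it is excluded.
    return path == "/wp-login.php" or (
        path.startswith("/wp-admin/") and path != "/wp-admin/admin-ajax.php"
    )


def analyse(lines):
    login_posts = Counter()
    admin_unlisted = Counter()
    upload_exec = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the monitor
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path in LOGIN_ENDPOINTS:
            login_posts[ip] += 1
        if is_admin_path(path) and not admin_allowed(ip):
            admin_unlisted[ip] += 1
        if UPLOAD_EXEC_RE.match(path):
            upload_exec.append((ip, path, rec["status"]))
    return {
        "login_bruteforce": {ip: n for ip, n in login_posts.items() if n > LOGIN_THRESHOLD},
        "admin_from_unlisted": dict(admin_unlisted),
        "upload_exec": upload_exec,
    }


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = "\n".join(
    ['198.51.100.7 - - [10/Aug/2012:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"' % i
     for i in range(6)]
    + [
        '203.0.113.5 - - [10/Aug/2012:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [10/Aug/2012:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [10/Aug/2012:10:01:09 +0000] "GET /wp-content/uploads/2012/08/shell.php?cmd=id HTTP/1.1" 200 77 "-" "curl/7.26"',
        '192.0.2.1 - - [10/Aug/2012:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
        '192.0.2.1 - - [10/Aug/2012:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
        "this line is not in combined format",
    ]
)

if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG.splitlines()).items():
        print(name, hits)
```

A 200 on a `.php` request under uploads is the signal that matters most: it means the web server executed something in a directory that should only ever serve images, which is exactly what the "restrict execution" item prevents. A 403 or 404 there is still worth seeing, because it shows someone probing for a dropped shell.
 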
Well, assuming the server WP is hosted on is already hardened and secured and WP is up to date, of course... I always recommend the following plugins for security:

Wordfence - http://wordpress.org/extend/plugins/wordfence/

Bulletproof - http://wordpress.org/extend/plugins/bulletproof-security/

Both are excellent ways to protect your WP site from hackers/attackers.

Also.. Don't forget to keep ALL plugins and themes installed, secured and up-to-date at all times, even if you're not currently using them!


EDIT: Forgot to mention to harden WordPress first and foremost!
 
I've always found that plugins do more harm than good.

Custom Mod Security Rules to block common exploits along with keeping all posts, plugins and themes updated keep sites secure.
 
> I've always found that plugins do more harm than good.

If you list the pros and cons of plugins, I'd wager the pros vastly outnumber the cons. Of course, you have to keep your plug-ins updated, and make sure they're tested for the latest version of WordPress, but how hard is that?
 
We see a lot of compromised accounts because of WordPress themes that have outdated TimThumb code within. Since it's not as easy to update a theme as plugins and WordPress itself, people often don't bother. A lot of free themes don't provide updates either. There is a small plugin called 'TimThumb Vulnerability Scanner', which can be used to scan theme files and find outdated TimThumb code. It also allows a webmaster to patch it on the fly without having to manually edit any files.

Although this is just one of many ways websites built with WordPress can be exploited, it's an easy and well known way for attackers to gain entry into an account.
 
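As an added example (not from the post above, and not the 'TimThumb Vulnerability Scanner' plugin it names), this is the detection half of what that plugin does: walk a theme tree, find every copy of TimThumb by its content rather than its file name (themes frequently rename timthumb.php), read the version it declares, and flag anything older than a cutoff. It deliberately does not patch anything. MIN_SAFE_VERSION, the sample theme tree and its file contents are constructed assumptions; set the cutoff to the current TimThumb release before using it for real.

```python
"""Locate TimThumb copies in a WordPress theme tree and flag outdated ones.

Added example, not the 'TimThumb Vulnerability Scanner' plugin named above:
it does the finding half (every copy, whatever the file is named, and its
version) and leaves patching to the operator. MIN_SAFE_VERSION, the sample
theme tree and the file contents are constructed assumptions.
"""
import os
import re
import tempfile

# Assumption for this example: set to the current TimThumb release when using it for real.
MIN_SAFE_VERSION = (2, 0)

TIMTHUMB_MARK = re.compile(r"timthumb", re.I)
# TimThumb declares its version as:  define ('VERSION', '2.8.14');
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9][0-9.]*)['"]\s*\)""")


def parse_version(text):
    """'2.8.14' -> (2, 8, 14); tuples compare the way version numbers should."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def scan_theme_dir(root):
    """Return sorted (relative path, version tuple or None, outdated flag) for every PHP file
    that mentions TimThumb. No parseable version means 'unknown', which is reported as
    outdated so that renamed or stripped copies get a manual look instead of a free pass."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if not TIMTHUMB_MARK.search(text):
                continue
            m = VERSION_RE.search(text)
            version = parse_version(m.group(1)) if m else None
            outdated = version is None or version < MIN_SAFE_VERSION
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append((rel, version, outdated))
    return sorted(findings)


def make_sample_theme_dir():
    """Constructed theme tree for the demo: one old copy, one current copy (renamed),
    one theme that only references TimThumb, one clean theme."""
    root = tempfile.mkdtemp(prefix="wp-themes-")
    samples = {
        "theme_a/timthumb.php": "<?php\n/* TimThumb image resizer */\ndefine ('VERSION', '1.32');\n",
        "theme_b/inc/thumb.php": "<?php\n// TimThumb, renamed by the theme author\ndefine ('VERSION', '2.8.14');\n",
        "theme_c/functions.php": "<?php\n$src = get_template_directory_uri() . '/timthumb.php?src=' . $img;\n",
        "theme_c/style.css": "/* Theme Name: C */\n",
        "theme_d/header.php": "<?php wp_head(); ?>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, version, outdated in scan_theme_dir(make_sample_theme_dir()):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{'OUTDATED' if outdated else 'ok      '} {rel} (version {shown})")
```

The "unknown" result for theme_c is intentional: a file that mentions TimThumb but carries no version define is either a caller (harmless on its own) or a copy with the header stripped, and the scanner cannot tell which, so it fails closed and asks for a human look rather than reporting the theme clean.
 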
> We see a lot of compromised accounts because of WordPress themes that have outdated TimThumb code within. Since it's not as easy to update a theme as plugins and WordPress itself, people often don't bother. A lot of free themes don't provide updates either. There is a small plugin called 'TimThumb Vulnerability Scanner', which can be used to scan theme files and find outdated TimThumb code. It also allows a webmaster to patch it on the fly without having to manually edit any files.
>
> Although this is just one of many ways websites built with WordPress can be exploited, it's an easy and well known way for attackers to gain entry into an account.

Thanks for the tip! TimThumb is an awesome plugin, just installed it on my blog to make sure there were no instances of TimThumb.
 
> Keep your version updated!
+1

Of the compromised WordPress installations that I've worked with post-breach, the vast majority of them hadn't been kept updated, leaving them vulnerable to attack via exploits that had been patched in later revisions. While keeping it up to date is in no way the only thing that can and/or should be done, it's an important part of keeping it secure.
 