Friday, 1 February 2013

Securing WordPress – Part I


Posted: 01 Feb 2013 01:25 AM PST

When the issue of security arises, many imagine a perfect system. However, it is impossible to create perfect, impermeable security. It is the elusive snipe. That does not mean that we quit trying. We must transform our idea of securing a system from a static set of steps into a dynamic set of protocols that we constantly adjust as threats arise and as new technologies are created, both for defenders and for attackers to exploit.

The Network and Computers

Securing a program requires securing the computers involved in managing and serving the program, as well as the network over which they are served.

Starting with your own computer, make sure there is no malware anywhere on it. If there is malicious software on your computer, such as a trojan or a keylogger, then any additional security is irrelevant. So start by securing your own computer, then move on from there. That also means applying all security updates for your OS, browser, and FTP client.

The same principles apply to your server. Insofar as you have control over the programs running on it, make sure it is clean of malware and that the latest patches are applied to all of the programs involved in running and serving your WordPress installation. You should be able to trust your host to take care of security issues for you when you need assistance,

Note that if you are serving your WordPress site on shared hosting, your site is vulnerable to any intrusion into any other site on the same server. Since you do not even know who your neighbors are, it is not recommended that you run a WordPress site you want to secure on shared hosting. You should purchase at least some level of VPS.

The most mysterious part is the network. All passwords should be sent encrypted from your computer, through your router, via your network provider, to the end point on the server. The rules on any firewall along the way should be properly secured and maintained.

User Names and Passwords

Here is a place in the chain where most people fail dramatically. There is an assumption that if the other parts are in place, no one can even try guessing your user names and passwords. That is a naïve assumption, though. You must take user names and passwords seriously. You have to make a brute-force attack on your WordPress and its supporting programs, such as MySQL, as difficult as you can.

Maximum Password Strength and Random User Names

If a hacker gets into your admin account, he can install any kind of malware he likes and you might never notice until it is too late. So how do you maximize the strength of your passwords? Use a password generator. A word of warning is in order: avoid any generator that transfers the randomly generated password across the Internet to your browser. Some generate the password with client-side scripting, so it never leaves your browser; this is best. Be sure to use 50 characters that are a mixture of alphabetic (upper and lower case), numeric, and symbol characters. This kind of password is, practically speaking, uncrackable. When creating a user name, you should have a randomly generated one as well. Otherwise, if you use dictionary words or simply admin, then half of the hacker's job is done for him: a dictionary file will guess and try the common words. User names should be limited to 8 characters and should be alphanumeric only (upper and lower case). cPanel, database, and FTP user names should contain only lower-case letters and numbers. Otherwise, when you create a user name with capital letters, it will be converted to lower case without notification and your original login name will fail.

Never Store Passwords on Computers

The last point to practice regarding user names and passwords is to never store them in your browser or in any other program on the computer. Even a password-storing program requires a master password to open it, and you are most likely to choose a simple one that can be guessed. The best security is to keep your passwords on paper, in a safe or locked in a foot locker or box. Do not carry the list with you everywhere you go. If someone who knows you finds it, they will figure out that this is your list of passwords and might use them, even if only out of curiosity.


© 2011 TipsBlogger.com