Kieran O’Shea, open source enthusiast and author of the Calendar plugin gave a talk at WordCamp Edinburgh 2012 on methods to help secure WordPress from hackers. Kieran combined a lot of useful advice with his experience to deliver an informative talk. Something the nerds will appreciate, Kieran was running his WordPress demonstration site on a Raspberry Pi throughout.

Kieran ran though a number of interesting security stats including:

  • average of 156 days before victims realise hacking has taken place
  • 90% of all businesses have been hacking victims within the last 12 months

I’m going to run through some of the topics covered by Kieran including account security, server security and a number of recommended WordPress plugins.

Account security

Avoid the use of the default “admin” username, instead favor something more obscure. The default WordPress username is well known and reduces the amount of work required to brute force the password.

Choosing a strong password was stressed as well as avoiding the reuse of passwords between systems. Particularly important is to use a unique password for your email account, should your email be compromised then password resets can be intercepted and completely bypass any of your other security measures.

There are only so many passwords that can be memorised, this is where password managers come in. Imagine a world where you didn’t have to remember passwords, wouldn’t it be magical? You could use strong random strings of letters, numbers and special characters.

A number of password managers were mentioned including a number of online services which give you access to your passwords no matter where you are.

Server advice

Kieran demonstrated a variant of the c99 shell script, showing the level of access and damage that could be caused from a single script. Some of his advice:

  • Avoid 777 directory permissions – in a shared environment, any user on the server can move files to this location. To protect against this, suPHP was suggested
  • Completely block the WordPress administration folder and use a whitelist of known IPs
  • Prevent script execution within the uploads folder

WordPress Plugins

Kieran recommended a number of plugins which can help secure WordPress and also help in the process of recovery and auditing:

  • WordPress File Monitor Plus by Scott Cariss continuously scans website files for modifications. A useful method for detecting rogue code which may not be friendly
  • Limit Login Attempts by Johan Eenfeldt limits the number of failed login attempts allowed from a single user
  • Audit Trail by John Godley keeps track of user actions within WordPress allowing administrators to place blame identify who made certain changes. The plugin keeps a copy of the post content allowing modifications to be reversed

Kieran’s presentation, Secure from the Start is available on Slideshare and he maintains a personal blog.

We’ll be covering more of this year’s WordCamp talks in the coming weeks. Subscribe to our feed to keep yourself updated. Remember, iWeb provides open source and bespoke web solutions. We work with WordPress and Magento, get in touch if you’d like to learn more.